Bug 1404175

Summary: pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any
Product: Red Hat Enterprise Linux 7 Reporter: Marcel Kolaja <mkolaja>
Component: pki-coreAssignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact:
Priority: high    
Version: 7.3CC: alee, arubin, edewata, enewland, gkapoor, jpazdziora, ksiddiqu, mharmsen, mkolaja, mkosek, nkinder, pbokoc, pvoborni
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pki-core-10.3.3-15.el7_3 Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: 1316653 Environment:
Last Closed: 2017-01-17 18:26:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1316653    
Bug Blocks:    

Description Marcel Kolaja 2016-12-13 09:26:34 UTC 
This bug has been copied from bug #1316653 and has been proposed
to be backported to 7.3 z-stream (EUS).
Comment 4 Geetika Kapoor 2016-12-19 11:15:16 UTC 
Test build:  pki-ca-10.3.3-16.el7_3.noarch

Performed the below mentioned testing.Please have a look if anything else also needs to be covered as part of this testing.

1. Install ipa-server-install
2. Create csr using openssl req -new -nodes -out host.csr
3. pki  ca-cert-request-profile-show caCACert --output template.xml
4. submit the csr to any externalCA .
Here i have used another dogtag CA to get the csr signed.

# pki -h <ip1 of CA> -p <http port of CA> ca-cert-request-submit template.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 49990004
  Type: enrollment
  Request Status: pending
  Operation Result: success

5. Make sure to include request type (either pkcs10 or crmf) and cert request fileds.

Case 1: If we don't include request type in template.xml we would hit below exception:

#pki  ca-cert-request-submit template.xml
PKIException: Unknown Certificate Request Type 

6. Try to approve the csr from the CA to which we have send the request.Below if the output once signed by CA.

# pki -h <ip1 of CA> -p <http port of CA ca-cert-request-show 49990004
------------------------------
Certificate request "49990004"
------------------------------
  Request ID: 49990004
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x5ffe0001

##############################################################################
Details of working template.xml::
##############################################################################

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <Attributes/>
    <ProfileID>caCACert</ProfileID>
    <Renewal>false</Renewal>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>certReqInputImpl</ClassID>
        <Name>Certificate Request Input</Name>
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
            <Descriptor>
                <Syntax>cert_request_type</Syntax>
                <Description>Certificate Request Type</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="cert_request">
            <Value>
-----BEGIN CERTIFICATE REQUEST-----
MIICljCCAX4CAQAwUTELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0
eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDENMAsGA1UEAwwEVGVzdDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcITTHKipicCgA58PVPxalU
MVBCJTDaRrW4eaSRt3qgsDMhrZ34t8voQni0Pabfw7sp+lUtjUm1QJhmZhTyk8q2
1668KSM36jzbLq32XNdWdPtRTDdE9ahUHzm/uEraRfvlb7WkQIoJDYI9yhie7dr8
F/LKZ9LNRoYgjWUK7z3BDU2NMmb/AaZDnBNKUFB3XXi1QsLnSc/Sy4kakAcPVqf6
91mDToHfOQdLJ2/aiUyQ6jC4tkS/YJUQyPb0cUen7bFwsj6orKA30W5umw+J3Bxl
9TOuaffNR2/154hdoc8tmJqEMqJ/UX5PN5RtHTEtqNuceNda8QUpJjxMk1MxwFkC
AwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAouE0d8LeP9BdYnTsq4JLSx2d9mT0U
/3pKhqyBNcwualUUAeUJcPuL7SXE6p65D5VyjnpyAY2Lov4XVDoA+zhGOtgimmT8
z1V/fwfaUNavkSRslgUyO9YMuXIB5dymRLoEm5iRV1C10q/NvsAImdb4oxf5s63w
lhsnzZPAdvMncP1TzskkeMAxX7ifU3vU97MY52gf5wzh9sO0Ex35pHGHgZ0HaFJ2
engvU09AW9cHJmALGXr9+/ZPYEpWtuMiRS9t/ZA02v5VNd6+RC9OJvl/lZcPtsBg
fZY1POP5GdKbuAfeJ5Vgsppv0i/lO5Sg4vGWkgDwHo6dmPXieSqBCACB
-----END CERTIFICATE REQUEST-----
</Value>
            <Descriptor>
                <Syntax>cert_request</Syntax>
                <Description>Certificate Request</Description>
            </Descriptor>
        </Attribute>
    </Input>
    <Input id="i2">
        <ClassID>submitterInfoInputImpl</ClassID>
        <Name>Requestor Information</Name>
        <Attribute name="requestor_name">
            <Value>Test</Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Name</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="requestor_email">
            <Value></Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Email</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="requestor_phone">
            <Value></Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Phone</Description>
            </Descriptor>
        </Attribute>
    </Input>
</CertEnrollmentRequest>
Comment 6 Jan Pazdziora (Red Hat) 2016-12-19 15:27:48 UTC 
I'm sorry -- what is the question?
Comment 7 Geetika Kapoor 2016-12-20 06:32:23 UTC 
hello Jan,

Based on this BZ comments and parent BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1316653), I have done the testing as mentioned in comment#4 and also i have verified the fix which is a man page fix for pki-cert.Man page now has below mentioned data:

<Man page pki-cert>

Depending  on  the  profile,  the  command may require authentication (see the profile configuration file).  The CLI currently supports
       client certificate authentication and directory-based authentication.

       Also depending on the profile, an agent may need to review and approve the request by running the following command:

       pki <agent authentication> ca-cert-request-review <request ID> --file <file to store the certificate request>

</Man page pki-cert>

I am from RHCS team and i try to cover best possible use cases.If you could share your inputs and  you have any other test case which is valid for IPA, I can cover that as part of this testing.

Thanks
Comment 8 Jan Pazdziora (Red Hat) 2016-12-20 08:08:04 UTC 
I don't have any insights -- I've just followed the man page in bug 1316653 comment 0 and it failed. If you were able to reproduce the failure with the version and steps from that bugzilla, and new version either has fixed man page, behaviour, or both, ideally pointing the user how do submit the request, that's all that is needed.
Comment 9 Geetika Kapoor 2016-12-20 09:39:50 UTC 
Hello Jan,

According to Endi's  comment #4 (https://bugzilla.redhat.com/show_bug.cgi?id=1316653), we don't use profile "caInstallCACert" because it is internal.
In place of that, we can use profile "caCACert" .Using this profile, We are able to submit request to this profile and approve also. 
man pages are modified to reflect changes.
More details about different profiles usage and submitting request is provided here on this wiki
"http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles"

Thanks
Geetika
Comment 11 errata-xmlrpc 2017-01-17 18:26:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0093.html