Bug 1455054

Summary: ipa-ca-install command installs CA on replica even if cert file is not specified with --external-cert-file option
Product: Red Hat Enterprise Linux 8 Reporter: Mohammad Rizwan <myusuf>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: low    
Version: 8.0CC: pasik, pcech, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-30 14:15:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Mohammad Rizwan 2017-05-24 07:36:04 UTC
Description of problem:
ipa-ca-install command installs CA on replica even if cert file is not specified with --external-cert-file option. If executed command with non-existing file, invalid file etc, it doesn't through any error.

Version-Release number of selected component (if applicable):

[root@bkr-hv01-guest30 ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.5.0-13.el7.x86_64
ipa-client-4.5.0-13.el7.x86_64
389-ds-base-1.3.6.1-14.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install replica on the system (ipa-replica-install -P admin - w Secret123)

2. Install CA with following scenario:

   a) ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=

   b) ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt #no file as abc.crt

   c) ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt  #abc.crt blank file

Actual results:

[root@hp-bl420cgen8-01 pki]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records


[root@hp-bl420cgen8-01 pki]# cat abc.crt
-----BEGIN CERTIFICATE-----
sdnmsdkfbsdifbsdbasdsdSDDDasdmnd
-----END CERTIFICATE-----


[root@cisco-e160dp-01 ~]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.txt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
                                                                                
[root@cisco-e160dp-01 ~]# cat abc.txt
afdjskfjhsfkhsfkjsfADDAaasd
sdkfjsfkjshfklsjhfsljdfhsdf
sdlfdlkjfdsalkjfhldsahflahf
lkjfsalfhdalfkhfdhlajfadfjd
[root@cisco-e160dp-01 ~]#

[root@hp-bl420cgen8-01 pki]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@hp-bl420cgen8-01 pki]#
[root@hp-bl420cgen8-01 pki]# cat abc.crt #blank file
[root@hp-bl420cgen8-01 pki]#

[root@bkr-hv03-guest22 ~]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt   #no file as abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@bkr-hv03-guest22 ~]# ll
total 60
-rw-------. 1 root    root    20278 May 23 06:31 anaconda-ks.cfg
-rw-r--r--. 1 pkiuser pkiuser 10362 May 23 09:10 cacert.p12
-rw-r--r--. 1 root    root        4 May 23 06:30 NETBOOT_METHOD.TXT
-rw-------. 1 root    root    19724 May 23 06:31 original-ks.cfg
-rw-r--r--. 1 root    root        8 May 23 06:30 RECIPE.TXT

without a .crt file

[root@bkr-hv03-guest19 ~]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@bkr-hv03-guest19 ~]#

                                                                           

Expected results:
It Should throw std error like Invalid certificate file or No certificate file is specified etc.

Additional info:

Comment 2 Petr Vobornik 2017-05-24 08:25:01 UTC
--external_cert_file option in ipa-ca-install is used for upgrading CA-less setup to setup with CA. 

In other cases, this option is ignored and thus probably misses validation. A bug but I'd say with lower priority.

Comment 3 Petr Vobornik 2017-05-26 10:54:53 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6985

Comment 6 Rob Crittenden 2019-02-18 19:50:48 UTC
I'm inclined to close this as not a bug.

This is the equivalent of setting it to nothing, which is the default anyway, so it is just a superfluous option. It is a no-op so I don't think we should throw an error.

Comment 7 Florence Blanc-Renaud 2019-06-19 07:41:20 UTC
RHEL-7.7 is already near the end of a Development Phase and development is being wrapped up. I am bulk-moving to RHEL 8 the Bugs which were already triaged, but to which we did not commit (without devel_ack) and we cannot keep them even as a stretch goal for RHEL-7.7.

If you believe this particular bug should be reconsidered for 7.7, please let us know.

Comment 10 Petr Čech 2020-11-30 14:15:37 UTC
This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address it at some point in future. Time showed that we did not have such capacity, nor have it now nor will have in the foreseeable future. In such a situation keeping it in the backlog is misleading and setting the wrong expectation that we will be able to address it. Unfortunately we will not. To reflect this we are closing this BZ. If you disagree with the decision please reopen or open a new support case and create a new BZ. However this does not guarantee that the request will not be closed during the triage as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream is always welcome!
Thank you for understanding
Red Hat Enterprise Linux Identity Management Team