Bug 1455054

Summary: ipa-ca-install command installs CA on replica even if cert file is not specified with --external-cert-file option
Product: Red Hat Enterprise Linux 8
Reporter: Mohammad Rizwan <myusuf>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: low
Version: 8.0
CC: pasik, pcech, pvoborni, rcritten, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-30 14:15:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Mohammad Rizwan 2017-05-24 07:36:04 UTC
Description of problem:
ipa-ca-install command installs CA on replica even if cert file is not specified with --external-cert-file option. If the command is executed with a non-existing file, an invalid file, etc., it doesn't throw any error.

Version-Release number of selected component (if applicable):

[root@bkr-hv01-guest30 ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.5.0-13.el7.x86_64
ipa-client-4.5.0-13.el7.x86_64
389-ds-base-1.3.6.1-14.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install replica on the system (ipa-replica-install -P admin -w Secret123)

2. Install CA with following scenario:

   a) ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=

   b) ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt #no file as abc.crt

   c) ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt  #abc.crt blank file

Actual results:

[root@hp-bl420cgen8-01 pki]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records


[root@hp-bl420cgen8-01 pki]# cat abc.crt
-----BEGIN CERTIFICATE-----
sdnmsdkfbsdifbsdbasdsdSDDDasdmnd
-----END CERTIFICATE-----


[root@cisco-e160dp-01 ~]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.txt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@cisco-e160dp-01 ~]# cat abc.txt
afdjskfjhsfkhsfkjsfADDAaasd
sdkfjsfkjshfklsjhfsljdfhsdf
sdlfdlkjfdsalkjfhldsahflahf
lkjfsalfhdalfkhfdhlajfadfjd
[root@cisco-e160dp-01 ~]#

[root@hp-bl420cgen8-01 pki]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@hp-bl420cgen8-01 pki]#
[root@hp-bl420cgen8-01 pki]# cat abc.crt #blank file
[root@hp-bl420cgen8-01 pki]#

[root@bkr-hv03-guest22 ~]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt   #no file as abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@bkr-hv03-guest22 ~]# ll
total 60
-rw-------. 1 root    root    20278 May 23 06:31 anaconda-ks.cfg
-rw-r--r--. 1 pkiuser pkiuser 10362 May 23 09:10 cacert.p12
-rw-r--r--. 1 root    root        4 May 23 06:30 NETBOOT_METHOD.TXT
-rw-------. 1 root    root    19724 May 23 06:31 original-ks.cfg
-rw-r--r--. 1 root    root        8 May 23 06:30 RECIPE.TXT

without a .crt file

[root@bkr-hv03-guest19 ~]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@bkr-hv03-guest19 ~]#

Expected results:
It should throw a standard error like "Invalid certificate file" or "No certificate file is specified", etc.

Additional info:

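The validation the reporter expected, as an added example that is not FreeIPA code: it rejects the three inputs exercised above (empty option value, missing file, file with no parsable certificate) before any CA configuration starts. Only the PEM wrapper and the outer DER SEQUENCE are checked, with the standard library; a real installer would hand the bytes to an X.509 parser. SAMPLE_PEM is a constructed stand-in, not a real certificate.

```python
# Added example (not FreeIPA code): reject an --external-cert-file value that is
# empty, names a missing file, or holds no parsable certificate, up front.
import base64
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Constructed sample: DER SEQUENCE { INTEGER 5 }; valid shape, not a real cert.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"
              b"-----END CERTIFICATE-----\n")

def _is_one_der_sequence(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE (tag 0x30) with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        hdr, length = 2, first
    else:                                  # long-form length, 1-4 bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)

def check_cert_bytes(data: bytes, name: str):
    """Return None if data holds a PEM cert wrapping a DER SEQUENCE, else an error."""
    if not data.strip():
        return "Certificate file %s is empty" % name
    bodies = PEM_BLOCK.findall(data.decode("ascii", "replace"))
    if not bodies:
        return "Invalid certificate file %s: no PEM certificate found" % name
    for body in bodies:
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            return "Invalid certificate file %s: body is not base64" % name
        if not _is_one_der_sequence(der):
            return "Invalid certificate file %s: not a DER certificate" % name
    return None

def check_external_cert_file(path: str):
    """Return None for a usable file, else the error the reporter expected."""
    if not path:
        return "No certificate file is specified"
    if not os.path.isfile(path):
        return "Certificate file %s does not exist" % path
    with open(path, "rb") as f:
        return check_cert_bytes(f.read(), path)
```

Fed the garbage body from the `cat abc.crt` output above, the check reports "not a DER certificate"; the four-line abc.txt content is rejected for lacking a PEM block.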
Comment 2 Petr Vobornik 2017-05-24 08:25:01 UTC
--external-cert-file option in ipa-ca-install is used for upgrading CA-less setup to setup with CA.

In other cases, this option is ignored and thus probably misses validation. A bug but I'd say with lower priority.

Comment 3 Petr Vobornik 2017-05-26 10:54:53 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6985

Comment 6 Rob Crittenden 2019-02-18 19:50:48 UTC
I'm inclined to close this as not a bug.

This is the equivalent of setting it to nothing, which is the default anyway, so it is just a superfluous option. It is a no-op so I don't think we should throw an error.

Comment 7 Florence Blanc-Renaud 2019-06-19 07:41:20 UTC
RHEL-7.7 is already near the end of a Development Phase and development is being wrapped up. I am bulk-moving to RHEL 8 the Bugs which were already triaged, but to which we did not commit (without devel_ack) and we cannot keep them even as a stretch goal for RHEL-7.7.

If you believe this particular bug should be reconsidered for 7.7, please let us know.

Comment 10 Petr Čech 2020-11-30 14:15:37 UTC
This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address it at some point in future. Time showed that we did not have such capacity, nor have it now nor will have in the foreseeable future. In such a situation keeping it in the backlog is misleading and setting the wrong expectation that we will be able to address it. Unfortunately we will not. To reflect this we are closing this BZ. If you disagree with the decision please reopen or open a new support case and create a new BZ. However this does not guarantee that the request will not be closed during the triage as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream is always welcome!
Thank you for understanding
Red Hat Enterprise Linux Identity Management Team