Bug 1466786

Summary: ipa-cacert-manage cannot change external to self-signed ca cert
Product: Red Hat Enterprise Linux 7
Reporter: Mohammad Rizwan <myusuf>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED DUPLICATE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: pvoborni, rcritten, slaznick, tscherf
Target Milestone: rc
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2017-09-01 21:07:25 UTC
Type: Bug
Attachments: /var/log/message (flags: none)

Description Mohammad Rizwan 2017-06-30 12:50:22 UTC
Description of problem:
I'm trying to change the CA cert from externally signed to self-signed. But it's failing, and the error can be seen below:

[root@ipa-master ~]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Error resubmitting certmonger request '20170630120302', please check the request manually
The ipa-cacert-manage command failed.

[root@ipa-master ~]#  getcert list -i 20170630120302
Number of certificates and requests being tracked: 9.
Request ID '20170630120302':
        status: MONITORING
        ca-error: Updated certificate not available
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=External CA,O=EXTERNAL
        subject: CN=Certificate Authority,O=TESTRELM.TEST
        expires: 2017-09-30 12:00:32 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-20.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install IPA with an externally signed CA cert

ipa-server-install --ip-address ${IP} -r ${RELM} -p ${PASSWORD} -a ${PASSWORD} --setup-dns --forwarder ${FORWARDER} -U --external-ca

2. Set up an NSS DB for the external CA

    mkdir nssdb

    echo Secret.123 > nssdb/password.txt

    certutil -N -d nssdb -f nssdb/password.txt

3. Set up the external CA

    openssl rand -out nssdb/noise.bin 2048

    ROOTCA_SKID="0x`openssl rand -hex 20`"

    echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" |  certutil -S  -d nssdb  -f  nssdb/password.txt  -z nssdb/noise.bin  -n "External CA"  -s "CN=External CA,O=EXTERNAL"  -x  -t "CTu,CTu,CTu"  -m $RANDOM -2  --extSKID  --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical

4. Export the external CA chain
    
    certutil -L -d nssdb -n "External CA" -a > /tmp/external.crt

5. Sign ipa.csr with the external CA

    SUBCA_SKID="0x`openssl rand -hex 20`"

    SUBCA_OCSP="http://$HOSTNAME:8080/ca/ocsp"

    echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n\n\n\n" |  certutil -C  -d nssdb  -f nssdb/password.txt  -m $RANDOM  -a -i /root/ipa.csr  -o /tmp/ca_signing.crt  -c "External CA"  -2 -3  --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical  --extAIA  --extSKID

6. Start the install and get the Certificate Signing Request for the externally signed CA

    ipa-server-install --ip-address ${IP} -r ${RELM} -p ${PASSWORD} -a ${PASSWORD} --setup-dns --forwarder ${FORWARDER} -U --external_cert_file=/tmp/ca_signing.crt  --external_ca_file=/tmp/external.crt

7. Check the status of the certs:
    
    getcert list | egrep "status|expires|Request|subject|ca-error"

8. Renew the CA cert and change it to self-signed

    ipa-cacert-manage renew --self-signed

Actual results:

CA cert renewal is failing.


Expected results:
CA should renew successfully and change to self-signed.

Additional info:
The error from /var/log/message is attached.
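The `getcert list` output quoted above is what an operator inspects after a failed renewal. As an added example (not part of the bug report or of FreeIPA's own code), the script below parses that output format using a constructed sample modelled on the report, lists requests carrying a `ca-error`, and checks whether the tracked CA certificate is still externally signed (issuer differs from subject):

```python
"""Parse `getcert list` output and flag certmonger requests that need attention."""
import re

# Constructed sample modelled on the output quoted in the bug report (not real data).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170630120302':
        status: MONITORING
        ca-error: Updated certificate not available
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=External CA,O=EXTERNAL
        subject: CN=Certificate Authority,O=TESTRELM.TEST
        expires: 2017-09-30 12:00:32 UTC
Request ID '20170630120303':
        status: MONITORING
        stuck: no
        CA: IPA
        issuer: CN=Certificate Authority,O=TESTRELM.TEST
        subject: CN=ipa-master.testrelm.test,O=TESTRELM.TEST
        expires: 2019-06-30 12:03:02 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")

def parse_getcert_list(text):
    """Return {request_id: {field: value}}; split on the first ':' only, since values such as 'expires' contain colons."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def find_problem_requests(requests):
    """IDs of requests with a ca-error, stuck=yes, or a status other than MONITORING."""
    return sorted(rid for rid, f in requests.items()
                  if f.get("ca-error") or f.get("stuck") == "yes"
                  or f.get("status") != "MONITORING")

def is_self_signed(fields):
    """True when the tracked certificate's issuer equals its subject (as expected after a --self-signed renewal)."""
    return fields.get("issuer") == fields.get("subject")
```

Running `find_problem_requests` over the real `getcert list` output after step 8 shows at a glance which request the renewal left with a `ca-error`, and `is_self_signed` on that request confirms whether the switch away from the external issuer actually happened.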

Comment 2 Mohammad Rizwan 2017-06-30 12:52:56 UTC
Created attachment 1293218 [details]
/var/log/message

Comment 3 Petr Vobornik 2017-07-28 15:59:30 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7075

Comment 5 Petr Vobornik 2017-09-01 21:07:25 UTC

*** This bug has been marked as a duplicate of bug 1486283 ***