Bug 1478154

Summary: getcert (ipa-getcert) ignores -X
Product: [Fedora] Fedora
Reporter: Michael Voetter <mikevo>
Component: certmonger
Assignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 26
CC: abokovoy, ftweedal, ipa-maint, jcholast, jhrozek, mharmsen, nalin, pvoborni, rcritten, ssorce, tkrizek
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard:
Fixed In Version: certmonger-0.79.4-1.fc26
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-31 15:55:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michael Voetter 2017-08-03 18:26:02 UTC
Description of problem:
The getcert (ipa-getcert) command seems to ignore the -X option. It always requests from the main CA (ipa) instead of the specified sub-CA (vpn).


Version-Release number of selected component (if applicable):
Client:
  Fedora 26

  ipa --version
  VERSION: 4.4.4, API_VERSION: 2.215

  certmonger.x86_64                  0.79.3-1.fc26
  freeipa-client.x86_64              4.4.4-4.fc26

Server:
  CentOS Linux release 7.3.1611 (Core)

  ipa --version
  VERSION: 4.4.0, API_VERSION: 2.213

  certmonger.x86_64                   0.78.4-3.el7
  ipa-server.x86_64                   4.4.0-14.el7.centos.7

How reproducible:
Request a certificate for the host.

ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caVPNhostCert -X vpn

Actual results:
status: CA_REJECTED
ca-error: Server at https://<ipa server fqdn>/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Principal 'host/<hostname>@<REALM>' is not permitted to use CA 'ipa' with profile 'caVPNhostCert' for certificate issuance.).

...

CA: IPA
issuer: 


Expected results:
status: MONITORING

...

CA: IPA
issuer: CN=VPN CA,O=<REALM>


Additional info:
The same command works on CentOS Linux release 7.3.1611 (Core) clients.

It is also possible to issue a certificate for the "rejected principal" in the web ui of the ipa server where I can select the correct sub-CA.
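
The two states quoted above (a CA_REJECTED request naming the wrong CA, and a MONITORING request issued by the intended sub-CA) are exactly what an operator would want to screen `getcert list` output for before trusting a certificate on a client. The script below is an added example, not part of this bug report or of certmonger; the sample output, host names and realm are constructed from the report's own text, and it flags any tracked request that was rejected for a CA/profile mismatch or whose issuer CN is not the expected sub-CA.

```python
import re

# Constructed sample of `getcert list` output (not captured from a real host),
# built from the two states quoted in the bug description.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170803182600':
\tstatus: CA_REJECTED
\tca-error: Server at https://ipa.example.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Principal 'host/client.example.test@EXAMPLE.TEST' is not permitted to use CA 'ipa' with profile 'caVPNhostCert' for certificate issuance.).
\tCA: IPA
\tissuer: 
Request ID '20170803182700':
\tstatus: MONITORING
\tCA: IPA
\tissuer: CN=VPN CA,O=EXAMPLE.TEST
"""

# Matches the IPA access-control error quoted in the report.
REJECT_RE = re.compile(r"not permitted to use CA '([^']+)' with profile '([^']+)'")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of 'field: value' pairs per request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
            continue
        if requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests


def issuer_cn(issuer_dn):
    """Return the CN attribute of a simple 'CN=...,O=...' DN (no escaped commas handled)."""
    for rdn in issuer_dn.split(","):
        if rdn.strip().startswith("CN="):
            return rdn.strip()[3:]
    return None


def check_sub_ca(text, expected_cn):
    """Return (request id, finding) for each request not issued by the expected sub-CA."""
    findings = []
    for req in parse_getcert_list(text):
        if req.get("status") == "CA_REJECTED":
            m = REJECT_RE.search(req.get("ca-error", ""))
            detail = f"rejected: CA '{m.group(1)}' with profile '{m.group(2)}'" if m else "rejected"
            findings.append((req["id"], detail))
        elif issuer_cn(req.get("issuer", "")) != expected_cn:
            findings.append((req["id"], f"issued by '{issuer_cn(req.get('issuer', ''))}', expected '{expected_cn}'"))
    return findings
```

Running `check_sub_ca(SAMPLE, "VPN CA")` reports only the rejected request, which is the signature of this bug: the client asked for the main CA instead of the sub-CA given with -X.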

Comment 1 Rob Crittenden 2017-08-04 20:31:11 UTC
I've duplicated this in a Fedora-26 system running against an IdM install on RHEL 7.4 (ipa-server-4.5.0-21.el7.x86_64)

On the 7.4 server itself I created a new sub-ca named vpn with the subject CN=VPN.

I requested a cert similar to the reporter, just using the standard profile:

ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caIPAserviceCert -X vpn

And the subject is correct.

I did the same in an enrolled Fedora 26 client and the subject is from the primary CA.

The problem is:

[Fri Aug 04 16:13:28.812095 2017] [:error] [pid 14347] ipa: INFO: exception OptionError caught when converting options: Unknown option: ca

The correct option is cacn.

AFAICT the problem has been in certmonger since the introduction of the feature with commit 20a6536febf0815d0b3d301133820a46fdd6ef21

A patch that fixes this is in RHEL but apparently was never merged upstream.

Comment 3 Rob Crittenden 2017-08-08 14:38:32 UTC
Submitted to updates-testing, https://bodhi.fedoraproject.org/updates/certmonger-0.79.4-1.fc26