Bug 1493541

| Field | Value |
|---|---|
| Summary | ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not. |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Thorsten Scherf <tscherf> |
| Component | ipa |
| Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED ERRATA |
| QA Contact | ipa-qe <ipa-qe> |
| Severity | high |
| Priority | high |
| Version | 7.4 |
| CC | frenaud, ndehadra, pasik, pvoborni, rcritten, ssidhaye, tmihinto, tscherf |
| Target Milestone | rc |
| Keywords | ZStream |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | ipa-4.6.5-1.el7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| | 1658313 1659511 |
| Last Closed | 2019-08-06 13:09:02 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1658313, 1659511 |
|
Description
Thorsten Scherf
2017-09-20 12:41:23 UTC
Upstream ticket: https://pagure.io/freeipa/issue/7200

Fixed upstream master:
https://pagure.io/freeipa/c/52c3c908756b5af3e09e8d359d11c0279f393245
https://pagure.io/freeipa/c/a2301538370dc33797959bc1d7bab0c908fccf3e

Fixed upstream ipa-4-7:
https://pagure.io/freeipa/c/940755e37b06ea95c32abd056277da19fb05ed3e
https://pagure.io/freeipa/c/ffa04a1862be198b9e1a5f6205d1ae0909ac5a4d

ipa-4-6:
https://pagure.io/freeipa/c/c5b0874a1d257a5b26e6d6f2824845ac8cf2533f
https://pagure.io/freeipa/c/7f653a02bb125f4158e104e0a7b6b192f9961d53

Upstream test added: ipatests/test_integration/test_pkinit_manage.py

Build used for verification:

```
[root@idm-qe-01 ~]# rpm -qa ipa-server ipa-server-dns
ipa-server-4.6.5-8.el7.x86_64
ipa-server-dns-4.6.5-8.el7.noarch
```

Steps:
1. Install master with --no-pkinit option
2. ipa-getcert list
3. ipa-pkinit-manage status
4. ipa-pkinit-manage --verbose enable
5. ipa-getcert list
6. ipa-pkinit-manage status

Actual Results:

```
[root@idm-qe-01 ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190515100056':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:00:56 UTC
	dns: master.testrelm.test
	principal name: ldap/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20190515100128':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:01:29 UTC
	dns: master.testrelm.test
	principal name: HTTP/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes

[root@idm-qe-01 ~]# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful

[root@idm-qe-01 ~]# ipa-pkinit-manage --verbose enable
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_140508947101264
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.231')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.231')
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fcac94db6c8>
ipalib.frontend: DEBUG: raw: config_show(version=u'2.231')
ipalib.frontend: DEBUG: config_show(rights=False, all=False, raw=False, version=u'2.231')
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.231')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.231')
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.service: DEBUG: Configuring Kerberos KDC (krb5kdc)
Configuring Kerberos KDC (krb5kdc)
ipaserver.install.service: DEBUG:   [1/1]: installing X509 Certificate for PKINIT
  [1/1]: installing X509 Certificate for PKINIT
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipalib.install.certmonger: DEBUG: Cert request 20190515100659 was successful
ipaserver.install.service: DEBUG: service KDC has all config values set
ipaserver.install.service: DEBUG: duration: 5 seconds
ipaserver.install.service: DEBUG: Done configuring Kerberos KDC (krb5kdc).
Done configuring Kerberos KDC (krb5kdc).
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipaplatform.base.services: DEBUG: Restart of krb5kdc.service complete
ipaserver.install.service: DEBUG: service KDC: config string pkinitEnabled already set
ipaserver.install.service: DEBUG: service KDC has already enabled config values ['pkinitEnabled']
ipalib.backend: DEBUG: Destroyed connection context.ldap2_140508947101264
ipapython.admintool: INFO: The ipa-pkinit-manage command was successful

[root@idm-qe-01 ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190515100056':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:00:56 UTC
	dns: master.testrelm.test
	principal name: ldap/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20190515100128':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:01:29 UTC
	dns: master.testrelm.test
	principal name: HTTP/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20190515100659':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:06:59 UTC
	principal name: krbtgt/TESTRELM.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes

[root@idm-qe-01 ~]# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
[root@idm-qe-01 ~]#
```

Based on above observations marking bugzilla as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241
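The verification above does not trust the "command was successful" line; it compares `ipa-getcert list` before and after the enable and looks for the new KDC request. The following Python is an added example, not code from the report or from FreeIPA: it parses `ipa-getcert list` output and reports whether certmonger is tracking a KDC certificate at /var/kerberos/krb5kdc/kdc.crt with the id-pkinit-KPKdc EKU, which is the observable difference between the disabled and enabled states in the output above. The sample listings are constructed from the report's output, trimmed to the fields the check reads.

```python
import re

# Values taken from the KDC PKINIT request shown in the report's verification output.
KDC_CERT = "/var/kerberos/krb5kdc/kdc.crt"
PKINIT_KDC_EKU = "id-pkinit-KPKdc"

# Constructed sample modelled on the report's post-enable `ipa-getcert list` output.
SAMPLE_AFTER = """\
Number of certificates and requests being tracked: 2.
Request ID '20190515100128':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	principal name: HTTP/master.testrelm.test
	eku: id-kp-serverAuth,id-kp-clientAuth
Request ID '20190515100659':
	status: MONITORING
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	principal name: krbtgt/TESTRELM.TEST
	eku: id-kp-serverAuth,id-pkinit-KPKdc
"""
# Before `ipa-pkinit-manage enable` the KDC request simply does not exist.
SAMPLE_BEFORE = SAMPLE_AFTER.split("Request ID '20190515100659'")[0]


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        line = line.strip()
        match = re.match(r"Request ID '(\d+)':", line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # first colon separates field from value
            current[key.strip()] = value.strip()
    return requests


def kdc_pkinit_request(requests):
    """Return the tracked KDC PKINIT request, or None when the KDC has no such cert."""
    for req in requests:
        ekus = req.get("eku", "").split(",")
        if (f"location='{KDC_CERT}'" in req.get("certificate", "")
                and PKINIT_KDC_EKU in ekus
                and req.get("status") == "MONITORING"):
            return req
    return None
```

On a live server, pass the captured text of `ipa-getcert list` to `parse_getcert_list` and treat a `None` result from `kdc_pkinit_request` as "PKINIT not actually enabled", whatever `ipa-pkinit-manage` reported.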