Bug 1542737

Summary: Incorrect certs are being updated with "ipa-certupdate"
Product: Red Hat Enterprise Linux 8 Reporter: aheverle
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0CC: abokovoy, gparente, mrhodes, pasik, pvoborni, rcritten, ssidhaye, sumenon, tscherf
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.9.1-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 15:47:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description aheverle 2018-02-06 22:23:48 UTC 
Description of problem:
Noticed there were a expired internal and external CA certs in the NSS DBs.

After manually removing old certs from the NSS DB, they are being re-added after running the "ipa-certupdate" command.

How reproducible:
Every time

Steps to Reproduce:

Exported the ASCII format of the certs in the databases below.

 - /etc/httpd/alias
 - /etc/dirsrv/slapd-<instance name>
 - /etc/ipa/nssdb
 - /var/lib/pki/pki-tomcat/alias

Next, we found/verified the correct cert blob using the openssl command.

Then, we deleted the certs out of the NSS DBs and imported the correct certs in the databases below.

 - /etc/httpd/alias
 - /etc/dirsrv/slapd-<instance name>
 - /etc/ipa/nssdb
 - /var/lib/pki/pki-tomcat/alias

When we ran "ipa-certupdate" all of the expired certs were added back to the NSS DBs.

After deleting the  we deleted the expired certs from "cn=certificates,cn=ipa,cn=etc,SUFFIX", we were able to run "ipa-certupdate" successfully.

The expired certs were not added back to the NSS DBs.
Comment 3 Marco Rhodes 2018-02-06 23:25:54 UTC 
(In reply to aheverle from comment #2)
> From talking with Marco Rhodes, "ipa-certupdate" is supposed to pull the
> valid cert from ldap

To clarify - the valid cert *and* whatever other cert(s) is/are under cn=certificates,cn=ipa,cn=etc,$BASEDN. To that end, I also indicated that the non-desired certs would have to be deleted from both LDAP and the NSS databases before ipa-certupdate would deliver the desired results, which was the case here. 

So, while the tool is working as designed, it may be good for it to be extended to also be able to optionally remove undesired certs from LDAP, requisite file system locations and NSS DBs.
Comment 4 Rob Crittenden 2018-02-12 16:30:20 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7404
Comment 10 Rob Crittenden 2021-02-03 14:24:27 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/8124
Comment 18 errata-xmlrpc 2021-05-18 15:47:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846