Bug 1621192

Summary: ipa-cacert-manage renew --external-ca is failing
Product: Red Hat Enterprise Linux 7
Reporter: Mohammad Rizwan <myusuf>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 7.6
CC: frenaud, ndehadra, nsoman, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.6.4-7.el7
Doc Type: If docs needed, set a value
Clones: 1622184
Last Closed: 2020-06-22 12:41:35 UTC
Type: Bug
Bug Blocks: 1622184

Description Mohammad Rizwan 2018-08-23 14:10:46 UTC
Description of problem:
ipa-cacert-manage renew --external-ca is failing

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-6.el7.x86_64

[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

How reproducible:
always

Steps to Reproduce:
1. install ipa-master with self-signed CA
2. run $ ipa-cacert-manage renew --external-ca


Actual results:

[root@master ~]# /usr/sbin/ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
org.fedorahosted.certmonger.request.bad_arg: Unrecognized parameter or wrong value type.
The ipa-cacert-manage command failed.

Expected results:
command should pass and csr should be generated

Additional info:

Comment 5 Florence Blanc-Renaud 2018-08-23 18:22:45 UTC
I suspect that the issue is linked to certmonger version.
ipa-cacert-manage is internally calling certmonger.modify, which is using the DBus API to communicate with certmonger.

The parameters provided to certmonger contain CA, template-profile and template-ms-certificate-template. I believe that the latter one has been introduced only in certmonger 0.79, but the version installed in rhel 7.6 is 0.78.4-9.el7.

Rob, can you check if my assumptions are correct? If it's the case, we need a backport of the patches related to MS cert template in 0.78.
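
Added example (not IPA's or certmonger's own code, and not part of the bug thread): the failure mode described in comment 5 is a client sending a request property (template-ms-certificate-template) that an older certmonger daemon does not recognize, so the DBus modify() call fails with org.fedorahosted.certmonger.request.bad_arg. The sketch below shows the defensive caller pattern: send the full property set, and if the daemon rejects it with exactly that error name, drop the newer optional property and retry once. The DBus backend is injected as a plain callable so the logic runs offline; FakeCertmonger, the CA object path, the profile name and the template value are constructed stand-ins, and the only certmonger behaviour assumed is the error name quoted in the report.

```python
"""Feature-detection fallback for a certmonger request modify() call.
Added illustration; FakeCertmonger and the sample values are constructed."""

# Error name quoted in the bug report ("Unrecognized parameter or wrong value type.")
BAD_ARG = "org.fedorahosted.certmonger.request.bad_arg"

# Properties a caller may drop when the daemon does not know them.
# Assumption: only this key is "new" relative to certmonger 0.78.4.
OPTIONAL_PROPS = ("template-ms-certificate-template",)


class CertmongerError(Exception):
    """Error returned by the backend; `name` carries the DBus error name."""
    def __init__(self, name, message=""):
        super().__init__(message or name)
        self.name = name


def build_modify_args(ca_path=None, profile=None, template_v2=None):
    """Shape the argument dict the way comment 5 describes it:
    CA, template-profile, template-ms-certificate-template. None is omitted."""
    args = {}
    if ca_path is not None:
        args["CA"] = ca_path
    if profile is not None:
        args["template-profile"] = profile
    if template_v2 is not None:
        args["template-ms-certificate-template"] = template_v2
    return args


def modify_with_fallback(modify_call, args):
    """Call modify_call(args). On bad_arg, strip one optional property and
    retry; any other error, or bad_arg with nothing left to strip, propagates.
    Returns (result, list_of_dropped_keys) so the caller can log the gap."""
    dropped = []
    attempt = dict(args)
    while True:
        try:
            return modify_call(attempt), dropped
        except CertmongerError as e:
            if e.name != BAD_ARG:
                raise
            removable = [k for k in OPTIONAL_PROPS if k in attempt]
            if not removable:
                raise  # genuine bad argument, not a version gap
            key = removable[0]
            del attempt[key]
            dropped.append(key)


class FakeCertmonger:
    """Constructed stand-in for a certmonger request object's modify().
    `known` is the set of request properties this daemon version accepts."""
    def __init__(self, known):
        self.known = set(known)
        self.applied = None

    def modify(self, args):
        unknown = set(args) - self.known
        if unknown:
            raise CertmongerError(BAD_ARG, "Unrecognized parameter or wrong value type.")
        self.applied = dict(args)
        return True


OLD_DAEMON_PROPS = {"CA", "template-profile"}                  # behaves like 0.78.4-9
NEW_DAEMON_PROPS = OLD_DAEMON_PROPS | {"template-ms-certificate-template"}


def renew_against(daemon_props, template_v2=None):
    """Drive one renew-style modify() against a fake daemon and report what
    was applied and what had to be dropped. Path/profile/OID are constructed."""
    daemon = FakeCertmonger(daemon_props)
    args = build_modify_args("/cas/constructed_ipa_ca",   # hypothetical CA object path
                             "caCACert",                  # sample profile name
                             template_v2)
    _, dropped = modify_with_fallback(daemon.modify, args)
    return daemon.applied, dropped


if __name__ == "__main__":
    for props in (OLD_DAEMON_PROPS, NEW_DAEMON_PROPS):
        applied, dropped = renew_against(props, template_v2="1.2.3.4")  # constructed OID
        print(sorted(applied), "dropped:", dropped)
```

The fallback is a mitigation, not the fix: silently omitting the MS template property means a renewed certificate would not carry the template extension the caller asked for, which is why the returned dropped list should be logged rather than ignored. The thread resolves the regression on the daemon side instead (comments 6 and 8), which is the right place for it.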

Comment 6 Rob Crittenden 2018-08-24 16:03:20 UTC
Confirmed, it is the unexpected template-ms-certificate-template DBus value.

Comment 8 Rob Crittenden 2018-08-28 13:04:33 UTC
Fixed in certmonger-0.78.4-10.el7

Comment 9 Mohammad Rizwan 2018-08-29 10:32:57 UTC
version:
certmonger-0.78.4-10.el7.x86_64
ipa-server-4.6.4-6.el7.x86_64


Steps:

Execute:
IPATEST_YAML_CONFIG=/root/mh_cfg.yaml ipa-run-tests -v -r a --with-xunit test_integration/test_external_ca.py::TestSelfExternalSelf --logging-level=DEBUG


[..]
test_integration/test_external_ca.py::TestSelfExternalSelf::test_switch_to_external_ca [ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-ca']
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-ca']
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] Exporting CA certificate signing request, please wait
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] The ipa-cacert-manage command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] GET /var/lib/ipa/ca.csr
[ipatests.pytest_ipa.integration.host.Host.master.cmd35] RUN ['cat', '/var/lib/ipa/ca.csr']
[ipatests.pytest_ipa.integration.host.Host.master.cmd35] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] PUT /root/ipatests/root_ca.crt
[ipatests.pytest_ipa.integration.host.Host.master.cmd36] RUN ['tee', '/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd36] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] PUT /root/ipatests/ipa_ca.crt
[ipatests.pytest_ipa.integration.host.Host.master.cmd37] RUN ['tee', '/root/ipatests/ipa_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd37] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-cert-file=/root/ipatests/ipa_ca.crt', '--external-cert-file=/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-cert-file=/root/ipatests/ipa_ca.crt', '--external-cert-file=/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] Importing the renewed CA certificate, please wait
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] CA certificate successfully renewed
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] The ipa-cacert-manage command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-certupdate']
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] RUN ['/usr/sbin/ipa-certupdate']
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] trying https://master.testrelm.test/ipa/json
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] [try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://master.testrelm.test/ipa/json'
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] [try 1]: Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Systemwide CA database updated.
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Systemwide CA database updated.
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] The ipa-certupdate command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['certutil', '-L', '-d', '/etc/pki/pki-tomcat/alias']
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] RUN ['certutil', '-L', '-d', '/etc/pki/pki-tomcat/alias']
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Certificate Nickname                                         Trust Attributes
[ipatests.pytest_ipa.integration.host.Host.master.cmd40]                                                              SSL,S/MIME,JAR/XPI
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] ocspSigningCert cert-pki-ca                                  u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] subsystemCert cert-pki-ca                                    u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] CN=example.test                                              C,,  
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] auditSigningCert cert-pki-ca                                 u,u,Pu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Server-Cert cert-pki-ca                                      u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Exit code: 0
PASSED

[..]


Failure is not observed.

Comment 10 Namita Soman 2018-09-04 17:37:36 UTC
Marking this verified, as noted above. The fix is included in bz1622184.