
Bug 1622184

Summary: ipa-cacert-manage renew --external-ca is failing
Product: Red Hat Enterprise Linux 7
Component: certmonger
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: Regression
Reporter: Rob Crittenden <rcritten>
Assignee: Rob Crittenden <rcritten>
QA Contact: ipa-qe <ipa-qe>
Docs Contact:
CC: frenaud, ipa-maint, ipa-qe, myusuf, nalin, ndehadra, pasik, pvoborni, rcritten, tscherf
Whiteboard:
Fixed In Version: certmonger-0.78.4-10.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1621192
Environment:
Last Closed: 2018-10-30 07:44:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1621192
Bug Blocks:

Description Rob Crittenden 2018-08-24 16:04:36 UTC
+++ This bug was initially created as a clone of Bug #1621192 +++

Description of problem:
ipa-cacert-manage renew --external-ca is failing

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-6.el7.x86_64

[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

How reproducible:
always

Steps to Reproduce:
1. install ipa-master with self-signed CA
2. run $ ipa-cacert-manage renew --external-ca


Actual results:

[root@master ~]# /usr/sbin/ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
org.fedorahosted.certmonger.request.bad_arg: Unrecognized parameter or wrong value type.
The ipa-cacert-manage command failed.

Expected results:
command should pass and csr should be generated

Additional info:

--- Additional comment from Red Hat Bugzilla Rules Engine on 2018-08-23 10:10:55 EDT ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Mohammad Rizwan on 2018-08-23 10:12:25 EDT ---

machine details:

vm-idm-018.lab.eng.pnq.redhat.com 
root/Secret123

--- Additional comment from Mohammad Rizwan on 2018-08-23 12:10:13 EDT ---

works on RHEL7.5

[root@gizmo ~]# rpm -qa | grep ipa-server
ipa-server-4.5.4-10.el7_5.3.x86_64
ipa-server-common-4.5.4-10.el7_5.3.noarch
ipa-server-dns-4.5.4-10.el7_5.3.noarch


[root@gizmo ~]# /usr/sbin/ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful


Hence marking as regression.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2018-08-23 12:10:21 EDT ---

This bug report has Keywords: Regression or TestBlocker.

Since no regressions or test blockers are allowed between releases, it is also being [proposed|marked] as a blocker for this release.

Please resolve ASAP.

--- Additional comment from Florence Blanc-Renaud on 2018-08-23 14:22:45 EDT ---

I suspect that the issue is linked to certmonger version.
ipa-cacert-manage is internally calling certmonger.modify, which is using the DBus API to communicate with certmonger.

The parameters provided to certmonger contain CA, template-profile and template-ms-certificate-template. I believe that the latter one has been introduced only in certmonger 0.79, but the version installed in rhel 7.6 is 0.78.4-9.el7.

Rob, can you check if my assumptions are correct? If it's the case, we need a backport of the patches related to MS cert template in 0.78.

--- Additional comment from Rob Crittenden on 2018-08-24 12:03:20 EDT ---

Confirmed, it is the unexpected template-ms-certificate-template DBus value.
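
The root cause above is a D-Bus client (ipa-cacert-manage) handing the daemon a property name, template-ms-certificate-template, that the installed certmonger 0.78.4-9 did not know, so the call died with the generic bad_arg error. The following is an added example, not FreeIPA or certmonger code, of the defensive pattern a caller can use instead of assuming a property exists: read the request object's D-Bus introspection XML, learn which properties the request interface really exposes, and vet the modify() arguments before sending them. An unknown key carrying no value (the situation in this bug) is dropped with a log line; an unknown key carrying a real value is refused, because silently dropping it could let a request go out under a different CA or profile than the caller asked for. The interface name is inferred from the error name quoted in this bug, the two introspection documents are constructed for the example rather than captured from a real daemon, and the CA and profile values are placeholders.

```python
"""Feature-detect certmonger request properties before calling modify().

Added example, not code from FreeIPA or certmonger.  Assumptions: the
interface name is inferred from the bad_arg error name in this bug; the
introspection documents are constructed, not captured from a daemon; the
CA and profile values are placeholders.
"""
import logging
import xml.etree.ElementTree as ET

log = logging.getLogger(__name__)

REQUEST_IFACE = "org.fedorahosted.certmonger.request"  # assumed interface name

# Constructed: stands in for a certmonger 0.78.4-9 request object, which
# knows "CA" and "template-profile" but not the MS template property.
OLD_INTROSPECTION = """<node>
  <interface name="org.fedorahosted.certmonger.request">
    <method name="modify">
      <arg name="properties" type="a{sv}" direction="in"/>
    </method>
    <property name="CA" type="s" access="read"/>
    <property name="template-profile" type="s" access="read"/>
  </interface>
</node>
"""

# Constructed: the same object on a build that carries the MS template support.
NEW_INTROSPECTION = OLD_INTROSPECTION.replace(
    '<property name="template-profile" type="s" access="read"/>',
    '<property name="template-profile" type="s" access="read"/>\n'
    '    <property name="template-ms-certificate-template" type="s" access="read"/>',
)


class UnsupportedProperty(ValueError):
    """Raised when a caller insists on a property the daemon cannot store."""


def supported_properties(introspection_xml, iface=REQUEST_IFACE):
    """Return the set of property names that `iface` exposes in the XML."""
    root = ET.fromstring(introspection_xml)
    for interface in root.iter("interface"):
        if interface.get("name") == iface:
            return {prop.get("name") for prop in interface.findall("property")}
    raise LookupError("interface %s is not exported by this object" % iface)


def prepare_modify_args(wanted, supported):
    """Filter `wanted` down to the properties the daemon understands.

    An unknown key with an empty value (None or "") only meant to clear
    something the daemon never had, so it is dropped with a log line.
    An unknown key with a real value is refused rather than dropped.
    """
    accepted = {}
    for key, value in wanted.items():
        if key in supported:
            accepted[key] = value
        elif value in (None, ""):
            log.debug("dropping %r: not supported by this certmonger", key)
        else:
            raise UnsupportedProperty(
                "certmonger here does not support %r; refusing to drop "
                "a non-empty value" % key)
    return accepted


def would_be_accepted(wanted, supported):
    """True if prepare_modify_args() would not refuse `wanted`."""
    try:
        prepare_modify_args(wanted, supported)
    except UnsupportedProperty:
        return False
    return True


if __name__ == "__main__":
    wanted = {  # placeholder values, not real IPA settings
        "CA": "example-ca",
        "template-profile": "caExampleProfile",
        "template-ms-certificate-template": None,
    }
    for label, xml in (("0.78.4-9", OLD_INTROSPECTION), ("patched", NEW_INTROSPECTION)):
        props = supported_properties(xml)
        print(label, "->", prepare_modify_args(wanted, props))
```

Against a live daemon the XML would come from the object's org.freedesktop.DBus.Introspectable.Introspect() call rather than the constructed strings above; the filtering logic is unchanged. The distinction between dropping an empty value and refusing a non-empty one is the point: the former turns this bug's hard failure into a debug message, while the latter keeps a version mismatch from quietly changing which CA or profile a certificate is requested under.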

Comment 5 Mohammad Rizwan 2018-08-29 10:29:24 UTC
version:
certmonger-0.78.4-10.el7.x86_64
ipa-server-4.6.4-6.el7.x86_64


Steps:

Execute:
IPATEST_YAML_CONFIG=/root/mh_cfg.yaml ipa-run-tests -v -r a --with-xunit test_integration/test_external_ca.py::TestSelfExternalSelf --logging-level=DEBUG


[..]
test_integration/test_external_ca.py::TestSelfExternalSelf::test_switch_to_external_ca [ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-ca']
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-ca']
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] Exporting CA certificate signing request, please wait
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] The ipa-cacert-manage command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] GET /var/lib/ipa/ca.csr
[ipatests.pytest_ipa.integration.host.Host.master.cmd35] RUN ['cat', '/var/lib/ipa/ca.csr']
[ipatests.pytest_ipa.integration.host.Host.master.cmd35] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] PUT /root/ipatests/root_ca.crt
[ipatests.pytest_ipa.integration.host.Host.master.cmd36] RUN ['tee', '/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd36] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] PUT /root/ipatests/ipa_ca.crt
[ipatests.pytest_ipa.integration.host.Host.master.cmd37] RUN ['tee', '/root/ipatests/ipa_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd37] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-cert-file=/root/ipatests/ipa_ca.crt', '--external-cert-file=/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-cert-file=/root/ipatests/ipa_ca.crt', '--external-cert-file=/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] Importing the renewed CA certificate, please wait
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] CA certificate successfully renewed
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] The ipa-cacert-manage command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-certupdate']
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] RUN ['/usr/sbin/ipa-certupdate']
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] trying https://master.testrelm.test/ipa/json
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] [try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://master.testrelm.test/ipa/json'
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] [try 1]: Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Systemwide CA database updated.
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Systemwide CA database updated.
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] The ipa-certupdate command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['certutil', '-L', '-d', '/etc/pki/pki-tomcat/alias']
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] RUN ['certutil', '-L', '-d', '/etc/pki/pki-tomcat/alias']
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Certificate Nickname                                         Trust Attributes
[ipatests.pytest_ipa.integration.host.Host.master.cmd40]                                                              SSL,S/MIME,JAR/XPI
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] ocspSigningCert cert-pki-ca                                  u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] subsystemCert cert-pki-ca                                    u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] CN=example.test                                              C,,  
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] auditSigningCert cert-pki-ca                                 u,u,Pu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Server-Cert cert-pki-ca                                      u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Exit code: 0
PASSED

[..]


Full console logs are provided. Based on above observation, marking the bug as verified.

Comment 8 errata-xmlrpc 2018-10-30 07:44:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3018