Bug 1622184

Summary: ipa-cacert-manage renew --external-ca is failing
Product: Red Hat Enterprise Linux 7
Component: certmonger
Version: 7.6
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Keywords: Regression
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Reporter: Rob Crittenden <rcritten>
Assignee: Rob Crittenden <rcritten>
QA Contact: ipa-qe <ipa-qe>
Docs Contact:
CC: frenaud, ipa-maint, ipa-qe, myusuf, nalin, ndehadra, pasik, pvoborni, rcritten, tscherf
Whiteboard:
Fixed In Version: certmonger-0.78.4-10.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1621192
Environment:
Last Closed: 2018-10-30 07:44:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1621192
Bug Blocks:

Description Rob Crittenden 2018-08-24 16:04:36 UTC
+++ This bug was initially created as a clone of Bug #1621192 +++

Description of problem:
ipa-cacert-manage renew --external-ca is failing

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-6.el7.x86_64

[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

How reproducible:
always

Steps to Reproduce:
1. install ipa-master with self-signed CA
2. run $ ipa-cacert-manage renew --external-ca


Actual results:

[root@master ~]# /usr/sbin/ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
org.fedorahosted.certmonger.request.bad_arg: Unrecognized parameter or wrong value type.
The ipa-cacert-manage command failed.

Expected results:
command should pass and csr should be generated

Additional info:

--- Additional comment from Red Hat Bugzilla Rules Engine on 2018-08-23 10:10:55 EDT ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Mohammad Rizwan on 2018-08-23 10:12:25 EDT ---

machine details:

vm-idm-018.lab.eng.pnq.redhat.com 
root/Secret123

--- Additional comment from Mohammad Rizwan on 2018-08-23 12:10:13 EDT ---

works on RHEL7.5

[root@gizmo ~]# rpm -qa | grep ipa-server
ipa-server-4.5.4-10.el7_5.3.x86_64
ipa-server-common-4.5.4-10.el7_5.3.noarch
ipa-server-dns-4.5.4-10.el7_5.3.noarch


[root@gizmo ~]# /usr/sbin/ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful


Hence marking as regression.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2018-08-23 12:10:21 EDT ---

This bug report has Keywords: Regression or TestBlocker.

Since no regressions or test blockers are allowed between releases, it is also being [proposed|marked] as a blocker for this release.

Please resolve ASAP.

--- Additional comment from Florence Blanc-Renaud on 2018-08-23 14:22:45 EDT ---

I suspect that the issue is linked to certmonger version.
ipa-cacert-manage is internally calling certmonger.modify, which is using the DBus API to communicate with certmonger.

The parameters provided to certmonger contain CA, template-profile and template-ms-certificate-template. I believe that the latter one has been introduced only in certmonger 0.79, but the version installed in rhel 7.6 is 0.78.4-9.el7.

Rob, can you check if my assumptions are correct? If it's the case, we need a backport of the patches related to MS cert template in 0.78.

--- Additional comment from Rob Crittenden on 2018-08-24 12:03:20 EDT ---

Confirmed, it is the unexpected template-ms-certificate-template DBus value.

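Added example, not part of this bug report and not IPA's or certmonger's own code: a version gate a practitioner can run on a host before invoking ipa-cacert-manage, to tell whether the installed certmonger build is one that understands the template-ms-certificate-template DBus key named in Florence Blanc-Renaud's and Rob Crittenden's comments above, together with the obvious client-side workaround of dropping that key from the modify() property dict when the daemon predates the fix. The thresholds come from this report (Fixed In Version certmonger-0.78.4-10.el7, and the statement that the key appeared upstream in certmonger 0.79); the dist-tag table, the property values and the version strings under __main__ are constructed assumptions. The comparison reimplements librpm's rpmvercmp rather than a string or tuple compare, which is exactly where a naive check gets 9.el7 versus 10.el7 wrong; the version is read with rpm -q --qf '%{VERSION}-%{RELEASE}' when rpm is present and the constructed samples are used otherwise.

```python
import re
import subprocess

# Thresholds taken from this bug report, not from certmonger's release notes:
# "Fixed In Version" is certmonger-0.78.4-10.el7, and the comment above says
# template-ms-certificate-template first appeared upstream in 0.79. Which
# other dist tags carry a backport is an assumption; extend the table as needed.
FIX_BY_DISTTAG = {
    "el7": ("0.78.4", "10.el7"),  # RHEL 7 backport (this bug's erratum)
    None: ("0.79", None),         # anything else: require upstream 0.79, any release
}

# Property key IPA passes to certmonger's modify() that an older daemon rejects
# with org.fedorahosted.certmonger.request.bad_arg (key name as quoted above).
MS_TEMPLATE_KEY = "template-ms-certificate-template"

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~|\^")


def rpmvercmp(a, b):
    """Compare two RPM version or release strings the way librpm does.

    Returns -1, 0 or 1. Segments are runs of digits or letters; every other
    byte is a separator. '~' sorts before everything (pre-releases), '^' sorts
    after a bare version but before any further segment, leading zeros are
    ignored in numeric segments, and a numeric segment beats an alphabetic one.
    """
    if a == b:
        return 0
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while i < len(ta) or i < len(tb):
        x = ta[i] if i < len(ta) else ""
        y = tb[i] if i < len(tb) else ""
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x == "^" or y == "^":
            if not x:
                return -1
            if not y:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            i += 1
            continue
        if not x or not y:
            break  # one side ran out; leftover segments decide below
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
        i += 1
    if i >= len(ta) and i >= len(tb):
        return 0
    return -1 if i >= len(ta) else 1


def parse_vr(vr_text):
    """Split '0.78.4-10.el7' (rpm -q --qf '%{VERSION}-%{RELEASE}') into
    (version, release). Neither field may contain '-', so rsplit is safe."""
    version, release = vr_text.strip().rsplit("-", 1)
    return version, release


def disttag(release):
    m = re.search(r"\.(el\d+)", release)
    return m.group(1) if m else None


def certmonger_accepts_ms_template(vr_text):
    """True if this certmonger build is at or past the build that understands
    MS_TEMPLATE_KEY according to FIX_BY_DISTTAG for its dist tag."""
    version, release = parse_vr(vr_text)
    want_ver, want_rel = FIX_BY_DISTTAG.get(disttag(release), FIX_BY_DISTTAG[None])
    c = rpmvercmp(version, want_ver)
    if c == 0 and want_rel is not None:
        c = rpmvercmp(release, want_rel)
    return c >= 0


def strip_unsupported(props, vr_text):
    """Client-side workaround: drop the key the daemon would reject with
    bad_arg. Returns (new dict, list of dropped keys) so the caller can log
    that the request went out without the MS template binding."""
    if certmonger_accepts_ms_template(vr_text):
        return dict(props), []
    kept = {k: v for k, v in props.items() if k != MS_TEMPLATE_KEY}
    return kept, [k for k in props if k == MS_TEMPLATE_KEY]


def installed_certmonger_vr():
    """Query the real package with rpm; None when rpm or the package is absent."""
    try:
        out = subprocess.check_output(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "certmonger"])
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.decode().splitlines()[0]


if __name__ == "__main__":
    # Constructed samples: the broken and fixed el7 builds from this bug,
    # plus an invented non-el7 version string to show the dist-tag branch.
    for sample in ("0.78.4-9.el7", "0.78.4-10.el7", "0.79-1.fc29"):
        print(sample, certmonger_accepts_ms_template(sample))
    vr = installed_certmonger_vr()
    if vr:
        print("installed:", vr, certmonger_accepts_ms_template(vr))
```

A version gate like this is necessarily distro-specific: the RHEL 7 erratum backported the feature into a 0.78.4 release, so a threshold of "0.79" would wrongly reject the fixed el7 build, and a threshold of "0.78.4-10" would wrongly accept an upstream 0.78.x; hence the dist-tag table. Dropping the key is only a way to get the CSR exported on an old daemon; the intended fix is updating certmonger to the erratum build.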
Comment 5 Mohammad Rizwan 2018-08-29 10:29:24 UTC
version:
certmonger-0.78.4-10.el7.x86_64
ipa-server-4.6.4-6.el7.x86_64


Steps:

Execute:
IPATEST_YAML_CONFIG=/root/mh_cfg.yaml ipa-run-tests -v -r a --with-xunit test_integration/test_external_ca.py::TestSelfExternalSelf --logging-level=DEBUG


[..]
test_integration/test_external_ca.py::TestSelfExternalSelf::test_switch_to_external_ca [ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-ca']
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-ca']
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] Exporting CA certificate signing request, please wait
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] The ipa-cacert-manage command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] GET /var/lib/ipa/ca.csr
[ipatests.pytest_ipa.integration.host.Host.master.cmd35] RUN ['cat', '/var/lib/ipa/ca.csr']
[ipatests.pytest_ipa.integration.host.Host.master.cmd35] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] PUT /root/ipatests/root_ca.crt
[ipatests.pytest_ipa.integration.host.Host.master.cmd36] RUN ['tee', '/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd36] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] PUT /root/ipatests/ipa_ca.crt
[ipatests.pytest_ipa.integration.host.Host.master.cmd37] RUN ['tee', '/root/ipatests/ipa_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd37] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-cert-file=/root/ipatests/ipa_ca.crt', '--external-cert-file=/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-cert-file=/root/ipatests/ipa_ca.crt', '--external-cert-file=/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] Importing the renewed CA certificate, please wait
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] CA certificate successfully renewed
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] The ipa-cacert-manage command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-certupdate']
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] RUN ['/usr/sbin/ipa-certupdate']
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] trying https://master.testrelm.test/ipa/json
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] [try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://master.testrelm.test/ipa/json'
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] [try 1]: Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Systemwide CA database updated.
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Systemwide CA database updated.
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] The ipa-certupdate command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['certutil', '-L', '-d', '/etc/pki/pki-tomcat/alias']
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] RUN ['certutil', '-L', '-d', '/etc/pki/pki-tomcat/alias']
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Certificate Nickname                                         Trust Attributes
[ipatests.pytest_ipa.integration.host.Host.master.cmd40]                                                              SSL,S/MIME,JAR/XPI
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] ocspSigningCert cert-pki-ca                                  u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] subsystemCert cert-pki-ca                                    u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] CN=example.test                                              C,,  
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] auditSigningCert cert-pki-ca                                 u,u,Pu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Server-Cert cert-pki-ca                                      u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Exit code: 0
PASSED

[..]


Full console logs are provided. Based on above observation, marking the bug as verified.

Comment 8 errata-xmlrpc 2018-10-30 07:44:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3018