Bug 1633761

Summary: Installation of CA using an existing CA fails
Product: Red Hat Enterprise Linux 7
Reporter: Roshni <rpattath>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.6
CC: cpelland, edewata, mharmsen, msauton, prisingh, rpattath, salmy
Target Milestone: rc
Keywords: Regression, TestBlocker, TestCaseProvided, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pki-core-10.5.16-2.el7
Doc Type: Bug Fix
Doc Text:
Certificate System CA installations succeed when using a PKCS #12 file

Previously, the default value of the `pki_ca_signing_cert_path` parameter was set to a predefined path. Due to a recent change in the way the `pkispawn` utility validates the parameter when an administrator used a PKCS #12 file to install a certificate authority (CA), the installation failed with an `Invalid certificate path: pki_ca_signing_cert_path=/etc/pki/pki-tomcat/external_ca.cert` error. This update fixes the problem by removing the default value of `pki_ca_signing_cert_path`. As a result, the CA installation succeeds in the mentioned scenario.
Story Points: ---
Clone Of:
Clones: 1636490
Environment:
Last Closed: 2019-08-06 13:07:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1636490

Description Roshni 2018-09-27 16:54:32 UTC
Description of problem:
Installation of CA using an existing CA fails

Version-Release number of selected component (if applicable):
pki-ca-10.5.9-6.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Following steps in http://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_Existing_Certificates_using_PKCS12_File
2. Installation file used

[root@auto-hv-01-guest05 ~]# cat ca.inf 
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=SECret.123
pki_client_pkcs12_password=SECret.123
pki_ds_password=SECret.123
pki_ds_ldap_port=389
pki_existing=True

[CA]
pki_ca_signing_nickname=caSigningCert cert-topology-CA CA
pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=test.crt
pki_ocsp_signing_nickname=ocspSigningCert cert-topology-CA CA
pki_ocsp_signing_csr_path=ca_ocsp_signing.csr

pki_audit_signing_nickname=auditSigningCert cert-topology-CA CA
pki_audit_signing_csr_path=ca_audit_signing.csr

pki_subsystem_nickname=subsystemCert cert-topology-CA
pki_subsystem_csr_path=subsystem.csr

pki_sslserver_nickname=Server-Cert cert-topology-CA
pki_sslserver_csr_path=sslserver.csr
pki_pkcs12_path=ca.p12
pki_pkcs12_password=Secret.123
#pki_ds_base_dn=dc=auto-hv-01-guest08.idmqe.lab.eng.bos.redhat.com-pki-ca
#pki_ds_database=auto-hv-01-guest08.idmqe.lab.eng.bos.redhat.com-pki-ca
pki_serial_number_range_start=20
pki_request_number_range_start=80
#pki_master_crl_enable=False

3.

Actual results:
[root@auto-hv-01-guest05 ~]# pkispawn -s CA -f ca.inf
Log file: /var/log/pki/pki-ca-spawn.20180927121920.log
Loading deployment configuration from ca.inf.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
 
Installation failed: Invalid certificate path: pki_ca_signing_cert_path=/etc/pki/pki-tomcat/external_ca.cert

Expected results:


Additional info:
https://pagure.io/dogtagpki/issue/3040
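The failure mode in this report, modelled as an added Python example. This is not pkispawn's code and not something the reporter posted; it reproduces the behaviour the Doc Text describes so the regression and its fix can be seen side by side. Assumptions, all labelled in the code: the .inf is layered over built-in defaults the way pkispawn's default.cfg and [CA] section are assumed to combine; the built-in default for pki_ca_signing_cert_path before the fix is the path quoted in the error above and is empty after it; validation is reduced to the single rule "a non-empty certificate path must exist on disk"; and the sample ca.inf and the set of "existing" files are constructed for the illustration. The sample .inf deliberately omits pki_ca_signing_cert_path so that the built-in default is what gets validated.

```python
"""Model of the pki_ca_signing_cert_path validation regression from this bug.

Added illustration only: not pkispawn's own code. It layers an administrator's
ca.inf over built-in defaults the way pkispawn's default.cfg/[CA] layering is
assumed to work, then applies one assumed rule: a non-empty certificate path
must exist on disk. Before the fix the built-in default was a predefined path;
after the fix there is no default.
"""
import configparser
import os

# Parameters the model validates as certificate paths (assumption: only the
# parameter named in this bug, kept as a tuple so more can be added).
CERT_PATH_PARAMS = ("pki_ca_signing_cert_path",)

# Built-in defaults before the fix: the path quoted in the error message.
DEFAULTS_BEFORE_FIX = {
    "pki_ca_signing_cert_path": "/etc/pki/pki-tomcat/external_ca.cert",
}

# Built-in defaults after the fix: the parameter has no value unless the
# administrator sets it.
DEFAULTS_AFTER_FIX = {
    "pki_ca_signing_cert_path": "",
}

# Constructed sample ca.inf for the PKCS #12 scenario: pki_existing=True,
# certificates supplied via pki_pkcs12_path, pki_ca_signing_cert_path not set.
SAMPLE_INF = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_existing=True

[CA]
pki_ca_signing_nickname=caSigningCert cert-topology-CA CA
pki_pkcs12_path=ca.p12
pki_pkcs12_password=changeme
"""


class InstallationFailed(Exception):
    """Carries the same message shape pkispawn printed in the report."""


def load_deployment_config(inf_text, defaults, subsystem="CA"):
    """Parse a pkispawn-style .inf and merge it over built-in defaults.

    Returns the effective [CA] section (including [DEFAULT] keys) as a dict.
    Interpolation is disabled so pkispawn's %(...)s references are not expanded.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_dict({subsystem: defaults})  # built-in defaults come first
    parser.read_string(inf_text)             # the administrator's file overrides
    return dict(parser[subsystem])


def validate_cert_paths(config, exists=os.path.isfile):
    """Reject any non-empty certificate path that does not point at a file.

    `exists` is injectable so the check can run against a constructed file set.
    """
    for param in CERT_PATH_PARAMS:
        path = config.get(param, "")
        if path and not exists(path):
            raise InstallationFailed(
                "Invalid certificate path: %s=%s" % (param, path))
    return True


def simulate_install(inf_text, defaults, present_files=frozenset()):
    """Return the installer's outcome line for a given defaults table.

    `present_files` is the constructed set of paths that 'exist' on the host.
    """
    config = load_deployment_config(inf_text, defaults)
    try:
        validate_cert_paths(config, exists=lambda p: p in present_files)
    except InstallationFailed as err:
        return "Installation failed: %s" % err
    return "Installation succeeded"


if __name__ == "__main__":
    # Pre-fix: the unset parameter inherits a path that does not exist.
    print(simulate_install(SAMPLE_INF, DEFAULTS_BEFORE_FIX))
    # Post-fix: nothing to validate, the PKCS #12 install proceeds.
    print(simulate_install(SAMPLE_INF, DEFAULTS_AFTER_FIX))
    # Post-fix, explicit but missing path: still caught, as it should be.
    print(simulate_install(SAMPLE_INF + "pki_ca_signing_cert_path=missing.crt\n",
                           DEFAULTS_AFTER_FIX))
```

The point the model makes is the general one behind this regression: a parameter that is validated as a filesystem path must not carry a non-empty default unless that default is guaranteed to exist, otherwise every deployment that legitimately leaves the parameter unset fails validation. Removing the default keeps the check for paths an administrator actually supplies while letting the PKCS #12 path through.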

Comment 4 Roshni 2018-10-02 20:21:00 UTC
The build looks good Endi.

Comment 5 Endi Sukma Dewata 2018-10-02 21:22:29 UTC
Thanks, Roshni!

Fixed in 10.5 branch:
* https://github.com/dogtagpki/pki/commit/a4f5b17ee96adf79391f9def6e04bb239a779cbe

Comment 13 Pritam Singh 2019-06-13 14:15:49 UTC
PKI Version:
[root@ipaqavme ~]# rpm -qa | grep pki-*
pki-base-10.5.16-2.el7.noarch
pki-base-java-10.5.16-2.el7.noarch
pki-server-10.5.16-2.el7.noarch
pki-ca-10.5.16-2.el7.noarch
pki-tools-10.5.16-2.el7.x86_64
pki-kra-10.5.16-2.el7.noarch

Steps of reproduction:

https://bugzilla.redhat.com/show_bug.cgi?id=1633761#c0
http://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_Existing_Certificates_using_PKCS12_File

Proof of concept:

Please find the attached file.

Hence, marking this bugzilla as verified.

Comment 15 errata-xmlrpc 2019-08-06 13:07:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2228