Bug 1636490

Summary: Installation of CA using an existing CA fails [rhel-7.6.z]
Product: Red Hat Enterprise Linux 7
Reporter: Oneata Mircea Teodor <toneata>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.6
CC: cpelland, edewata, mharmsen, msauton, rpattath, salmy
Target Milestone: rc
Keywords: Regression, TestBlocker, TestCaseProvided, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pki-core-10.5.9-7.el7_6
Doc Type: Bug Fix
Doc Text:
Previously, the pki_ca_signing_cert_path parameter had a predefined path as its default value. Due to a recent change in the way the pkispawn utility validates the parameter, the installation failed with an "Invalid certificate path: pki_ca_signing_cert_path=/etc/pki/pki-tomcat/external_ca.cert" error when an administrator used a PKCS #12 file to install a certificate authority (CA). This update fixes the problem by removing the default value of pki_ca_signing_cert_path. As a result, the CA installation succeeds in the mentioned scenario.
Story Points: ---
Clone Of: 1633761
Environment:
Last Closed: 2019-01-29 17:21:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1633761
Bug Blocks:

Description Oneata Mircea Teodor 2018-10-05 14:00:43 UTC
This bug has been copied from bug #1633761 and has been proposed to be backported to 7.6 z-stream (EUS).

Comment 4 Matthew Harmsen 2018-10-05 15:10:44 UTC
Endi Sukma Dewata 2018-10-02 17:22:29 EDT

Thanks, Roshni!

Fixed in 10.5 branch:
* https://github.com/dogtagpki/pki/commit/a4f5b17ee96adf79391f9def6e04bb239a779cbe

Comment 5 Matthew Harmsen 2018-10-05 15:19:30 UTC
Test Procedure:
* Follow steps in http://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_Existing_Certificates_using_PKCS12_File

Comment 7 Roshni 2018-11-14 17:54:45 UTC
[root@auto-hv-01-guest08 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.5.9
Release     : 7.el7_6
Architecture: noarch
Install Date: Wed 14 Nov 2018 10:52:02 AM EST
Group       : System Environment/Daemons
Size        : 2449878
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.5.9-7.el7_6.src.rpm
Build Date  : Wed 31 Oct 2018 12:47:31 AM EDT
Build Host  : ppc-016.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Unable to reproduce the issue in https://bugzilla.redhat.com/show_bug.cgi?id=1633761#c0

Comment 13 errata-xmlrpc 2019-01-29 17:21:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0168