Bug 1659511
Summary: | ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not. [rhel-7.6.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.4 | CC: | frenaud, jreznik, myusuf, pvoborni, rcritten, tscherf |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ipa-4.6.4-10.el7_6.2 | Doc Type: | Bug Fix |
Doc Text: |
Cause: The PKINIT feature requires a certificate signed by IPA CA. When enabling the feature, the step replacing the self-signed certificate with a certificate signed by IPA CA fails but goes undetected because the certificate file is already present on the filesystem.
Consequence: The command 'ipa-pkinit-manage enable' reports that it succeeded but the PKINIT feature is not properly configured.
Fix: The command now removes the existing certificate file before requesting a new one, so that a CA-signed certificate is issued.
Result: ipa-pkinit-manage enable now successfully configures PKINIT.
|
Story Points: | --- |
Clone Of: | 1493541 | Environment: | |
Last Closed: | 2019-01-29 17:24:34 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1493541 | ||
Bug Blocks: |
Description
RAD team bot copy to z-stream
2018-12-14 14:48:31 UTC
version: ipa-server-4.6.4-10.el7_6.2.x86_64, ipa-server-dns-4.6.4-10.el7_6.2.noarch

Steps:

1. Install master with --no-pkinit option
2. check certs tracked by ipa CA: `$ ipa-getcert list`
3. check pkinit status: `$ ipa-pkinit-manage status`
4. enable pkinit and see if CSR generated: `$ ipa-pkinit-manage --verbose enable`
5. check certs tracked by ipa CA: `$ ipa-getcert list`
6. check pkinit status: `$ ipa-pkinit-manage status`

Actual results:

```
[root@master ~]# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
[root@master ~]#
```

2 certs tracked by IPA CA:

```
[root@master ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190117065534':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TESTRELM.TEST
    subject: CN=master.testrelm.test,O=TESTRELM.TEST
    expires: 2021-01-17 06:55:35 UTC
    dns: master.testrelm.test
    principal name: ldap/master.testrelm.test
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
    track: yes
    auto-renew: yes
Request ID '20190117065610':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TESTRELM.TEST
    subject: CN=master.testrelm.test,O=TESTRELM.TEST
    expires: 2021-01-17 06:56:10 UTC
    dns: master.testrelm.test
    principal name: HTTP/master.testrelm.test
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
[root@master ~]#
```

```
[root@master ~]# ipa-pkinit-manage --verbose enable
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_140411884189328
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.230')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.230')
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fb42fead758>
ipalib.frontend: DEBUG: raw: config_show(version=u'2.230')
ipalib.frontend: DEBUG: config_show(rights=False, all=False, raw=False, version=u'2.230')
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.230')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.230')
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.service: DEBUG: Configuring Kerberos KDC (krb5kdc)
Configuring Kerberos KDC (krb5kdc)
ipaserver.install.service: DEBUG: [1/1]: installing X509 Certificate for PKINIT
[1/1]: installing X509 Certificate for PKINIT
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipalib.install.certmonger: DEBUG: Cert request 20190117071422 was successful
ipaserver.install.service: DEBUG: service KDC has all config values set
ipaserver.install.service: DEBUG: duration: 5 seconds
ipaserver.install.service: DEBUG: Done configuring Kerberos KDC (krb5kdc).
Done configuring Kerberos KDC (krb5kdc).
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipaplatform.base.services: DEBUG: Restart of krb5kdc.service complete
ipaserver.install.service: DEBUG: service KDC: config string pkinitEnabled already set
ipaserver.install.service: DEBUG: service KDC has already enabled config values ['pkinitEnabled']
ipalib.backend: DEBUG: Destroyed connection context.ldap2_140411884189328
ipapython.admintool: INFO: The ipa-pkinit-manage command was successful
[root@master ~]#
```

```
[root@master ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190117065534':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TESTRELM.TEST
    subject: CN=master.testrelm.test,O=TESTRELM.TEST
    expires: 2021-01-17 06:55:35 UTC
    dns: master.testrelm.test
    principal name: ldap/master.testrelm.test
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
    track: yes
    auto-renew: yes
Request ID '20190117065610':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TESTRELM.TEST
    subject: CN=master.testrelm.test,O=TESTRELM.TEST
    expires: 2021-01-17 06:56:10 UTC
    dns: master.testrelm.test
    principal name: HTTP/master.testrelm.test
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20190117071422':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'   <<<<
    CA: IPA
    issuer: CN=Certificate Authority,O=TESTRELM.TEST
    subject: CN=master.testrelm.test,O=TESTRELM.TEST
    expires: 2021-01-17 07:14:22 UTC
    principal name: krbtgt/TESTRELM.TEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc   <<<<
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
[root@master ~]# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
```

Thus based on above observations, marking the bug as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0190
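The verification above relies on reading `ipa-getcert list` by eye rather than trusting the "command was successful" message. The following check does the same thing programmatically; it is added here and is not part of this bug report or of FreeIPA's own code. The two sample listings are constructed from the output quoted above (trimmed to the fields the check reads), and the parser assumes the `field: value` layout that output shows.

```python
import re

KDC_CERT = "/var/kerberos/krb5kdc/kdc.crt"  # KDC cert path quoted in the getcert output above

# Sample listings constructed from the output quoted in this report and trimmed to the
# fields this check reads. Before the fix nothing IPA-issued tracks kdc.crt at all.
LISTING_BEFORE = """Number of certificates and requests being tracked: 9.
Request ID '20190117065610':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    CA: IPA
    issuer: CN=Certificate Authority,O=TESTRELM.TEST
    subject: CN=master.testrelm.test,O=TESTRELM.TEST
    eku: id-kp-serverAuth,id-kp-clientAuth
"""
# After the fix certmonger tracks kdc.crt, issued by the IPA CA with the KDC PKINIT EKU.
LISTING_AFTER = LISTING_BEFORE + """Request ID '20190117071422':
    status: MONITORING
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TESTRELM.TEST
    subject: CN=master.testrelm.test,O=TESTRELM.TEST
    eku: id-kp-serverAuth,id-pkinit-KPKdc
"""


def parse_getcert_list(text):
    """Turn `ipa-getcert list` output into one {field: value} dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        line = line.strip()
        match = re.match(r"^Request ID '([^']+)':", line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:  # "field: value"; the header line is skipped
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def pkinit_cert_status(listing):
    """Return (ok, reason): is the KDC PKINIT cert tracked and issued by the IPA CA?"""
    for req in parse_getcert_list(listing):
        if KDC_CERT not in req.get("certificate", ""):
            continue
        if req.get("CA") != "IPA" or req.get("issuer") == req.get("subject"):  # self-signed: issuer == subject
            return False, "request %s tracks %s but it is not IPA-signed" % (req["id"], KDC_CERT)
        if "id-pkinit-KPKdc" not in req.get("eku", ""):
            return False, "request %s lacks the id-pkinit-KPKdc EKU" % req["id"]
        return True, "request %s: IPA-signed KDC cert, PKINIT usable" % req["id"]
    return False, "no certmonger request tracks %s; PKINIT is not IPA-signed" % KDC_CERT
```

On a live server, feed the real output of `ipa-getcert list` (run as root) to `pkinit_cert_status` instead of the samples.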