Bug 1659511

Summary: ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not. [rhel-7.6.z]
Product: Red Hat Enterprise Linux 7 Reporter: RAD team bot copy to z-stream <autobot-eus-copy>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: high Docs Contact:
Priority: high    
Version: 7.4CC: frenaud, jreznik, myusuf, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.6.4-10.el7_6.2 Doc Type: Bug Fix
Doc Text:
Cause: The PKINIT feature requires a certificate signed by IPA CA. When enabling the feature, the step replacing the self-signed certificate with a certificate signed by IPA CA fails but goes undetected because the certificate file is already present on the filesystem. Consequence: The command 'ipa-pkinit-manage enable' reports that it succeeded but the PKINIT feature is not properly configured. Fix: The command now ensures that the certificate file is removed, ensuring that a new CA-signed certificate will be issued. Result: ipa-pkinit-manage enable now successfully configures PKINIT.
 Story Points: ---
Clone Of: 1493541 Environment:
Last Closed: 2019-01-29 17:24:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1493541    
Bug Blocks:    

Description RAD team bot copy to z-stream 2018-12-14 14:48:31 UTC 
This bug has been copied from bug #1493541 and has been proposed to be backported to 7.6 z-stream (EUS).
Comment 3 Mohammad Rizwan 2019-01-17 07:33:57 UTC 
version:
ipa-server-4.6.4-10.el7_6.2.x86_64
ipa-server-dns-4.6.4-10.el7_6.2.noarch

Steps:
1. Install master with --no-pkinit option

2. check certs tracked by ipa CA
    $ ipa-getcert list 

3. check pkinit status
    $ ipa-pkinit-manage status

4. enable pkinit and see if CSR generated
    $ ipa-pkinit-manage --verbose enable

5. check certs tracked by ipa CA
    $ ipa-getcert list

6. check pkinit status
    $  ipa-pkinit-manage status

Actual results:

[root@master ~]# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
[root@master ~]# 

2 certs tracked by IPA CA:

[root@master ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190117065534':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-01-17 06:55:35 UTC
	dns: master.testrelm.test
	principal name: ldap/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20190117065610':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-01-17 06:56:10 UTC
	dns: master.testrelm.test
	principal name: HTTP/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
[root@master ~]#


[root@master ~]# ipa-pkinit-manage --verbose enable
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_140411884189328
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.230')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.230')
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fb42fead758>
ipalib.frontend: DEBUG: raw: config_show(version=u'2.230')
ipalib.frontend: DEBUG: config_show(rights=False, all=False, raw=False, version=u'2.230')
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.230')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.230')
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.service: DEBUG: Configuring Kerberos KDC (krb5kdc)
Configuring Kerberos KDC (krb5kdc)
ipaserver.install.service: DEBUG:   [1/1]: installing X509 Certificate for PKINIT
  [1/1]: installing X509 Certificate for PKINIT
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipalib.install.certmonger: DEBUG: Cert request 20190117071422 was successful
ipaserver.install.service: DEBUG: service KDC has all config values set
ipaserver.install.service: DEBUG:   duration: 5 seconds
ipaserver.install.service: DEBUG: Done configuring Kerberos KDC (krb5kdc).
Done configuring Kerberos KDC (krb5kdc).
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipaplatform.base.services: DEBUG: Restart of krb5kdc.service complete
ipaserver.install.service: DEBUG: service KDC: config string pkinitEnabled already set
ipaserver.install.service: DEBUG: service KDC has already enabled config values ['pkinitEnabled']
ipalib.backend: DEBUG: Destroyed connection context.ldap2_140411884189328
ipapython.admintool: INFO: The ipa-pkinit-manage command was successful
[root@master ~]# 


[root@master ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190117065534':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-01-17 06:55:35 UTC
	dns: master.testrelm.test
	principal name: ldap/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20190117065610':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-01-17 06:56:10 UTC
	dns: master.testrelm.test
	principal name: HTTP/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20190117071422':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'                  
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'                        <<<<
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-01-17 07:14:22 UTC
	principal name: krbtgt/TESTRELM.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc                                                   <<<<
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes

[root@master ~]# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful

Thus based on above observations, marking the bug as verified.
Comment 5 errata-xmlrpc 2019-01-29 17:24:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0190