Bug 1732428

Summary: cacert.p12 fails to get imported.
Product: Red Hat Enterprise Linux 8
Reporter: Christian Heimes <cheimes>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED WONTFIX
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.2
CC: cheimes, ksiddiqu, pasik, pcech, pvoborni, rcritten, tscherf, twoerner
Target Milestone: rc
Target Release: 8.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-01-27 14:48:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1727835

Description Christian Heimes 2019-07-23 11:18:48 UTC
This bug was initially created as a copy of Bug #1727835

I am copying this bug because: 
IPA is going to change the pki config template as workaround.


Description of problem: cacert.p12 fails to get imported.

Version-Release number of selected component (if applicable):
ipa-server-4.8.0-1.module+el8.1.0+3577+202f0a51.x86_64

How reproducible: Always

Steps to Reproduce:
1. Install IPA server. Ensure cacert.p12 file is present
2. Try to import the file using the pki command.

#pki -v -d  /tmp/test -c Secret123 -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123

Actual results:
[root@ipa ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.1 Beta (Ootpa)

[root@ipa test]# pki -v -d  /tmp/test -c Secret123 -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
PKI options: -v -d /tmp/test -c Secret123
PKI command: 8080 -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/test -c Secret123 --verbose -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
Server URL: http://ipa.example.test:8080
NSS database: /tmp/test
Message format: null
Command: client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
Module: client
Module: cert-import
Importing certificates from /root/cacert.p12.
External command: /usr/bin/pk12util -d /tmp/test -k /tmp/pki-client-cert-import-4556096729051108750.nssdb-pwd -i /root/cacert.p12 -w /tmp/pki-client-cert-import-1914323035172484393.pkcs12-pwd
java.lang.Exception: Unable to import PKCS #12 file
        at com.netscape.cmstools.client.ClientCertImportCLI.importPKCS12(ClientCertImportCLI.java:490)
        at com.netscape.cmstools.client.ClientCertImportCLI.execute(ClientCertImportCLI.java:231)
        at org.dogtagpki.cli.CLI.execute(CLI.java:345)
        at org.dogtagpki.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:667)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:703)
Caused by: org.dogtagpki.cli.CLIException: External command failed. RC: 18
        at org.dogtagpki.cli.CLI.runExternal(CLI.java:386)
        at org.dogtagpki.cli.CLI.runExternal(CLI.java:358)
        at com.netscape.cmstools.client.ClientCertImportCLI.importPKCS12(ClientCertImportCLI.java:488)
        ... 5 more
ERROR: Command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/test -c Secret123 --verbose -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123

Expected results: The cacert.p12 file should get imported. It works in RHEL7.7

Additional info: Attaching the logs for reference.
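The verbose output above only surfaces pk12util's return code (RC 18), which does not tell an operator whether the password or the container itself is at fault. As an added example, not code from the bug report, IPA or Dogtag, the following stdlib-only Python check parses the outer PFX structure of a .p12 file and verifies its integrity MAC under the supplied password using the RFC 7292 Appendix B key derivation. The function names, the minimal constructed PFX fixture (an empty AuthenticatedSafe sealed with the password Secret123 from the report and an all-zero salt) and the SHA-1/SHA-256 OID table are assumptions of the example.

```python
"""Stdlib-only PKCS#12 sanity check: parse the outer PFX and verify its MAC with
the supplied password (RFC 7292, Appendix B). A failed MAC means a wrong password
or a damaged file; a good MAC means the container is intact. Example code only."""
import hashlib
import hmac

OID_DATA = bytes.fromhex("2a864886f70d010701")      # 1.2.840.113549.1.7.1 id-data
MAC_OIDS = {                                         # digest OID -> hashlib name
    bytes.fromhex("2b0e03021a"): "sha1",             # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",   # 2.16.840.1.101.3.4.2.1
}


def _tlv(tag, body):
    """Encode one DER element (short or long length form)."""
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body


def _read(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def pkcs12_kdf(hash_name, password, salt, iterations, id_byte, n):
    """PKCS#12 KDF (RFC 7292 B.2); id_byte 3 derives the MAC key."""
    v, u = hashlib.new(hash_name).block_size, hashlib.new(hash_name).digest_size
    D = bytes([id_byte]) * v
    P = password.encode("utf-16-be") + b"\x00\x00"   # BMPString plus terminator

    def expand(x):                                    # repeat x to a multiple of v bytes
        k = -(-len(x) // v) * v
        return (x * (k // len(x) + 1))[:k] if x else b""

    I = bytearray(expand(salt) + expand(P))
    out = b""
    while len(out) < n:
        A = hashlib.new(hash_name, D + bytes(I)).digest()
        for _ in range(iterations - 1):
            A = hashlib.new(hash_name, A).digest()
        out += A
        B = int.from_bytes((A * (v // u + 1))[:v], "big")
        for j in range(0, len(I), v):                 # I_j = (I_j + B + 1) mod 2^(8v)
            Ij = (int.from_bytes(I[j:j + v], "big") + B + 1) % (1 << (8 * v))
            I[j:j + v] = Ij.to_bytes(v, "big")
    return out[:n]


def parse_pfx(der):
    """Return version, the MAC'd AuthenticatedSafe DER and the macData fields."""
    tag, pfx, _ = _read(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM, or not a PFX at all?)")
    _, ver, pos = _read(pfx)
    _, authsafe, pos = _read(pfx, pos)                # ContentInfo
    _, oid, p = _read(authsafe)
    if oid != OID_DATA:
        raise ValueError("authSafe is not id-data (public-key protected PFX)")
    _, ctx0, _ = _read(authsafe, p)                   # [0] EXPLICIT OCTET STRING
    content = _read(ctx0)[1]
    info = {"version": int.from_bytes(ver, "big"), "content": content, "mac": None}
    if pos < len(pfx):                                # macData is OPTIONAL
        _, macdata, _ = _read(pfx, pos)
        _, digestinfo, p = _read(macdata)
        _, algid, q = _read(digestinfo)
        _, salt, p = _read(macdata, p)
        iterations = int.from_bytes(_read(macdata, p)[1], "big") if p < len(macdata) else 1
        info["mac"] = {"hash": MAC_OIDS.get(_read(algid)[1]), "digest": _read(digestinfo, q)[1],
                       "salt": salt, "iterations": iterations}
    return info


def verify_mac(der, password):
    """True if the PFX integrity MAC verifies under password, else False."""
    info = parse_pfx(der)
    m = info["mac"]
    if m is None or m["hash"] is None:
        raise ValueError("no macData, or unsupported MAC digest algorithm")
    key = pkcs12_kdf(m["hash"], password, m["salt"], m["iterations"], 3,
                     hashlib.new(m["hash"]).digest_size)
    expected = hmac.new(key, info["content"], m["hash"]).digest()
    return hmac.compare_digest(expected, m["digest"])


def build_pfx(content, password, salt, hash_name="sha256", iterations=2048):
    """Wrap an AuthenticatedSafe DER blob in a MAC-protected PFX (test fixture)."""
    oid = next(k for k, v in MAC_OIDS.items() if v == hash_name)
    key = pkcs12_kdf(hash_name, password, salt, iterations, 3,
                     hashlib.new(hash_name).digest_size)
    digest = hmac.new(key, content, hash_name).digest()
    authsafe = _tlv(0x30, _tlv(0x06, OID_DATA) + _tlv(0xA0, _tlv(0x04, content)))
    algid = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    macdata = _tlv(0x30, _tlv(0x30, algid + _tlv(0x04, digest)) + _tlv(0x04, salt)
                   + _tlv(0x02, iterations.to_bytes((iterations.bit_length() + 8) // 8, "big")))
    return _tlv(0x30, _tlv(0x02, b"\x03") + authsafe + macdata)


# Constructed fixture: empty AuthenticatedSafe ("30 00"), report password, fixed salt.
SAMPLE_PFX = build_pfx(bytes.fromhex("3000"), "Secret123", salt=bytes(8))
```

To check a real file, call `verify_mac(open("/root/cacert.p12", "rb").read(), password)`. The check covers only the outer integrity MAC: it does not decrypt the SafeBags, so a file can pass here and still carry bag encryption or key attributes that a particular importer rejects, and a file written without macData (some tools allow this) raises rather than returning False.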

Comment 3 Christian Heimes 2019-09-18 08:06:56 UTC
Moving to 8.2

In #1727835 Endi recommended disabling pki_backup_keys and suggested using PKCS12Export to back up the NSSDB after installation instead:

    $ PKCS12Export -d /etc/pki/pki-tomcat/alias -p password.txt -o /root/cacert.p12 -w password.txt

Comment 9 Petr Vobornik 2021-01-27 14:48:56 UTC
This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address it at some point in future. Time showed that we did not have such capacity, nor have it now nor will have in the foreseeable future. In such a situation keeping it in the backlog is misleading and setting the wrong expectation that we will be able to address it. Unfortunately we will not. To reflect this we are closing this BZ. If you disagree with the decision please reopen or open a new support case and create a new BZ. However this does not guarantee that the request will not be closed during the triage as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream is always welcome!
Thank you for understanding
Red Hat Enterprise Linux Identity Management Team