Bug 1756914
| Summary: | Sub-CA key replication failure [rhel-7.7.z] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.7 | CC: | frenaud, ftweedal, rcritten, ssidhaye, sumenon, tscherf |
| Target Milestone: | rc | Keywords: | Regression, ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.6.5-11.el7_7.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1755223 | Environment: | |
| Last Closed: | 2019-10-15 17:48:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1755223 | | |
| Bug Blocks: | | | |

Description
RAD team bot copy to z-stream
2019-09-30 08:14:57 UTC
Fix is seen. Verified on RHEL7.7
[root@master]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.7 (Maipo)
[root@master]# rpm -q ipa-server 389-ds-base krb5-server selinux-policy
ipa-server-4.6.5-11.el7_7.3.x86_64
389-ds-base-1.3.9.1-10.el7.x86_64
krb5-server-1.15.1-37.el7_7.2.x86_64
selinux-policy-3.13.1-252.el7.1.noarch
1. certutil -d . -L before setting up sub-ca on master.
[root@master alias]# hostname
master.rhel77.test
[root@master alias]# pwd
/etc/pki/pki-tomcat/alias
[root@master alias]# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CTu,Cu,Cu
auditSigningCert cert-pki-ca u,u,Pu
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
2. Setting up replica with setup ca
[root@replica ~]# ipa-replica-install --setup-ca -w Secret123 -n rhel77.test --server=master.rhel77.test -r RHEL77.TEST --hostname replica.rhel77.test
Done.
Finalize replication settings
Restarting the KDC
3. Check replica-manage list
[root@master alias]# ipa-replica-manage list
replica.rhel77.test: master
master.rhel77.test: master
4. Setting up sub-ca in ipa master and checking certutil output.
[root@master alias]# ipa ca-add
Name: subca
Subject DN: CN=subca
------------------
Created CA "subca"
------------------
Name: subca
Authority ID: cff68fa5-05a8-4d72-8f22-dff1f29135fd
Subject DN: CN=subca
Issuer DN: CN=Certificate Authority,O=RHEL77.TEST
Certificate: MIIDZTCCAk2gAwIBAgIBDzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtSSEVMNzcuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE5MTAwMzEyMjAxM1oXDTM5MTAwMzEyMjAxM1owEDEOMAwGA1UEAwwFc3ViY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT3HxxuUAOPDRAqD1GNOYuwLD4cibSLxSzaDk7/OHJvyfThyPIq+nzy/+LXV+/oye10kT6NVGvBJ4XBBkhSSrbdKnfze3aV+sjJADsYBdpGpnhnV0PYb8MlJoEDcd/JzGY5TWzVi8RHRFJgQRvke+pI/b7rPap4I3z9EEZiZ3ihz+e960Apnk6LuJNwa9ENVD199c/xuPtR33W8H7U+XyZ6x4v8z5Y6QkybWqCx1xM27N5hZjIh+m69uc16PieyqSVv7Z4rZmW2fnWJvXdsmJuyRfi+36yzX16AUr2AU5MVda/Xn4amuzU7O1DAn/bOt+0i3CIVb8o3AUUKXN24oXBAgMBAAGjgaMwgaAwHwYDVR0jBBgwFoAUj6/BrJBv2Hc4HpG7I0D3GkHrlokwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMwnDJR5ZtNrNvPjuQSlmeA3Q2DnMD0GCCsGAQUFBwEBBDEwLzAtBggrBgEFBQcwAYYhaHR0cDovL2lwYS1jYS5yaGVsNzcudGVzdC9jYS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBAQApOHwSLCsf5nnqOjqU55bpcYIGeXM5jpV3GQyaO+mgoL66tGFr4K6NzYTGY5QP/VphwcHM9ebhK/rtdOkyQ1DClU5zDTj23J//jVFn6wWlax7EYojcMtb4RAg/QgVc+Tsa+Ttll1052k+zjmdzsyUJ0WFL2mEDaUVL30UbBw3fgk7CfZhvwxsu0OxeosGNj7y+Mz/4rkpSSSd/PUv7MdPrqHIfPd/QDFzyuFNi4OyY4SG0XvqStrX1agOepf5s+tOCC2dbY/CmAUQViC5QfJ8GwblAdAERmSGMpd/YWRKu2M8W7MpTEsOZqkDckxYY0/hUrZxohn9azloysV12o5Zd
[root@master alias]# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CTu,Cu,Cu
auditSigningCert cert-pki-ca u,u,Pu
Server-Cert cert-pki-ca u,u,u
caSigningCert cert-pki-ca cff68fa5-05a8-4d72-8f22-dff1f29135fd u,u,u
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
5. Checking the entry in replica
[root@replica ~]# cd /etc/pki/pki-tomcat/alias/
[root@replica alias]# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-ca CTu,Cu,Cu
Server-Cert cert-pki-ca u,u,u
caSigningCert cert-pki-ca cff68fa5-05a8-4d72-8f22-dff1f29135fd u,u,u
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3070
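
The comparison made in steps 4 and 5 of the verification above (the sub-CA nickname `caSigningCert cert-pki-ca <Authority ID>` must show up in the `certutil -d . -L` listing on every CA server) can be scripted. This is an added example, not part of the bug report or of IPA: the function names are hypothetical and the listings are constructed samples modelled on the quoted output.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm a sub-CA signing cert
# nickname is present in `certutil -d . -L` listings from each CA server.

# Print the nicknames in a `certutil -L` listing read from stdin. The last
# field of each entry is the trust flags (e.g. "CTu,Cu,Cu"); header lines
# have no such field and are skipped.
list_nicknames() {
    awk 'NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
             $NF = ""; sub(/[ \t]+$/, ""); print
         }'
}

# Succeed if the listing on stdin has the signing cert for authority ID $1.
has_subca_cert() {
    list_nicknames | grep -Fxq "caSigningCert cert-pki-ca $1"
}

# Usage: check_replication AUTHORITY_ID HOST LISTING [HOST LISTING ...]
# Prints one status line per host; returns 1 if any host lacks the cert.
check_replication() {
    cr_id=$1; cr_rc=0; shift
    while [ $# -ge 2 ]; do
        if printf '%s\n' "$2" | has_subca_cert "$cr_id"; then
            echo "$1: sub-CA cert present"
        else
            echo "$1: sub-CA cert MISSING"; cr_rc=1
        fi
        shift 2
    done
    return "$cr_rc"
}

# Constructed sample listings modelled on the output quoted above.
ID=cff68fa5-05a8-4d72-8f22-dff1f29135fd
MASTER="Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                     CTu,Cu,Cu
caSigningCert cert-pki-ca $ID u,u,u
subsystemCert cert-pki-ca                     u,u,u"
# Replica listing without the sub-CA entry (constructed failure case).
STALE_REPLICA="caSigningCert cert-pki-ca                     CTu,Cu,Cu
subsystemCert cert-pki-ca                     u,u,u"

check_replication "$ID" master "$MASTER" replica "$MASTER"
check_replication "$ID" master "$MASTER" replica "$STALE_REPLICA" ||
    echo "sub-CA cert not replicated to every CA server"
```

On live systems the listings would come from running `certutil -d /etc/pki/pki-tomcat/alias -L` on each CA server, as in the steps above.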