Bug 1810149

Summary: ipa-server-certinstall of IPA-issued certificate will fail
Product: Red Hat Enterprise Linux 8 Reporter: Rob Crittenden <rcritten>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: medium    
Version: ---CC: hgcoin, pasik, pcech, rcritten, sorlov, ssidhaye, tscherf, twoerner
Target Milestone: rcKeywords: TestCaseProvided, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.9.0-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 18:21:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rob Crittenden 2020-03-04 15:46:56 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/8204

### Issue
changing the freeipa ui apache server cert fails.

ipa-server-certinstall -w -p whatever  --pin=""   /etc/ssl/a.pem.crt   /etc/ssl/private/a.pem.key
fails with

ipapython.ipautil: DEBUG: stderr=
dbus.connection: ERROR: Unable to set arguments ({'template-subject': <Name(O=1.QUIETFOUNTAIN.COM,CN=registry.1.quietfountain.com)>},) according to signature 'a{sv}': <class 'TypeError'>: Don't know which D-Bus type to use to encode type "Name"
ipapython.admintool: DEBUG:   File "/usr/lib/python3/dist-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 117, in run
    self.replace_http_cert()
  File "/usr/lib/python3/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 173, in replace_http_cert
    certmonger.add_subject(req_id, cert.subject)
  File "/usr/lib/python3/dist-packages/ipalib/install/certmonger.py", line 305, in add_subject
    add_request_value(request_id, 'template-subject', subject)
  File "/usr/lib/python3/dist-packages/ipalib/install/certmonger.py", line 284, in add_request_value
    request.obj_if.modify({directive: value})
  File "/usr/lib/python3/dist-packages/dbus/proxies.py", line 147, in __call__
    **keywords)
  File "/usr/lib/python3/dist-packages/dbus/connection.py", line 643, in call_blocking
    message.append(signature=signature, *args)

ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: TypeError: Don't know which D-Bus type to use to encode type "Name"
ipapython.admintool: ERROR: Don't know which D-Bus type to use to encode type "Name"
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.

#### Steps to Reproduce
See above, 100%

Change
def add_subject(request_id, subject):
    """
    In order for a certmonger request to be renwable it needs the subject
    set in the request file.

    When an existing certificate is added via start-tracking it won't have
    a subject_template set. !!!
    """
-    add_request_value(request_id, 'template-subject', subject)
+    add_request_value(request_id, 'template-subject', str(subject))

and it works.
certmonger/eoan,now 0.79.6-2 amd64 [installed,automatic]

I'm concerned my 'fix' will not result in certmonger actually doing the right thing, but at least the command completes 'normally'.  I'll leave it to the freeipa brain trust from here.
Comment 2 Rob Crittenden 2020-04-01 12:30:02 UTC 
This is seen when replacing a certificate with one issued by IPA.

The call to fix is in ipaserver/install/ipa_server_certinstall.py before the add_subject call.

The typical usage is: subject = str(DN(cert.subject))
Comment 3 Harry Coin 2020-08-30 17:13:08 UTC 
Rob,
Thanks.
This patch corrects the error above.

--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -170,7 +170,7 @@
         if req_id is not None:
             certmonger.add_principal(
                 req_id, 'HTTP/{host}'.format(host=api.env.host))
-            certmonger.add_subject(req_id, cert.subject)
+            certmonger.add_subject(req_id, str(DN(cert.subject)))
 
     def replace_kdc_cert(self):
         # pass in `realm` to perform `NSSDatabase.verify_kdc_cert_validity()`
Comment 5 Rob Crittenden 2021-02-09 16:44:29 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/8204
Comment 6 Rob Crittenden 2021-02-09 16:45:57 UTC 
Fixed upstream.

master:
    040d48f ipatests: test ipa_server_certinstall with an IPA-issued cert
    f249c51 Set the certmonger subject with a string, not an object

ipa-4-8:
    099ab6c ipatests: test ipa_server_certinstall with an IPA-issued cert
    2a5a2a0 Set the certmonger subject with a string, not an object
Comment 11 Sergey Orlov 2021-07-02 14:43:47 UTC 
Verified using latest nightly compose with ipa-server-4.9.5-1.module+el8.5.0+11410+91a33fe4.x86_64

Upstream test suite  test_installation.py is broken in RHEL8.5, thus verifyed by manually executing steps from test_installation.py::TestInstallCA::test_cert_install_with_IPA_issued_cert:

# ipa-server-install -a Secret123 -p Secret123  -n testrelm.test -U -r TESTRELM.TEST
...
The ipa-server-install command was successful


# cp -p /var/lib/ipa/certs/httpd.crt /tmp/
# cp -p /var/lib/ipa/private/httpd.key /tmp/

# export PASSWD="/var/lib/ipa/passwds/`hostname`-443-RSA"
# export PASSWD_STR=`cat $PASSWD`

# ipa-server-certinstall -p Secret123 -w --pin "$PASSWD" /tmp/httpd.crt /tmp/httpd.key
Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
# echo $?
0
Comment 13 errata-xmlrpc 2021-11-09 18:21:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230