Bug 1851835

Summary: [RFE] IdM short-term certificates ACME provider
Product: Red Hat Enterprise Linux 8 Reporter: Petr Čech <pcech>
Component: ipaAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.3CC: frenaud, jvilicic, ksiddiqu, mpolovka, myusuf, ndehadra, pasik, pmendezh, pvoborni, rcritten, ssidhaye, tscherf
Target Milestone: rcKeywords: FutureFeature
Target Release: 8.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.9.0-0.1.rc1 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 15:48:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1902727    
Bug Blocks: 1894575    

Comment 2 Rob Crittenden 2020-07-09 16:04:41 UTC 
Documentation available at:

https://frasertweedale.github.io/blog-redhat/posts/2020-05-06-ipa-acme-intro.html
https://frasertweedale.github.io/blog-redhat/posts/2020-05-07-ipa-acme-mod_md.html
https://frasertweedale.github.io/blog-redhat/posts/2020-05-13-ipa-acme-dns.html
Comment 3 Rob Crittenden 2020-07-10 12:35:28 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/2b6faa362f3ee2a63e3597f8734867d8e9d4df7d
https://pagure.io/freeipa/c/dd301a453521a177d9f34df25d3e6d203c9507ea
https://pagure.io/freeipa/c/5883cff0b7b62da3fcb3dfb7920a9f993cbcb568
https://pagure.io/freeipa/c/a21823da7fcce521838764df5280295ccbdb8157
https://pagure.io/freeipa/c/b3565290fefb6e14583b50d3c411a8861a4fa844
https://pagure.io/freeipa/c/c309d4a4d0c19df80808b2ce9352ce2af2a30a3c
https://pagure.io/freeipa/c/3c8352f9a7f977bc994e4b5b558fb3c7db20f40e
https://pagure.io/freeipa/c/d15000bed6bc5262a80aadeb5f85a476ed44799f
https://pagure.io/freeipa/c/00a84464eae31150714f667df67774ebe34b8514
https://pagure.io/freeipa/c/083c6aedc6d8046c19f637ec34723812f292a0e9
https://pagure.io/freeipa/c/7b00035764197c0aff0c7d2de638dc174abacf9f
https://pagure.io/freeipa/c/ab7226dcef8c8390fc9a1e939680ba9f4f5121bd
https://pagure.io/freeipa/c/bb6d84903967bc6176d8a0817b602ba314129417
https://pagure.io/freeipa/c/85d0272053dbafab19c1f98cacc5ce6e1a828667
https://pagure.io/freeipa/c/f9f3b3b118ccb0c4052d15387d128886ec293463
https://pagure.io/freeipa/c/e976dde8e1429ee023a76ddbe0e6b16a495a1ef2
https://pagure.io/freeipa/c/a83eaa8b6da8e5937a7f42a90310f69b8f66e6d4
https://pagure.io/freeipa/c/678b8e682b37daa5217c0098cd6ce42c324b3955
https://pagure.io/freeipa/c/525b946b75760a1ef90e1aae8e5052124fb0075c
https://pagure.io/freeipa/c/1f720560273e16ca6c5e646a1f4bf0a7ec354aa5
Comment 5 Rob Crittenden 2020-11-02 15:45:40 UTC 
Add support for global configuration and more integration tests

Fixed upstream
master:
https://pagure.io/freeipa/c/2ef53196c6a012ad7d02aed5672d69fbcb5d0a4e
https://pagure.io/freeipa/c/e13d058a066bdbd8a81b794b6f18ca8eca1f31c8
https://pagure.io/freeipa/c/c0d55ce6de5e41a98b1e37e23e8bdb339e772c0f
https://pagure.io/freeipa/c/92c3ea4e293a4fca58269265b7fbf511024dab59
https://pagure.io/freeipa/c/69ae48c8b614a23f530ec6ed33c9019e0b491e50
https://pagure.io/freeipa/c/e7fd791579eca8b7a1c30b4f17bfac7c4fafe2a7
https://pagure.io/freeipa/c/d4ef64b229541200564131e927cd0b4b32662fe2
Comment 6 Rob Crittenden 2020-11-02 19:02:07 UTC 
Require a SAN for ipa-ca when installing 3rd party certificates.

Fixed upstream
master:
https://pagure.io/freeipa/c/2768b0dbaf0e07bc632a4867b13ef4c5ac875372
https://pagure.io/freeipa/c/e0ff82c884356a6c9fcd0fef66580de30ec5af87
https://pagure.io/freeipa/c/c8f13cd85503f2713c616eccfd7c37e52792c7ef
Comment 7 Rob Crittenden 2020-11-12 20:15:14 UTC 
Tests for External-CA scenarios for ACME service

Fixed upstream
master:
https://pagure.io/freeipa/c/9dccf17a6c6ce023661a33fdb1f65314ef6a053f
https://pagure.io/freeipa/c/cbbfcd9b1e9bbcce864957423085d362e6d44c72
https://pagure.io/freeipa/c/c4a6b0e5662f539b8438cdbc593eb713ea8c6da2
Comment 11 Florence Blanc-Renaud 2020-12-01 12:00:01 UTC 
Additional commit bumping the Requires for pki-server:

Fixed upstream
master:
https://pagure.io/freeipa/c/6816de0892a11c203f1a2e6f7819d533c7658fa9
Comment 12 Rob Crittenden 2020-12-01 18:08:28 UTC 
Additional commit bumping the Requires for pki-server:

Fixed upstream
ipa-4-9:

3e530e93c37ee71a560714e26285cd85e71557c9
Comment 19 Sumedh Sidhaye 2020-12-17 11:42:41 UTC 
Builds used for verification:

ipa-client-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
ipa-client-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-healthcheck-core-0.7-3.module+el8.4.0+9007+5084bdd8.noarch
ipa-selinux-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
ipa-server-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-dns-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-trust-ad-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64

test_integration/test_acme.py::TestACME::test_kinit_master PASSED        [  3%]
test_integration/test_acme.py::TestACME::test_acme_service_not_yet_enabled PASSED [  7%]
test_integration/test_acme.py::TestACME::test_enable_acme_service PASSED [ 11%]
test_integration/test_acme.py::TestACME::test_centralize_acme_enable PASSED [ 15%]
test_integration/test_acme.py::TestACME::test_certbot_register SKIPPED   [ 19%]
test_integration/test_acme.py::TestACME::test_certbot_certonly_standalone SKIPPED [ 23%]
test_integration/test_acme.py::TestACME::test_certbot_revoke SKIPPED     [ 26%]
test_integration/test_acme.py::TestACME::test_certbot_dns SKIPPED        [ 30%]
test_integration/test_acme.py::TestACME::test_mod_md SKIPPED             [ 34%]
test_integration/test_acme.py::TestACME::test_disable_acme_service PASSED [ 38%]
test_integration/test_acme.py::TestACME::test_centralize_acme_disable PASSED [ 42%]
test_integration/test_acme.py::TestACME::test_third_party_certs PASSED   [ 46%]
test_integration/test_acme.py::TestACMECALess::test_caless_to_cafull_replica PASSED [ 50%]
test_integration/test_acme.py::TestACMECALess::test_enable_caless_to_cafull_replica PASSED [ 53%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_kinit_master PASSED [ 57%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_acme_service_not_yet_enabled PASSED [ 61%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_enable_acme_service PASSED [ 65%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_centralize_acme_enable PASSED [ 69%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_certbot_register SKIPPED [ 73%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_certbot_certonly_standalone SKIPPED [ 76%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_certbot_revoke SKIPPED [ 80%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_certbot_dns SKIPPED [ 84%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_mod_md SKIPPED [ 88%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_disable_acme_service PASSED [ 92%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_centralize_acme_disable PASSED [ 96%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_third_party_certs PASSED [100%]
Comment 21 Josip Vilicic 2021-01-29 15:02:22 UTC 
Hello Kaleem,

1) This bug has automatically generated the following Documentation JIRA ticket:

   "RHELPLAN-47725 - [RFE] IdM short-term certificates ACME provider"
   https://issues.redhat.com/browse/RHELPLAN-47725


2) The documentation team has previously created 2 tickets that I think correspond to the 2 items from this bug's description:

   a) Service automatically acquire a certificates

         RHELPLAN-43501 - [DOC][ACME] Service automatically acquires a certificate
         https://issues.redhat.com/browse/RHELPLAN-43501

      But we closed that general ticket because we created multiple tickets for specific ACME features/functionality:

         RHELPLAN-58595 - Deploy ACME service on upgrade -- https://issues.redhat.com/browse/RHELPLAN-58595
         RHELPLAN-58596 - Support ACME protocol -- https://issues.redhat.com/browse/RHELPLAN-58596
         RHELPLAN-58599 - Deploy ACME service on CA installation -- https://issues.redhat.com/browse/RHELPLAN-58599
         RHELPLAN-58601 - FreeIPA commands to enable/disable ACME service -- https://issues.redhat.com/browse/RHELPLAN-58601
         RHELPLAN-58613 - Add FreeIPA ACME certificate profile -- https://issues.redhat.com/browse/RHELPLAN-58613


   b) Deploy & manage the ACME service topology wide from a single system

         RHELPLAN-58598 - [DOC][ACME] Deploy & manage the ACME service topology wide from a single system
         https://issues.redhat.com/browse/RHELPLAN-58598


Could you please let us know if we've missed anything?
Comment 22 Kaleem 2021-02-02 12:04:36 UTC 
Hi Jo,

I missed looking at doc jira ticket.
Should not we set the doc flag/field for this? Doc Text, require_doc_text?
Comment 24 Florence Blanc-Renaud 2021-04-30 09:05:21 UTC 
Test added upstream: ipatests/test_integration/test_acme.py::TestACMECARenew
master:
https://pagure.io/freeipa/c/d2ca7915498cd1bdf5483af4b155296766f6e718
Comment 25 Rob Crittenden 2021-05-06 19:42:21 UTC 
Test added upstream:
ipa-4-9:
https://pagure.io/freeipa/c/a7ff4089437ee20bbce7fc55d43a7702dd7540a7
Comment 27 errata-xmlrpc 2021-05-18 15:48:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846