Bug 1869893
| Summary: | Common certificates are missing in CS.cfg on shared PKI instance | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Dinesh Prasanth <dmoluguw> |
| Component: | pki-core | Assignee: | Endi Sukma Dewata <edewata> |
| Status: | CLOSED ERRATA | QA Contact: | PKI QE <bugzilla-pkiqe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.3 | CC: | aakkiang, edewata, ftrivino, ksiddiqu, lmiksik, mharmsen, prisingh, rcritten, sveerank |
| Target Milestone: | rc | ||
| Target Release: | 8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | pki-core-10.6-8030020200903170610.5ff1562f | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 03:15:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** Bug 1871188 has been marked as a duplicate of this bug. *** PR: https://github.com/dogtagpki/pki/pull/536 Fixed in master branch (10.10): * https://github.com/dogtagpki/pki/commit/7abe19e5be79ecab51ea4b4e94fb7a7bb01dca1f There is one more PR: https://github.com/dogtagpki/pki/pull/539 Fixed in master branch (10.10): * https://github.com/dogtagpki/pki/commit/e117f897a43b7f2ded0edbb204110357c29da2c0 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4847 |
Description of problem: In shared PKI instances, the `subsystem` and `sslserver` certificates are missing in CS.cfg of KRA, OCSP, TKS and TPS subsystems. This seems to be happening ONLY in the recent deployments (New instances deployed after ~Apr 2020). The error was caught by pki-healthcheck tool. ```` Following keys are missing in corresponding CS.cfg: {kra,ocsp,tks,tps}.subsystem.cert= {kra,ocsp,tks,tps}.sslserver.cert= ```` Version-Release number of selected component (if applicable): # rpm -qa | grep pki pki-base-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch pki-symkey-10.9.1-1.module+el8.3.0+7594+3661a26e.x86_64 pki-tps-10.9.1-1.module+el8pki+7595+528e2489.x86_64 python3-pki-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch pki-servlet-4.0-api-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch pki-base-java-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch pki-servlet-engine-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch pki-server-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch pki-kra-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch pki-tks-10.9.1-1.module+el8pki+7595+528e2489.noarch pki-tools-10.9.1-1.module+el8.3.0+7594+3661a26e.x86_64 pki-ca-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch pki-ocsp-10.9.1-1.module+el8pki+7595+528e2489.noarch How reproducible: Always Steps to Reproduce: 1. Install CA, KRA (,OCSP, TKS, TPS) on a shared instance (eg: pki-tomcat) 2. Run `pki-healthcheck` 3. Actual results: # pki-healthcheck --failures-only [ { "source": "pki.server.healthcheck.meta.csconfig", "check": "KRADogtagCertsConfigCheck", "result": "ERROR", "uuid": "f9bca17f-b12c-455c-b23e-f0c04304344d", "when": "20200818215836Z", "duration": "0.104007", "kw": { "key": "kra_sslserver", "nickname": "Server-Cert cert-pki-tomcat", "directive": "kra.sslserver.cert", "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg", "msg": "Certificate 'Server-Cert cert-pki-tomcat' does not match the value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg" } }, { "source": "pki.server.healthcheck.meta.csconfig", "check": "KRADogtagCertsConfigCheck", "result": "ERROR", "uuid": "4d24134c-3d90-40c3-8b24-bdab2583f9fb", "when": "20200818215836Z", "duration": "0.185620", "kw": { "key": "kra_subsystem", "nickname": "subsystemCert cert-pki-tomcat", "directive": "kra.subsystem.cert", "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg", "msg": "Certificate 'subsystemCert cert-pki-tomcat' does not match the value of kra.subsystem.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg" } }, { "source": "pki.server.healthcheck.meta.csconfig", "check": "OCSPDogtagCertsConfigCheck", "result": "ERROR", "uuid": "e865254b-28e2-4458-ad30-5203a44446d1", "when": "20200818215836Z", "duration": "0.104308", "kw": { "key": "ocsp_sslserver", "nickname": "Server-Cert cert-pki-tomcat", "directive": "ocsp.sslserver.cert", "configfile": "/var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg", "msg": "Certificate 'Server-Cert cert-pki-tomcat' does not match the value of ocsp.sslserver.cert in /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg" } }, { "source": "pki.server.healthcheck.meta.csconfig", "check": "OCSPDogtagCertsConfigCheck", "result": "ERROR", "uuid": "a1321228-7f1f-40a1-a070-f43fd7c6a7cf", "when": "20200818215836Z", "duration": "0.185781", "kw": { "key": "ocsp_subsystem", "nickname": "subsystemCert cert-pki-tomcat", "directive": "ocsp.subsystem.cert", "configfile": "/var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg", "msg": "Certificate 'subsystemCert cert-pki-tomcat' does not match the value of ocsp.subsystem.cert in /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg" } }, { "source": "pki.server.healthcheck.meta.csconfig", "check": "TKSDogtagCertsConfigCheck", "result": "ERROR", "uuid": "7bedbe0e-9076-4fd1-a401-50ddbc75c58c", "when": "20200818215837Z", "duration": "0.103956", "kw": { "key": "tks_sslserver", "nickname": "Server-Cert cert-pki-tomcat", "directive": "tks.sslserver.cert", "configfile": "/var/lib/pki/pki-tomcat/tks/conf/CS.cfg", "msg": "Certificate 'Server-Cert cert-pki-tomcat' does not match the value of tks.sslserver.cert in /var/lib/pki/pki-tomcat/tks/conf/CS.cfg" } }, { "source": "pki.server.healthcheck.meta.csconfig", "check": "TKSDogtagCertsConfigCheck", "result": "ERROR", "uuid": "004513ce-d798-423c-aaf3-f377e3757c2e", "when": "20200818215837Z", "duration": "0.185525", "kw": { "key": "tks_subsystem", "nickname": "subsystemCert cert-pki-tomcat", "directive": "tks.subsystem.cert", "configfile": "/var/lib/pki/pki-tomcat/tks/conf/CS.cfg", "msg": "Certificate 'subsystemCert cert-pki-tomcat' does not match the value of tks.subsystem.cert in /var/lib/pki/pki-tomcat/tks/conf/CS.cfg" } }, { "source": "pki.server.healthcheck.meta.csconfig", "check": "TPSDogtagCertsConfigCheck", "result": "ERROR", "uuid": "a0d1e203-8b33-4d28-b7cc-031a3dd88cb2", "when": "20200818215837Z", "duration": "0.104213", "kw": { "key": "tps_sslserver", "nickname": "Server-Cert cert-pki-tomcat", "directive": "tps.sslserver.cert", "configfile": "/var/lib/pki/pki-tomcat/tps/conf/CS.cfg", "msg": "Certificate 'Server-Cert cert-pki-tomcat' does not match the value of tps.sslserver.cert in /var/lib/pki/pki-tomcat/tps/conf/CS.cfg" } }, { "source": "pki.server.healthcheck.meta.csconfig", "check": "TPSDogtagCertsConfigCheck", "result": "ERROR", "uuid": "3fb343e4-e052-4cdc-9af3-ed51864aa5ad", "when": "20200818215837Z", "duration": "0.185737", "kw": { "key": "tps_subsystem", "nickname": "subsystemCert cert-pki-tomcat", "directive": "tps.subsystem.cert", "configfile": "/var/lib/pki/pki-tomcat/tps/conf/CS.cfg", "msg": "Certificate 'subsystemCert cert-pki-tomcat' does not match the value of tps.subsystem.cert in /var/lib/pki/pki-tomcat/tps/conf/CS.cfg" } } ] Expected results: # pki-healthcheck --failures-only [] (No ERRORs reported) Additional info: 1. It was also observed in ipa-healthcheck: https://pagure.io/dogtagpki/issue/3202 2. Based on initial investigation, this part of the code might be causing the issue: https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/deployment/__init__.py#L349-L355 3. Though the subsystems seem to be working without errors so far, we still would like to have copies of the cert in CS.cfg... In future, these redundant copies of cert will be removed from CS.cfg and the code will be altered to retrieve certs from its NSSDB.