Bug 675789

Summary:	Profile caIPAserviceCert Not Found
Product:	Red Hat Enterprise Linux 6	Reporter:	Dmitri Pal <dpal>
Component:	ipa	Assignee:	Rob Crittenden <rcritten>
Status:	CLOSED ERRATA	QA Contact:	Chandrasekar Kannan <ckannan>
Severity:	urgent	Docs Contact:
Priority:	unspecified
Version:	6.1	CC:	awnuk, benl, jgalipea, rcritten, syeghiay
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	ipa-2.0.0-12.el6	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:	675742	Environment:
Last Closed:	2011-05-19 13:44:26 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Bug Depends On:	675742
Bug Blocks:

Description Dmitri Pal 2011-02-07 18:44:13 UTC

+++ This bug was initially created as a clone of Bug #675742 +++

Description of problem:

I'm unable to generate certificates using the caIPAserviceCert profile:

# ipa cert-request --add --principal=HTTP/panther.example.com panther.csr
ipa: ERROR: Certificate operation cannot be completed: FAILURE (Profile caIPAserviceCert Not Found)

I found a java trace in debug:

[07/Feb/2011:10:28:58][main]: Start Profile Creation - caIPAserviceCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[07/Feb/2011:10:28:58][main]: input stream error /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
input stream error /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
        at com.netscape.cmscore.base.FileConfigStore.load(FileConfigStore.java:77)
        at com.netscape.cmscore.base.FileConfigStore.<init>(FileConfigStore.java:60)
        at com.netscape.cmscore.apps.CMSEngine.createFileConfigStore(CMSEngine.java:557)
        at com.netscape.certsrv.apps.CMS.createFileConfigStore(CMS.java:1554)
        at com.netscape.cmscore.profile.ProfileSubsystem.createProfile(ProfileSubsystem.java:119)
        at com.netscape.cmscore.profile.ProfileSubsystem.init(ProfileSubsystem.java:94)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:312)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:519)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[07/Feb/2011:10:28:58][main]: Done Profile Creation - caIPAserviceCert

Version-Release number of selected component (if applicable):

pki-ca-9.0.2-1.fc14.noarch

--- Additional comment from rcritten on 2011-02-07 10:39:16 EST ---

Created attachment 477436 [details]
caIPAserviceCert.cfg

Comment 2 Andrew Wnuk 2011-02-10 22:35:39 UTC

IPA installer modifies caIPAserviceCert profile by adding instance specific names for example:
  policyset.serverCertSet.1.default.params.name=
     CN=$request.req_subject_name.cn$, O=SJC.REDHAT.COM
or
  policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=
    https://works4me.sjc.redhat.com/ipa/crl/MasterCRL.bin

Above modification are also causing change of file ownership from 
  -rw-rw----. 1 pkiuser pkiuser  6215 Feb  1 14:04 caIPAserviceCert.cfg
to 
  -rw-rw----. 1 root root  6215 Feb  1 14:04 caIPAserviceCert.cfg

IPA installer after profile update should run command like
 "chown pkiuser:pkiuser caIPAserviceCert.cfg"
to recover original file ownership.

Note that user and group names have to synchronized with parameters used by pkicreate.
 
pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-ca          \
          -subsystem_type=ca                 \
          -agent_secure_port=9443            \
          -ee_secure_port=9444               \
          -ee_secure_client_auth_port=9446   \
          -admin_secure_port=9445            \
          -unsecure_port=9180                \
          -tomcat_server_port=9701           \
          -user=pkiuser                      \
          -group=pkiuser                     \
          -redirect conf=/etc/pki-ca         \
          -redirect logs=/var/log/pki-ca     \
          -verbose

Comment 3 Rob Crittenden 2011-02-14 19:05:58 UTC

I think dogtag should raise an appropriate error message when a file cannot be opened for reading.

Comment 4 Rob Crittenden 2011-02-22 22:15:20 UTC

fixed in IPA in commit 95b0563817c20bd7d7d82719d8baf8eac2bc9098

Comment 6 Jenny Severance 2011-03-11 17:53:59 UTC

verified:

# ls -al /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg 
-rw-rw----. 1 pkiuser pkiuser 6217 Mar 11 11:39 /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg


Version:
ipa-server-2.0.0-13.el6.x86_64

Comment 7 errata-xmlrpc 2011-05-19 13:44:26 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0631.html