| Summary: | ipa-getcert : cert request success when wrong token is given | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Yi Zhang <yzhang> |
| Component: | certmonger | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.1 | CC: | dpal, jgalipea, kchamart, ksiddiqu |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | certmonger-0.45-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-06 17:37:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description

Yi Zhang
2011-04-15 17:33:17 UTC

What's the output from 'ipa-getcert list' after this? I'd expect the daemon to start working the request and then get stalled on it once it tries to locate the token.

```
[x86_64.b root@dhcp-122 ~] ipa-getcert request -d /etc/pki/nssdb -n GetCertTest-request-001 "201107180001" NoSuchToken
New signing request "20110719172835" added.
```

=========== and cert list is below: ============================================

```
[x86_64.b root@dhcp-122 ~] ipa-getcert list
Number of certificates and requests being tracked: 4.
Request ID '20110714171343':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SJC-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SJC-REDHAT-COM//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-SJC-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SJC.REDHAT.COM
        subject: CN=dhcp-122.sjc.redhat.com,O=SJC.REDHAT.COM
        expires: 2012-01-10 17:13:42 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
Request ID '20110714171410':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SJC.REDHAT.COM
        subject: CN=dhcp-122.sjc.redhat.com,O=SJC.REDHAT.COM
        expires: 2012-01-10 17:14:10 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
Request ID '20110714171432':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SJC.REDHAT.COM
        subject: CN=dhcp-122.sjc.redhat.com,O=SJC.REDHAT.COM
        expires: 2012-01-10 17:14:31 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
Request ID '20110719172835':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='GetCertTest-request-001',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='GetCertTest-request-001',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SJC.REDHAT.COM
        subject: CN=dhcp-122.sjc.redhat.com,O=SJC.REDHAT.COM
        expires: 2012-01-15 17:28:38 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
```

================= end of cert list =============

The newly added cert in my new test is the very last one.

Additional information: here is the command I used to create such a cert:

```
[x86_64.b root@dhcp-122 ~] ipa-getcert request -d /etc/pki/nssdb -n GetCertTest-request-001 "201107180001" NoSuchToken
New signing request "20110719172835" added.   <=== system response

[x86_64.b root@dhcp-122 /etc/pki/nssdb] modutil -dbdir . -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------
```

Continuing the last post, here is the test environment information:

```
[x86_64.b root@dhcp-122 /etc/pki/nssdb] rpm -qa | grep ipa-server
ipa-server-2.0.99-3.20110714T0516zgita746c61.el6.x86_64
ipa-server-selinux-2.0.99-3.20110714T0516zgita746c61.el6.x86_64
[x86_64.b root@dhcp-122 /etc/pki/nssdb] rpm -qa | grep ipa-client
ipa-client-2.0.99-3.20110714T0516zgita746c61.el6.x86_64
[x86_64.b root@dhcp-122 /etc/pki/nssdb] rpm -qa | grep certmonger
certmonger-0.42-1.20110512T0414z.el6.x86_64
[x86_64.b root@dhcp-122 /etc/pki/nssdb]
```

You're not using the -t flag when specifying the token name in comment #3. Snapshots dated 2011-07-19 18:17 UTC and later should start printing an error when this is done.

Verified.

RHEL Version:
=============

```
[root@dhcp201-220 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
```

Certmonger Version:
==================

```
[root@dhcp201-220 ~]# rpm -q certmonger
certmonger-0.48-1.el6.x86_64
[root@dhcp201-220 ~]#
```

Steps used to verify:
=====================

(1) Install certmonger and nss-tools

```
[root@dhcp201-220 kaleem]# yum install certmonger -y
Loaded plugins: product-id, subscription-manager
Installed products updated.
Installed:
  certmonger.x86_64 0:0.48-1.el6
```

(2) Start the certmonger service (make sure the Dbus service is running)

```
[root@dhcp201-220 ~]# service certmonger start
Starting certmonger:                                       [  OK  ]
[root@dhcp201-220 ~]#
```

(3) Make a temp directory and change it into an NSS db. Also change the SELinux context so that key pairs can be generated.

```
[root@dhcp201-220 ~]# mkdir /tmp/kaleem
[root@dhcp201-220 ~]# chcon -t cert_t /tmp/kaleem/
[root@dhcp201-220 ~]# ls -lZ /tmp/ |grep kaleem
drwxr-xr-x. root root unconfined_u:object_r:cert_t:s0  kaleem
[root@dhcp201-220 ~]# certutil -N -d /tmp/kaleem/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root@dhcp201-220 ~]#
```

(5) Now try to generate a certificate in this NSS db while providing an incorrect token name, and check the cert request status

```
[root@dhcp201-220 ~]# getcert request -d /tmp/kaleem/ -n Test -t "Fake Token"
New signing request "20111003062129" added.
[root@dhcp201-220 ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20111003062129':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/tmp/kaleem',nickname='Test',token='Fake Token'
        certificate: type=NSSDB,location='/tmp/kaleem',nickname='Test',token='Fake Token'
        issuer:
        subject:
        expires: unknown
        track: yes
        auto-renew: yes
[root@dhcp201-220 ~]#
```

Here the cert status is "NEWLY_ADDED_NEED_KEYINFO_READ_TOKEN".

Result:
======

So now, on providing a non-existing token name, the cert status is "NEWLY_ADDED_NEED_KEYINFO_READ_TOKEN" instead of "MONITORING".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1708.html
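As an added example that is not part of the bug report or of certmonger itself: a POSIX shell check that confirms a token name actually appears in the NSS database's `modutil -list` output before a request is submitted with `-t`, and that flags any tracked request `getcert list` reports as stuck, so a wrong token name is caught instead of sitting silently as in the original report. Both listings are constructed to mirror the output quoted above.

```shell
#!/bin/sh
# Added example, not from the bug report. The two listings below are constructed
# to mirror 'modutil -dbdir DIR -list' and 'getcert list'; feed live output in real use.

# token_exists LISTING TOKEN: succeed only if TOKEN is a token in the modutil listing
token_exists() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*token:/ {
            sub(/^[[:space:]]*token:[[:space:]]*/, "")
            if ($0 == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# stuck_requests LISTING: print "ID STATUS TOKEN" for every request with "stuck: yes"
stuck_requests() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^Request ID/                    { id = $3; gsub(/[^0-9]/, "", id) }
        /^[[:space:]]*status:/           { status = $2 }
        /^[[:space:]]*stuck:/            { stuck = $2 }
        /^[[:space:]]*key pair storage:/ {
            token = $0                      # pull the value between token=\x27 ... \x27
            sub(".*token=" q, "", token); sub(q ".*", "", token)
            if (stuck == "yes") print id, status, token
        }'
}

MODUTIL_LISTING=$(cat <<'EOF'
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
EOF
)

GETCERT_LISTING=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20111003062129':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/tmp/kaleem',nickname='Test',token='Fake Token'
Request ID '20110714171432':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
EOF
)
```

In practice run `token_exists "$(modutil -dbdir "$DIR" -list)" "$TOKEN"` before `getcert request -d "$DIR" -t "$TOKEN" ...`, and `stuck_requests "$(getcert list)"` afterwards from a monitoring job.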