Bug 701325

Summary: Unable to Download Certificate with Browser
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.3
Reporter: Niranjan Mallapadi Raghavender <mniranja>
Assignee: Rob Crittenden <rcritten>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dpal, edewata, grajaiya, jgalipea
Status: CLOSED ERRATA
Severity: low
Priority: unspecified
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-2.1.3-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: The X509v3 certificate in a host or service record in the Web UI was not properly formatted so was not easily usable.
Consequence: One could not simply cut-and-paste the certificate and use it in PEM format.
Fix: Convert the certificate from base64 into PEM format.
Result: A certificate can be cut-and-pasted and used in PEM format.
Last Closed: 2011-12-06 18:21:56 UTC
Bug Blocks: 750914    

Description Niranjan Mallapadi Raghavender 2011-05-02 15:24:21 UTC
Description of problem:

From the Firefox browser installed on a RHEL 6.1 IPA server, unable to download the client cert (certificate for host).

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-16.el6.x86_64
firefox-3.6.15-2.el6_0.x86_64

How reproducible:
1. kinit admin
2. firefox&
3. Click on Identity->Host-> Add a host
4. Post the CSR and once signed, click on Get to copy and paste the certificate.
5. Run openssl x509 -in file.crt -noout -text

The actual result is:
openssl x509 -in dhcp210-7.crt -noout -text
unable to load certificate
140453227505480:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:807:


When selecting all from the browser and pasting it into a text file, the CR/LF characters are not there, which makes the file unusable, so the only option is to run the command below:

$ ipa host-show dhcp210-7.gsslab.pnq.redhat.com --out dhcp210-7.crt
  
Expected results:

The Enterprise IPA should provide a better method to download the certificate from browser.

Comment 2 Rob Crittenden 2011-05-02 18:47:16 UTC
https://fedorahosted.org/freeipa/ticket/1201

Comment 3 Rob Crittenden 2011-10-21 15:38:55 UTC
fixed upstream

master: 9a039acb224ab3dd6c739f141233000b50c28e6f
ipa-2-1: 9b7639a89df70bdd5cbc29c0393ebe53395e566f

Comment 6 Rob Crittenden 2011-10-31 18:22:12 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The X509v3 certificate in a host or service record in the Web UI was not properly formatted so was not easily usable.
Consequence: One could not simply cut-and-paste the certificate and use it in PEM format.
Fix: Convert the certificate from base64 into PEM format.
Result: A certificate can be cut-and-pasted and used in PEM format.
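
The conversion named in the technical note above, sketched as an added example; this is not FreeIPA's code. It assumes the text copied from the page arrives as one unbroken line, with or without the BEGIN/END armor. The function names and the sample data are constructed for illustration.

```python
import base64
import binascii
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def base64_to_pem(pasted: str) -> str:
    """Rebuild a PEM certificate from pasted text that lost its line breaks."""
    # Drop armor lines that survived the paste, then every whitespace character.
    body = pasted.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    body = re.sub(r"\s+", "", body)
    if not body:
        raise ValueError("no certificate data found")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    # An X.509 certificate is a DER SEQUENCE, so the first octet is 0x30.
    if der[:1] != b"\x30":
        raise ValueError("decoded data is not a DER SEQUENCE")
    # Re-encode and wrap at 64 columns, as RFC 7468 requires of PEM generators.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def is_wrapped_pem(text: str) -> bool:
    """Cheap structural check to run before `openssl x509 -in <file>`."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        return False
    return all(0 < len(line) <= 64 for line in lines[1:-1])


# Constructed sample, not a real certificate: a DER SEQUENCE header plus
# filler bytes, flattened to one line the way the pasted text was.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
SAMPLE_PASTE = " ".join(
    [PEM_HEADER, base64.b64encode(SAMPLE_DER).decode("ascii"), PEM_FOOTER])

if __name__ == "__main__":
    print(is_wrapped_pem(SAMPLE_PASTE))   # the flattened paste fails the check
    print(base64_to_pem(SAMPLE_PASTE), end="")
```

The DER check only looks at the outer tag; `openssl x509 -in <file> -noout -text` remains the real validation step.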

Comment 7 Niranjan Mallapadi Raghavender 2011-11-07 09:19:32 UTC
Thanks for fixing this bug

1. I had verified the fix by adding the host from web-ui first.

2. Created a certificate request for the host using the commands below:
$ openssl genrsa 1024 > juno.key

$ openssl req -new -key juno.key -out juno.csr

3. Submit the CSR by following the procedure below:
Log in as admin to the web-ui->host-> select the host added, click on "New Certificate" and paste the CSR created using step-2.

4. Once signed, click on Get "To get the Certificate", copy the contents and verify it using
$ openssl x509 -in <file-name> -noout -text

Thanks
Niranjan

Comment 8 Gowrishankar Rajaiyan 2011-11-07 10:08:36 UTC
Thanks Niranjan for confirming this. 


1. openssl genrsa 1024 > sideswipe.key
2. openssl req -new -key sideswipe.key -out sideswipe.csr
3. Submit the CSR by following the procedure below:
Log in as admin to the web-ui->host-> select the host added, click on "New Certificate" and paste the CSR created using step-2.
4. Once signed, click on Get "To get the Certificate", copy the contents and verify it using

openssl x509 -in shanks.sideswipe -noout -text
[root@sideswipe ~]# openssl x509 -in shanks.sideswipe -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=LAB.ENG.PNQ.REDHAT.COM, CN=Certificate Authority
        Validity
            Not Before: Nov  7 10:02:54 2011 GMT
            Not After : Nov  7 10:02:54 2013 GMT
        Subject: O=LAB.ENG.PNQ.REDHAT.COM, CN=sideswipe.lab.eng.pnq.redhat.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:1A:1A:3B:30:D9:CB:C1:FB:B6:42:10:D2:9F:F6:DA:FD:A0:48:1C:C0

            Authority Information Access: 
                OCSP - URI:http://decepticons.lab.eng.pnq.redhat.com:80/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
[root@sideswipe ~]# 

Verified.
[root@decepticons ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@decepticons ~]#

Comment 9 errata-xmlrpc 2011-12-06 18:21:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html