Bug 747991

Summary: non-CA is allowed to be used as an external CA signer.
Product: Red Hat Enterprise Linux 7
Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: dpal, jgalipea, kchamart, mkosek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-01-16 12:03:57 UTC
Bug Depends On: 796295
Bug Blocks: 756082

Description Gowrishankar Rajaiyan 2011-10-21 16:14:29 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.2-2.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
# ipa-server-install --external-ca
# mkdir ipa-ca
# cd ipa-ca/
# certutil -N -d . -f /root/pwdfile.txt
# certutil -G -d . -z /root/noise.txt -f /root/pwdfile.txt
# certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /root/noise.txt -f /root/pwdfile.txt
# certutil -C -m 2345 -i /root/ipa.csr -o ipacacert.crt -c "CA certificate" -d . -a -f /root/pwdfile.txt
# certutil -A -n ipa-ca -t "u,u,u" -i ipacacert.crt -d . -a
# certutil -L -d . -n "CA certificate" -a > cacert.asc
# ls
cacert.asc  cert8.db  ipacacert.crt  ipacert.req  key3.db  secmod.db

# ipa-server-install --external_cert_file=/root/ipa-ca/ipacacert.crt --external_ca_file=/root/ipa-ca/cacert.asc 


Actual results:
ipa-server-install completes successfully; however, ipa commands fail.

# ipa user-find
ipa: ERROR: cert validation failed for "CN=ratchet.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
ipa: ERROR: cannot connect to u'https://ratchet.lab.eng.pnq.redhat.com/ipa/xml': [Errno -8179] (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.

Expected results:
non-CA should not be allowed to be used as an external CA signer.

Additional info:

[root@ratchet alias]# certutil -d . -L 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=CAcert                                                    CT,C,C
Server-Cert                                                  u,u,u
LAB.ENG.PNQ.REDHAT.COM IPA CA                                CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
[root@ratchet alias]#
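
The reproducer above creates the signer with `certutil -S` but no `-2` (basicConstraints) option, so the resulting certificate carries no CA flag, and ipa-server-install accepts it anyway. The check the reporter is asking for is the one RFC 5280 section 4.2.1.9 spells out: a key may only verify certificate signatures if the certificate has a basicConstraints extension with cA TRUE, and, if keyUsage is present, it asserts keyCertSign. The following is an added example of that check, written for this page; it is not FreeIPA code and not the validation later done under ticket 4480. It walks the DER structure with a minimal parser (stdlib only, no NSS or OpenSSL needed) and runs it over certificates constructed inline: the toy `build_cert` helper produces structurally valid v3 certificates whose key and signature fields are placeholders, so they exercise the extension logic but are not real, signed certificates. `pem_to_der` is there so the same check can be pointed at a file like the `cacert.asc` that `certutil -L -a` writes.

```python
import base64

# OIDs (DER contents, without the 0x06 tag/length) of the two extensions that matter here
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19 basicConstraints
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15 keyUsage
KEY_CERT_SIGN = 0x04  # KeyUsage bit 5 (MSB-first) in the first data byte of the BIT STRING


# --- minimal DER encode/decode, enough to walk X.509 structure --------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def der_iter(data):
    """Yield (tag, contents) for each TLV element in a DER constructed body."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def pem_to_der(pem_text):
    """Strip the armor from a PEM certificate (what certutil -L -a writes) and decode it."""
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


# --- the check itself -------------------------------------------------------------------
def certificate_extensions(cert_der):
    """Map extnID (OID contents) -> extnValue contents for a DER Certificate; {} if none."""
    _, cert_body = next(der_iter(cert_der))     # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs_body = next(der_iter(cert_body))     # TBSCertificate ::= SEQUENCE { ..., [3] extensions }
    exts = {}
    for tag, value in der_iter(tbs_body):
        if tag != 0xA3:                         # [3] EXPLICIT Extensions
            continue
        _, ext_list = next(der_iter(value))
        for _, ext in der_iter(ext_list):       # Extension ::= SEQUENCE { extnID, critical?, extnValue }
            fields = list(der_iter(ext))
            exts[fields[0][1]] = fields[-1][1]  # critical (if present) sits between OID and OCTET STRING
    return exts


def check_ca_signer(cert_der):
    """Return (ok, reason): ok only if RFC 5280 4.2.1.9 allows this key to verify cert signatures."""
    exts = certificate_extensions(cert_der)
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    if bc is None:
        return False, "no basicConstraints extension: MUST NOT be used to verify certificate signatures"
    _, bc_body = next(der_iter(bc))             # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
    if dict(der_iter(bc_body)).get(0x01) != b"\xff":  # DER omits cA when FALSE; TRUE is encoded as 0xFF
        return False, "basicConstraints present but cA is FALSE"
    ku = exts.get(OID_KEY_USAGE)
    if ku is not None:                          # keyUsage is optional, but when present it must allow signing certs
        _, bits = next(der_iter(ku))            # BIT STRING: bits[0] is the unused-bit count
        if len(bits) < 2 or not bits[1] & KEY_CERT_SIGN:
            return False, "keyUsage present but keyCertSign is not asserted"
    return True, "basicConstraints cA=TRUE" + (", keyUsage includes keyCertSign" if ku is not None else "")


# --- constructed sample certificates (toy: placeholder key and signature, no real crypto) --
def build_cert(extensions):
    """Build a structurally valid, unsigned v3 Certificate carrying (oid, critical, value) extensions."""
    def extension(oid, critical, value):
        return der(0x30, der(0x06, oid) + (der(0x01, b"\xff") if critical else b"") + der(0x04, value))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"CAcert"))))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSAEncryption
    placeholder = der(0x03, b"\x00" * 33)  # BIT STRING stand-in for the public key / signature
    tbs = (der(0xA0, der(0x02, b"\x02"))                                            # version v3
           + der(0x02, b"\x03\xe8")                                                 # serialNumber 1000
           + alg + name                                                             # signature, issuer
           + der(0x30, der(0x17, b"111021000000Z") + der(0x17, b"211021000000Z"))  # validity
           + name + der(0x30, alg + placeholder))                                   # subject, subjectPublicKeyInfo
    if extensions:
        tbs += der(0xA3, der(0x30, b"".join(extension(*e) for e in extensions)))
    return der(0x30, der(0x30, tbs) + alg + placeholder)


BC_CA_TRUE = (OID_BASIC_CONSTRAINTS, True, der(0x30, der(0x01, b"\xff")))
BC_CA_FALSE = (OID_BASIC_CONSTRAINTS, True, der(0x30, b""))   # DER drops the DEFAULT FALSE value
KU_CERT_SIGN = (OID_KEY_USAGE, True, der(0x03, b"\x01\x06"))   # keyCertSign | cRLSign, 1 unused bit
KU_DIGSIG_ONLY = (OID_KEY_USAGE, True, der(0x03, b"\x07\x80")) # digitalSignature only, 7 unused bits

SAMPLES = {
    "certutil -S without -2 (no basicConstraints), as in the report": build_cert([]),
    "explicit CA:FALSE": build_cert([BC_CA_FALSE]),
    "CA:TRUE but keyUsage lacks keyCertSign": build_cert([BC_CA_TRUE, KU_DIGSIG_ONLY]),
    "proper CA (CA:TRUE, keyCertSign)": build_cert([BC_CA_TRUE, KU_CERT_SIGN]),
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        ok, reason = check_ca_signer(cert)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {label}: {reason}")
```

Only the last sample is accepted; the first one is the shape of the certificate the reproducer feeds to `--external_ca_file`, and it is rejected because the extension is simply absent. Note that this is a pre-install sanity check on the file, not a substitute for full path validation: it says nothing about whether the signer actually issued `ipacacert.crt`, whether the chain is complete, or whether NSS will trust it once imported with `-t "CT,,"`.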

Comment 1 Rob Crittenden 2011-10-21 16:17:35 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2019

Comment 6 Martin Kosek 2015-01-16 12:03:57 UTC
External CA configuration tools and option validation were being addressed in
https://fedorahosted.org/freeipa/ticket/4480
https://bugzilla.redhat.com/show_bug.cgi?id=886645

If you still reproduce the issue with FreeIPA/IdM 4.1 or later, please feel free to reopen the bug.