Bug 824027

Summary: ipa cert-status serialnumber on an ipa replica created with --setup-ca option throws "Error: Record not found"
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.0
Status: CLOSED WORKSFORME
Severity: unspecified
Priority: unspecified
Reporter: Asha Akkiangady <aakkiang>
Assignee: Martin Kosek <mkosek>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: dpal, jgalipea, mkosek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Last Closed: 2015-01-16 14:27:27 UTC

Description Asha Akkiangady 2012-05-22 15:27:25 UTC
Description of problem:
ipa cert-status serialnumber on an ipa replica created with --setup-ca option throws "Error: Record not found"

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-14.el6

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server.
2. Install an ipa replica using the --setup-ca option.
3. Create a certificate
# kinit admin
Password for admin: 
# ipa service-add service_10499/wolverine.testrelm.com
# openssl req -out /tmp/certreq.18578.csr -new -newkey rsa:2048 -nodes -keyout /tmp/certprikey.32054.key
Generating a 2048 bit RSA private key
.....................................................+++
...........................................................................................................................................................................+++
writing new private key to '/tmp/certprikey.32054.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:Mountain View
Organization Name (eg, company) [Default Company Ltd]:IPS
Organizational Unit Name (eg, section) []:QA
Common Name (eg, your name or your server's hostname) []:wolverine.testrelm.com
Email Address []:ipaqa

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ipa cert-request --principal=service_10499/wolverine.testrelm.com /tmp/certreq.18578.csr > /tmp/certcreate.txt
# grep "Serial number"  /tmp/certcreate.txt | cut -d":" -f2 | xargs echo
268370018 0xFFF0062
# ipa cert-status 268370018
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Request ID 268370018 was not found in the request queue.)

Actual results:
/var/lib/pki-ca/logs/debug has this error:

[22/May/2012:10:59:57][TP-Processor2]: CMSServlet:service() uri = //ca/ee/ca/checkRequest
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet::service() param name='xml' value='true'
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet::service() param name='requestId' value='268370018'
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: caCheckRequest start to service.
[22/May/2012:10:59:57][TP-Processor2]: checkRequest: in process!
[22/May/2012:10:59:57][TP-Processor2]: IP: 10.16.96.82
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: no authMgrName
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: in auditSubjectID
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: auditSubjectID auditContext {locale=en_US, ipAddress=10.16.96.82}
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet auditSubjectID: subjectID: null
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: in auditGroupID
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: auditGroupID auditContext {locale=en_US, ipAddress=10.16.96.82}
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet auditGroupID: groupID: null
[22/May/2012:10:59:57][TP-Processor2]: checkACLS(): ACLEntry expressions= user="anybody"
[22/May/2012:10:59:57][TP-Processor2]: evaluating expressions: user="anybody"
[22/May/2012:10:59:57][TP-Processor2]: evaluated expression: user="anybody" to be true
[22/May/2012:10:59:57][TP-Processor2]: DirAclAuthz: authorization passed
[22/May/2012:10:59:57][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][aclResource=certServer.ee.requestStatus][Op=read] authorization success

[22/May/2012:10:59:57][TP-Processor2]: In LdapBoundConnFactory::getConn()
[22/May/2012:10:59:57][TP-Processor2]: masterConn is connected: true
[22/May/2012:10:59:57][TP-Processor2]: getConn: conn is connected true
[22/May/2012:10:59:57][TP-Processor2]: getConn: mNumConns now 2
[22/May/2012:10:59:57][TP-Processor2]: returnConn: mNumConns now 3
[22/May/2012:10:59:57][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Success][Role=<null>] assume privileged role

[22/May/2012:10:59:57][TP-Processor2]: checkRequest: requestId 268370018
[22/May/2012:10:59:57][TP-Processor2]: In LdapBoundConnFactory::getConn()
[22/May/2012:10:59:57][TP-Processor2]: masterConn is connected: true
[22/May/2012:10:59:57][TP-Processor2]: getConn: conn is connected true
[22/May/2012:10:59:57][TP-Processor2]: getConn: mNumConns now 2
[22/May/2012:10:59:57][TP-Processor2]: Error: Record not found
Record not found
	at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:159)
	at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:115)
	at com.netscape.cmscore.request.RequestQueue.readRequest(RequestQueue.java:78)
	at com.netscape.cmscore.request.ARequestQueue.findRequest(ARequestQueue.java:310)
	at com.netscape.cms.servlet.request.CheckRequest.process(CheckRequest.java:266)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:501)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
	at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
	at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
	at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
	at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
	at java.lang.Thread.run(Thread.java:679)

Expected results:
ipa cert-status should respond with good info.

Additional info:
ipa cert-status works fine on an ipa client and an ipa replica created with no --setup-ca option.
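The value handed to ipa cert-status in the steps above is the certificate serial number, and the error the CA sends back ("Request ID 268370018 was not found in the request queue") is Dogtag looking that number up as a certificate request ID, which is what cert-status queries. The two counters may happen to line up on a master that has issued only a handful of certificates, which fits the report that the same command works against the master's CA; a CA clone issues serials from its own range (0xFFF0062 is nowhere near a small request counter), so there the serial cannot resolve as a request ID. The script below is an added example, not part of the report and not FreeIPA code: it parses the ipa cert-request output as fields instead of grepping it, shows why the grep | cut | xargs pipeline printed two values, checks that the decimal and hex serial lines agree, and keeps the request ID apart from the serial. SAMPLE_OUTPUT is constructed to mirror the fields ipa cert-request prints, with the serials from the report and placeholder certificate and fingerprint values; the "Request id" field name and the value 1042 in SAMPLE_WITH_REQUEST_ID are assumptions, since the report only greps the two "Serial number" lines.

```python
"""Extract the identifiers from `ipa cert-request` output.

Added example; this is not FreeIPA code. SAMPLE_OUTPUT is constructed to
mirror the fields `ipa cert-request` prints, using the serial numbers from
the bug report; the certificate and fingerprints are placeholders, and the
"Request id" line in SAMPLE_WITH_REQUEST_ID is an assumption (the report
only greps the two "Serial number" lines).
"""

SAMPLE_OUTPUT = """\
  Certificate: <base64 DER omitted from this sample>
  Subject: CN=wolverine.testrelm.com,O=TESTRELM.COM
  Issuer: CN=Certificate Authority,O=TESTRELM.COM
  Not Before: Tue May 22 15:00:12 2012 UTC
  Not After: Sat May 23 15:00:12 2014 UTC
  Fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
  Fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
  Serial number: 268370018
  Serial number (hex): 0xFFF0062
"""

# Assumed: a "Request id" line as some ipa cert-request versions print it.
# The value 1042 is made up for the example.
SAMPLE_WITH_REQUEST_ID = SAMPLE_OUTPUT + "  Request id: 1042\n"


def parse_cert_request(text):
    """Map each 'Key: value' line to a dict, keeping the whole key so that
    'Serial number' and 'Serial number (hex)' stay distinct."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value.strip()
    return fields


def naive_serial(text):
    """Replicate the report's pipeline
    grep "Serial number" | cut -d":" -f2 | xargs echo:
    grep matches both serial lines, cut keeps the second colon-separated
    field of each, and xargs echo joins the results on one line."""
    parts = []
    for line in text.splitlines():
        if "Serial number" in line:          # grep "Serial number"
            parts.append(line.split(":")[1])  # cut -d":" -f2
    return " ".join(p.strip() for p in parts)  # xargs echo


def serial_consistent(fields):
    """True when the decimal and hex serial lines name the same number."""
    return int(fields["Serial number"]) == int(fields["Serial number (hex)"], 16)


def cert_status_argument(fields):
    """Value to pass to `ipa cert-status`, which looks up a certificate
    *request* ID. Returns None when the output carried no request ID; the
    serial number is not a substitute for it."""
    return fields.get("Request id")


if __name__ == "__main__":
    fields = parse_cert_request(SAMPLE_OUTPUT)
    print("pipeline printed:", naive_serial(SAMPLE_OUTPUT))
    print("serial:", fields["Serial number"], fields["Serial number (hex)"],
          "consistent" if serial_consistent(fields) else "MISMATCH")
    print("cert-status argument:", cert_status_argument(fields))
    print("cert-status argument with request id:",
          cert_status_argument(parse_cert_request(SAMPLE_WITH_REQUEST_ID)))
```

partition on ": " rather than split on ":" is what keeps the fingerprint values, which are themselves colon-separated, intact, and it is also why the naive pipeline cannot tell the two serial lines apart.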

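The debug-log excerpt in the description interleaves a stack trace with lines that are each tagged with a timestamp and a worker thread, and the request ID, the client IP and the "Record not found" error arrive on separate lines. The helper below is an added example, not Dogtag or FreeIPA code: it correlates those lines per thread so that each failed lookup comes out as one record with the request ID that was asked for and the client that asked. SAMPLE_LOG is a constructed excerpt; its TP-Processor2 lines are taken from the report's /var/lib/pki-ca/logs/debug output, while the TP-Processor5 lines (request ID 23 from 10.16.96.90) are made up to show a lookup that does not fail.

```python
"""Per-thread correlation of Dogtag CA debug-log lines.

Added example; this is not Dogtag or FreeIPA code. SAMPLE_LOG is a
constructed excerpt: the TP-Processor2 lines come from the bug report,
the TP-Processor5 lines are made up.
"""
import re

# Every real log line looks like: [timestamp][thread]: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
REQUEST_RE = re.compile(r"^checkRequest: requestId (\S+)$")
SUBJECT_RE = re.compile(r"\bsubjectID: (\S+)$")

SAMPLE_LOG = """\
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet:service() uri = //ca/ee/ca/checkRequest
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet::service() param name='requestId' value='268370018'
[22/May/2012:10:59:57][TP-Processor2]: IP: 10.16.96.82
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet auditSubjectID: subjectID: null
[22/May/2012:10:59:57][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][aclResource=certServer.ee.requestStatus][Op=read] authorization success
[22/May/2012:10:59:57][TP-Processor2]: checkRequest: requestId 268370018
[22/May/2012:10:59:57][TP-Processor2]: Error: Record not found
Record not found
    at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:159)
    at com.netscape.cmscore.request.RequestQueue.readRequest(RequestQueue.java:78)
[22/May/2012:11:02:03][TP-Processor5]: CMSServlet:service() uri = //ca/ee/ca/checkRequest
[22/May/2012:11:02:03][TP-Processor5]: CMSServlet::service() param name='requestId' value='23'
[22/May/2012:11:02:03][TP-Processor5]: IP: 10.16.96.90
[22/May/2012:11:02:03][TP-Processor5]: CMSServlet auditSubjectID: subjectID: null
[22/May/2012:11:02:03][TP-Processor5]: checkRequest: requestId 23
"""


def parse_line(line):
    """Split one log line into (timestamp, thread, message). Lines without
    the [ts][thread] prefix, such as stack-trace frames, yield None."""
    m = LINE_RE.match(line)
    return (m.group("ts"), m.group("thread"), m.group("msg")) if m else None


def failed_lookups(log_text):
    """One record per 'Error: Record not found', carrying the servlet URI,
    client IP, subject and request ID logged earlier by the same thread."""
    state = {}   # thread -> context of the request it is currently serving
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, thread, msg = parsed
        ctx = state.setdefault(thread, {})
        if "CMSServlet:service() uri = " in msg:
            ctx.clear()  # the thread picked up a new request
            ctx["uri"] = msg.split("uri = ", 1)[1]
        elif msg.startswith("IP: "):
            ctx["client_ip"] = msg[len("IP: "):]
        elif SUBJECT_RE.search(msg):
            ctx["subject_id"] = SUBJECT_RE.search(msg).group(1)
        elif REQUEST_RE.match(msg):
            ctx["request_id"] = REQUEST_RE.match(msg).group(1)
        elif msg == "Error: Record not found":
            hits.append({"ts": ts, "thread": thread, **ctx})
    return hits


if __name__ == "__main__":
    for hit in failed_lookups(SAMPLE_LOG):
        print(hit)
```

The log itself shows that checkRequest on the EE interface is authorised by the ACL user="anybody" with a null subject ID, so the client IP is the only attribution the CA records for these lookups; keeping it in each record is what lets you group failed lookups by client when deciding whether a run of unknown request IDs is a mis-typed serial, as here, or something probing the request queue.
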
Comment 4 Martin Kosek 2015-01-16 14:27:27 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

This error is not known to be happening with current versions of IdM/FreeIPA in RHEL-7 product. Also note that it was reported against RHEL-6/Dogtag 10, while current IdM/FreeIPA uses Dogtag 10 where the bug is likely to be already fixed.

If you happen to reproduce this bug, please feel free to reopen it.