Bug 999255
Summary: | ipa cert-find --revocation=reason 1 finds certs expired for reason 1 and reason 10 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Michael Gregg <mgregg> |
Component: | pki-core | Assignee: | Matthew Harmsen <mharmsen> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.0 | CC: | alee, mgregg, nkinder, rcritten |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | pki-core-10.0.5-1.el7 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-06-13 12:02:49 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Michael Gregg
2013-08-21 03:32:26 UTC
Can you try the same search using the pki command?

```
% pki cert-find --revocationReason 1
```

This will help narrow down whether the problem is in the way that IPA is calling the CS API or a problem with CS.

It appears that "pki cert-find --revocationReason 1" does find certs expired for reason 1 and reason 10. So, is this expected behavior, or is this a pki bug?

```
[root@ipaqa64vmd ~]# ipa cert-revoke --revocation-reason=1 26
Revoked: True
[root@ipaqa64vmd ~]# ipa cert-revoke --revocation-reason=10 27
Revoked: True
[root@ipaqa64vmd ~]# pki cert-find --revocationReason 1
----------------------
2 certificate(s) found
----------------------
Serial Number: 0x1a
Subject DN: CN=ipaqa64vmd.testrelm.com,O=TESTRELM.COM
Status: REVOKED
Type: X.509 version 3
Key Algorithm: PKCS #1 RSA with 2048-bit key
Not Valid Before: Wed Aug 21 13:59:48 EDT 2013
Not Valid After: Sat Aug 22 13:59:48 EDT 2015
Issued On: Wed Aug 21 13:59:48 EDT 2013
Issued By: ipara

Serial Number: 0x1b
Subject DN: CN=ipaqa64vmd.testrelm.com,O=TESTRELM.COM
Status: REVOKED
Type: X.509 version 3
Key Algorithm: PKCS #1 RSA with 2048-bit key
Not Valid Before: Wed Aug 21 14:00:46 EDT 2013
Not Valid After: Sat Aug 22 14:00:46 EDT 2015
Issued On: Wed Aug 21 14:00:46 EDT 2013
Issued By: ipara
----------------------------
Number of entries returned 2
```

Ok, re-assigning this to the pki team.
Upstream ticket: https://fedorahosted.org/pki/ticket/712

Verified using ipa-server-3.3.3-4, pki-ca-10.0.5-2

Test output from automated run:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-cert-bugzilla-004: LDAP cert-find --revocation-reason=1 find certs for reason 1 and reason 10 bz999255
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 14:10:25 ] :: Ip address is 10.16.98.179
:: [ 14:10:25 ] :: creating new host with IP 10.16.98.180
------------------------------------------
Added host "testhostbz999255.testrelm.com"
------------------------------------------
Host name: testhostbz999255.testrelm.com
Principal name: host/testhostbz999255.testrelm.com
Password: False
Keytab: False
Managed by: testhostbz999255.testrelm.com
:: [ PASS ] :: Creating host to test with this BZ test (Expected 0, got 0)
openssl req -new -config /opt/rhqa_ipa/testhostBZ999255.testrelm.com.cert-req.conf -out /opt/rhqa_ipa/testhostBZ999255.testrelm.com-cert-req.csr
Generating a 2048 bit RSA private key
..........+++
..................+++
writing new private key to 'teste.key'
-----
:: [ PASS ] :: Create a new CSR to work withnhost (Expected 0, got 0)
ipa cert-request --add --principal=INVALIDA/testhostBZ999255.testrelm.com /opt/rhqa_ipa/testhostBZ999255.testrelm.com-cert-req.csr
Certificate:
Subject: CN=testhostBZ999255.testrelm.com,O=TESTRELM.COM
Issuer: CN=Certificate Authority,O=TESTRELM.COM
Not Before: Fri Nov 15 19:10:29 2013 UTC
Not After: Mon Nov 16 19:10:29 2015 UTC
Fingerprint (MD5): 9a:64:89:9f:f9:ab:22:39:b1:39:5d:0a:06:70:d7:62
Fingerprint (SHA1): c2:9f:9a:81:e2:f7:75:32:a7:b1:37:a9:c6:2e:58:d5:c8:0e:d7:c0
Serial number: 62
Serial number (hex): 0x3E
:: [ PASS ] :: Request the csr into IPA (Expected 0, got 0)
ipa cert-request --add --principal=INVALIDB/testhostBZ999255.testrelm.com /opt/rhqa_ipa/testhostBZ999255.testrelm.com-cert-req.csr
Certificate:
Subject: CN=testhostBZ999255.testrelm.com,O=TESTRELM.COM
Issuer: CN=Certificate Authority,O=TESTRELM.COM
Not Before: Fri Nov 15 19:10:31 2013 UTC
Not After: Mon Nov 16 19:10:31 2015 UTC
Fingerprint (MD5): a4:7a:b0:87:50:9d:0e:b5:ea:f0:5e:89:4e:d6:b8:a2
Fingerprint (SHA1): 65:a5:ff:b7:83:38:b6:37:c0:3d:22:e5:1a:ef:e8:23:e3:1e:e1:fd
Serial number: 63
Serial number (hex): 0x3F
:: [ PASS ] :: Request the csr into IPA (Expected 0, got 0)
Revoked: True
:: [ PASS ] :: Revoke cert 62 for reason 1 (Expected 0, got 0)
Revoked: True
:: [ PASS ] :: Revoke cert 63 for reason 10 (Expected 0, got 0)
:: [ PASS ] :: The correct number of revoded certs were returned for reasons 1 and 10.
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.