Description of problem:
Rightly so, to support CA-less installations, ipa-replica-prepare would need to have the pkcs11 PIN supplied for access to the private key, but this should not cause a regression in the command when dogtag is installed as the internal CA. In this case, it should not prompt for the PIN and I do not think the PIN is even known.

Version-Release number of selected component (if applicable):
latest RHEL 7

How reproducible:
always

Steps to Reproduce:
1. run ipa-replica-prepare
2.
3.

Actual results:
Enter realm_info/httpcert.p12 unlock password:

Expected results:
with dogtag install, no prompt for a password that the installer does not know

Additional info:
meant pkcs12
I think an example is in order. Under what circumstances do you get prompted for a PKCS#12 file password?
Jenny, can you please help us with a reproduction of this bug as Rob requested?
Lowering the needinfo? request. I just found an e-mail on our team list with relevant information from Michael Gregg:

We have a replica test that is running a command similar to this:

ipa-replica-prepare -p Secret123 --ip-address=1.2.3.4 ipaqavmc.testrelm.com --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''

This ipa-replica-prepare still seems to work on older builds of IPA, but on newer versions seems to kick back asking the end user for an unknown password.

When I manually run this process, I get the following output:

[root@ipaqavmb tmp]# echo $ADMINPW | gpg --batch --passphrase-fd 0 -d replica-info-ipaqavmc.testrelm.com.gpg | tar xvf -
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
realm_info/
realm_info/configure.jar
realm_info/pwdfile.txt
realm_info/dscert.p12
realm_info/http_pin.txt
realm_info/krb.js
realm_info/ra.p12
realm_info/dogtag_directory_port.txt
realm_info/dirsrv_pin.txt
realm_info/pwdfile.txt.orig
realm_info/kerberosauth.xpi
realm_info/dogtagcert.p12
realm_info/cacert.p12
realm_info/httpcert.p12
realm_info/preferences.html
realm_info/realm_info
realm_info/ca.crt
[root@ipaqavmb tmp]# ipa-replica-prepare -p Secret123 --ip-address=1.2.3.5 ipaqavmc.testrelm.com --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''
Enter realm_info/httpcert.p12 unlock password:
incorrect password for pkcs#12 file realm_info/httpcert.p12

As per Jan Cholasta's answer, this is a regression caused by https://fedorahosted.org/freeipa/ticket/3717. I will clone a ticket to fix this.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3897
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/c6113ab89b010bd60eff4084b8d244dde2563dcf
ipa-2-2: https://fedorahosted.org/freeipa/changeset/3a4a7458c72bb70673520a546ba463ec7fc94bcf
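The reproduction above passes an empty PIN (--http_pin='') and still gets the PKCS#12 unlock prompt. The following is an added, constructed example and not FreeIPA's code; it assumes the regression came from testing the PIN option for truthiness, so that an empty string looked like an omitted option, and contrasts that with a check that only prompts when the option was really not given. The option names and prompt text mirror the bug's reproduction; the argument parser and the resolver functions are hypothetical.

```python
"""Constructed illustration of the empty-PIN prompt regression (not FreeIPA code)."""
import argparse
from typing import Callable, Dict, List, Optional, Tuple

Ask = Callable[[str], str]


def parse_args(argv: List[str]) -> argparse.Namespace:
    """Minimal parser mirroring the options used in the bug's reproduction (hypothetical)."""
    p = argparse.ArgumentParser(prog="ipa-replica-prepare")
    p.add_argument("--dirsrv_pkcs12", default=None)
    p.add_argument("--dirsrv_pin", default=None)   # None means "option not given"
    p.add_argument("--http_pkcs12", default=None)
    p.add_argument("--http_pin", default=None)
    p.add_argument("replica_fqdn")
    return p.parse_args(argv)


def pin_buggy(pin: Optional[str], prompt: str, ask: Ask) -> str:
    # Assumed regression pattern: '' is falsy, so a deliberately empty PIN
    # is treated like a missing one and the user is prompted anyway.
    if not pin:
        return ask(prompt)
    return pin


def pin_fixed(pin: Optional[str], prompt: str, ask: Ask) -> str:
    # Only prompt when the option was really omitted; '' is a valid (empty) PIN.
    if pin is None:
        return ask(prompt)
    return pin


def resolve_pins(argv: List[str], resolver) -> Tuple[Dict[str, str], List[str]]:
    """Return (pins used, prompts shown) for a run; the interactive ask() is stubbed."""
    args = parse_args(argv)
    prompts: List[str] = []

    def fake_ask(prompt: str) -> str:
        prompts.append(prompt)
        return "typed-by-user"

    pins: Dict[str, str] = {}
    for svc in ("dirsrv", "http"):
        p12 = getattr(args, svc + "_pkcs12")
        if p12 is None:
            continue  # no user-supplied PKCS#12 file for this service: nothing to unlock
        pins[svc] = resolver(getattr(args, svc + "_pin"), "Enter %s unlock password: " % p12, fake_ask)
    return pins, prompts


# Constructed argv matching the reproduction; the shell turns --http_pin='' into "--http_pin=".
REPRO_ARGV = ["--dirsrv_pkcs12=realm_info/dscert.p12", "--dirsrv_pin=",
              "--http_pkcs12=realm_info/httpcert.p12", "--http_pin=", "ipaqavmc.testrelm.com"]
```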
Verified using ipa-server-3.3.2-5.el7.x86_64

Steps used below - and there was no prompt to Enter realm_info/httpcert.p12 unlock password:

# gpg --batch --passphrase-fd 0 -d /var/lib/ipa/replica-info-hp-dl380pgen8-02-vm-1.testrelm.com.gpg | tar xvf -
DSSecret123
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
realm_info/
realm_info/dirsrv_pin.txt
realm_info/cacert.p12
realm_info/pwdfile.txt.orig
realm_info/dscert.p12
realm_info/dogtagcert.p12
realm_info/dogtag_directory_port.txt
realm_info/http_pin.txt
realm_info/pwdfile.txt
realm_info/httpcert.p12
realm_info/ra.p12
realm_info/ca.crt
realm_info/preferences.html
realm_info/krb.js
realm_info/kerberosauth.xpi
realm_info/configure.jar
realm_info/realm_info

# ipa-replica-prepare --ip-address=1.2.3.4 hp-dl380pgen8-02-vm-1.testrelm.com -p DSSecret123 --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''
Preparing replica for hp-dl380pgen8-02-vm-1.testrelm.com from qeblade6.testrelm.com
Copying SSL certificate for the Directory Server from realm_info/dscert.p12
Copying SSL certificate for the Web Server from realm_info/httpcert.p12
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-hp-dl380pgen8-02-vm-1.testrelm.com.gpg
Adding DNS records for hp-dl380pgen8-02-vm-1.testrelm.com
Using reverse zone 3.2.1.in-addr.arpa.
The ipa-replica-prepare command was successful
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.