Bug 1002639 - ipa-replica-prepare should not prompt for pkcs12 pin when dogtag is installed as internal CA
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kosek
QA Contact: Namita Soman
Keywords: Regression
Reported: 2013-08-29 12:00 EDT by Jenny Galipeau
Modified: 2014-06-17 20:11 EDT (History)

Fixed In Version: ipa-3.3.2-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 06:25:06 EDT
Type: Bug


Attachments: None
Description Jenny Galipeau 2013-08-29 12:00:57 EDT
Description of problem:
Rightly so, to support CA-less installations, ipa-replica-prepare would need to have the pkcs11 pin supplied for access to the private key, but this should not cause a regression in the command when dogtag is installed as the internal CA. In this case, it should not prompt for the PIN and I do not think the PIN is even known.



Version-Release number of selected component (if applicable):
latest RHEL 7 

How reproducible:
always

Steps to Reproduce:
1. run ipa-replica-prepare

Actual results:
Enter realm_info/httpcert.p12 unlock password:


Expected results:
With a dogtag install, no prompt for a password that the installer does not know.

Additional info:
Comment 1 Jenny Galipeau 2013-08-29 12:02:12 EDT
meant pkcs12
Comment 3 Rob Crittenden 2013-08-30 08:12:21 EDT
I think an example is in order. Under what circumstances do you get prompted for a PKCS#12 file password?
Comment 4 Martin Kosek 2013-09-03 11:14:14 EDT
Jenny, can you please help us with a reproduction of this bug as Rob requested?
Comment 5 Martin Kosek 2013-09-03 11:54:05 EDT
Lowering the needinfo? request. I just found an e-mail on our team list with relevant information from Michael Gregg:

We have a replica test that is running a command similar to this:

ipa-replica-prepare -p Secret123 --ip-address=1.2.3.4 ipaqavmc.testrelm.com --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''

This ipa-replica-prepare still seems to work OK on older builds of IPA, but on newer versions it seems to kick back asking the end user for an unknown password.

When I manually run this process, I get the following output:

[root@ipaqavmb tmp]# echo $ADMINPW | gpg --batch --passphrase-fd 0 -d replica-info-ipaqavmc.testrelm.com.gpg | tar xvf -
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
realm_info/
realm_info/configure.jar
realm_info/pwdfile.txt
realm_info/dscert.p12
realm_info/http_pin.txt
realm_info/krb.js
realm_info/ra.p12
realm_info/dogtag_directory_port.txt
realm_info/dirsrv_pin.txt
realm_info/pwdfile.txt.orig
realm_info/kerberosauth.xpi
realm_info/dogtagcert.p12
realm_info/cacert.p12
realm_info/httpcert.p12
realm_info/preferences.html
realm_info/realm_info
realm_info/ca.crt
[root@ipaqavmb tmp]# ipa-replica-prepare -p Secret123 --ip-address=1.2.3.5 ipaqavmc.testrelm.com --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''
Enter realm_info/httpcert.p12 unlock password:

incorrect password for pkcs#12 file realm_info/httpcert.p12


As per Jan Cholasta's answer, this is a regression caused by https://fedorahosted.org/freeipa/ticket/3717.

I will clone a ticket to fix this.
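The following is an added illustration, not FreeIPA's code or the upstream fix: it models the decision "should ipa-replica-prepare prompt for a PKCS#12 PIN?" using the option names from the command quoted above, contrasting a truthiness check that turns an explicit --http_pin='' into a prompt with the behaviour the report expects (no PKCS#12 handling at all when dogtag is the internal CA; prompt only when the PIN option is genuinely absent). The ca_is_internal flag and the decision logic are assumptions made for the example.

```python
"""Added example (not FreeIPA's code): model of the PKCS#12 PIN prompt
decision behind this report. Option names follow the quoted command;
the decision logic is an assumption about the intended behaviour."""
import argparse
from typing import Optional


def build_parser() -> argparse.ArgumentParser:
    # default=None marks "option not given"; --http_pin='' parses to ''.
    p = argparse.ArgumentParser(prog="ipa-replica-prepare")
    p.add_argument("replica_fqdn")
    p.add_argument("-p", "--password")
    p.add_argument("--ip-address")
    p.add_argument("--dirsrv_pkcs12")
    p.add_argument("--dirsrv_pin", default=None)
    p.add_argument("--http_pkcs12")
    p.add_argument("--http_pin", default=None)
    return p


def prompt_needed_regressed(pkcs12: Optional[str], pin: Optional[str]) -> bool:
    # Regression pattern: a truthiness test, so an explicit '' is treated
    # as "no PIN given" and the installer drops into an interactive prompt.
    return bool(pkcs12) and not pin


def prompt_needed_expected(ca_is_internal: bool,
                           pkcs12: Optional[str], pin: Optional[str]) -> bool:
    # With dogtag as the internal CA the PKCS#12 files are not consulted,
    # so there is nothing to unlock and no prompt (the report's expected
    # result). For a CA-less install, prompt only when a PKCS#12 file was
    # given and the PIN option is absent; '' is a valid, explicit PIN.
    if ca_is_internal:
        return False
    return pkcs12 is not None and pin is None


def decide(argv: list, ca_is_internal: bool) -> dict:
    """Return the regressed and expected decisions for the HTTP PKCS#12."""
    ns = build_parser().parse_args(argv)
    return {
        "regressed": prompt_needed_regressed(ns.http_pkcs12, ns.http_pin),
        "expected": prompt_needed_expected(ca_is_internal,
                                           ns.http_pkcs12, ns.http_pin),
    }
```

Running decide() with the report's argument list and ca_is_internal=True yields regressed=True (a prompt, as observed) and expected=False (no prompt).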
Comment 6 Martin Kosek 2013-09-03 11:56:12 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3897
Comment 9 Namita Soman 2013-11-12 10:36:35 EST
Verified using ipa-server-3.3.2-5.el7.x86_64

Steps used below - and there was no prompt to Enter realm_info/httpcert.p12 unlock password:

# gpg --batch --passphrase-fd 0 -d /var/lib/ipa/replica-info-hp-dl380pgen8-02-vm-1.testrelm.com.gpg | tar xvf -
DSSecret123
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
realm_info/
realm_info/dirsrv_pin.txt
realm_info/cacert.p12
realm_info/pwdfile.txt.orig
realm_info/dscert.p12
realm_info/dogtagcert.p12
realm_info/dogtag_directory_port.txt
realm_info/http_pin.txt
realm_info/pwdfile.txt
realm_info/httpcert.p12
realm_info/ra.p12
realm_info/ca.crt
realm_info/preferences.html
realm_info/krb.js
realm_info/kerberosauth.xpi
realm_info/configure.jar
realm_info/realm_info


# ipa-replica-prepare --ip-address=1.2.3.4  hp-dl380pgen8-02-vm-1.testrelm.com -p DSSecret123 --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''
Preparing replica for hp-dl380pgen8-02-vm-1.testrelm.com from qeblade6.testrelm.com
Copying SSL certificate for the Directory Server from realm_info/dscert.p12
Copying SSL certificate for the Web Server from realm_info/httpcert.p12
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-hp-dl380pgen8-02-vm-1.testrelm.com.gpg
Adding DNS records for hp-dl380pgen8-02-vm-1.testrelm.com
Using reverse zone 3.2.1.in-addr.arpa.
The ipa-replica-prepare command was successful
Comment 10 Ludek Smid 2014-06-13 06:25:06 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
