Red Hat Bugzilla – Bug 1170003
RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert
Last modified: 2015-03-05 05:18:45 EST
Description of problem:
I'm trying to change the CA cert for IPA from externally signed (by MS ADCS) to self-signed. I'm getting "Record not found" errors for the cert request.

[root@rhel7-3 log]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Error resubmitting certmonger request '20141202205804', please check the request manually

[root@rhel7-3 log]# getcert list -i 20141202205804
Number of certificates and requests being tracked: 8.
Request ID '20141202205804':
    status: MONITORING
    ca-error: Server at "http://rhel7-3.example.com:8080/ca/ee/ca/profileSubmit" replied: Record not found
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='321598787049'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=subdom1-ADCS2-CA,DC=subdom1,DC=adroot2,DC=example,DC=com
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2016-11-11 01:22:59 UTC
    key usage: digitalSignature,keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64
certmonger-0.75.14-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
# Note this requires a working MS ADCS server.
1. Install IPA with externally signed CA cert
   # ipa-server-install --setup-dns --forwarder=192.168.122.1 -r $(hostname -d |tr [:lower:] [:upper:]) -a Secret123 -p Secret123 -U --external-ca
   # copy ipa.csr to ADCS server and sign and copy back
   # also copy ADCS CA cert chain back as DER p7b file.
   # openssl pkcs7 -print_certs -in /root/adcs2.p7b -inform DER -out /root/adcs2.pem
   # ipa-server-install --setup-dns --forwarder=192.168.122.1 -r $(hostname -d |tr [:lower:] [:upper:]) -a Secret123 -p Secret123 -U --external-cert-file=/root/ipa.cer --external-cert-file=/root/adcs2.pem
2. Renew CA and change chaining from external to self-signed.
   ipa-cacert-manage renew --self-signed
3. Update client side:
   ipa-certupdate

Actual results:
failure listed above

Expected results:
No failure and CA cert changed from externally signed to self-signed.

Additional info:
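The report's "Actual results" is a certmonger request left in MONITORING with a ca-error, and its "Expected results" is a CA certificate whose issuer is no longer the ADCS CA. The following is an added example (not code from the bug report, FreeIPA or certmonger) of a small checker a practitioner can run over the output of `getcert list` before and after `ipa-cacert-manage renew --self-signed`: it parses the tracking entries, classifies each CA signing certificate as self-signed or externally chained by comparing issuer and subject DNs, and flags entries that carry a ca-error or are stuck. The embedded getcert output is a constructed sample modelled on the report's; the second request ID and its expiry date are invented for the example.

```python
"""Classify certmonger-tracked CA certs from `getcert list` output.

Added example, not FreeIPA or certmonger code: reports whether each tracked
CA signing certificate is self-signed or chained to an external issuer and
flags requests that need attention (ca-error, stuck, unexpected status).
"""
import re
from typing import Dict, List

# Constructed sample modelled on the getcert output quoted in the bug report.
# Request 20141202205804 is the externally chained CA cert with the
# "Record not found" ca-error; request 20150101000000 (ID and expiry invented)
# shows the same entry once the CA cert is self-signed (issuer == subject).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20141202205804':
    status: MONITORING
    ca-error: Server at "http://rhel7-3.example.com:8080/ca/ee/ca/profileSubmit" replied: Record not found
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=subdom1-ADCS2-CA,DC=subdom1,DC=adroot2,DC=example,DC=com
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2016-11-11 01:22:59 UTC
    key usage: digitalSignature,keyCertSign,cRLSign
    pre-save command:
    track: yes
    auto-renew: yes
Request ID '20150101000000':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: cn=Certificate Authority, o=EXAMPLE.COM
    expires: 2034-12-12 19:21:31 UTC
    key usage: digitalSignature,keyCertSign,cRLSign
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Turn getcert's indented 'key: value' blocks into one dict per request."""
    requests: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        # Skip the header line and fields with no value (e.g. "pre-save command:").
        if not current or ": " not in line:
            continue
        key, _, value = line.partition(": ")
        current[key] = value.strip()
    return requests


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN: attribute types are case-insensitive and whitespace
    around separators is not significant. Escaped commas are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(rdns)


def is_self_signed(request: Dict[str, str]) -> bool:
    """A CA cert is self-signed when its issuer DN equals its subject DN."""
    issuer, subject = request.get("issuer"), request.get("subject")
    return bool(issuer and subject and normalize_dn(issuer) == normalize_dn(subject))


def find_problems(requests: List[Dict[str, str]]) -> List[str]:
    """Flag a ca-error, a stuck request, or a status other than MONITORING."""
    problems = []
    for req in requests:
        rid = req["request_id"]
        if "ca-error" in req:
            problems.append(f"{rid}: ca-error: {req['ca-error']}")
        if req.get("stuck", "no") != "no":
            problems.append(f"{rid}: request is stuck")
        if req.get("status") != "MONITORING":
            problems.append(f"{rid}: status is {req.get('status', 'unknown')}")
    return problems


def report(text: str) -> Dict[str, str]:
    """Map request ID -> 'self-signed' or 'externally chained'."""
    return {r["request_id"]: ("self-signed" if is_self_signed(r) else "externally chained")
            for r in parse_getcert_list(text)}


if __name__ == "__main__":
    # On a live server, feed in the output of `getcert list` instead of the sample.
    for rid, how in report(SAMPLE_GETCERT_OUTPUT).items():
        print(f"{rid}: {how}")
    for problem in find_problems(parse_getcert_list(SAMPLE_GETCERT_OUTPUT)):
        print("ATTENTION:", problem)
```

Run against real output with `getcert list | python3 checker.py` after adapting the `__main__` block to read stdin; the DN comparison is deliberately normalised rather than a plain string equality so that case or spacing differences between how the issuer and subject are printed do not produce a false "externally chained" verdict after a successful renewal.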
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4784
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1f6fff2b5aea7f92e3321870ea59661b127ab50a ipa-4-1: https://fedorahosted.org/freeipa/changeset/7f1db9303e14fc7b3f505cf63d21544197ea6047
Verified.

Version :: ipa-server-4.1.0-12.el7.x86_64

Results ::

Reproducing the issue first:

[root@rhel7-3 ~]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Error resubmitting certmonger request '20141212192131', please check the request manually

Then update to fixed version ::

[root@rhel7-3 ~]# yum update ipa-server
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
beaker-client                                    | 1.5 kB  00:00:00
beaker-rhel-7.1-beta-optional                    | 3.8 kB  00:00:00
beaker-rhel-7.1-beta-server                      | 4.1 kB  00:00:00
spoore-r7                                        | 1.3 kB  00:00:00
spoore-r7/primary                                | 6.4 kB  00:00:01
spoore-r7                                                         10/10
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:4.1.0-10.el7 will be updated
---> Package ipa-server.x86_64 0:4.1.0-12.el7 will be an update
--> Processing Dependency: ipa-python = 4.1.0-12.el7 for package: ipa-server-4.1.0-12.el7.x86_64
--> Processing Dependency: ipa-client = 4.1.0-12.el7 for package: ipa-server-4.1.0-12.el7.x86_64
--> Processing Dependency: ipa-admintools = 4.1.0-12.el7 for package: ipa-server-4.1.0-12.el7.x86_64
--> Running transaction check
---> Package ipa-admintools.x86_64 0:4.1.0-10.el7 will be updated
---> Package ipa-admintools.x86_64 0:4.1.0-12.el7 will be an update
---> Package ipa-client.x86_64 0:4.1.0-10.el7 will be updated
---> Package ipa-client.x86_64 0:4.1.0-12.el7 will be an update
---> Package ipa-python.x86_64 0:4.1.0-10.el7 will be updated
---> Package ipa-python.x86_64 0:4.1.0-12.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch       Version           Repository      Size
================================================================================
Updating:
 ipa-server         x86_64     4.1.0-12.el7      spoore-r7       1.1 M
Updating for dependencies:
 ipa-admintools     x86_64     4.1.0-12.el7      spoore-r7        60 k
 ipa-client         x86_64     4.1.0-12.el7      spoore-r7       191 k
 ipa-python         x86_64     4.1.0-12.el7      spoore-r7       1.1 M

Transaction Summary
================================================================================
Upgrade  1 Package (+3 Dependent packages)

Total download size: 2.4 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/4): ipa-client-4.1.0-12.el7.x86_64.rpm        | 191 kB  00:00:03
(2/4): ipa-admintools-4.1.0-12.el7.x86_64.rpm    |  60 kB  00:00:05
(3/4): ipa-python-4.1.0-12.el7.x86_64.rpm        | 1.1 MB  00:00:24
(4/4): ipa-server-4.1.0-12.el7.x86_64.rpm        | 1.1 MB  00:00:25
--------------------------------------------------------------------------------
Total                                     82 kB/s | 2.4 MB  00:00:30
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : ipa-python-4.1.0-12.el7.x86_64                     1/8
  Updating   : ipa-client-4.1.0-12.el7.x86_64                     2/8
Could not load host key: /etc/ssh/ssh_host_dsa_key
  Updating   : ipa-admintools-4.1.0-12.el7.x86_64                 3/8
  Updating   : ipa-server-4.1.0-12.el7.x86_64                     4/8
  Cleanup    : ipa-server-4.1.0-10.el7.x86_64                     5/8
  Cleanup    : ipa-admintools-4.1.0-10.el7.x86_64                 6/8
  Cleanup    : ipa-client-4.1.0-10.el7.x86_64                     7/8
  Cleanup    : ipa-python-4.1.0-10.el7.x86_64                     8/8
beaker-rhel-7.1-beta-server/productid            | 1.6 kB  00:00:00
  Verifying  : ipa-server-4.1.0-12.el7.x86_64                     1/8
  Verifying  : ipa-python-4.1.0-12.el7.x86_64                     2/8
  Verifying  : ipa-client-4.1.0-12.el7.x86_64                     3/8
  Verifying  : ipa-admintools-4.1.0-12.el7.x86_64                 4/8
  Verifying  : ipa-admintools-4.1.0-10.el7.x86_64                 5/8
  Verifying  : ipa-server-4.1.0-10.el7.x86_64                     6/8
  Verifying  : ipa-python-4.1.0-10.el7.x86_64                     7/8
  Verifying  : ipa-client-4.1.0-10.el7.x86_64                     8/8

Updated:
  ipa-server.x86_64 0:4.1.0-12.el7

Dependency Updated:
  ipa-admintools.x86_64 0:4.1.0-12.el7
  ipa-client.x86_64 0:4.1.0-12.el7
  ipa-python.x86_64 0:4.1.0-12.el7

Complete!

And see it work the second time:

[root@rhel7-3 ~]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html