Bug 1170003 - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert

Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Importance: medium unspecified
Target Milestone: rc
Assignee: Jan Cholasta
QA Contact: Namita Soman
Blocks: 1168850
Reported: 2014-12-03 00:35 UTC by Scott Poore
Modified: 2015-03-05 10:18 UTC
Fixed In Version: ipa-4.1.0-11.el7
Doc Type: Bug Fix
Doc Text:
The following known issue description has been removed from the RHEL 7.1 Beta Release Notes: The ipa-cacert-manage tool always requests renewal of Certification Authority (CA) certificates previously issued by the IPA CA. CA certificates issued by an external CA cause the request to fail. As a consequence, if IPA CA was initially installed as a subordinate of an external CA, it is not possible to change the IPA CA certificate to self-signed using ipa-cacert-manage. There is no known workaround at the moment.
Last Closed: 2015-03-05 10:18:45 UTC

Links:
Red Hat Product Errata RHSA-2015:0442 (priority normal, status SHIPPED_LIVE): Moderate: ipa security, bug fix, and enhancement update; last updated 2015-03-05 14:50:39 UTC

Description Scott Poore 2014-12-03 00:35:54 UTC
Description of problem:

I'm trying to change the CA cert for IPA from externally signed (by MS ADCS) to self-signed.  I'm getting "Record not found" errors for the cert request.

[root@rhel7-3 log]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Error resubmitting certmonger request '20141202205804', please check the request manually


[root@rhel7-3 log]# getcert list -i 20141202205804
Number of certificates and requests being tracked: 8.
Request ID '20141202205804':
	status: MONITORING
	ca-error: Server at "http://rhel7-3.example.com:8080/ca/ee/ca/profileSubmit" replied: Record not found
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='321598787049'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=subdom1-ADCS2-CA,DC=subdom1,DC=adroot2,DC=example,DC=com
	subject: CN=Certificate Authority,O=EXAMPLE.COM
	expires: 2016-11-11 01:22:59 UTC
	key usage: digitalSignature,keyCertSign,cRLSign
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64
certmonger-0.75.14-2.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
# Note this requires a working MS ADCS server.

1.  Install IPA with externally signed CA cert

# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r $(hostname -d |tr [:lower:] [:upper:]) -a Secret123 -p Secret123 -U --external-ca

# copy ipa.csr to ADCS server and sign and copy back

# also copy ADCS CA cert chain back as DER p7b file.

# openssl pkcs7 -print_certs -in /root/adcs2.p7b -inform DER -out /root/adcs2.pem

# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r $(hostname -d |tr [:lower:] [:upper:]) -a Secret123 -p Secret123 -U --external-cert-file=/root/ipa.cer --external-cert-file=/root/adcs2.pem 

2.  Renew CA and change chaining from external to self-signed.

ipa-cacert-manage renew --self-signed

3.  Update client side:

ipa-certupdate

Actual results:
failure listed above

Expected results:
No failure and CA cert changed from externally signed to self-signed.

Additional info:

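As an added example, not code from the bug report or from the ipa/certmonger tooling, here is a small Python checker that parses `getcert list` output and reports whether the tracked CA signing certificate is still chained to an external issuer and whether certmonger has recorded a CA error such as the "Record not found" reply above. The two sample outputs are constructed from the request shown in this report; the nickname and field names are those certmonger prints.

```python
import re

# Constructed samples modelled on the bug report's getcert output: the failing state
# (external issuer, ca-error set) and the expected state after a successful renewal.
BEFORE_OUTPUT = """\
Request ID '20141202205804':
\tstatus: MONITORING
\tca-error: Server at "http://rhel7-3.example.com:8080/ca/ee/ca/profileSubmit" replied: Record not found
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tissuer: CN=subdom1-ADCS2-CA,DC=subdom1,DC=adroot2,DC=example,DC=com
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
"""
AFTER_OUTPUT = """\
Request ID '20141202205804':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
"""
CA_SIGNING_NICKNAME = "caSigningCert cert-pki-ca"

def parse_getcert_list(text):
    """Return {request_id: {field: value}} parsed from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = requests.setdefault(match.group(1), {})
        elif current is not None and line.startswith("\t"):
            # Split on the first ': ' only; ca-error values contain further colons.
            key, _, value = line.strip("\t").partition(": ")
            current[key] = value.strip()
    return requests

def assess_ca_signing_cert(text):
    """Find the CA signing cert request and report its chaining and error state."""
    for request_id, fields in parse_getcert_list(text).items():
        if f"nickname='{CA_SIGNING_NICKNAME}'" not in fields.get("key pair storage", ""):
            continue
        issuer, subject = fields.get("issuer"), fields.get("subject")
        return {
            "request_id": request_id,
            "status": fields.get("status"),
            # A self-signed CA certificate carries identical issuer and subject names.
            "self_signed": issuer is not None and issuer == subject,
            # certmonger keeps the last CA reply failure here, e.g. "Record not found".
            "ca_error": fields.get("ca-error"),
        }
    return None
```

Run it against the live output of `getcert list` before and after `ipa-cacert-manage renew --self-signed`; a renewal has only done what the tool claims when `self_signed` flips to True and `ca_error` is empty.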
Comment 2 Jan Cholasta 2014-12-03 05:41:16 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4784

Comment 7 Scott Poore 2014-12-12 20:00:46 UTC
Verified.

Version ::

ipa-server-4.1.0-12.el7.x86_64

Results ::

Reproducing the issue first:

[root@rhel7-3 ~]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Error resubmitting certmonger request '20141212192131', please check the request manually

Then update to fixed version ::

[root@rhel7-3 ~]# yum update ipa-server
[yum transaction output updating ipa-server, ipa-admintools, ipa-client and ipa-python from 4.1.0-10.el7 to 4.1.0-12.el7 omitted]

And see it work the second time:


[root@rhel7-3 ~]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

Comment 9 errata-xmlrpc 2015-03-05 10:18:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

