RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1251561 - ipa vault-add Unknown option: ipavaultpublickey
Summary: ipa vault-add Unknown option: ipavaultpublickey
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
: 1253455 1253498 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-08-07 17:27 UTC by Scott Poore
Modified: 2015-11-19 12:05 UTC (History)
5 users (show)

Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 12:05:09 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2362 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2015-11-19 10:40:46 UTC

Description Scott Poore 2015-08-07 17:27:39 UTC 
Description of problem:

Trying to add a vault with --public-key returns an error:

[root@master ~]# I=$(( I += 1 )) ; ipa vault-add myvault$I --public-key="$PUBKEYBLOB"
ipa: ERROR: Unknown option: ipavaultpublickey


Version-Release number of selected component (if applicable):
ipa-server-4.2.0-3.el7.x86_64

How reproducible:
always


Steps to Reproduce:
1.  Install IPA Server
ipa-server-install

2.  Install KRA 
ipa-kra-install

3. Add vault with private key blob (not key file):
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -out public.pem -pubout
PUBKEYBLOB=$(cat public.pem |grep -v '^-----'|tr -d '\n\r')
ipa vault-add myvault --public-key="$PUBKEYBLOB"


Actual results:
ipa: ERROR: Unknown option: ipavaultpublickey

Expected results:
add vault with key blob

Additional info:
Comment 2 Petr Vobornik 2015-08-10 21:14:57 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5195
Comment 3 Tomas Babej 2015-08-12 14:31:33 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/7d7ffb62526595433412633c05af5af7909124c8
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/dc0d4f73200065c209eb007a3be3ebd3d3b6dd64
Comment 5 Scott Poore 2015-08-13 16:43:05 UTC 
FYI, I'm also seeing this:

[root@master ~]# ipa vault-add vname --type asymmetric --public-key="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm2Ld6QaroYiTZtclece+iLzjDQh/D01CFWfJK1c3A8gftC+OVyDk1Rrffm3xkj4OOxWCfKgBr3KLX5OXbxaTJ8yBeX/5L/Euky3evbhbD5yETOyepfIEi8AIesQfmaUwfEwQlzBoDJcthLHPRhc5pFNJAq9rSVI2x2k3oORIC+3kvqm4NKaq8tvIjeuMDeHryJlG9o02CQOMUNnpzkr5uUskiId91r7ra+lxzXHthLM32IgUkXwWs1grrA0nVFkFPIJ8655JlKYTW11NfHeUrV9ITvxYI9DcYAF/ZcWvSF8TUisu0oOoxjXRIP4L3slEGSC37nNs0Swb/xl1zVgOrwIDAQAB"
ipa: ERROR: non-public: UnicodeDecodeError: 'utf8' codec can't decode byte 0x82 in position 1: invalid start byte
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 129, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1109, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 674, in forward
    self.api.Command.vault_archive(*args, **opts)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1109, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 999, in forward
    public_key = vault['ipavaultpublickey'][0].encode('utf-8')
UnicodeDecodeError: 'utf8' codec can't decode byte 0x82 in position 1: invalid start byte
ipa: ERROR: an internal error has occurred


From /var/log/httpd/error_log:

[Thu Aug 13 11:40:43.336940 2015] [:error] [pid 16042] ipa: INFO: [jsonserver_session] admin: vault_add_internal(u'vname', ipavaulttype=u'asymmetric', ipavaultpublickey='0\\x82\\x01"0\\r\\x06\\t*\\x86H\\x86\\xf7\\r\\x01\\x01\\x01\\x05\\x00\\x03\\x82\\x01\\x0f\\x000\\x82\\x01\\n\\x02\\x82\\x01\\x01\\x00\\x9bb\\xdd\\xe9\\x06\\xab\\xa1\\x88\\x93f\\xd7%y\\xc7\\xbe\\x88\\xbc\\xe3\\r\\x08\\x7f\\x0fMB\\x15g\\xc9+W7\\x03\\xc8\\x1f\\xb4/\\x8eW \\xe4\\xd5\\x1a\\xdf~m\\xf1\\x92>\\x0e;\\x15\\x82|\\xa8\\x01\\xafr\\x8b_\\x93\\x97o\\x16\\x93\\'\\xcc\\x81y\\x7f\\xf9/\\xf1.\\x93-\\xde\\xbd\\xb8[\\x0f\\x9c\\x84L\\xec\\x9e\\xa5\\xf2\\x04\\x8b\\xc0\\x08z\\xc4\\x1f\\x99\\xa50|L\\x10\\x970h\\x0c\\x97-\\x84\\xb1\\xcfF\\x179\\xa4SI\\x02\\xafkIR6\\xc7i7\\xa0\\xe4H\\x0b\\xed\\xe4\\xbe\\xa9\\xb84\\xa6\\xaa\\xf2\\xdb\\xc8\\x8d\\xeb\\x8c\\r\\xe1\\xeb\\xc8\\x99F\\xf6\\x8d6\\t\\x03\\x8cP\\xd9\\xe9\\xceJ\\xf9\\xb9K$\\x88\\x87}\\xd6\\xbe\\xebk\\xe9q\\xcdq\\xed\\x84\\xb37\\xd8\\x88\\x14\\x91|\\x16\\xb3X+\\xac\\r\\'TY\\x05<\\x82|\\xeb\\x9eI\\x94\\xa6\\x13[]M|w\\x94\\xad_HN\\xfcX#\\xd0\\xdc`\\x01\\x7fe\\xc5\\xafH_\\x13R+.\\xd2\\x83\\xa8\\xc65\\xd1 \\xfe\\x0b\\xde\\xc9D\\x19 \\xb7\\xeesl\\xd1,\\x1b\\xff\\x19u\\xcdX\\x0e\\xaf\\x02\\x03\\x01\\x00\\x01', shared=False, all=False, raw=False, version=u'2.148', no_members=False): SUCCESS


And this is the version of IPA:

ipa-server-4.2.0-4.el7.x86_64
Comment 6 Scott Poore 2015-08-13 21:06:29 UTC 
FYI:

[root@master ~]# ipa vault-add --type=symmetric vname_symmetric --public-key="$(cat public.pem |grep -v -- "----"|tr -d '[\n\r]')"
New password: 
Verify password: 
ipa: ERROR: Unknown option: ipavaultpublickey
Comment 7 Petr Vobornik 2015-08-14 08:01:01 UTC 
The issue in comment 5 is bug 1251561. 

Comment 6 will be also fixed with patch in comment 3.
Comment 8 Petr Vobornik 2015-08-14 08:03:32 UTC 
Sorry, in comment 7 I meant bug 1245225
Comment 9 Petr Vobornik 2015-08-14 08:07:21 UTC 
*** Bug 1253498 has been marked as a duplicate of this bug. ***
Comment 10 Petr Vobornik 2015-08-14 08:14:41 UTC 
Note that the fix validates that:
- options password and password-file can be used only with symmetric vault
- options public-key and public-key-file can be used only with asymmetric vault

I.e. the the "unknown option" error appeared because the usage was not correct. Therefore expected result from comment one is:

"validation error is displayed".
Comment 12 Scott Poore 2015-08-20 22:36:13 UTC 
Verified

Version :;

ipa-server-4.2.0-5.el7.x86_64

Results ::

[root@rhel7-8 yum.repos.d]# ipa-kra-install
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/7]: configuring KRA instance
  [2/7]: add RA user to KRA agent group
  [3/7]: restarting KRA
  [4/7]: configure certmonger for renewals
  [5/7]: configure certificate renewals
  [6/7]: configure HTTP to proxy connections
  [7/7]: add vault container
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful
[root@rhel7-8 yum.repos.d]# openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
...........+++
................................+++
e is 65537 (0x10001)
[root@rhel7-8 yum.repos.d]# openssl rsa -in private.pem -out public.pem -pubout
writing RSA key
[root@rhel7-8 yum.repos.d]# PUBKEYBLOB=$(cat public.pem |base64)
[root@rhel7-8 yum.repos.d]# ipa vault-add myvault --type=asymmetric --public-key="$PUBKEYBLOB"
---------------------
Added vault "myvault"
---------------------
  Vault name: myvault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFyUmx6ZHpMdTFpeEUzQ2dGUGFnYQpnUGxZby9Vc3c0OE1ZbCtwR2hNTm9OOWUrRE4yTFVhd2NMY294R283NmU2TVYxc3ZFWStydDZpck84ZWFVTXpwCmdzNHpqd1RkdFBkTEZxaHR4Wm1wTjVrRDBqWnpNTlVpQVdMV1UwSE5FendvK2lEczI1NHgvUGlxd3J5ZlhGNVIKbEZIQ3MvNHB3eHNXUzNNU0h2emU0T050bDl5eU1vWS83VzNvZnZwNmtVUloxSzk5MzZobFprci8yZ090WVdiZwpJbm4vZ2tXQVRJNXliVnovRVk5dFBEaFFURThXMkpxZHB6TkVmOFpUeExVM3N4NjJKeHM5YWVpdUp6OGh5Q25oCm9meWEzdmhZVGQ1ZCtkRlM5UGxvcmdSZzNqcVRLRUl1Z29GSTZYeXN5a2NuVGRubHVqeEh3d01nd3VsWVVreFgKOVFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner users: admin
  Vault user: admin

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --public-key="$PUBKEYBLOB"
ipa: ERROR: Public key can be specified only for asymmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --type=symmetric --public-key="$PUBKEYBLOB"
ipa: ERROR: Public key can be specified only for asymmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --type=standard --public-key="$PUBKEYBLOB"
ipa: ERROR: Public key can be specified only for asymmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --type=asymmetric --password="test"
ipa: ERROR: Password can be specified only for symmetric vault

[root@rhel7-8 yum.repos.d]# echo test > /tmp/password_file

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --type=asymmetric --password-file=/tmp/password_file 
ipa: ERROR: Password can be specified only for symmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --password-file=/tmp/password_file ipa: ERROR: Password can be specified only for symmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add myvault1 --password=passworde 
ipa: ERROR: Password can be specified only for symmetric vault

[root@rhel7-8 yum.repos.d]# ipa vault-add vname --type asymmetric --public-key="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArRlzdzLu1ixE3CgFPagagPlYo/Usw48MYl+pGhMNoN9e+DN2LUawcLcoxGo76e6MV1svEY+rt6irO8eaUMzpgs4zjwTdtPdLFqhtxZmpN5kD0jZzMNUiAWLWU0HNEzwo+iDs254x/PiqwryfXF5RlFHCs/4pwxsWS3MSHvze4ONtl9yyMoY/7W3ofvp6kURZ1K9936hlZkr/2gOtYWbgInn/gkWATI5ybVz/EY9tPDhQTE8W2JqdpzNEf8ZTxLU3sx62Jxs9aeiuJz8hyCnhofya3vhYTd5d+dFS9PlorgRg3jqTKEIugoFI6XysykcnTdnlujxHwwMgwulYUkxX9QIDAQAB"
ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data.
Comment 13 Petr Vobornik 2015-09-01 14:06:04 UTC 
*** Bug 1253455 has been marked as a duplicate of this bug. ***
Comment 14 errata-xmlrpc 2015-11-19 12:05:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
Note You need to log in before you can comment on or make changes to this bug.