Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1257074

Summary: The KRA agent cert is stored in a PEM file that is not tracked
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: jcholast, ksiddiqu, mkosek, pvoborni, rcritten, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-9.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 12:06:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2015-08-26 08:42:58 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5253

The framework needs to use the KRA Agent cert by using a copy stored in a PEM file.
This copy is not trakced by certmonger so once expired the framework's KRA commands will break.

The KRa agent should be stored only in one file and tracked by certmonger.
Comment 2 Jan Cholasta 2015-08-27 13:54:13 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/43ee695195c2024c2875663f7bc1d9c3c291865d
https://fedorahosted.org/freeipa/changeset/e9a76c3d126367f72e353919ecbff45bed3abaaf
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/a3310c3b512c7812b6f658c5bff828d3c8329e48
https://fedorahosted.org/freeipa/changeset/cea66362621f6ab6219a689c2da4025c37f496bb
Comment 3 Scott Poore 2015-09-04 00:02:08 UTC 
Should this one be ON_QA already?  

Looks like certmonger is tracking these:

[root@master pki]# getcert list|grep KRA
	subject: CN=KRA Audit,O=TESTRELM.TEST
	subject: CN=KRA Transport Certificate,O=TESTRELM.TEST
	subject: CN=KRA Storage Certificate,O=TESTRELM.TEST


This is all that is needed to cover this right?
Comment 4 Jan Cholasta 2015-09-07 05:58:12 UTC 
No, the fix makes /etc/httpd/alias/kra-agent.pem to be updated after ipaCert in /etc/httpd/alias is renewed.
Comment 6 Scott Poore 2015-09-10 01:35:26 UTC 
Honza,

How do I test this?

Is cycling the time forward the only way?

Thanks,
Scott
Comment 7 Jan Cholasta 2015-09-10 05:24:01 UTC 
1. manually request renewal of the CA/KRA agent cert by running "getcert resubmit -d /etc/httpd/alias -n ipaCert"

2. wait until certmonger is done with the renewal (the certmonger requst must be in MONITORING state, you can check it by running "getcert list -d /etc/httpd/alias -n ipaCert")

3.1. check that the certificate in /etc/httpd/alias/kra-agent.pem is the same as the certificate returned by "certutil -d /etc/httpd/alias -L -n ipaCert -a"

3.2. check that vault_archive/vault_retrieve IPA commands still work after the renewal
Comment 8 Scott Poore 2015-09-15 16:11:11 UTC 
Verified.

Version ::

ipa-server-4.2.0-9.el7.x86_64

Results ::

[root@master ~]# getcert list -d /etc/httpd/alias/ -n ipaCert
Number of certificates and requests being tracked: 11.
Request ID '20150910212808':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2017-08-30 21:28:02 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes

[root@master ~]# getcert resubmit -d /etc/httpd/alias -n ipaCert
Resubmitting "20150910212808" to "dogtag-ipa-ca-renew-agent".

[root@master ~]# sleep 120; (getcert list -d /etc/httpd/alias -n ipaCert | egrep "status|expires")
	status: MONITORING
	expires: 2017-09-04 15:52:38 UTC

[root@master ~]# certutil -d /etc/httpd/alias -L -n ipaCert -a | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' | tr -d '\r' > /tmp/ipaCert.crt

[root@master ~]# sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' /etc/httpd/alias/kra-agent.pem > /tmp/kra1.crt

[root@master ~]# diff /tmp/ipaCert.crt /tmp/kra1.crt

[root@master ~]#
Comment 9 Scott Poore 2015-09-15 16:27:29 UTC 
Forgot to cover vault-archive/retrieve functionality:

[root@master ~]# kinit admin
Password for admin: 
[root@master ~]# ipa vault-add vrenewed --password=1234
----------------------
Added vault "vrenewed"
----------------------
  Vault name: vrenewed
  Type: symmetric
  Salt: OV1hHWAOUPJggZneEuqfkg==
  Owner users: admin
  Vault user: admin
[root@master ~]# ipa vault-archive vrenewed --password=1234 --data=$(echo Secret123|base64)
-----------------------------------
Archived data into vault "vrenewed"
-----------------------------------
[root@master ~]# ipa vault-retrieve vrenewed --password=1234 --out=/tmp/vrenewed.out
------------------------------------
Retrieved data from vault "vrenewed"
------------------------------------
[root@master ~]# cat /tmp/vrenewed.out
Secret123
[root@master ~]#
Comment 10 errata-xmlrpc 2015-11-19 12:06:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html