Bug 1269089 - Certificate of managed-by host/service fails to resubmit
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
7.1
x86_64 Linux
unspecified Severity unspecified
Assigned To: IPA Maintainers
Namita Soman
Depends On:
Blocks:
Reported: 2015-10-06 05:48 EDT by Jan Orel
Modified: 2016-12-22 03:26 EST (History)

See Also:
Fixed In Version: ipa-4.4.0-0.el7.1.alpha1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1408120
Environment:
Last Closed: 2016-11-04 01:38:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch: Remove hostname == CN check in cert_show (698 bytes, patch)
2015-10-08 10:08 EDT, Jan Orel
Description Jan Orel 2015-10-06 05:48:23 EDT
Description of problem:
When trying to resubmit (or letting certmonger resubmit before expiry) the certificate of a host/service which is managed by the local host, it fails with an ACI error.


Version-Release number of selected component (if applicable):
ipa-server-4.1.0


How reproducible:
Always


Steps to Reproduce:
1. ipa-server-install -r test.com -n novalocal -p passwd123 -a passwd123 --ip-address=172.30.41.25 --ssh-trust-dns --hostname testsrv.novalocal --setup-dns --no-host-dns --no-forwarders
2. kinit admin
3. ipa host-add testhost --force
4. ipa host-add-managedby testhost.novalocal --host=testsrv.novalocal
5. ipa-getcert request -k /etc/ssl/certs/testhost.novalocal.key -f /etc/ssl/certs/testhost.novalocal.cert -N testhost.novalocal -K host/testhost.novalocal
6. ipa-getcert list
   ...
   Request ID '20151005150737':
   ... 
   status MONITORING ...
7. ipa-getcert resubmit -i 20151005150737
8. ipa-getcert list -i 20151005150737


Actual results:
Request ID '20151005150737':
	status: MONITORING
	ca-error: Server at https://testsrv.novalocal/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this command)

Expected results:
no ca-error

Additional info:
When I remove the userCertificate attribute from the mentioned host (this also works when kinited to the identity of host/testsrv.novalocal), the next ipa-getcert resubmit works well.
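The failure reproduced above surfaces only as a `ca-error` line in `getcert list` while the status stays MONITORING, so it is easy to miss until the certificate lapses. As an added example (not part of this bug report or of FreeIPA's code), the following Python parser reads `getcert list` output and flags requests whose last CA submission was denied or that are close to expiry; the sample output is constructed to mirror the format quoted in this report.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout printed by `getcert list` / `ipa-getcert list`.
# Request and CA values are made up; the ca-error text mirrors this report.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20151005150737':
\tstatus: MONITORING
\tca-error: Server at https://testsrv.novalocal/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this command)
\tstuck: no
\tsubject: CN=testhost.novalocal,O=NOVALOCAL
\texpires: 2018-09-21 11:53:08 UTC
\tprincipal name: host/testhost.novalocal@NOVALOCAL
\tauto-renew: yes
Request ID '20160920115306':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=master.test-relm.test,O=TEST-RELM.TEST
\texpires: 2018-09-21 11:56:25 UTC
\tauto-renew: yes
"""

def parse_utc(s):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' timestamps getcert prints."""
    naive = datetime.strptime(s.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from getcert list output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def failing_renewals(text, now=None, warn_days=30):
    """Map request IDs to reasons: CA denied the last submission, or expiry is near."""
    now = now or datetime.now(timezone.utc)
    flagged = {}
    for rid, fields in parse_getcert_list(text).items():
        reasons = []
        if "ca-error" in fields:  # certmonger will keep retrying, but each attempt fails
            reasons.append("ca-error: " + fields["ca-error"][:60])
        if "expires" in fields:
            days_left = (parse_utc(fields["expires"]) - now).days
            if days_left < warn_days:
                reasons.append(f"expires in {days_left} days")
        if reasons:
            flagged[rid] = reasons
    return flagged
```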
Comment 2 Jan Orel 2015-10-08 10:08 EDT
Created attachment 1081017 [details]
Patch: Remove hostname == CN check in cert_show

Removing a check which does not work well in the case that a host is resubmitting
the certificate of a different host/service that it can manage.
Comment 3 Petr Vobornik 2015-10-13 06:18:48 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5363
Comment 4 Petr Vobornik 2015-10-14 08:36:37 EDT
Please note that if this issue is fixed upstream it will most likely be a part of IdM in RHEL 7.3. Please open a support case if you want it backported to RHEL 7.1 or 7.2.
Comment 5 Petr Vobornik 2016-05-06 10:58:38 EDT
According to https://fedorahosted.org/freeipa/ticket/5363#comment:4 it was fixed in 4.2 scope.
Comment 9 Sudhir Menon 2016-09-20 08:00:25 EDT
Verified on RHEL73 using 
ipa-server-4.4.0-12.el7.x86_64
389-ds-base-1.3.5.10-11.el7.x86_64
certmonger-0.78.4-3.el7.x86_64

[root@master sssd]# mkdir -p /tmp/testhost
[root@master sssd]# chcon -t cert_t /tmp/testhost/
 
[root@master sssd]# ipa-getcert request -k /tmp/testhost/testhost.key -f /tmp/testhost/testhost.cert -N testhost.test-relm.test -K host/testhost.test-relm.test@TEST-RELM.TEST
New signing request "20160920115306" added.
 
[root@master sssd]# ipa-getcert list -i 20160920115306
Number of certificates and requests being tracked: 9.
Request ID '20160920115306':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/tmp/testhost/testhost.key'
certificate: type=FILE,location='/tmp/testhost/testhost.cert'
CA: IPA
issuer: CN=Certificate Authority,O=TEST-RELM.TEST
subject: CN=testhost.test-relm.test,O=TEST-RELM.TEST
expires: 2018-09-21 11:53:08 UTC
principal name: host/testhost.test-relm.test@TEST-RELM.TEST
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
 
[root@master sssd]# ipa-getcert resubmit -i 20160920115306
Resubmitting "20160920115306" to "IPA".
[root@master sssd]# ipa-getcert list -i 20160920115306
Number of certificates and requests being tracked: 9.
Request ID '20160920115306':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/tmp/testhost/testhost.key'
certificate: type=FILE,location='/tmp/testhost/testhost.cert'
CA: IPA
issuer: CN=Certificate Authority,O=TEST-RELM.TEST
subject: CN=testhost.test-relm.test,O=TEST-RELM.TEST
expires: 2018-09-21 11:56:25 UTC
principal name: host/testhost.test-relm.test@TEST-RELM.TEST
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Comment 11 errata-xmlrpc 2016-11-04 01:38:33 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
Comment 12 Thorsten Scherf 2016-12-21 11:21:25 EST
I need to re-open this because I can reproduce the issue with latest ipa-server on RHEL-6.8:

# rpm -q ipa-server
ipa-server-3.0.0-50.el6_8.3.x86_64

# ipa host-add rhtestwww.testrelm.test --ip-address 1.2.3.4
# ipa service-add HTTP/rhtestwww.testrelm.test@TESTRELM.TEST

# ipa host-add-managedby rhtestwww.testrelm.test --hosts `hostname`
# ipa service-add-host "HTTP/rhtestwww.testrelm.test@TESTRELM.TEST" --hosts `hostname` 

# mkdir /tmp/certs
# chcon -t cert_t /tmp/certs

# cd /tmp/certs
# ipa-getcert request -k $PWD/rhtestwww.testrelm.test.key -f $PWD/rhtestwww.testrelm.test.crt -K "HTTP/rhtestwww.testrelm.test@TESTRELM.TEST" -N "CN=rhtestwww.testrelm.test" -D "rhtestwww.testrelm.test"

# getcert list -i 20161221153757
Number of certificates and requests being tracked: 2.
Request ID '20161221153757':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.key'
	certificate: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=rhtestwww.testrelm.test,O=TESTRELM.TEST
	expires: 2018-12-22 15:37:58 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

# ipa-getcert resubmit -i 20161221153757
Resubmitting "20161221153757" to "IPA".

# getcert list -i 20161221153757
Number of certificates and requests being tracked: 2.
Request ID '20161221153757':
	status: MONITORING
	ca-error: Server at https://dell-m620-05.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this command).
	stuck: no
	key pair storage: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.key'
	certificate: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=rhtestwww.testrelm.test,O=TESTRELM.TEST
	expires: 2018-12-22 15:37:58 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

When I enable ACI logging, I see a number of deny entries:

# grep 11:09 /var/log/dirsrv/slapd-TESTRELM-TEST/errors|grep -i deny
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=24 op=6 (main): Deny read on entry(fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test).attr(krbPrincipalKey) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(54): aciname= "Password change service can read/write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny add on entry(krbprincipalname=http/rhtestwww.testrelm.test@testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(NULL) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(53): aciname= "Admins can write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny delete on entry(krbprincipalname=http/rhtestwww.testrelm.test@testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(NULL) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(53): aciname= "Admins can write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny write on entry(krbprincipalname=http/rhtestwww.testrelm.test@testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(krbprincipalname) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the resource
[...]
Comment 13 Thorsten Scherf 2016-12-21 13:22:35 EST
Just figured this BZ is for RHEL7. I will open a new BZ against RHEL6 and attach relevant data there.
