Description of problem:
When trying to resubmit (or letting certmonger resubmit before expiration) the certificate of a host/service which is managed by the local host, it fails with an ACI error.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0

How reproducible:
Always

Steps to Reproduce:
1. ipa-server-install -r test.com -n novalocal -p passwd123 -a passwd123 --ip-address=172.30.41.25 --ssh-trust-dns --hostname testsrv.novalocal --setup-dns --no-host-dns --no-forwarders
2. kinit admin
3. ipa host-add testhost --force
4. ipa host-add-managedby testhost.novalocal --host=testsrv.novalocal
5. ipa-getcert request -k /etc/ssl/certs/testhost.novalocal.key -f /etc/ssl/certs/testhost.novalocal.cert -N testhost.novalocal -K host/testhost.novalocal
6. ipa-getcert list
   ...
   Request ID '20151005150737':
   ...
   status MONITORING
   ...
7. ipa-getcert resubmit -i 20151005150737
8. ipa-getcert list -i 20151005150737

Actual results:
Request ID '20151005150737':
        status: MONITORING
        ca-error: Server at https://testsrv.novalocal/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command)

Expected results:
no ca-error

Additional info:
When I remove the userCertificate attribute from the mentioned host (it also works when kinited to the identity of host/testsrv.novalocal), the next ipa-getcert resubmit works well.
Created attachment 1081017
Patch: Remove hostname == CN check in cert_show

Removing a check which does not work well in the case where a host is resubmitting the certificate of a different host/service that it can manage.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5363
Please note that if this issue is fixed upstream it will most likely be a part of IdM in RHEL 7.3. Please open a support case if you want it backported to RHEL 7.1 or 7.2.
According to https://fedorahosted.org/freeipa/ticket/5363#comment:4 it was fixed in 4.2 scope.
Verified on RHEL73 using
ipa-server-4.4.0-12.el7.x86_64
389-ds-base-1.3.5.10-11.el7.x86_64
certmonger-0.78.4-3.el7.x86_64

[root@master sssd]# mkdir -p /tmp/testhost
[root@master sssd]# chcon -t cert_t /tmp/testhost/
[root@master sssd]# ipa-getcert request -k /tmp/testhost/testhost.key -f /tmp/testhost/testhost.cert -N testhost.test-relm.test -K host/testhost.test-relm.test
New signing request "20160920115306" added.
[root@master sssd]# ipa-getcert list -i 20160920115306
Number of certificates and requests being tracked: 9.
Request ID '20160920115306':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/tmp/testhost/testhost.key'
        certificate: type=FILE,location='/tmp/testhost/testhost.cert'
        CA: IPA
        issuer: CN=Certificate Authority,O=TEST-RELM.TEST
        subject: CN=testhost.test-relm.test,O=TEST-RELM.TEST
        expires: 2018-09-21 11:53:08 UTC
        principal name: host/testhost.test-relm.test
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
[root@master sssd]# ipa-getcert resubmit -i 20160920115306
Resubmitting "20160920115306" to "IPA".
[root@master sssd]# ipa-getcert list -i 20160920115306
Number of certificates and requests being tracked: 9.
Request ID '20160920115306':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/tmp/testhost/testhost.key'
        certificate: type=FILE,location='/tmp/testhost/testhost.cert'
        CA: IPA
        issuer: CN=Certificate Authority,O=TEST-RELM.TEST
        subject: CN=testhost.test-relm.test,O=TEST-RELM.TEST
        expires: 2018-09-21 11:56:25 UTC
        principal name: host/testhost.test-relm.test
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html
I need to re-open this because I can reproduce the issue with the latest ipa-server on RHEL-6.8:

# rpm -q ipa-server
ipa-server-3.0.0-50.el6_8.3.x86_64
# ipa host-add rhtestwww.testrelm.test --ip-address 1.2.3.4
# ipa service-add HTTP/rhtestwww.testrelm.test
# ipa host-add-managedby rhtestwww.testrelm.test --hosts `hostname`
# ipa service-add-host "HTTP/rhtestwww.testrelm.test" --hosts `hostname`
# mkdir /tmp/certs
# chcon -t cert_t /tmp/certs
# cd /tmp/certs
# ipa-getcert request -k $PWD/rhtestwww.testrelm.test.key -f $PWD/rhtestwww.testrelm.test.crt -K "HTTP/rhtestwww.testrelm.test" -N "CN=rhtestwww.testrelm.test" -D "rhtestwww.testrelm.test"
# getcert list -i 20161221153757
Number of certificates and requests being tracked: 2.
Request ID '20161221153757':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.key'
        certificate: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=TESTRELM.TEST
        subject: CN=rhtestwww.testrelm.test,O=TESTRELM.TEST
        expires: 2018-12-22 15:37:58 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
# ipa-getcert resubmit -i 20161221153757
Resubmitting "20161221153757" to "IPA".
# getcert list -i 20161221153757
Number of certificates and requests being tracked: 2.
Request ID '20161221153757':
        status: MONITORING
        ca-error: Server at https://dell-m620-05.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command).
        stuck: no
        key pair storage: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.key'
        certificate: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=TESTRELM.TEST
        subject: CN=rhtestwww.testrelm.test,O=TESTRELM.TEST
        expires: 2018-12-22 15:37:58 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

When I enable ACI logging, I see a number of deny entries:

# grep 11:09 /var/log/dirsrv/slapd-TESTRELM-TEST/errors|grep -i deny
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=24 op=6 (main): Deny read on entry(fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test).attr(krbPrincipalKey) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(54): aciname= "Password change service can read/write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny add on entry(krbprincipalname=http/rhtestwww.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(NULL) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(53): aciname= "Admins can write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny delete on entry(krbprincipalname=http/rhtestwww.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(NULL) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(53): aciname= "Admins can write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny write on entry(krbprincipalname=http/rhtestwww.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(krbprincipalname) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the resource [...]
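The NSACLPlugin deny entries quoted in the comment above share one fixed layout, which makes them easy to audit mechanically. The following is an added example (not from the bug report, FreeIPA or 389-ds): it parses such lines, groups the refusals by the bound subject DN, and separates denies that name a candidate ACI from those where no ACI matched the resource at all. The sample lines are the ones from the comment, with the last one kept truncated as it appears there; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the four deny lines quoted in the comment above.
# The last one is truncated in the bug report and stays truncated here.
SAMPLE_LOG = """\
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=24 op=6 (main): Deny read on entry(fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test).attr(krbPrincipalKey) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(54): aciname= "Password change service can read/write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny add on entry(krbprincipalname=http/rhtestwww.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(NULL) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(53): aciname= "Admins can write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny delete on entry(krbprincipalname=http/rhtestwww.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(NULL) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(53): aciname= "Admins can write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny write on entry(krbprincipalname=http/rhtestwww.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(krbprincipalname) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the resource [...]
"""

# One regex for the whole line; the trailing "by aci(N): aciname=..., acidn=..."
# part is optional because "no aci matched the resource" lines do not carry it.
DENY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) "
    r"\(main\): Deny (?P<access>\w+) on entry\((?P<entry>.+?)\)"
    r"\.attr\((?P<attr>[^)]*)\) to (?P<subject>.+?): (?P<reason>.+?)"
    r'(?: by aci\((?P<acinum>\d+)\): aciname= "(?P<aciname>[^"]+)", '
    r'acidn="(?P<acidn>[^"]+)")?$'
)


def parse_deny(line):
    """Return the fields of one NSACLPlugin deny line, or None if it is not one."""
    m = DENY_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every deny line in an errors-log excerpt, skipping other lines."""
    return [d for d in (parse_deny(ln) for ln in text.splitlines()) if d]


def denies_by_subject(events):
    """Count (access, target entry) pairs per bound subject DN. For the report
    above this shows one host principal refused add/delete/write on a service
    entry that it is listed as managing."""
    out = {}
    for e in events:
        out.setdefault(e["subject"], Counter())[(e["access"], e["entry"])] += 1
    return out


def unresolved_denies(events):
    """Denies where the plugin matched no ACI on the resource at all; an ACI
    review should start with these rather than with the named near-misses."""
    return [e for e in events if e["aciname"] is None]
```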
Just figured this BZ is for RHEL7. I will open a new BZ against RHEL6 and attach relevant data there.