Bug 1283324 - manual renew self-signed CA cert to external CA cert fails
Status: CLOSED DUPLICATE of bug 1284811
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-11-18 12:32 EST by Xiyang Dong
Modified: 2015-11-24 11:57 EST
Doc Type: Bug Fix
Last Closed: 2015-11-24 11:57:17 EST
Type: Bug

Description Xiyang Dong 2015-11-18 12:32:01 EST
Description of problem:
manual renew self-signed CA cert to external CA cert fails with no context.ldap2 in thread 'MainThread'

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15
pki-ca-10.2.5-6

How reproducible:
Always

Steps to Reproduce:
1. install ipa with self-signed ca cert
2. manual renew ca with option to change to external ca

Actual results:
renew fails

Expected results:
renew succeeds

Additional info:
[root@qe-blade-01 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful
[root@qe-blade-01 ~]# mkdir /root/RootCA1
[root@qe-blade-01 ~]# cd /root/RootCA1
[root@qe-blade-01 RootCA1]# rm  -f *
[root@qe-blade-01 RootCA1]# echo Secret123 > mypass1
[root@qe-blade-01 RootCA1]# certutil -N -d . -f mypass1
[root@qe-blade-01 RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -S -d . \
>     -n RootCA1 \
>     -s "CN=MyRootCA1, O=fakerealm1" \
>     -x \
>     -t "CTu,CTu,CTu" \
>     -g 2048 \
>     -m $RANDOM\
>     -v 60 \
>     -z /etc/group \
>     -2 \
>     --keyUsage certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -f mypass1


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
Notice: Trust flag u is set automatically if the private key is present.
[root@qe-blade-01 RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -C -d . \
>     -c RootCA1 \
>     -m $RANDOM \
>     -v 60 \
>     -2 \
>     --keyUsage digitalSignature,nonRepudiation,certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -i /var/lib/ipa/ca.csr \
>     -o /root/ca.crt \
>     -f mypass1 \
>     -a 
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
[root@qe-blade-01 RootCA1]# certutil -L -d . -n "RootCA1" -a >> /root/RootCA1_chain.asc
[root@qe-blade-01 RootCA1]# cd  /root
[root@qe-blade-01 ~]# getcert list -n 'caSigningCert cert-pki-ca'| grep expires
	expires: 2035-11-18 15:15:35 UTC
[root@qe-blade-01 ~]# ipa-cacert-manage renew \
>     --external-cert-file=/root/ca.crt \
>     --external-cert-file=/root/RootCA1_chain.asc
Directory Manager password: 

Importing the renewed CA certificate, please wait
no context.ldap2_62808656 in thread 'MainThread'
[root@qe-blade-01 ~]# getcert list -n 'caSigningCert cert-pki-ca'| grep expires
	expires: 2035-11-18 15:15:35 UTC
Comment 2 Xiyang Dong 2015-11-24 11:57:17 EST

*** This bug has been marked as a duplicate of bug 1284811 ***
