1283429 – Default CA ACL rule is not created during ipa-replica-install

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1283429 - Default CA ACL rule is not created during ipa-replica-install

Summary: Default CA ACL rule is not created during ipa-replica-install

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Fraser Tweedale
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1284803
TreeView+	depends on / blocked

Reported:	2015-11-18 23:16 UTC by Petr Vobornik
Modified:	2019-10-10 10:31 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ipa-4.2.0-16.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1284803 (view as bug list)
Environment:
Last Closed:	2016-11-04 05:40:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2404	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2016-11-03 13:56:18 UTC

Description Petr Vobornik 2015-11-18 23:16:19 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5459

When FreeIPA 4.2+ replica is being created out of older server (FreeIPA on RHEL-6 in the reported case), the default CA ACL rule is not being created as there is a worry that administrator deliberately deleted it and it would be added again during replica installation.

This however means, that services and hosts cannot request certificates after such upgrade via migration.

I expect majority of admins will be happy with the default rule as is, especially after migration from RHEL-6 to FreeIPA 4.2+. If admins really do not want it and click "delete", they should get error message like "This rule is managed by FreeIPA and cannot be deleted. Please disable it to make it ineffective".

That should give better migration experience while at the same time allowing admins disable the rule in rare cases.

Comment 4 Jan Cholasta 2015-11-23 09:56:47 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5269

Comment 5 Jan Cholasta 2015-11-23 15:44:43 UTC

Ticket 5269 fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/2be8d2d068557631813607d84bb03c91fbeaaf80
https://fedorahosted.org/freeipa/changeset/5136cd6e4bd305d6f4b6bf22d22fb4abc365cfad
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/1874ccf13fdcafca0a35f58b058756018851b13e
https://fedorahosted.org/freeipa/changeset/a8a666416201a7a7d6739f60854c5e5223b9ceb5

Comment 6 Jan Cholasta 2015-11-24 09:12:58 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6fe0a898077a74924b6ccaf6dfbaf2d166175722
https://fedorahosted.org/freeipa/changeset/620036d26e98fdcefff00168e9e5463a8257d49c
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/3cb79337d971653b90bbc99e433e4b3d3ac37579
https://fedorahosted.org/freeipa/changeset/a2371f38e4fb027aeacaf0ab6f2b35ae49fa41ea

Comment 8 Tomas Babej 2015-11-24 14:48:31 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/341406d16540b1edc0d2792fe2cd9db75590f88e
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/0f39612730448993190b07708ad4c4956b214a81

Comment 9 Jan Cholasta 2015-11-24 16:38:13 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ed830af693c596b286b30959eb3166b59cc030c6
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/c5faaede276f3052517ddf86e64cb228e95dca2a

Comment 13 Abhijeet Kasurde 2016-08-09 12:31:02 UTC

Verified. 
CA ACL now added on migrated replica and getcert / cert-request are successful.

Verified using IPA version ::

ipa-server-4.4.0-5.el7.x86_64

Steps ::


[root@ipamasterbz1283429 /]# date
Tue Aug  9 12:25:38 IST 2016
[root@ipamasterbz1283429 /]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-5.el7.x86_64
pki-ca-10.3.3-3.el7.noarch
[root@ipamasterbz1283429 /]# mkdir /tmp/test1
[root@ipamasterbz1283429 /]# ipa-getcert request -k /tmp/test1/test1.key -f /tmp/test1/test1.crt -I testing1
New signing request "testing1" added.
[root@ipamasterbz1283429 /]# ipa-getcert list -i testing1 
Number of certificates and requests being tracked: 9.
Request ID 'testing1':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/tmp/test1/test1.key'
	certificate: type=FILE,location='/tmp/test1/test1.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=ipamasterbz1283429.testrelm.test,O=TESTRELM.TEST
	expires: 2018-08-10 06:56:10 UTC
	dns: ipamasterbz1283429.testrelm.test
	principal name: host/ipamasterbz1283429.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
[root@ipamasterbz1283429 /]# echo Secret123 | kinit admin 
Password for admin: 
[root@ipamasterbz1283429 /]# ipa caacl-find
----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
----------------------------
Number of entries returned 1
----------------------------
[root@ipamasterbz1283429 /]# mkdir /tmp/cert-request-test/
[root@ipamasterbz1283429 /]# openssl req -out /tmp/cert-request-test/request1.csr -new -newkey rsa:1024 -nodes -keyout /tmp/cert-request-test/request1.prv
Generating a 1024 bit RSA private key
...++++++
..............++++++
writing new private key to '/tmp/cert-request-test/request1.prv'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:ipamasterbz1283429.testrelm.test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ipamasterbz1283429 /]# ipa cert-request --principal=HTTP/`hostname` /tmp/cert-request-test/request1.csr 
  Certificate: MIIDojCCAoqgAwIBAgIBDDANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwODA5MDY1NzUyWhcNMTgwODEwMDY1NzUyWjBDMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMSkwJwYDVQQDDCBpcGFtYXN0ZXJiejEyODM0MjkudGVzdHJlbG0udGVzdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA33FLFQEWkzd5VF5eF8sZdOGpM+6sRNBQ8cHDOQsihs9GM7DxDnmYZA2JbU3jQVFpeQGvdATIOc4GKJ9darXMyQ60+UUGTRHPVNRHUsNIdUtj11kjy57xDsY+QplsKPjbfYh3VX2v4cUFxPg6mZT9H9Gt99kSmOpAeKorvpEq1tcCAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFNfbGZJDtZ9iMt47CtUPSkTiyGWMMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYSscmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBTrNw6nCnqrPk1HpE7OmVSsi/lVZDANBgkqhkiG9w0BAQsFAAOCAQEAlmFls7ZUuX5kSmj/gWH6yIIZEy7iyZmD5bIpwCouHixAUN6V7CuiB+8RynsjnGxJAsQexwcd8QF8iyoXWrF4OPfR11Pv7eevHlq6vsa0LxyJpEJdWpqBH0+Ltq3gFladsF2ZBwGy+ayfVxLqE9E8MBoyxVZkALxqYOYD9nwBe5UoVcYk841fn11BBkKUUWtT3YlAj4hLVgn+2xObDuo5uVZ4FkQDL5vNy9IgsLwFdLguy6nhWeoptyBfcwgD9QoVpV4FKF3H6aGtX0a79SZzxX6XTp5+fexBb+NlFnbgnSQQ1Xw1QRAc58eLQavN2gFaS3FKR8DmJ1JMPKVoAhwOJg==
  Subject: CN=ipamasterbz1283429.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Aug 09 06:57:52 2016 UTC
  Not After: Fri Aug 10 06:57:52 2018 UTC
  Fingerprint (MD5): 28:d2:19:c5:75:51:ec:2c:3d:d5:e8:f6:65:ca:d6:10
  Fingerprint (SHA1): ec:19:a2:ac:a1:db:0b:6e:86:52:f8:93:09:96:01:3e:7f:1f:45:79
  Serial number: 12
  Serial number (hex): 0xC


Marking BZ as verified.

Comment 15 errata-xmlrpc 2016-11-04 05:40:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.