Red Hat Bugzilla – Bug 1283429
Default CA ACL rule is not created during ipa-replica-install
Last modified: 2016-11-04 01:40:31 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/5459 When FreeIPA 4.2+ replica is being created out of older server (FreeIPA on RHEL-6 in the reported case), the default CA ACL rule is not being created as there is a worry that administrator deliberately deleted it and it would be added again during replica installation. This however means, that services and hosts cannot request certificates after such upgrade via migration. I expect majority of admins will be happy with the default rule as is, especially after migration from RHEL-6 to FreeIPA 4.2+. If admins really do not want it and click "delete", they should get error message like "This rule is managed by FreeIPA and cannot be deleted. Please disable it to make it ineffective". That should give better migration experience while at the same time allowing admins disable the rule in rare cases.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5269
Ticket 5269 fixed upstream master: https://fedorahosted.org/freeipa/changeset/2be8d2d068557631813607d84bb03c91fbeaaf80 https://fedorahosted.org/freeipa/changeset/5136cd6e4bd305d6f4b6bf22d22fb4abc365cfad ipa-4-2: https://fedorahosted.org/freeipa/changeset/1874ccf13fdcafca0a35f58b058756018851b13e https://fedorahosted.org/freeipa/changeset/a8a666416201a7a7d6739f60854c5e5223b9ceb5
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6fe0a898077a74924b6ccaf6dfbaf2d166175722 https://fedorahosted.org/freeipa/changeset/620036d26e98fdcefff00168e9e5463a8257d49c ipa-4-2: https://fedorahosted.org/freeipa/changeset/3cb79337d971653b90bbc99e433e4b3d3ac37579 https://fedorahosted.org/freeipa/changeset/a2371f38e4fb027aeacaf0ab6f2b35ae49fa41ea
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/341406d16540b1edc0d2792fe2cd9db75590f88e ipa-4-2: https://fedorahosted.org/freeipa/changeset/0f39612730448993190b07708ad4c4956b214a81
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ed830af693c596b286b30959eb3166b59cc030c6 ipa-4-2: https://fedorahosted.org/freeipa/changeset/c5faaede276f3052517ddf86e64cb228e95dca2a
Verified. CA ACL now added on migrated replica and getcert / cert-request are successful. Verified using IPA version :: ipa-server-4.4.0-5.el7.x86_64 Steps :: [root@ipamasterbz1283429 /]# date Tue Aug 9 12:25:38 IST 2016 [root@ipamasterbz1283429 /]# rpm -q ipa-server pki-ca ipa-server-4.4.0-5.el7.x86_64 pki-ca-10.3.3-3.el7.noarch [root@ipamasterbz1283429 /]# mkdir /tmp/test1 [root@ipamasterbz1283429 /]# ipa-getcert request -k /tmp/test1/test1.key -f /tmp/test1/test1.crt -I testing1 New signing request "testing1" added. [root@ipamasterbz1283429 /]# ipa-getcert list -i testing1 Number of certificates and requests being tracked: 9. Request ID 'testing1': status: MONITORING stuck: no key pair storage: type=FILE,location='/tmp/test1/test1.key' certificate: type=FILE,location='/tmp/test1/test1.crt' CA: IPA issuer: CN=Certificate Authority,O=TESTRELM.TEST subject: CN=ipamasterbz1283429.testrelm.test,O=TESTRELM.TEST expires: 2018-08-10 06:56:10 UTC dns: ipamasterbz1283429.testrelm.test principal name: host/ipamasterbz1283429.testrelm.test@TESTRELM.TEST key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes [root@ipamasterbz1283429 /]# echo Secret123 | kinit admin Password for admin@TESTRELM.TEST: [root@ipamasterbz1283429 /]# ipa caacl-find ---------------- 1 CA ACL matched ---------------- ACL name: hosts_services_caIPAserviceCert Enabled: TRUE Host category: all Service category: all ---------------------------- Number of entries returned 1 ---------------------------- [root@ipamasterbz1283429 /]# mkdir /tmp/cert-request-test/ [root@ipamasterbz1283429 /]# openssl req -out /tmp/cert-request-test/request1.csr -new -newkey rsa:1024 -nodes -keyout /tmp/cert-request-test/request1.prv Generating a 1024 bit RSA private key ...++++++ ..............++++++ writing new private key to '/tmp/cert-request-test/request1.prv' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:IN State or Province Name (full name) []:MH Locality Name (eg, city) [Default City]:PUNE Organization Name (eg, company) [Default Company Ltd]:REDHAT Organizational Unit Name (eg, section) []:QE Common Name (eg, your name or your server's hostname) []:ipamasterbz1283429.testrelm.test Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@ipamasterbz1283429 /]# ipa cert-request --principal=HTTP/`hostname` /tmp/cert-request-test/request1.csr Certificate: MIIDojCCAoqgAwIBAgIBDDANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwODA5MDY1NzUyWhcNMTgwODEwMDY1NzUyWjBDMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMSkwJwYDVQQDDCBpcGFtYXN0ZXJiejEyODM0MjkudGVzdHJlbG0udGVzdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA33FLFQEWkzd5VF5eF8sZdOGpM+6sRNBQ8cHDOQsihs9GM7DxDnmYZA2JbU3jQVFpeQGvdATIOc4GKJ9darXMyQ60+UUGTRHPVNRHUsNIdUtj11kjy57xDsY+QplsKPjbfYh3VX2v4cUFxPg6mZT9H9Gt99kSmOpAeKorvpEq1tcCAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFNfbGZJDtZ9iMt47CtUPSkTiyGWMMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYSscmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBTrNw6nCnqrPk1HpE7OmVSsi/lVZDANBgkqhkiG9w0BAQsFAAOCAQEAlmFls7ZUuX5kSmj/gWH6yIIZEy7iyZmD5bIpwCouHixAUN6V7CuiB+8RynsjnGxJAsQexwcd8QF8iyoXWrF4OPfR11Pv7eevHlq6vsa0LxyJpEJdWpqBH0+Ltq3gFladsF2ZBwGy+ayfVxLqE9E8MBoyxVZkALxqYOYD9nwBe5UoVcYk841fn11BBkKUUWtT3YlAj4hLVgn+2xObDuo5uVZ4FkQDL5vNy9IgsLwFdLguy6nhWeoptyBfcwgD9QoVpV4FKF3H6aGtX0a79SZzxX6XTp5+fexBb+NlFnbgnSQQ1Xw1QRAc58eLQavN2gFaS3FKR8DmJ1JMPKVoAhwOJg== Subject: CN=ipamasterbz1283429.testrelm.test,O=TESTRELM.TEST Issuer: CN=Certificate Authority,O=TESTRELM.TEST Not Before: Tue Aug 09 06:57:52 2016 UTC Not After: Fri Aug 10 06:57:52 2018 UTC Fingerprint (MD5): 28:d2:19:c5:75:51:ec:2c:3d:d5:e8:f6:65:ca:d6:10 Fingerprint (SHA1): ec:19:a2:ac:a1:db:0b:6e:86:52:f8:93:09:96:01:3e:7f:1f:45:79 Serial number: 12 Serial number (hex): 0xC Marking BZ as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html