Bug 1283429 - Default CA ACL rule is not created during ipa-replica-install
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
All Linux
Severity: urgent
: rc
: ---
Assigned To: Fraser Tweedale
Namita Soman
: ZStream
Depends On:
Blocks: 1284803
Reported: 2015-11-18 18:16 EST by Petr Vobornik
Modified: 2016-11-04 01:40 EDT (History)

See Also:
Fixed In Version: ipa-4.2.0-16.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1284803
Last Closed: 2016-11-04 01:40:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Petr Vobornik 2015-11-18 18:16:19 EST
This bug is created as a clone of upstream ticket:

When a FreeIPA 4.2+ replica is being created from an older server (FreeIPA on RHEL-6 in the reported case), the default CA ACL rule is not created, because of a worry that the administrator deliberately deleted it and it would be added again during replica installation.

This, however, means that services and hosts cannot request certificates after such an upgrade via migration.

I expect the majority of admins will be happy with the default rule as is, especially after migration from RHEL-6 to FreeIPA 4.2+. If admins really do not want it and click "delete", they should get an error message like "This rule is managed by FreeIPA and cannot be deleted. Please disable it to make it ineffective".

That should give a better migration experience while at the same time allowing admins to disable the rule in rare cases.
Comment 4 Jan Cholasta 2015-11-23 04:56:47 EST
Upstream ticket:
Comment 13 Abhijeet Kasurde 2016-08-09 08:31:02 EDT
CA ACL is now added on the migrated replica and getcert / cert-request are successful.

Verified using IPA version ::


Steps ::

[root@ipamasterbz1283429 /]# date
Tue Aug  9 12:25:38 IST 2016
[root@ipamasterbz1283429 /]# rpm -q ipa-server pki-ca
[root@ipamasterbz1283429 /]# mkdir /tmp/test1
[root@ipamasterbz1283429 /]# ipa-getcert request -k /tmp/test1/test1.key -f /tmp/test1/test1.crt -I testing1
New signing request "testing1" added.
[root@ipamasterbz1283429 /]# ipa-getcert list -i testing1 
Number of certificates and requests being tracked: 9.
Request ID 'testing1':
	stuck: no
	key pair storage: type=FILE,location='/tmp/test1/test1.key'
	certificate: type=FILE,location='/tmp/test1/test1.crt'
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=ipamasterbz1283429.testrelm.test,O=TESTRELM.TEST
	expires: 2018-08-10 06:56:10 UTC
	dns: ipamasterbz1283429.testrelm.test
	principal name: host/ipamasterbz1283429.testrelm.test@TESTRELM.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
[root@ipamasterbz1283429 /]# echo Secret123 | kinit admin 
Password for admin@TESTRELM.TEST: 
[root@ipamasterbz1283429 /]# ipa caacl-find
1 CA ACL matched
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
Number of entries returned 1
[root@ipamasterbz1283429 /]# mkdir /tmp/cert-request-test/
[root@ipamasterbz1283429 /]# openssl req -out /tmp/cert-request-test/request1.csr -new -newkey rsa:1024 -nodes -keyout /tmp/cert-request-test/request1.prv
Generating a 1024 bit RSA private key
writing new private key to '/tmp/cert-request-test/request1.prv'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:ipamasterbz1283429.testrelm.test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ipamasterbz1283429 /]# ipa cert-request --principal=HTTP/`hostname` /tmp/cert-request-test/request1.csr 
  Subject: CN=ipamasterbz1283429.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Aug 09 06:57:52 2016 UTC
  Not After: Fri Aug 10 06:57:52 2018 UTC
  Fingerprint (MD5): 28:d2:19:c5:75:51:ec:2c:3d:d5:e8:f6:65:ca:d6:10
  Fingerprint (SHA1): ec:19:a2:ac:a1:db:0b:6e:86:52:f8:93:09:96:01:3e:7f:1f:45:79
  Serial number: 12
  Serial number (hex): 0xC

Marking BZ as verified.
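The situation in the description and the checks in Comment 13, as an added example that is not part of the bug report or of FreeIPA itself: a POSIX shell script that reads the output of `ipa caacl-find`, reports whether the default CA ACL named in this report (hosts_services_caIPAserviceCert) is present, disabled or missing on a migrated replica, and prints the ipa commands that restore certificate issuance. The three sample listings are constructed to mirror the caacl-find output shown above; the assumption that the default rule grants the caIPAserviceCert profile to all hosts and all services follows from the rule's name and the categories in that listing. In line with the description, an admin who wants the rule inactive is pointed at caacl-disable/caacl-enable rather than deletion.

```shell
#!/bin/sh
# Added example, not part of the bug report or of FreeIPA itself.
# Audit a migrated replica for the default CA ACL that the fixed
# ipa-replica-install re-creates, and print what to run if it is not usable.

DEFAULT_ACL="hosts_services_caIPAserviceCert"

# Constructed sample outputs of `ipa caacl-find`, modelled on the listing in
# Comment 13. On a real server (after kinit admin) feed the live output in:
#   ipa caacl-find | check_default_caacl
SAMPLE_OK='1 CA ACL matched
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
Number of entries returned 1'

# Pre-fix replica built from a RHEL 6 master: no ACL exists at all.
SAMPLE_MISSING='0 CA ACLs matched
Number of entries returned 0'

# Admin followed the advice in the description and disabled the rule
# instead of deleting it.
SAMPLE_DISABLED='1 CA ACL matched
  ACL name: hosts_services_caIPAserviceCert
  Enabled: FALSE
  Host category: all
  Service category: all
Number of entries returned 1'

# check_default_caacl: read caacl-find output on stdin and print one word:
#   present  - the default ACL exists and is enabled
#   disabled - it exists but Enabled is FALSE
#   missing  - no ACL of that name was listed
check_default_caacl() {
    awk -v name="$DEFAULT_ACL" '
        /^ *ACL name: / { current = $3 }
        /^ *Enabled: /  { if (current == name) enabled = $2 }
        END {
            if (enabled == "TRUE")       print "present"
            else if (enabled == "FALSE") print "disabled"
            else                         print "missing"
        }'
}

# remediation_for STATUS: print the ipa commands that restore certificate
# issuance for hosts and services. Assumption: the default rule grants the
# caIPAserviceCert profile to all hosts and all services, as its name and
# the categories in the listing indicate.
remediation_for() {
    case "$1" in
        present)
            echo "# default CA ACL present and enabled; nothing to do"
            ;;
        disabled)
            # Re-enable rather than re-create: the rule is still there.
            echo "ipa caacl-enable $DEFAULT_ACL"
            ;;
        missing)
            echo "ipa caacl-add $DEFAULT_ACL --hostcat=all --servicecat=all"
            echo "ipa caacl-add-profile $DEFAULT_ACL --certprofiles=caIPAserviceCert"
            ;;
        *)
            echo "unknown status: $1" >&2
            return 1
            ;;
    esac
}

# Run the three constructed scenarios (offline; no ipa client needed).
for sample in "$SAMPLE_OK" "$SAMPLE_DISABLED" "$SAMPLE_MISSING"; do
    status=$(printf '%s\n' "$sample" | check_default_caacl)
    echo "status: $status"
    remediation_for "$status"
done
```

After applying the printed commands, the `ipa-getcert request` and `ipa cert-request` steps from Comment 13 are the confirmation that hosts and services can obtain certificates again; a rule that an admin wants out of the way should be turned off with `ipa caacl-disable hosts_services_caIPAserviceCert`, which this check reports as "disabled" instead of "missing".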
Comment 15 errata-xmlrpc 2016-11-04 01:40:31 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

