Bug 1284413 - ipa-cacert-manage renew fails on nonexistent ldap connection
Summary: ipa-cacert-manage renew fails on nonexistent ldap connection
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
Depends On:
Blocks: 1284811
Reported: 2015-11-23 09:58 UTC by Jan Cholasta
Modified: 2016-11-04 05:41 UTC (History)

Fixed In Version: ipa-4.2.0-16.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1284811
Last Closed: 2016-11-04 05:41:13 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Jan Cholasta 2015-11-23 09:58:30 UTC
This bug is created as a clone of upstream ticket:

sudo ipa-cacert-manage renew --external-cert-file /var/lib/ipa/ca.crt --external-cert-file /home/dkupka/nssdb/ca1.pem
Importing the renewed CA certificate, please wait
no context.ldap2_140444701738960 in thread 'MainThread'
The ipa-cacert-manage command failed.
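
The "no context.ldap2_... in thread 'MainThread'" message above comes from using an LDAP backend whose connection has not been opened in the current thread. The following is an added Python model of that mechanism, not IPA's own code; `Connectible`, `FakeLdapConnection` and the two `import_renewed_cert*` functions are constructed stand-ins for the real backend and the renewal step.

```python
import threading

# Simplified model (added example, not IPA's own code) of ipalib keeping a
# backend's connection in a thread-local request context: using the backend
# before connect() ran in the current thread raises the error seen in this bug.
context = threading.local()

class FakeLdapConnection:
    """Constructed stand-in for an LDAP connection; records stored certs."""
    def __init__(self):
        self.certs = []
    def add_cert(self, cert):
        self.certs.append(cert)
        return len(self.certs)

class Connectible:
    """Backend whose connection lives only in the thread-local context."""
    def __init__(self, name):
        self.id = f"{name}_{id(self)}"  # e.g. ldap2_140444701738960

    def connect(self, conn):
        setattr(context, self.id, conn)  # real IPA would open LDAP here

    def disconnect(self):
        if self.isconnected():
            delattr(context, self.id)

    def isconnected(self):
        return hasattr(context, self.id)

    @property
    def conn(self):
        if not self.isconnected():
            raise AttributeError("no context.%s in thread %r"
                                 % (self.id, threading.current_thread().name))
        return getattr(context, self.id)

def import_renewed_cert_unguarded(ldap, cert):
    """Failing path: uses the backend without ever connecting it."""
    return ldap.conn.add_cert(cert)

def import_renewed_cert(ldap, cert):
    """Fixed path: connect in this thread first, disconnect when done."""
    if not ldap.isconnected():
        ldap.connect(FakeLdapConnection())
    try:
        return ldap.conn.add_cert(cert)
    finally:
        ldap.disconnect()
```

Because `context` is thread-local, a connection opened in one thread does not help another thread; each thread that touches the backend must connect first.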

Comment 1 Jan Cholasta 2015-11-23 10:00:00 UTC
This is a regression in RHEL 7.2.

Comment 2 Martin Kosek 2015-11-23 10:02:48 UTC
High severity - functionality is not working any more.

Comment 8 Xiyang Dong 2016-08-22 01:45:01 UTC
Verified on ipa-server-4.4.0-7.el7:

1. Install ipa with external CA
# ipa-server-install --setup-dns --forwarder= -r TESTRELM -a Secret123 -p Secret123 --external-cert-file=/root/ipa.crt --external-cert-file=/root/ipacacert.asc
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

2. Run ipa-cacert-manage renew --external-ca
# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

3. Sign the CSR file with the external CA to get the renewed CA certificate
# cd /root/RootCA
# SERNUM=$(( SERNUM + 1 ))
# echo -e "y\n10\ny\n" | \
> certutil -C -d . \
>     -c RootCA \
>     -m $SERNUM \
>     -v 60 \
>     -2 \
>     --keyUsage digitalSignature,nonRepudiation,certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -i /var/lib/ipa/ca.csr \
>     -o /root/ipa.crt \
>     -f mypass1 \
>     -a
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?

4. Run ipa-cacert-manage renew, specifying the renewed CA certificate and the external CA certificate chain files in the --external-cert-file option
# ipa-cacert-manage renew --external-cert-file=/root/ipa.crt --external-cert-file=/root/ipacacert.asc
Importing the renewed CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

Comment 10 errata-xmlrpc 2016-11-04 05:41:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
