Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1284413

Summary: ipa-cacert-manage renew fails on nonexistent ldap connection
Product: Red Hat Enterprise Linux 7 Reporter: Jan Cholasta <jcholast>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.2CC: ekeck, jkurik, ksiddiqu, mkosek, rcritten, xdong
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.2.0-16.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1284811 (view as bug list) Environment:
Last Closed: 2016-11-04 05:41:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1284811    

Description Jan Cholasta 2015-11-23 09:58:30 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5468

{{{
sudo ipa-cacert-manage renew --external-cert-file /var/lib/ipa/ca.crt --external-cert-file /home/dkupka/nssdb/ca1.pem
Importing the renewed CA certificate, please wait
no context.ldap2_140444701738960 in thread 'MainThread'
The ipa-cacert-manage command failed.
}}}
Comment 1 Jan Cholasta 2015-11-23 10:00:00 UTC 
This is a regression in RHEL 7.2.
Comment 2 Martin Kosek 2015-11-23 10:02:48 UTC 
High severity - functionality is not working any more.
Comment 4 Jan Cholasta 2015-11-23 14:53:34 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5f2cfb5aa2c5ee4e7421090ec154f744ef2225c0
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/f043201ffdd3225fcd263dcc9a3a61768291a3f2
Comment 8 Xiyang Dong 2016-08-22 01:45:01 UTC 
Verified on ipa-server-4.4.0-7.el7:

1.Install ipa with external CA
# ipa-server-install --setup-dns --forwarder=10.11.5.19 -r TESTRELM -a Secret123 -p Secret123 --external-cert-file=/root/ipa.crt --external-cert-file=/root/ipacacert.asc
.
.
.
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

2.Run ipa-cacert-manage renew --external-ca
# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

3.Sign the CSR file with the external CA to get the renewed CA certificate
#cd /root/RootCA
# SERNUM=$(( SERNUM + 1 ))
# echo -e "y\n10\ny\n" | \
> certutil -C -d . \
>     -c RootCA \
>     -m $SERNUM \
>     -v 60 \
>     -2 \
>     --keyUsage digitalSignature,nonRepudiation,certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -i  /var/lib/ipa/ca.csr
>     -o /root/ipa.crt \
>     -f mypass1 \
>     -a 
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?


4.Run ipa-cacert-manage renew, specify the renewed CA certificate and external CA certificate chain files in the --external-cert-file option
# ipa-cacert-manage renew --external-cert-file=/root/ipa.crt --external-cert-file=/root/ipacacert.asc
Importing the renewed CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
Comment 10 errata-xmlrpc 2016-11-04 05:41:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html