Bug 1284803 - Default CA ACL rule is not created during ipa-replica-install
Summary: Default CA ACL rule is not created during ipa-replica-install
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On: 1283429
Blocks:
Reported: 2015-11-24 09:37 UTC by Jan Kurik
Modified: 2019-10-10 10:33 UTC (History)
CC: 9 users

Fixed In Version: ipa-4.2.0-15.el7_2.2
Doc Type: Bug Fix
Doc Text:
Included certificate profiles and CA ACLs were not added during replica installation. As a consequence, certificate issuance failed on Red Hat Enterprise Linux 7.2 IdM replicas created from IdM masters older than 7.2, which had no such entries to replicate. With this update, certificate profiles and CA ACLs are added if missing when installing a replica, regardless of the version of the IdM master. Additionally, the default CA ACL, hosts_services_caIPAserviceCert, can no longer be deleted, only disabled.
Clone Of: 1283429
Environment:
Last Closed: 2015-12-08 10:37:44 UTC
Target Upstream Version:
Embargoed:


Links:
  Red Hat Product Errata RHBA-2015:2562 (priority normal, status SHIPPED_LIVE): ipa bug fix update, last updated 2015-12-08 15:35:22 UTC

Description Jan Kurik 2015-11-24 09:37:34 UTC
This bug has been copied from bug #1283429 and has been proposed
to be backported to 7.2 z-stream (EUS).

Comment 5 Kaleem 2015-11-25 08:41:11 UTC
Verified. 
CA ACL now added on migrated replica and getcert/cert-request are successful.

IPA Version:
============
[root@vm-idm-006 ~]# rpm -q ipa-server pki-ca
ipa-server-4.2.0-15.el7_2.2.x86_64
pki-ca-10.2.5-6.el7.noarch
[root@vm-idm-006 ~]# 

Console output:
==============
[root@vm-idm-006 ~]# mkdir /tmp/test1
[root@vm-idm-006 ~]# chcon -t cert_t /tmp/test1/
[root@vm-idm-006 ~]# ipa-getcert request -k /tmp/test1/test1.key -f /tmp/test1/test1.crt -I testing1 
New signing request "testing1" added.
[root@vm-idm-006 ~]# ipa-getcert list -i testing1 
Number of certificates and requests being tracked: 9.
Request ID 'testing1':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/tmp/test1/test1.key'
	certificate: type=FILE,location='/tmp/test1/test1.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=vm-idm-006.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-25 08:28:29 UTC
	dns: vm-idm-006.testrelm.test
	principal name: host/vm-idm-006.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
[root@vm-idm-006 ~]# ipa caacl-find
----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert
----------------------------
Number of entries returned 1
----------------------------
[root@vm-idm-006 ~]# 
[root@vm-idm-006 ~]# mkdir /tmp/cert-request-test/
[root@vm-idm-006 ~]# chcon -t cert_t /tmp/cert-request-test/
[root@vm-idm-006 ~]# openssl req -out /tmp/cert-request-test/request1.csr -new -newkey rsa:1024 -nodes -keyout /tmp/cert-request-test/request1.prv
Generating a 1024 bit RSA private key
...........................................................++++++
........++++++
writing new private key to '/tmp/cert-request-test/request1.prv'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PNQ
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:vm-idm-006.testrelm.test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@vm-idm-006 ~]# ipa cert-request --principal=HTTP/`hostname` /tmp/cert-request-test/request1.csr 
  Certificate: (base64 certificate data omitted)
  Subject: CN=vm-idm-006.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed Nov 25 08:36:47 2015 UTC
  Not After: Sat Nov 25 08:36:47 2017 UTC
  Fingerprint (MD5): 8e:bd:6a:82:b5:7b:ba:85:a9:74:b7:83:48:24:48:ee
  Fingerprint (SHA1): ed:7b:4c:09:74:c9:6a:eb:91:b2:4b:52:bf:4b:7d:4c:ec:13:7a:07
  Serial number: 268369922
  Serial number (hex): 0xFFF0002
[root@vm-idm-006 ~]# 
[root@vm-idm-006 ~]# rpm -q ipa-server pki-ca
ipa-server-4.2.0-15.el7_2.2.x86_64
pki-ca-10.2.5-6.el7.noarch
[root@vm-idm-006 ~]#
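
The verification above checks the default CA ACL by hand. The script below is added here as an example; it is not code from the bug report or from the IPA project. It parses ipa caacl-find output to classify the default ACL as missing, disabled, lacking the caIPAserviceCert profile, or usable, and when run with --ensure on a replica it recreates or re-enables the ACL with the settings shown in Comment 5. It assumes the IPA 4.2 command-line options for ipa caacl-find, caacl-add, caacl-add-profile and caacl-enable, and that the caller holds an admin Kerberos ticket when using --ensure; the sample outputs embedded for offline use are constructed (the first mirrors the caacl-find output above).

```shell
#!/bin/bash
# Added example (not from the bug report or the IPA project): detect whether the
# default CA ACL that this bug left missing on replicas is present and enabled,
# and recreate it if not. Assumes the IPA 4.2 CLI (ipa caacl-find, caacl-add,
# caacl-add-profile, caacl-enable) and an admin Kerberos ticket for --ensure.

DEFAULT_ACL="hosts_services_caIPAserviceCert"
DEFAULT_PROFILE="caIPAserviceCert"

# caacl_state "<ipa caacl-find output>"
# Reads the find output and prints one of: missing, disabled, no-profile, ok.
caacl_state() {
    local out="$1"
    local in_acl=0 found=0 enabled="" profiles="" line
    while IFS= read -r line; do
        case "$line" in
            *"ACL name: $DEFAULT_ACL")      # entry for the default ACL starts here
                in_acl=1; found=1 ;;
            *"ACL name: "*)                 # some other ACL; stop collecting
                in_acl=0 ;;
            *"Enabled: "*)
                if [ "$in_acl" = 1 ]; then enabled="${line##*Enabled: }"; fi ;;
            *"Profiles: "*)
                if [ "$in_acl" = 1 ]; then profiles="${line##*Profiles: }"; fi ;;
        esac
    done <<EOF
$out
EOF
    if [ "$found" = 0 ]; then
        echo missing
    elif [ "$enabled" != "TRUE" ]; then
        echo disabled
    else
        profiles="${profiles// /}"          # "a, b" -> "a,b" so the match below is exact
        case ",$profiles," in
            *",$DEFAULT_PROFILE,"*) echo ok ;;
            *) echo no-profile ;;
        esac
    fi
}

# Recreate, complete or re-enable the default CA ACL on this server.
# Uses the same host/service categories and profile shown in the verification.
ensure_default_caacl() {
    local state
    state=$(caacl_state "$(ipa caacl-find --name="$DEFAULT_ACL")")
    case "$state" in
        missing)
            ipa caacl-add "$DEFAULT_ACL" --hostcat=all --servicecat=all
            ipa caacl-add-profile "$DEFAULT_ACL" --certprofiles="$DEFAULT_PROFILE"
            ;;
        no-profile)
            ipa caacl-add-profile "$DEFAULT_ACL" --certprofiles="$DEFAULT_PROFILE"
            ;;
        disabled)
            ipa caacl-enable "$DEFAULT_ACL"
            ;;
        ok)
            echo "$DEFAULT_ACL already present and enabled"
            ;;
    esac
    echo "state after check: $(caacl_state "$(ipa caacl-find --name="$DEFAULT_ACL")")"
}

# Constructed sample outputs for offline runs. SAMPLE_PRESENT mirrors the
# caacl-find output from Comment 5; the others are what an affected replica
# (no ACL) and a replica with the ACL disabled would print (constructed).
SAMPLE_PRESENT='----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert
----------------------------
Number of entries returned 1
----------------------------'

SAMPLE_MISSING='-----------------
0 CA ACLs matched
-----------------
----------------------------
Number of entries returned 0
----------------------------'

SAMPLE_DISABLED="${SAMPLE_PRESENT/Enabled: TRUE/Enabled: FALSE}"

case "${1:-}" in
    --ensure) ensure_default_caacl ;;
    --demo)
        echo "present sample:  $(caacl_state "$SAMPLE_PRESENT")"
        echo "missing sample:  $(caacl_state "$SAMPLE_MISSING")"
        echo "disabled sample: $(caacl_state "$SAMPLE_DISABLED")"
        ;;
esac
```

Run it with --demo to exercise the parser on the embedded samples, or with --ensure on a replica after obtaining an admin ticket. On a server carrying this fix the default ACL cannot be deleted, only disabled, so the missing branch matters mainly for replicas installed before the fix; the disabled branch covers an ACL someone switched off later.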

Comment 10 errata-xmlrpc 2015-12-08 10:37:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2562.html

