1284811 – ipa-cacert-manage renew fails on nonexistent ldap connection

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1284811 - ipa-cacert-manage renew fails on nonexistent ldap connection

Summary: ipa-cacert-manage renew fails on nonexistent ldap connection

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1283324 (view as bug list)
Depends On:	1284413
Blocks:
TreeView+	depends on / blocked

Reported:	2015-11-24 09:38 UTC by Jan Kurik
Modified:	2015-12-08 10:37 UTC (History)
CC List:	11 users (show)
Fixed In Version:	ipa-4.2.0-15.el7_2.1
Doc Type:	Bug Fix
Doc Text:	Previously, connection to LDAP was held in a singleton object and creating it locally made it available in the back end. When this behavior was changed, it was not reflected in ipa-cacert-manage. As a consequence, ipa-cacert-manage was unusable because it crashed on every run. This problem has been fixed by connecting to LDAP in back end, and ipa-cacert-manage no longer crashes.
Clone Of:	1284413
Environment:
Last Closed:	2015-12-08 10:37:49 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:2562	0	normal	SHIPPED_LIVE	ipa bug fix update	2015-12-08 15:35:22 UTC

Description Jan Kurik 2015-11-24 09:38:24 UTC

This bug has been copied from bug #1284413 and has been proposed
to be backported to 7.2 z-stream (EUS).

Comment 5 Xiyang Dong 2015-11-24 16:57:17 UTC

*** Bug 1283324 has been marked as a duplicate of this bug. ***

Comment 6 Xiyang Dong 2015-11-25 16:09:59 UTC

Verified on ipa-server-4.2.0-15.el7_2.3:

Steps:
1.install ipa server
2.Renew CA Cert with option to change to external-ca
3.Finish external CA renewal
4.Check certs

Output:
[root@qe-blade-11 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

[root@qe-blade-11 ~]# mkdir /root/RootCA1
[root@qe-blade-11 ~]# cd /root/RootCA1
[root@qe-blade-11 RootCA1]# rm  -f *
[root@qe-blade-11 RootCA1]# echo Secret123 > mypass1
[root@qe-blade-11 RootCA1]# certutil -N -d . -f mypass1
[root@qe-blade-11 RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -S -d . \
>     -n RootCA1 \
>     -s "CN=MyRootCA1, O=fakerealm1" \
>     -x \
>     -t "CTu,CTu,CTu" \
>     -g 2048 \
>     -m $RANDOM\
>     -v 60 \
>     -z /etc/group \
>     -2 \
>     --keyUsage certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -f mypass1


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
Notice: Trust flag u is set automatically if the private key is present.

[root@qe-blade-11 RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -C -d . \
>     -c RootCA1 \
>     -m $RANDOM \
>     -v 60 \
>     -2 \
>     --keyUsage digitalSignature,nonRepudiation,certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -i /var/lib/ipa/ca.csr \
>     -o /root/ca.crt \
>     -f mypass1 \
>     -a 
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?

[root@qe-blade-11 RootCA1]# certutil -L -d . -n "RootCA1" -a >> /root/RootCA1_chain.asc
[root@qe-blade-11 RootCA1]# cd  /root
[root@qe-blade-11 ~]# ipa-cacert-manage renew \
>     --external-cert-file=/root/ca.crt \
>     --external-cert-file=/root/RootCA1_chain.asc
Importing the renewed CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

[root@qe-blade-11 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151125151438':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:07 UTC
Request ID '20151125151439':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:05 UTC
Request ID '20151125151440':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:06 UTC
Request ID '20151125151441':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2020-11-25 16:00:36 UTC
Request ID '20151125151442':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:35 UTC
Request ID '20151125151443':
	status: MONITORING
	subject: CN=qe-blade-11.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:05 UTC
Request ID '20151125151516':
	status: MONITORING
	subject: CN=qe-blade-11.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-25 15:15:16 UTC
Request ID '20151125151543':
	status: MONITORING
	subject: CN=qe-blade-11.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-25 15:15:43 UTC
Request ID '20151125152118':
	status: MONITORING
	subject: CN=KRA Audit,O=TESTRELM.TEST
	expires: 2017-11-14 15:20:56 UTC
Request ID '20151125152119':
	status: MONITORING
	subject: CN=KRA Transport Certificate,O=TESTRELM.TEST
	expires: 2017-11-14 15:20:53 UTC
Request ID '20151125152120':
	status: MONITORING
	subject: CN=KRA Storage Certificate,O=TESTRELM.TEST
	expires: 2017-11-14 15:20:55 UTC

Comment 10 errata-xmlrpc 2015-12-08 10:37:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2562.html

Note You need to log in before you can comment on or make changes to this bug.