Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1284811

Summary: ipa-cacert-manage renew fails on nonexistent ldap connection
Product: Red Hat Enterprise Linux 7 Reporter: Jan Kurik <jkurik>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.2CC: dkupka, ekeck, ipa-maint, jcholast, jkurik, ksiddiqu, mkosek, mnavrati, pvoborni, rcritten, xdong
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.2.0-15.el7_2.1 Doc Type: Bug Fix
Doc Text:
Previously, connection to LDAP was held in a singleton object and creating it locally made it available in the back end. When this behavior was changed, it was not reflected in ipa-cacert-manage. As a consequence, ipa-cacert-manage was unusable because it crashed on every run. This problem has been fixed by connecting to LDAP in back end, and ipa-cacert-manage no longer crashes.
 Story Points: ---
Clone Of: 1284413 Environment:
Last Closed: 2015-12-08 10:37:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1284413    
Bug Blocks:    

Description Jan Kurik 2015-11-24 09:38:24 UTC 
This bug has been copied from bug #1284413 and has been proposed
to be backported to 7.2 z-stream (EUS).
Comment 5 Xiyang Dong 2015-11-24 16:57:17 UTC 
*** Bug 1283324 has been marked as a duplicate of this bug. ***
Comment 6 Xiyang Dong 2015-11-25 16:09:59 UTC 
Verified on ipa-server-4.2.0-15.el7_2.3:

Steps:
1.install ipa server
2.Renew CA Cert with option to change to external-ca
3.Finish external CA renewal
4.Check certs

Output:
[root@qe-blade-11 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

[root@qe-blade-11 ~]# mkdir /root/RootCA1
[root@qe-blade-11 ~]# cd /root/RootCA1
[root@qe-blade-11 RootCA1]# rm  -f *
[root@qe-blade-11 RootCA1]# echo Secret123 > mypass1
[root@qe-blade-11 RootCA1]# certutil -N -d . -f mypass1
[root@qe-blade-11 RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -S -d . \
>     -n RootCA1 \
>     -s "CN=MyRootCA1, O=fakerealm1" \
>     -x \
>     -t "CTu,CTu,CTu" \
>     -g 2048 \
>     -m $RANDOM\
>     -v 60 \
>     -z /etc/group \
>     -2 \
>     --keyUsage certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -f mypass1


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
Notice: Trust flag u is set automatically if the private key is present.

[root@qe-blade-11 RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -C -d . \
>     -c RootCA1 \
>     -m $RANDOM \
>     -v 60 \
>     -2 \
>     --keyUsage digitalSignature,nonRepudiation,certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -i /var/lib/ipa/ca.csr \
>     -o /root/ca.crt \
>     -f mypass1 \
>     -a 
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?

[root@qe-blade-11 RootCA1]# certutil -L -d . -n "RootCA1" -a >> /root/RootCA1_chain.asc
[root@qe-blade-11 RootCA1]# cd  /root
[root@qe-blade-11 ~]# ipa-cacert-manage renew \
>     --external-cert-file=/root/ca.crt \
>     --external-cert-file=/root/RootCA1_chain.asc
Importing the renewed CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

[root@qe-blade-11 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151125151438':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:07 UTC
Request ID '20151125151439':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:05 UTC
Request ID '20151125151440':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:06 UTC
Request ID '20151125151441':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2020-11-25 16:00:36 UTC
Request ID '20151125151442':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:35 UTC
Request ID '20151125151443':
	status: MONITORING
	subject: CN=qe-blade-11.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:05 UTC
Request ID '20151125151516':
	status: MONITORING
	subject: CN=qe-blade-11.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-25 15:15:16 UTC
Request ID '20151125151543':
	status: MONITORING
	subject: CN=qe-blade-11.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-25 15:15:43 UTC
Request ID '20151125152118':
	status: MONITORING
	subject: CN=KRA Audit,O=TESTRELM.TEST
	expires: 2017-11-14 15:20:56 UTC
Request ID '20151125152119':
	status: MONITORING
	subject: CN=KRA Transport Certificate,O=TESTRELM.TEST
	expires: 2017-11-14 15:20:53 UTC
Request ID '20151125152120':
	status: MONITORING
	subject: CN=KRA Storage Certificate,O=TESTRELM.TEST
	expires: 2017-11-14 15:20:55 UTC
Comment 10 errata-xmlrpc 2015-12-08 10:37:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2562.html