Bug 1284811 - ipa-cacert-manage renew fails on nonexistent ldap connection
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Keywords: Regression, ZStream
Duplicates: 1283324
Depends On: 1284413
Reported: 2015-11-24 04:38 EST by Jan Kurik
Modified: 2015-12-08 05:37 EST

See Also:
Fixed In Version: ipa-4.2.0-15.el7_2.1
Doc Type: Bug Fix
Doc Text:
Previously, the LDAP connection was held in a singleton object, so creating it locally made it available to the back end. When this behavior was changed, ipa-cacert-manage was not updated to match. As a consequence, ipa-cacert-manage was unusable because it crashed on every run. This problem has been fixed by connecting to LDAP in the back end, and ipa-cacert-manage no longer crashes.
Clone Of: 1284413
Last Closed: 2015-12-08 05:37:49 EST

Description Jan Kurik 2015-11-24 04:38:24 EST
This bug has been copied from bug #1284413 and has been proposed
to be backported to 7.2 z-stream (EUS).
Comment 5 Xiyang Dong 2015-11-24 11:57:17 EST
*** Bug 1283324 has been marked as a duplicate of this bug. ***
Comment 6 Xiyang Dong 2015-11-25 11:09:59 EST
Verified on ipa-server-4.2.0-15.el7_2.3:

Steps:
1. Install IPA server
2. Renew the CA cert with the option to change to an external CA
3. Finish the external CA renewal
4. Check the certs

Output:
[root@qe-blade-11 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

[root@qe-blade-11 ~]# mkdir /root/RootCA1
[root@qe-blade-11 ~]# cd /root/RootCA1
[root@qe-blade-11 RootCA1]# rm  -f *
[root@qe-blade-11 RootCA1]# echo Secret123 > mypass1
[root@qe-blade-11 RootCA1]# certutil -N -d . -f mypass1
[root@qe-blade-11 RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -S -d . \
>     -n RootCA1 \
>     -s "CN=MyRootCA1, O=fakerealm1" \
>     -x \
>     -t "CTu,CTu,CTu" \
>     -g 2048 \
>     -m $RANDOM\
>     -v 60 \
>     -z /etc/group \
>     -2 \
>     --keyUsage certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -f mypass1


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
Notice: Trust flag u is set automatically if the private key is present.

[root@qe-blade-11 RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -C -d . \
>     -c RootCA1 \
>     -m $RANDOM \
>     -v 60 \
>     -2 \
>     --keyUsage digitalSignature,nonRepudiation,certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -i /var/lib/ipa/ca.csr \
>     -o /root/ca.crt \
>     -f mypass1 \
>     -a 
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?

[root@qe-blade-11 RootCA1]# certutil -L -d . -n "RootCA1" -a >> /root/RootCA1_chain.asc
[root@qe-blade-11 RootCA1]# cd  /root
[root@qe-blade-11 ~]# ipa-cacert-manage renew \
>     --external-cert-file=/root/ca.crt \
>     --external-cert-file=/root/RootCA1_chain.asc
Importing the renewed CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

[root@qe-blade-11 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151125151438':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:07 UTC
Request ID '20151125151439':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:05 UTC
Request ID '20151125151440':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:06 UTC
Request ID '20151125151441':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2020-11-25 16:00:36 UTC
Request ID '20151125151442':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:35 UTC
Request ID '20151125151443':
	status: MONITORING
	subject: CN=qe-blade-11.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-14 15:14:05 UTC
Request ID '20151125151516':
	status: MONITORING
	subject: CN=qe-blade-11.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-25 15:15:16 UTC
Request ID '20151125151543':
	status: MONITORING
	subject: CN=qe-blade-11.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-25 15:15:43 UTC
Request ID '20151125152118':
	status: MONITORING
	subject: CN=KRA Audit,O=TESTRELM.TEST
	expires: 2017-11-14 15:20:56 UTC
Request ID '20151125152119':
	status: MONITORING
	subject: CN=KRA Transport Certificate,O=TESTRELM.TEST
	expires: 2017-11-14 15:20:53 UTC
Request ID '20151125152120':
	status: MONITORING
	subject: CN=KRA Storage Certificate,O=TESTRELM.TEST
	expires: 2017-11-14 15:20:55 UTC
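As an added post-renewal check (not part of the bug report or of the IPA project's own code), the script below parses the filtered `getcert list` output in the shape shown above and flags any certmonger request that is not in MONITORING, carries a ca-error, or expires within a threshold; the sample block, its third request and its error text are constructed.

```python
"""Check filtered `getcert list` output after a CA renewal (added example, not from the bug report)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `getcert list | egrep "status|expires|Request|subject|ca-error"`;
# the second request, its status and its ca-error text are made up to show a failing case.
SAMPLE = """\
Request ID '20151125151441':
    status: MONITORING
    subject: CN=Certificate Authority,O=TESTRELM.TEST
    expires: 2020-11-25 16:00:36 UTC
Request ID '20151125152120':
    status: CA_UNREACHABLE
    ca-error: constructed sample error, will retry
    subject: CN=KRA Storage Certificate,O=TESTRELM.TEST
    expires: 2016-01-05 15:20:55 UTC
"""
# Reference "now": the day this bug was closed, fixed so the example is reproducible offline.
NOW = datetime(2015, 12, 8, tzinfo=timezone.utc)


def parse_getcert(text):
    """Split the output into one dict per 'Request ID' block, keyed by the printed field names."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None:
            key, sep, value = line.strip().partition(": ")
            if sep:
                cur[key] = value
    return entries


def check_tracking(text, now=NOW, min_days=30):
    """Return findings (strings); an empty list means every tracked certificate looks healthy."""
    findings = []
    for e in parse_getcert(text):
        label = f"{e['id']} {e.get('subject', '?')}"
        if e.get("status") != "MONITORING":
            findings.append(f"{label}: status {e.get('status')}")
        if "ca-error" in e:
            findings.append(f"{label}: ca-error: {e['ca-error']}")
        if "expires" in e:
            when = datetime.strptime(e["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if when - now < timedelta(days=min_days):
                findings.append(f"{label}: expires {e['expires']}")
    return findings
```

Run against live output by piping `getcert list` into the script's stdin and passing `datetime.now(timezone.utc)` as `now`; after a renewal, the `CN=Certificate Authority` entry should be MONITORING with an expiry matching the new certificate.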
Comment 10 errata-xmlrpc 2015-12-08 05:37:49 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2562.html
