Created attachment 1147087
Observations 7.2.2, 7.2.1 and 7.2GA
Description of problem:
URI details are missing and OCSP-URI details are incorrectly displayed when a certificate is generated using IPA on RHEL 7.2up2.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure IPA server with RHEL 7.2up2.
2. Create a temporary directory inside /tmp (mkdir /tmp/test).
3. cd /tmp/test
4. Execute the following bash script. (Make sure you update DOMAIN and MASTER as per your setup; in my case DOMAIN is "testrelm.test" and MASTER is the respective IPA server hostname.)
5. BASH script:
###########Script start ##############
# Adjust DOMAIN and MASTER for your setup (see step 4 above).
DOMAIN="testrelm.test"
MASTER="$(hostname)"                 # IPA server hostname the certificate is requested for
csrfile="$MASTER.csr"
outfile="$MASTER.cert-request.out"
# URIs the certificate is expected to carry (IPA CA defaults; adjust if your setup differs)
expecteduri="http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin"
expectedocsp="http://ipa-ca.$DOMAIN/ca/ocsp"

echo "Secret123" | kinit admin
echo '[ req ]
default_bits = 2048' > $MASTER-cert-req.conf
echo 'distinguished_name = test_key_file
prompt = no
output_password = ..
[ test_key_file ]
C = US
ST = CA
L = SFO
O = RedHat Technology
OU = RedHat IT' >> $MASTER-cert-req.conf
echo "CN = $MASTER" >> $MASTER-cert-req.conf
# Generate a CSR and submit it to the IPA CA.
openssl req -new -config $MASTER-cert-req.conf -out $csrfile
ipa cert-request --add --principal=EXAMPLE/$(hostname) $csrfile > $outfile
# Pull the serial number out of the cert-request output and fetch the issued certificate.
certnum=$(awk '/Serial number:/ {print $3}' $outfile)
ipa cert-show $certnum --out=$MASTER.cert
openssl x509 -text -in $MASTER.cert
# Check the CRL distribution point and OCSP URIs against the expected values.
openssl x509 -text -in $MASTER.cert | grep URI | grep -v OCSP | grep $expecteduri || echo "CRL URI missing or wrong"
openssl x509 -text -in $MASTER.cert | grep URI | grep OCSP | grep $expectedocsp || echo "OCSP URI missing or wrong"
#### Script END ##########
1. URI details are missing and OCSP-URI details are incorrectly displayed when a certificate is generated using IPA on RHEL 7.2up2.
2. On executing the command "openssl x509 -text -in $MASTER.cert", the following OCSP URI details are found instead of the expected values inside the variables "expecteduri" and "expectedocsp".
OCSP - URI:http://apollo.testrelm.test:80/ca/ocsp
3. Refer to the attached console output log for 7.2.2, 7.2.1 and 7.2GA, produced using this script.
The URI and OCSP-URI details should be correctly displayed when a certificate is generated using IPA on RHEL 7.2up2.
1. When the same steps are tested for 7.2 GA and 7.2up1, the issue is not observed and URI and OCSP-URI details are available correctly.
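A stricter check than the `grep URI` pipeline in the script, added here as an example (not part of the bug report or of IPA): it parses the text that `openssl x509 -text` prints by extension section, so a missing CRL Distribution Point or a wrong OCSP URI is reported explicitly instead of just producing no grep output. The sample certificate text and the expected ipa-ca URIs are constructed assumptions.

```shell
# Added example, not from the bug report: parse `openssl x509 -text` output by
# extension section instead of `grep URI`, so problems are reported explicitly.

# Print URIs of one kind ("crl" or "ocsp") found in x509 text read from stdin.
extract_uris() {
  awk -v want="$1" '
    # Extension headers are indented 12 spaces; their values 16 or more.
    { match($0, /^ */); indent = RLENGTH }
    NF > 0 && indent <= 12 { section = "" }
    /CRL Distribution Points:/      { section = "crl"; next }
    /Authority Information Access:/ { section = "aia"; next }
    want == "crl" && section == "crl" && match($0, /URI:[^ ]+/) {
      print substr($0, RSTART + 4, RLENGTH - 4)
    }
    want == "ocsp" && section == "aia" && match($0, /OCSP - URI:[^ ]+/) {
      print substr($0, RSTART + 11, RLENGTH - 11)
    }
  '
}

# Compare cert text ($1) with the expected CRL ($2) and OCSP ($3) URIs.
# Prints each finding; returns 0 only when both match.
check_cert_uris() {
  local crl ocsp rc=0
  crl=$(printf '%s\n' "$1" | extract_uris crl)
  ocsp=$(printf '%s\n' "$1" | extract_uris ocsp)
  if [ -z "$crl" ]; then
    echo "FAIL: no CRL Distribution Point URI in certificate"; rc=1
  elif [ "$crl" != "$2" ]; then
    echo "FAIL: CRL URI '$crl' != expected '$2'"; rc=1
  fi
  if [ "$ocsp" != "$3" ]; then
    echo "FAIL: OCSP URI '$ocsp' != expected '$3'"; rc=1
  fi
  return $rc
}

# Constructed excerpt modelled on the bug's symptom: no CRL DP extension and
# OCSP pointing at the CA host on port 80.
BAD_CERT_TEXT='        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://apollo.testrelm.test:80/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption'

# Expected URIs are assumptions for this example; substitute your own values.
check_cert_uris "$BAD_CERT_TEXT" "http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin" \
  "http://ipa-ca.testrelm.test/ca/ocsp" || echo "certificate failed the URI check"
```

Feed it the real output with `check_cert_uris "$(openssl x509 -text -in $MASTER.cert)" "$expecteduri" "$expectedocsp"` from the reproduction script.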
Btw, this does not happen upstream with ipa 4.3 and pki-ca-10.2.6-15.fc23
Fraser, could it be related to bug 1284803 or bug 1311468? I would say that it isn't.
Also, we didn't do any CRL- or OCSP-related configuration in IPA in u2. To me it looks like a bug in PKI.
What do you think?
What are the pki-ca versions?
Please find the pki-ca version details below:
1. RHEL 7.2.2 = pki-ca-10.2.5-6.el7.noarch
2. RHEL 7.2.1 = pki-ca-10.2.5-6.el7.noarch
3. RHEL 7.2GA = pki-ca-10.2.5-6.el7.noarch
Petr, I agree it is not unlikely to be related to those bugs.
There was an issue reported in freeipa-users recently with the same or similar symptoms: the caIPAserverCert profile shipped with Dogtag somehow ended up in LDAP instead of the version shipped with FreeIPA. I need to investigate further.
Was there any result for the investigation?
I'm unable to reproduce; more information about how the IPA server gets to this point is needed, e.g.:
- is it a clone or migration from another master?
- is it an upgrade from an earlier release?
- please attach IPA install logs (and IPA upgrade log, if applicable)
Nikhil, do you have an estimate of what percentage of test runs this failure happens in?
I have noticed this behavior in my upgrade tests related to
1) 7.2up1 > 7.2up4 - (noticed in normal upgrade tests).
2) 7.2up2 > 7.2up4 - (noticed in normal upgrade tests).
and did not notice it in the upgrade paths
1) 7.2GA > 7.2up4 - (did not notice in normal upgrade tests)
2) 7.0.z > 7.2up4 - (did not notice in normal upgrade tests)
So I would say, roughly 50% of my test runs.
Nikhil, can you please advise whether the affected installations are replicas or had replicas created from them? If so, could you please precisely describe the
Does the problem occur in installations *without* clones?
Yes, the setup consisted of Master, Replica and Client (MRC topology). The issue was noticed on the Master as well as the Replica.
Let me know; if you want, I can re-run the task and provide access accordingly.
Server build: ipa-server-4.4.0-3.el7.x86_64
Verified the bug on the basis of the following steps:
1. Verified that on running the script on the IPA master, URI and OCSP details are displayed correctly.
2. Verified the script for both MASTER and REPLICA.
Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED-FIXED".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.