Bug 1327092 - URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2.
Summary: URI details missing and OCSP-URI details are incorrectly displayed when certi...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Fraser Tweedale
QA Contact: Kaleem
Depends On:
Blocks: 1337820
Reported: 2016-04-14 09:33 UTC by Nikhil Dehadrai
Modified: 2016-11-04 05:53 UTC

Fixed In Version: ipa-4.3.1-0.201605191449GITf8edf37.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1337820
Last Closed: 2016-11-04 05:53:08 UTC
Target Upstream Version:

Attachments (Terms of Use)
Observations 7.2.2,7.2.1 and 7.2GA (30.96 KB, text/plain)
2016-04-14 09:33 UTC, Nikhil Dehadrai

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Nikhil Dehadrai 2016-04-14 09:33:51 UTC
Created attachment 1147087
Observations 7.2.2,7.2.1 and 7.2GA

Description of problem:
URI details are missing and OCSP-URI details are incorrectly displayed when a certificate is generated using IPA on RHEL 7.2up2.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure an IPA server with RHEL 7.2up2.
2. Create a temporary directory inside /tmp. (mkdir /tmp/test)
3. cd /tmp/test
4. Execute the following bash script. (Make sure you update DOMAIN and MASTER as per your setup; in my case it is "testrelm.test" and the respective IPA server hostname as MASTER.)
5. BASH script:

###########Script start ##############

echo "Secret123" | kinit admin
export MASTER=`hostname`
export DOMAIN=testrelm.test

# Editorial note: the script as posted never sets csrfile, outfile,
# expecteduri or expectedocsp. The two file names below are assumed
# placeholders so the script runs; the two expected URIs are not given in
# the report, so the script stops unless you export them to the CRL and
# OCSP URIs your CA profile is supposed to issue (an empty grep pattern
# would otherwise match every line and hide the failure).
export csrfile=$MASTER-cert-req.csr
export outfile=$MASTER-cert-request.out
: "${expecteduri:?set expecteduri to the expected CRL distribution point URI}"
: "${expectedocsp:?set expectedocsp to the expected OCSP URI}"

echo '[ req ]
default_bits = 2048' > $MASTER-cert-req.conf
echo 'distinguished_name = test_key_file
prompt = no
output_password = ..

[ test_key_file ]
C = US
O = RedHat Technology
OU = RedHat IT' >> $MASTER-cert-req.conf

echo "CN = $MASTER" >> $MASTER-cert-req.conf


openssl req -new -config $MASTER-cert-req.conf -out $csrfile
ipa cert-request --add --principal=EXAMPLE/`hostname` $csrfile > $outfile

export certnum=$(cat $outfile | grep Serial\ number: | sed s=\ \ =\ =g | cut -d\  -f4)
ipa cert-show $certnum --out=$MASTER.cert


openssl x509 -text -in $MASTER.cert

openssl x509 -text -in $MASTER.cert | grep URI | grep -v OCSP | grep $expecteduri
openssl x509 -text -in $MASTER.cert | grep URI | grep OCSP | grep $expectedocsp

#### Script END ##########

Actual results:
1. URI details are missing and OCSP-URI details are incorrectly displayed when a certificate is generated using IPA on RHEL 7.2up2.
2. On executing the command "openssl x509 -text -in $MASTER.cert", the following OCSP URI details are found instead of the expected values inside the variables "expecteduri" and "expectedocsp".

OCSP - URI:http://apollo.testrelm.test:80/ca/ocsp

3. Refer to the attached console output log for 7.2.2, 7.2.1 and 7.2GA using this script for reference.

Expected results:
The URI and OCSP-URI details should be correctly displayed when a certificate is generated using IPA on RHEL 7.2up2.

Additional info:
1. When the same steps are tested for 7.2 GA and 7.2up1, the issue is not observed and URI and OCSP-URI details are available correctly.
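As an added example that is not part of the report, the check below parses `openssl x509 -text` output and compares the CRL distribution point and OCSP URIs against the values the CA profile should issue, reporting a missing extension explicitly instead of letting an empty grep pass. The two sample fragments and the ipa-ca expected URIs are constructed for illustration; substitute your deployment's own expected values.

```python
import re
# Constructed `openssl x509 -text -noout` fragment showing the symptom in this
# report: no CRL Distribution Points extension, and an OCSP URI naming the CA
# host on port 80 rather than the IPA CA alias.
BAD_TEXT = """\
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://apollo.testrelm.test:80/ca/ocsp

"""
# Constructed fragment for a correctly issued certificate; the ipa-ca URIs are
# assumed expected values, not taken from the report.
GOOD_TEXT = """\
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin
            Authority Information Access:
                OCSP - URI:http://ipa-ca.testrelm.test/ca/ocsp
"""
SECTIONS = {"X509v3 CRL Distribution Points:": "crl", "Authority Information Access:": "ocsp"}

def extract_uris(x509_text):
    """Collect CRL-DP and OCSP URIs; a section body is indented deeper than its
    header, so it ends at the first non-blank line at header depth."""
    found = {"crl": [], "ocsp": []}
    lines = x509_text.splitlines()
    for i, header in enumerate(lines):
        key = SECTIONS.get(header.strip())
        if key is None:
            continue
        depth = len(header) - len(header.lstrip())
        for body in lines[i + 1:]:
            if body.strip() and len(body) - len(body.lstrip()) <= depth:
                break
            # AIA may also carry "CA Issuers - URI:"; keep only the OCSP entry.
            if key == "ocsp" and "OCSP - URI:" not in body:
                continue
            found[key] += re.findall(r"URI:(\S+)", body)
    return found

def check_cert_uris(x509_text, expected_crl, expected_ocsp):
    """Return findings as strings; an empty list means both URIs match."""
    found = extract_uris(x509_text)
    findings = []
    if expected_crl not in found["crl"]:
        findings.append(f"CRL URI: expected {expected_crl}, found {found['crl'] or 'none'}")
    if expected_ocsp not in found["ocsp"]:
        findings.append(f"OCSP URI: expected {expected_ocsp}, found {found['ocsp'] or 'none'}")
    return findings
```

In practice feed it `subprocess.run(["openssl", "x509", "-text", "-noout", "-in", cert], capture_output=True, text=True).stdout` and fail the test run when the list is non-empty.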

Comment 2 Petr Vobornik 2016-04-14 11:07:10 UTC
Btw, this does not happen upstream with ipa 4.3 and pki-ca-10.2.6-15.fc23

Fraser, could it be related to bug 1284803 or bug 1311468? I would say that it isn't.

Also, we didn't do any CRL- or OCSP-related configuration in IPA in u2. To me it looks like a bug in PKI.

What do you think?

Comment 4 Petr Vobornik 2016-04-14 11:53:58 UTC
what are the pki-ca versions?

Comment 5 Nikhil Dehadrai 2016-04-14 13:33:59 UTC
Please find the pki-ca version details below:

1. RHEL 7.2.2 = pki-ca-10.2.5-6.el7.noarch
2. RHEL 7.2.1 = pki-ca-10.2.5-6.el7.noarch
3. RHEL 7.2GA = pki-ca-10.2.5-6.el7.noarch

Comment 6 Fraser Tweedale 2016-04-15 01:03:26 UTC
Petr, I agree it is not unlikely to be related to those bugs.

There was an issue reported in freeipa-users recently with the same or similar symptoms: the caIPAserverCert profile shipped with Dogtag somehow ended up in LDAP instead of the version shipped with FreeIPA. I need to investigate further.

Comment 7 Martin Kosek 2016-05-03 11:59:58 UTC
Was there any result for the investigation?

Comment 8 Fraser Tweedale 2016-05-04 05:00:47 UTC
I'm unable to reproduce; more information about how the IPA
server gets to this point is needed, e.g.:

- is it a clone or migration from another master?
- is it an upgrade from an earlier release?
- please attach IPA install logs (and IPA upgrade log, if applicable)


Comment 10 Petr Vobornik 2016-05-05 11:12:44 UTC
Nikhil, do you have an estimate of what percentage of test runs this failure happens in?

Comment 11 Nikhil Dehadrai 2016-05-05 11:34:33 UTC
Hi Petr,

I have noticed this behavior in my upgrade tests related to
1) 7.2up1 > 7.2up4 - (Noticed in normal upgrade tests).
2) 7.2up2 > 7.2up4 - (Noticed in normal upgrade tests).

and did not notice it in the upgrade paths
1) 7.2GA > 7.2up4 - (Did not notice in normal upgrade tests)
2) 7.0.z > 7.2up4 - (Did not notice in normal upgrade tests)

So I would say, roughly 50% of my test runs.

Comment 12 Fraser Tweedale 2016-05-10 13:19:13 UTC
Nikhil, can you please advise whether the affected installations are replicas or had replicas created from them?  If so, could you please precisely describe the

Does the problem occur in installations *without* clones?

Comment 13 Nikhil Dehadrai 2016-05-10 14:16:04 UTC
Hi Fraser,

Yes, the setup consisted of Master, Replica and Client (MRC topology). The issue was noticed on the Master as well as the Replica.

Let me know; if you want, I can re-run the task and provide access accordingly.

Comment 21 Nikhil Dehadrai 2016-08-08 08:36:59 UTC
Server build: ipa-server-4.4.0-3.el7.x86_64

Verified the bug on the basis of the following steps:
1. Verified that on running the script on the IPA master, the URI and OCSP details are displayed correctly.
2. Verified the script for both MASTER and REPLICA.

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED-FIXED".

Comment 24 errata-xmlrpc 2016-11-04 05:53:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

