Description of problem:
CA startup creates an LWCA entry for the host authority if it determines that one has not already been created. It determines whether an LWCA entry corresponds to the host CA by comparing the DN from LDAP with the DN from the cert. If the DN from the cert contains strings using PrintableString encoding, it will compare unequal to the DN from LDAP, which parses to UTF8String AVA values, resulting in the addition of a spurious entry every time the server starts.

Version-Release number of selected component (if applicable):

How reproducible:
Always, if the CA cert subject DN contains PrintableString-encoded values.

Steps to Reproduce:
1. Install CA with an externally-signed CA cert whose subject DN contains PrintableString-encoded values.
2. Restart CA.

Actual results:
A new host authority entry is added to LDAP on every restart.

Expected results:
CA startup properly matches the host authority LDAP entry to the host authority, and therefore does not add spurious entries.

Additional info:
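The following is an added example, not Dogtag's code and not the fix referenced in the commits on this bug; it is written in Python so it runs stand-alone. It encodes the host CA subject shown on this report twice, once with PrintableString AVAs (as the certificate carries them) and once with UTF8String AVAs (as the DN parses back from LDAP), and shows that a comparison which treats the ASN.1 string type as part of the value reports the two DNs as different while a comparison on attribute type and decoded string reports them equal. The tiny DER encoder/decoder (single-valued RDNs, PrintableString and UTF8String only) and the `names_equal_*`/`rfc4514` helpers are this example's own, not an API of the project.

```python
# Added example: DN comparison across PrintableString/UTF8String AVA encodings.
# Minimal DER support for X.500 Name (RFC 5280: SEQUENCE OF SET OF AttributeTypeAndValue).
# Assumptions: single-valued RDNs; only PrintableString (0x13) and UTF8String (0x0C) values.

TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_SEQUENCE = 0x30
TAG_SET = 0x31

OID_CN, OID_O, OID_OU = "2.5.4.3", "2.5.4.10", "2.5.4.11"
SHORT_NAMES = {OID_CN: "CN", OID_O: "O", OID_OU: "OU"}


def _der_length(n):
    """DER definite-length encoding, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_name(avas, string_tag):
    """Encode [(oid, value), ...] in DER order (least significant RDN first),
    using string_tag as the ASN.1 string type for every value."""
    rdns = b""
    for oid, value in avas:
        atv = _tlv(TAG_SEQUENCE, _encode_oid(oid) + _tlv(string_tag, value.encode("utf-8")))
        rdns += _tlv(TAG_SET, atv)
    return _tlv(TAG_SEQUENCE, rdns)


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_name(der):
    """Return [(oid, string_tag, value), ...] for a DER Name with single-valued RDNs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    avas, pos = [], 0
    while pos < len(body):
        stag, rdn, pos = _read_tlv(body, pos)
        if stag != TAG_SET:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid_body, p = _read_tlv(atv, 0)
        vtag, vbody, _ = _read_tlv(atv, p)
        if vtag not in (TAG_UTF8STRING, TAG_PRINTABLESTRING):
            raise ValueError("unsupported string type 0x%02x" % vtag)
        # PrintableString is an ASCII subset, so UTF-8 decoding is correct for both types.
        avas.append((_decode_oid(oid_body), vtag, vbody.decode("utf-8")))
    return avas


def names_equal_typed(a, b):
    """The failing comparison: the ASN.1 string type is treated as part of each value."""
    return decode_name(a) == decode_name(b)


def names_equal_string(a, b):
    """The intended comparison: attribute type plus decoded string, encoding ignored."""
    strip = lambda name: [(oid, value) for oid, _, value in decode_name(name)]
    return strip(a) == strip(b)


def rfc4514(der):
    """LDAP string form, most significant RDN first (CN=...,OU=...,O=...)."""
    parts = [(SHORT_NAMES.get(oid, oid), v) for oid, _, v in decode_name(der)]
    return ",".join("%s=%s" % kv for kv in reversed(parts))


# Host CA subject from this bug report, in DER order (O, OU, CN).
HOST_CA_SUBJECT = [(OID_O, "Example-Test-rhel-fips"),
                   (OID_OU, "pki-ExternalCA-gkapoor5"),
                   (OID_CN, "CA Signing Certificate")]
CERT_DN = encode_name(HOST_CA_SUBJECT, TAG_PRINTABLESTRING)  # as in the certificate
LDAP_DN = encode_name(HOST_CA_SUBJECT, TAG_UTF8STRING)       # as parsed back from LDAP

if __name__ == "__main__":
    print(rfc4514(CERT_DN))
    print("bytes equal:      ", CERT_DN == LDAP_DN)
    print("typed AVAs equal: ", names_equal_typed(CERT_DN, LDAP_DN))
    print("string AVAs equal:", names_equal_string(CERT_DN, LDAP_DN))
```

The outer SEQUENCE this produces for the PrintableString form is 100 content bytes, the same length dumpasn1 reports for the subject of the verification certificate later in this report, so the constructed input matches the real encoding. A DN comparison used as an identity check (here, "is this LWCA entry the host CA?") should canonicalise both sides to (attribute type, string value) pairs before comparing, or the check will depend on which string type the issuing tool happened to choose.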
Moving from rhel-7.3.0 ==> rhel-7.4.0. Bug has been marked as RHEL 7.3 ZStream candidate.
On September 23, 2016, ftweedal checked-in the following: * master (9043a08bef3723ca218ad7e5dd82be61166b5a1d) * DOGTAG_10_3_BRANCH (84606cc69390187b7f0f11fff41a372fd96f8f93)
rpm -qa pki-ca
pki-ca-10.4.1-10.el7.noarch

Refer to https://bugzilla.redhat.com/show_bug.cgi?id=1390322 for more details.

Test case 1:

[root@pki1 ~]# curl -k https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:27443/ca/rest/authorities
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><collection xmlns:ns2="http://www.w3.org/2005/Atom"><authority isHostAuthority="true" id="99c4df4e-4646-46c1-9934-0d7afb9d080b" issuerDN="CN=External CA,O=EXTERNAL" serial="4947" dn="CN=CA Signing Certificate,OU=pki-ExternalCA-gkapoor5,O=Example-Test-rhel-fips" enabled="true" description="Host authority" ready="true"/></collection>

Test Case 2:

          SEQUENCE {
  57   3:   OBJECT IDENTIFIER commonName (2 5 4 3)
  62  11:   PrintableString 'External CA'
        :   }
        :  }
        : }
  75  30: SEQUENCE {
  77  13:   UTCTime 23/06/2017 11:42:27 GMT
  92  13:   UTCTime 23/09/2017 11:42:27 GMT
        :   }
 107 100: SEQUENCE {
 109  31:   SET {
 111  29:     SEQUENCE {
 113   3:       OBJECT IDENTIFIER organizationName (2 5 4 10)
 118  22:       PrintableString 'Example-Test-rhel-fips'
        :       }
        :     }
 142  32:   SET {
 144  30:     SEQUENCE {
 146   3:       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
 151  23:       PrintableString 'pki-ExternalCA-gkapoor5'
        :       }
        :     }
 176  31:   SET {
 178  29:     SEQUENCE {
 180   3:       OBJECT IDENTIFIER commonName (2 5 4 3)
 185  22:       PrintableString 'CA Signing Certificate'
        :       }
        :     }
        :   }
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110