Bug 1404175 - pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
: ---
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 1316653
Blocks:
Reported: 2016-12-13 09:26 UTC by Marcel Kolaja
Modified: 2017-01-17 18:26 UTC (History)

Fixed In Version: pki-core-10.3.3-15.el7_3
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of: 1316653
Environment:
Last Closed: 2017-01-17 18:26:43 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2017:0093
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: pki-core bug fix update
Last Updated: 2017-01-17 22:56:43 UTC

Description Marcel Kolaja 2016-12-13 09:26:34 UTC
This bug has been copied from bug #1316653 and has been proposed
to be backported to 7.3 z-stream (EUS).

Comment 4 Geetika Kapoor 2016-12-19 11:15:16 UTC
Test build:  pki-ca-10.3.3-16.el7_3.noarch

Performed the below-mentioned testing. Please have a look if anything else also needs to be covered as part of this testing.

1. Install ipa-server-install
2. Create csr using openssl req -new -nodes -out host.csr
3. pki  ca-cert-request-profile-show caCACert --output template.xml
4. Submit the CSR to any external CA.
Here I have used another Dogtag CA to get the CSR signed.

# pki -h <ip1 of CA> -p <http port of CA> ca-cert-request-submit template.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 49990004
  Type: enrollment
  Request Status: pending
  Operation Result: success

5. Make sure to include the request type (either pkcs10 or crmf) and the cert request fields.

Case 1: If we don't include the request type in template.xml, we hit the below exception:

# pki ca-cert-request-submit template.xml
PKIException: Unknown Certificate Request Type

6. Try to approve the CSR from the CA to which we have sent the request. Below is the output once signed by the CA.

# pki -h <ip1 of CA> -p <http port of CA> ca-cert-request-show 49990004
------------------------------
Certificate request "49990004"
------------------------------
  Request ID: 49990004
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x5ffe0001

##############################################################################
Details of working template.xml::
##############################################################################

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <Attributes/>
    <ProfileID>caCACert</ProfileID>
    <Renewal>false</Renewal>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>certReqInputImpl</ClassID>
        <Name>Certificate Request Input</Name>
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
            <Descriptor>
                <Syntax>cert_request_type</Syntax>
                <Description>Certificate Request Type</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="cert_request">
            <Value>
-----BEGIN CERTIFICATE REQUEST-----
MIICljCCAX4CAQAwUTELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0
eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDENMAsGA1UEAwwEVGVzdDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcITTHKipicCgA58PVPxalU
MVBCJTDaRrW4eaSRt3qgsDMhrZ34t8voQni0Pabfw7sp+lUtjUm1QJhmZhTyk8q2
1668KSM36jzbLq32XNdWdPtRTDdE9ahUHzm/uEraRfvlb7WkQIoJDYI9yhie7dr8
F/LKZ9LNRoYgjWUK7z3BDU2NMmb/AaZDnBNKUFB3XXi1QsLnSc/Sy4kakAcPVqf6
91mDToHfOQdLJ2/aiUyQ6jC4tkS/YJUQyPb0cUen7bFwsj6orKA30W5umw+J3Bxl
9TOuaffNR2/154hdoc8tmJqEMqJ/UX5PN5RtHTEtqNuceNda8QUpJjxMk1MxwFkC
AwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAouE0d8LeP9BdYnTsq4JLSx2d9mT0U
/3pKhqyBNcwualUUAeUJcPuL7SXE6p65D5VyjnpyAY2Lov4XVDoA+zhGOtgimmT8
z1V/fwfaUNavkSRslgUyO9YMuXIB5dymRLoEm5iRV1C10q/NvsAImdb4oxf5s63w
lhsnzZPAdvMncP1TzskkeMAxX7ifU3vU97MY52gf5wzh9sO0Ex35pHGHgZ0HaFJ2
engvU09AW9cHJmALGXr9+/ZPYEpWtuMiRS9t/ZA02v5VNd6+RC9OJvl/lZcPtsBg
fZY1POP5GdKbuAfeJ5Vgsppv0i/lO5Sg4vGWkgDwHo6dmPXieSqBCACB
-----END CERTIFICATE REQUEST-----
</Value>
            <Descriptor>
                <Syntax>cert_request</Syntax>
                <Description>Certificate Request</Description>
            </Descriptor>
        </Attribute>
    </Input>
    <Input id="i2">
        <ClassID>submitterInfoInputImpl</ClassID>
        <Name>Requestor Information</Name>
        <Attribute name="requestor_name">
            <Value>Test</Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Name</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="requestor_email">
            <Value></Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Email</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="requestor_phone">
            <Value></Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Phone</Description>
            </Descriptor>
        </Attribute>
    </Input>
</CertEnrollmentRequest>
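The testing steps above hand-edit the template produced by `pki ca-cert-request-profile-show` and show what happens when `cert_request_type` is left empty. As an added example (not code from this bug report or from pki-core), the following Python script fills such a template from a PEM PKCS#10 CSR and refuses to write a request file whose `cert_request_type` or `cert_request` input is still empty, the condition behind the `PKIException: Unknown Certificate Request Type` failure in Case 1. The script name `fill_template.py`, the trimmed sample template and the placeholder CSR are constructed for the example and are not real CA data.

```python
"""Fill a CertEnrollmentRequest template for 'pki ca-cert-request-submit'.

Added example; not part of the bug report or of pki-core. It automates the
manual step between these commands from the testing comment:

    pki ca-cert-request-profile-show caCACert --output template.xml
    openssl req -new -nodes -out host.csr
    python3 fill_template.py template.xml host.csr > request.xml
    pki -h <CA host> -p <CA port> ca-cert-request-submit request.xml
"""
import sys
import xml.etree.ElementTree as ET

REQUIRED_ATTRS = ("cert_request_type", "cert_request")
REQUEST_TYPES = ("pkcs10", "crmf")
PEM_HEADER = "-----BEGIN CERTIFICATE REQUEST-----"
XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'

# Constructed stand-in for 'ca-cert-request-profile-show' output: the same
# element layout as the caCACert template on this page, with empty values.
SAMPLE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <Attributes/>
    <ProfileID>caCACert</ProfileID>
    <Renewal>false</Renewal>
    <Input id="i1">
        <ClassID>certReqInputImpl</ClassID>
        <Name>Certificate Request Input</Name>
        <Attribute name="cert_request_type"><Value></Value></Attribute>
        <Attribute name="cert_request"><Value></Value></Attribute>
    </Input>
    <Input id="i2">
        <ClassID>submitterInfoInputImpl</ClassID>
        <Name>Requestor Information</Name>
        <Attribute name="requestor_name"><Value></Value></Attribute>
        <Attribute name="requestor_email"><Value></Value></Attribute>
    </Input>
</CertEnrollmentRequest>
"""

# Constructed placeholder, not a real PKCS#10 request; a CA would reject it.
SAMPLE_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "cGxhY2Vob2xkZXI=\n"
    "-----END CERTIFICATE REQUEST-----\n"
)


def _value_element(root, name):
    """Return the <Value> element of the <Attribute name=...> called name."""
    for attr in root.iter("Attribute"):
        if attr.get("name") == name:
            return attr.find("Value")
    return None


def missing_required_inputs(xml_text):
    """Names of required request attributes that are absent or empty."""
    root = ET.fromstring(xml_text)
    missing = []
    for name in REQUIRED_ATTRS:
        value = _value_element(root, name)
        if value is None or not (value.text or "").strip():
            missing.append(name)
    return missing


def fill_template(xml_text, csr_pem, request_type="pkcs10", requestor_name=""):
    """Return the template with request type and CSR filled in.

    Raises ValueError instead of producing a file the CA would reject.
    """
    if request_type not in REQUEST_TYPES:
        raise ValueError("request type must be one of %s" % (REQUEST_TYPES,))
    if request_type == "pkcs10" and PEM_HEADER not in csr_pem:
        raise ValueError("a pkcs10 request must be a PEM CERTIFICATE REQUEST")
    root = ET.fromstring(xml_text)
    fills = {"cert_request_type": request_type, "cert_request": csr_pem.strip()}
    if requestor_name:
        fills["requestor_name"] = requestor_name
    for name, text in fills.items():
        value = _value_element(root, name)
        if value is None:
            raise ValueError("template has no '%s' input; wrong profile?" % name)
        value.text = text
    filled = XML_DECL + ET.tostring(root, encoding="unicode")
    leftover = missing_required_inputs(filled)
    if leftover:
        raise ValueError("still empty after fill: %s" % ", ".join(leftover))
    return filled


def profile_id(xml_text):
    """ProfileID the request will be submitted against (e.g. caCACert)."""
    return ET.fromstring(xml_text).findtext("ProfileID")


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: fill_template.py template.xml host.csr\n")
        return 2
    with open(argv[1]) as f:
        template = f.read()
    with open(argv[2]) as f:
        csr = f.read()
    sys.stdout.write(fill_template(template, csr))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The generated `request.xml` is what goes to `pki -h <CA host> -p <CA port> ca-cert-request-submit`; whether that call needs client-certificate or directory-based authentication, and whether an agent then has to run `ca-cert-request-review`, depends on the profile, as the updated pki-cert man page quoted in comment 7 states.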

Comment 6 Jan Pazdziora 2016-12-19 15:27:48 UTC
I'm sorry -- what is the question?

Comment 7 Geetika Kapoor 2016-12-20 06:32:23 UTC
hello Jan,

Based on this BZ's comments and the parent BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1316653), I have done the testing as mentioned in comment #4 and also verified the fix, which is a man page fix for pki-cert. The man page now has the below-mentioned data:

<Man page pki-cert>

    Depending on the profile, the command may require authentication (see the profile configuration file). The CLI currently supports
    client certificate authentication and directory-based authentication.

    Also depending on the profile, an agent may need to review and approve the request by running the following command:

    pki <agent authentication> ca-cert-request-review <request ID> --file <file to store the certificate request>

</Man page pki-cert>

I am from the RHCS team and I try to cover the best possible use cases. If you could share your inputs, and if you have any other test case which is valid for IPA, I can cover that as part of this testing.

Thanks

Comment 8 Jan Pazdziora 2016-12-20 08:08:04 UTC
I don't have any insights -- I've just followed the man page in bug 1316653 comment 0 and it failed. If you were able to reproduce the failure with the version and steps from that bugzilla, and the new version has either a fixed man page, fixed behaviour, or both, ideally pointing the user to how to submit the request, that's all that is needed.

Comment 9 Geetika Kapoor 2016-12-20 09:39:50 UTC
Hello Jan,

According to Endi's comment #4 (https://bugzilla.redhat.com/show_bug.cgi?id=1316653), we don't use the profile "caInstallCACert" because it is internal.
In place of that, we can use the profile "caCACert". Using this profile, we are able to submit a request to this profile and approve it also.
Man pages are modified to reflect the changes.
More details about the usage of the different profiles and submitting requests are provided on this wiki:
"http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles"

Thanks
Geetika

Comment 11 errata-xmlrpc 2017-01-17 18:26:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0093.html

