Bug 1451576
| Summary: | ipa cert-request failed to generate certificate from csr | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Abhijeet Kasurde <akasurde> |
| Component: | ipa | Assignee: | fbarreto |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | cheimes, fbarreto, ftweedal, jnovonj, ksiddiqu, mreznik, ndehadra, pvoborni, rcritten, tscherf |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.5.4-8.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-04-10 16:40:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1392582 | | |
Description
Abhijeet Kasurde
2017-05-17 05:42:32 UTC
Sounds like https://pagure.io/freeipa/issue/5919, for which a fix was pushed to master recently. Felipe, can you take a look at this BZ to see whether it has the same root cause? If yes, we will backport the fix to RHEL ASAP.

Hi Abhijeet, I followed the steps that you provided, but I got the error [1] when running the cert-request command. Am I missing something?

[1]
[root@kvm-02-guest08 1451576]# ipa cert-request testuser1.csr --principal=testuser1
ipa: ERROR: The principal for this request doesn't exist.

Felipe, you have to have an IPA server with realm "TESTRELM.TEST" and also create the user 'testuser1'. Then it will find the principal and you should be able to reproduce this issue.

Fraser: thank you for helping, that is what was missing. Martin: Yes, it's the same root cause. The PR for https://pagure.io/freeipa/issue/5919 fixes this.

Using this as a workaround - let me know if it is correct:
[root@ipaserver01 ~]# cat testuser1.cnf
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts
[ dn ]
commonName = testuser1
[ exts ]
subjectAltName=@alt_section
[alt_section]
email=testuser1
[root@ipaserver01 ~]# openssl req -new -newkey rsa:2048 -keyout testuser1.key -sha256 -nodes -out testuser1.csr -config testuser1.cnf
Generating a 2048 bit RSA private key
.....+++
.........................+++
writing new private key to 'testuser1.key'
-----
[root@ipaserver01 ~]# openssl req -text -noout -in testuser1.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=testuser1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
email:testuser1
Signature Algorithm: sha256WithRSAEncryption
[root@ipaserver01 ~]# echo Secret123 | kinit admin
Password for admin:
[root@ipaserver01 ~]# echo Password1 | ipa user-add --first testuser1 --last testuser1 testuser1 --password
----------------------
Added user "testuser1"
----------------------
User login: testuser1
First name: testuser1
Last name: testuser1
Full name: testuser1 testuser1
Display name: testuser1 testuser1
Initials: tt
Home directory: /home/testuser1
GECOS: testuser1 testuser1
Login shell: /bin/sh
Principal name: testuser1
Principal alias: testuser1
Email address: testuser1
UID: 937000001
GID: 937000001
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@ipaserver01 ~]# ipa cert-request --principal=testuser1 testuser1.csr
Issuing CA: ipa
Certificate: [base64 value omitted]
Hi, this is my first question, please be patient. The workaround does not seem to work. My CSR says:

---------- 8< ----------- 8< -----------
Common Name: jnovo
Subject Alternative Names: jnovo
Organization: MiCasa
Organization Unit: MiCasa Infraestructuras
Locality: Madrid
State: Comunidad Autonoma de Madrid
Country: ES
Email: jnovo
---------- >8 ----------- >8 -----------

[root@freeipa ipa-server]# ipa cert-request --principal=jnovo jnovo.csr
ipa: ERROR: an internal error has occurred
[root@freeipa ipa-server]#

This may not be related to the original issue, but you'd need to look in the Apache error log for more details on the failure, /var/log/httpd/error_log on the IPA master.

IPA version: ipa-server-4.5.4-7.el7.x86_64
Tested the bug with the following observations:
1. Set up an IPA master at the latest version (in my case RHEL 7.5).
2. Create a test user (in my case a user named 'testuser').
3. Create a directory on the system for the newly created user in step 2 (in my case I created the directory at '/root/testuser').
# cd /root/testuser
4. Create a new file named 'testuser.inf' for key creation with the following contents.
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts
[ dn ]
commonName = "testuser"
[ exts ]
subjectAltName=email:testuser
5. Create the key file using the inf file created in step 4.
# openssl genrsa -out testuser.key 2048
6. Create the CSR using the key file created in step 5.
# openssl req -new -sha256 -key testuser.key -out testuser.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:testuser
Email Address []:testuser
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@auto-hv-01-guest03 testuser]# ls -l
total 12
-rw-r--r--. 1 root root 1041 Dec 19 06:24 testuser.csr
-rw-r--r--. 1 root root 170 Dec 19 06:19 testuser.inf
-rw-r--r--. 1 root root 1679 Dec 19 06:20 testuser.key
7. Now run ipa cert-request using the CSR generated in step 6.
# ipa cert-request testuser.csr --principal=testuser
ipa: ERROR: invalid 'csr': DN emailAddress does not match any of user's email addresses

From the above observation in step 7, we are still seeing the original issue mentioned at Comment#0 (Description), thus marking the status "ASSIGNED".

I opened https://github.com/freeipa/freeipa/pull/1450 to backport https://github.com/freeipa/freeipa/pull/736/commits/6eb1169e3eab36678a2640718a7204a72247be91 to 4.5.

IPA-Server-Version: ipa-server-4.5.4-8.el7.x86_64
Tested the bug on the basis of the below observations:
1. Set up an IPA master at the latest version (in my case RHEL 7.5, ipa-server-4.5.4-8.el7.x86_64).
2. Create a test user (in my case a user named 'testuser').
# ipa user-add --first=test --last=user testuser
3. Create a directory on the system for the newly created user in step 2 (in my case I created the directory at '/root/testuser').
# cd /root/testuser
4. Create a new file named 'testuser.inf' for key creation with the following contents.
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts
[ dn ]
commonName = "testuser"
[ exts ]
subjectAltName=email:testuser
5. Create the key file using the inf file created in step 4.
# openssl genrsa -out testuser.key 2048
6. Create the CSR using the key file created in step 5.
# openssl req -new -sha256 -key testuser.key -out testuser.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:testuser
Email Address []:testuser
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@hp-microservergen8-01 testuser]# ls -l
total 12
-rw-r--r--. 1 root root 1041 Jan 22 23:50 testuser.csr
-rw-r--r--. 1 root root 170 Jan 22 23:48 testuser.inf
-rw-r--r--. 1 root root 1675 Jan 22 23:48 testuser.key
[root@hp-microservergen8-01 testuser]# ipa cert-request testuser.csr --principal=testuser
Issuing CA: ipa
Certificate: [base64 value omitted]
Subject: CN=testuser,O=TESTRELM.TEST
Issuer: CN=Certificate Authority,O=TESTRELM.TEST
Not Before: Tue Jan 23 04:50:22 2018 UTC
Not After: Fri Jan 24 04:50:22 2020 UTC
Serial number: 11
Serial number (hex): 0xB
[root@hp-microservergen8-01 testuser]# rpm -q ipa-server
ipa-server-4.5.4-8.el7.x86_64
[root@hp-microservergen8-01 testuser]#
[root@hp-microservergen8-01 testuser]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@hp-microservergen8-01 testuser]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@hp-microservergen8-01 testuser]# kinit admin
Password for admin:
[root@hp-microservergen8-01 testuser]# ipa user-find testuser --all
--------------
1 user matched
--------------
dn: uid=testuser,cn=users,cn=accounts,dc=testrelm,dc=test
User login: testuser
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/testuser
GECOS: test user
Login shell: /bin/sh
Principal name: testuser
Principal alias: testuser
Email address: testuser
UID: 952800001
GID: 952800001
Certificate: MIIEDjCCAvagAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTgwMTIzMDQ1MDIyWhcNMjAwMTI0MDQ1MDIyWjArMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMREwDwYDVQQDDAh0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMP4eX/h7gK1+7CPlZ/C4O4yImECxG/QpKCrwzIKKQ0wZxLEqhE2L4SuffAbK80gIAw7odOCf2fB9KLmkYntaWzhpM/tAQURQc3NDBWCwnFwgwU4r9TilXjbe45DGrlXSVdYudriNlY5Jyx5HgLBIfnZkLnofNnSFxoHTl0B5qnn5UH7av7cVkZ74uc7ergDYzsQmbyjL+zkEvLn4Zuler5fkI3HBrxMmXIhqx7Phdq32gQSAwBCruA9YAiQ7sp4rkAj6H90RH9Nhy2/fbU0fAEqNKBcT7OOVlThnIcMFk1NtIxdGSS5pHRhu3pF0NXYaFTczIkLLvH3drbypGYU4uMCAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFDL2I1OnbctxXAoTWmp11mHt78mXMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBS+LMvJhDL7upfVy+Zb3iD0JtVx+zANBgkqhkiG9w0BAQsFAAOCAQEAikCuKOsTCPFNhFXQ84JKna5IL7NQXCs+DipMfv5Pcyz+qVq3GVJBTg2fGmFXtr3lTlAwJ6a8EERm4oyqOgTkolyCyKGACNZbiFD3iMVQg19Em0nbM5TscgsiP4GZMxQQMACjVqagKjVCJmtGJNJqd52yigb9BX5g46XIRbp8E4wTZoAft4jANpz5ZgRg1J2Q3ryIPay/5Mkyok5O2/fvKzuWAR3kfM5FTTdUq3qRzaLq7+JP5MscArDmrU3oyhYbDUSbAYwjXAPuyPtK+DMYys2oS6+amaxAZkFYsAXjdoutPJXH18NHlsTkIyyIYxEe3BGR8dxj/KIcwGsJ7cWauw==
Account disabled: False
Preserved user: False
Member of groups: ipausers
ipauniqueid: 865f2716-fff8-11e7-b7fd-a0481cb83924
mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=testrelm,dc=test
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux,
krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
[root@hp-microservergen8-01 testuser]#
On the basis of the above observations, the issue mentioned in the description and comment#14 is not observed, so the status of this bug is being set to "VERIFIED".
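As an added illustration of the check `ipa cert-request` is applying in the steps above (this is not code from the bug report or from FreeIPA), the following builds a CSR the way the openssl steps do and tests whether the DN emailAddress and SAN rfc822Name values match a constructed user mail list. It assumes the `cryptography` library; the RFC822Name error text and the exact-match rule are assumptions modelled on the DN error shown in this report.

```python
"""Model of the e-mail consistency check behind the error
"DN emailAddress does not match any of user's email addresses".
Added example built on the `cryptography` library; not FreeIPA code."""
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

# Error text exactly as the IPA CLI printed it in this report.
DN_MISMATCH = "DN emailAddress does not match any of user's email addresses"
# Assumed wording for the SAN case (not shown in the report).
SAN_MISMATCH = "RFC822Name does not match any of user's email addresses"


def build_csr_pem(common_name, dn_email=None, san_emails=()):
    """Build a PEM CSR like `openssl req -new`: optional emailAddress in the
    subject DN and optional rfc822Name entries in subjectAltName."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    if dn_email:
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, dn_email))
    builder = x509.CertificateSigningRequestBuilder().subject_name(x509.Name(attrs))
    if san_emails:
        san = x509.SubjectAlternativeName([x509.RFC822Name(e) for e in san_emails])
        builder = builder.add_extension(san, critical=False)
    csr = builder.sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)


def check_csr_emails(csr_pem, user_mails):
    """Return the validation errors the CA front end would raise for a user
    principal whose LDAP mail attribute holds `user_mails`; [] means accepted.
    Matching is assumed to be exact (no case folding)."""
    csr = x509.load_pem_x509_csr(csr_pem)
    allowed = set(user_mails)
    errors = [DN_MISMATCH
              for a in csr.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)
              if a.value not in allowed]
    try:
        san = csr.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return errors
    errors += [SAN_MISMATCH
               for e in san.get_values_for_type(x509.RFC822Name)
               if e not in allowed]
    return errors


if __name__ == "__main__":
    # Constructed sample: the user's mail attribute as IPA would store it.
    mails = ["testuser@testrelm.test"]
    print(check_csr_emails(build_csr_pem("testuser", dn_email="testuser@example.org"), mails))
    print(check_csr_emails(build_csr_pem("testuser", san_emails=mails), mails))
```

The first call reproduces the rejection from comment step 7 (mismatched DN emailAddress); the second is the SAN-only form used as the workaround earlier in this report and is accepted.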
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0918

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days