Description of problem:
ipa cert-request command fails to generate certificate using CSR generated by openssl.

[root@master1 ~]# openssl req -new -sha256 -key testuser1.key -out testuser1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:RED HAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:testuser1
Email Address []:testuser1

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@master1 ~]# ipa cert-request testuser1.csr --principal=testuser1
ipa: ERROR: invalid 'csr': DN emailAddress does not match any of user's email addresses

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-11.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Generate CSR using openssl command
2. Request certificate for user using ipa cert-request command

Actual results:
Error as above

Expected results:
Certificate generated by IPA for user.
Sounds like https://pagure.io/freeipa/issue/5919 for which a fix was pushed to master recently. Felipe, can you take a look on this BZ whether it has the same root cause? if yes we will backport the fix to RHEL ASAP.
Hi Abhijeet,

I followed the steps that you provided, but I got the error [1] when running the cert-request command. Am I missing something?

[1]
[root@kvm-02-guest08 1451576]# ipa cert-request testuser1.csr --principal=testuser1
ipa: ERROR: The principal for this request doesn't exist.
Felipe, you have to have an IPA server with realm "TESTRELM.TEST" and also create the user 'testuser1'. Then it will find the principal and you should be able to reproduce this issue.
Fraser: thank you for helping, that is what was missing.

Martin: Yes, it's the same root cause. The PR for https://pagure.io/freeipa/issue/5919 fixes this.
Using this as a workaround - Let me know if it is correct

[root@ipaserver01 ~]# cat testuser1.cnf
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts
[ dn ]
commonName = testuser1
[ exts ]
subjectAltName=@alt_section
[alt_section]
email=testuser1

[root@ipaserver01 ~]# openssl req -new -newkey rsa:2048 -keyout testuser1.key -sha256 -nodes -out testuser1.csr -config testuser1.cnf
Generating a 2048 bit RSA private key
.....+++
.........................+++
writing new private key to 'testuser1.key'
-----

[root@ipaserver01 ~]# openssl req -text -noout -in testuser1.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=testuser1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: [hex dump omitted]
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:testuser1
    Signature Algorithm: sha256WithRSAEncryption
         [signature bytes omitted]

[root@ipaserver01 ~]# echo Secret123 | kinit admin
Password for admin:
[root@ipaserver01 ~]# echo Password1 | ipa user-add --first testuser1 --last testuser1 testuser1 --password
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: testuser1
  Last name: testuser1
  Full name: testuser1 testuser1
  Display name: testuser1 testuser1
  Initials: tt
  Home directory: /home/testuser1
  GECOS: testuser1 testuser1
  Login shell: /bin/sh
  Principal name: testuser1
  Principal alias: testuser1
  Email address: testuser1
  UID: 937000001
  GID: 937000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@ipaserver01 ~]# ipa cert-request --principal=testuser1 testuser1.csr
  Issuing CA: ipa
  Certificate:
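As an added example (not part of the bug report or of FreeIPA), the following shell script builds both CSR shapes discussed in this thread, the one from the original report with emailAddress in the subject DN and the workaround's with the address only in subjectAltName, and runs a pre-flight check on where the e-mail lives before the CSR is handed to ipa cert-request. The user name, file paths and helper names are constructed for the example; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the bug report: compare the two CSR shapes
# from the thread and check a CSR before submitting it to ipa cert-request.
# Assumes the openssl CLI is available; user name and paths are constructed.
set -e

WORK=$(mktemp -d)
USER_NAME=testuser1

# CSR shape from the original report: the e-mail sits in the subject DN
# (emailAddress=), which the 4.5.0 server compares with the user's addresses.
make_dn_email_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/dn.key" -out "$WORK/dn.csr" \
    -subj "/C=IN/ST=MH/L=PUNE/O=RED HAT/OU=QE/CN=$USER_NAME/emailAddress=$USER_NAME" \
    2>/dev/null
  echo "$WORK/dn.csr"
}

# CSR shape from the workaround: bare CN, e-mail carried only in the SAN.
make_san_email_csr() {
  cat > "$WORK/san.cnf" <<EOF
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts
[ dn ]
commonName = $USER_NAME
[ exts ]
subjectAltName = email:$USER_NAME
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/san.key" -out "$WORK/san.csr" -config "$WORK/san.cnf" 2>/dev/null
  echo "$WORK/san.csr"
}

# Pre-flight check: succeed (exit 0) only when the CSR has no emailAddress
# in its DN and carries the expected rfc822Name in the SAN extension.
email_only_in_san() {
  csr=$1; want=$2
  subj=$(openssl req -noout -subject -in "$csr")
  case "$subj" in *emailAddress*) return 1;; esac
  openssl req -noout -text -in "$csr" | grep -q "email:$want"
}
```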
Hi,

This is my first question, please be patient.

The workaround does not seem to be working. My CSR says:

---------- 8< ----------- 8< -----------
Common Name: jnovo
Subject Alternative Names: jnovo
Organization: MiCasa
Organization Unit: MiCasa Infraestructuras
Locality: Madrid
State: Comunidad Autonoma de Madrid
Country: ES
Email: jnovo
---------- >8 ----------- >8 -----------

[root@freeipa ipa-server]# ipa cert-request --principal=jnovo jnovo.csr
ipa: ERROR: an internal error has occurred
[root@freeipa ipa-server]#
This may not be related to the original issue but you'd need to look in the Apache error log for more details on the failure, /var/log/httpd/error_log on the IPA master.
IPA version: ipa-server-4.5.4-7.el7.x86_64

Tested the bug with following observations:

1. Set up IPA master at latest version (in my case RHEL 7.5)

2. Create a test user (in my case user named 'testuser')

3. Create a directory on the system by the newly created user in step 2. (in my case I created directory at '/root/testuser')
   # cd /root/testuser

4. Create a new file named 'testuser.inf' for key creation with following contents.
   [ req ]
   prompt = no
   encrypt_key = no
   distinguished_name = dn
   req_extensions = exts
   [ dn ]
   commonName = "testuser"
   [ exts ]
   subjectAltName=email:testuser

5. Create key file using the inf file created in step 4.
   # openssl genrsa -out testuser.key 2048

6. Create csr using the key file created in step 5.
   # openssl req -new -sha256 -key testuser.key -out testuser.csr
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [XX]:IN
   State or Province Name (full name) []:MH
   Locality Name (eg, city) [Default City]:PUNE
   Organization Name (eg, company) [Default Company Ltd]:Red Hat
   Organizational Unit Name (eg, section) []:QE
   Common Name (eg, your name or your server's hostname) []:testuser
   Email Address []:testuser

   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:

   [root@auto-hv-01-guest03 testuser]# ls -l
   total 12
   -rw-r--r--. 1 root root 1041 Dec 19 06:24 testuser.csr
   -rw-r--r--. 1 root root  170 Dec 19 06:19 testuser.inf
   -rw-r--r--. 1 root root 1679 Dec 19 06:20 testuser.key

7. Now run ipa cert-request using csr generated in step 6.
   # ipa cert-request testuser.csr --principal=testuser
   ipa: ERROR: invalid 'csr': DN emailAddress does not match any of user's email addresses

From the above observation in step 7, we are still seeing the original issue mentioned at Comment#0 (Description), thus marking status to "ASSIGNED".
I opened https://github.com/freeipa/freeipa/pull/1450 to backport https://github.com/freeipa/freeipa/pull/736/commits/6eb1169e3eab36678a2640718a7204a72247be91 to 4.5.
IPA-Server-Version: ipa-server-4.5.4-8.el7.x86_64

Tested the bug with following observations:

1. Set up IPA master at latest version (in my case RHEL 7.5 - ipa-server-4.5.4-8.el7.x86_64)

2. Create a test user (in my case user named 'testuser')
   # ipa user-add --first=test --last=user testuser

3. Create a directory on the system by the newly created user in step 2. (in my case I created directory at '/root/testuser')
   # cd /root/testuser

4. Create a new file named 'testuser.inf' for key creation with following contents.
   [ req ]
   prompt = no
   encrypt_key = no
   distinguished_name = dn
   req_extensions = exts
   [ dn ]
   commonName = "testuser"
   [ exts ]
   subjectAltName=email:testuser

5. Create key file using the inf file created in step 4.
   # openssl genrsa -out testuser.key 2048

6. Create csr using the key file created in step 5.
   # openssl req -new -sha256 -key testuser.key -out testuser.csr
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [XX]:IN
   State or Province Name (full name) []:MH
   Locality Name (eg, city) [Default City]:PUNE
   Organization Name (eg, company) [Default Company Ltd]:Red Hat
   Organizational Unit Name (eg, section) []:QE
   Common Name (eg, your name or your server's hostname) []:testuser
   Email Address []:testuser

   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:

   [root@hp-microservergen8-01 testuser]# ls -l
   total 12
   -rw-r--r--. 1 root root 1041 Jan 22 23:50 testuser.csr
   -rw-r--r--. 1 root root  170 Jan 22 23:48 testuser.inf
   -rw-r--r--. 1 root root 1675 Jan 22 23:48 testuser.key

   [root@hp-microservergen8-01 testuser]# ipa cert-request testuser.csr --principal=testuser
     Issuing CA: ipa
     Certificate: [base64 certificate omitted]
     Subject: CN=testuser,O=TESTRELM.TEST
     Issuer: CN=Certificate Authority,O=TESTRELM.TEST
     Not Before: Tue Jan 23 04:50:22 2018 UTC
     Not After: Fri Jan 24 04:50:22 2020 UTC
     Serial number: 11
     Serial number (hex): 0xB

   [root@hp-microservergen8-01 testuser]# rpm -q ipa-server
   ipa-server-4.5.4-8.el7.x86_64

   [root@hp-microservergen8-01 testuser]# ipactl restart
   Stopping pki-tomcatd Service
   Restarting Directory Service
   Restarting krb5kdc Service
   Restarting kadmin Service
   Restarting named Service
   Restarting httpd Service
   Restarting ipa-custodia Service
   Restarting ntpd Service
   Restarting pki-tomcatd Service
   Restarting ipa-otpd Service
   Restarting ipa-dnskeysyncd Service
   ipa: INFO: The ipactl command was successful

   [root@hp-microservergen8-01 testuser]# ipactl status
   Directory Service: RUNNING
   krb5kdc Service: RUNNING
   kadmin Service: RUNNING
   named Service: RUNNING
   httpd Service: RUNNING
   ipa-custodia Service: RUNNING
   ntpd Service: RUNNING
   pki-tomcatd Service: RUNNING
   ipa-otpd Service: RUNNING
   ipa-dnskeysyncd Service: RUNNING
   ipa: INFO: The ipactl command was successful

   [root@hp-microservergen8-01 testuser]# kinit admin
   Password for admin:
   [root@hp-microservergen8-01 testuser]# ipa user-find testuser --all
   --------------
   1 user matched
   --------------
     dn: uid=testuser,cn=users,cn=accounts,dc=testrelm,dc=test
     User login: testuser
     First name: test
     Last name: user
     Full name: test user
     Display name: test user
     Initials: tu
     Home directory: /home/testuser
     GECOS: test user
     Login shell: /bin/sh
     Principal name: testuser
     Principal alias: testuser
     Email address: testuser
     UID: 952800001
     GID: 952800001
     Certificate: [base64 certificate omitted]
     Account disabled: False
     Preserved user: False
     Member of groups: ipausers
     ipauniqueid: 865f2716-fff8-11e7-b7fd-a0481cb83924
     mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=testrelm,dc=test
     objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
   ----------------------------
   Number of entries returned 1
   ----------------------------
   [root@hp-microservergen8-01 testuser]#

Thus on the basis of above observations, the issue mentioned in description and comment#14 is not observed, thus marking the status of this bug to "VERIFIED".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0918