Bug 1455054 - ipa-ca-install command installs CA on replica even if cert file is not specified with --external-cert-file option
Summary: ipa-ca-install command installs CA on replica even if cert file is not specif...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Linux
Priority: low
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-24 07:36 UTC by Mohammad Rizwan
Modified: 2020-11-30 14:15 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-30 14:15:37 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Mohammad Rizwan 2017-05-24 07:36:04 UTC
Description of problem:
The ipa-ca-install command installs a CA on the replica even if no cert file is specified with the --external-cert-file option. If the command is executed with a non-existing file, an invalid file, etc., it doesn't throw any error.

Version-Release number of selected component (if applicable):

[root@bkr-hv01-guest30 ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.5.0-13.el7.x86_64
ipa-client-4.5.0-13.el7.x86_64
389-ds-base-1.3.6.1-14.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install a replica on the system (ipa-replica-install -P admin -w Secret123)

2. Install CA with following scenario:

   a) ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=

   b) ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt #no file as abc.crt

   c) ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt  #abc.crt blank file

Actual results:

[root@hp-bl420cgen8-01 pki]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records


[root@hp-bl420cgen8-01 pki]# cat abc.crt
-----BEGIN CERTIFICATE-----
sdnmsdkfbsdifbsdbasdsdSDDDasdmnd
-----END CERTIFICATE-----


[root@cisco-e160dp-01 ~]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.txt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@cisco-e160dp-01 ~]# cat abc.txt
afdjskfjhsfkhsfkjsfADDAaasd
sdkfjsfkjshfklsjhfsljdfhsdf
sdlfdlkjfdsalkjfhldsahflahf
lkjfsalfhdalfkhfdhlajfadfjd
[root@cisco-e160dp-01 ~]#

[root@hp-bl420cgen8-01 pki]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@hp-bl420cgen8-01 pki]#
[root@hp-bl420cgen8-01 pki]# cat abc.crt #blank file
[root@hp-bl420cgen8-01 pki]#

[root@bkr-hv03-guest22 ~]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=abc.crt   #no file as abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@bkr-hv03-guest22 ~]# ll
total 60
-rw-------. 1 root    root    20278 May 23 06:31 anaconda-ks.cfg
-rw-r--r--. 1 pkiuser pkiuser 10362 May 23 09:10 cacert.p12
-rw-r--r--. 1 root    root        4 May 23 06:30 NETBOOT_METHOD.TXT
-rw-------. 1 root    root    19724 May 23 06:31 original-ks.cfg
-rw-r--r--. 1 root    root        8 May 23 06:30 RECIPE.TXT

without a .crt file

[root@bkr-hv03-guest19 ~]# ipa-ca-install -U -P admin  -p Secret123 -w Secret123  --external-cert-file=
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@bkr-hv03-guest19 ~]#


Expected results:
It should throw a standard error such as "Invalid certificate file" or "No certificate file is specified".

Additional info:
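The argument validation the reporter expected, written here as an added example (not FreeIPA's own code): it rejects each of the cases from the steps above (empty option value, missing file, blank file, plain text, PEM wrapper around a garbage body) before any installation step runs. The file names and messages are constructed for illustration, and because it uses only the standard library it checks the PEM wrapper and the DER header of the decoded body rather than parsing the whole certificate.

```python
import base64
import binascii
import os
import re
import tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def check_cert_bytes(data):
    """Return "" if data holds a plausible PEM certificate, else an error message.
    Stdlib only: the body must be valid base64 whose DER starts with a SEQUENCE tag (0x30)."""
    if not data.strip():
        return "Certificate file is empty"
    m = PEM_RE.search(data.decode("ascii", "replace"))
    if m is None:
        return "Invalid certificate file: no PEM CERTIFICATE block"
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except (binascii.Error, ValueError):
        return "Invalid certificate file: PEM body is not base64"
    if not der or der[0] != 0x30:
        return "Invalid certificate file: decoded body is not a DER SEQUENCE"
    return ""


def check_cert_file(path):
    """Validate the option value up front, before the installer touches the system."""
    if not path:
        return "No certificate file is specified"
    if not os.path.isfile(path):
        return "Certificate file %s does not exist" % path
    with open(path, "rb") as f:
        return check_cert_bytes(f.read())


def run_report_cases():
    """Constructed reproduction of the report's cases; returns {case: message}."""
    with tempfile.TemporaryDirectory() as d:
        blank, garbage, text = (os.path.join(d, n) for n in ("blank.crt", "abc.crt", "abc.txt"))
        open(blank, "wb").close()
        with open(garbage, "wb") as f:  # the PEM-wrapped junk from the report
            f.write(b"-----BEGIN CERTIFICATE-----\nsdnmsdkfbsdifbsdbasdsdSDDDasdmnd\n-----END CERTIFICATE-----\n")
        with open(text, "wb") as f:
            f.write(b"afdjskfjhsfkhsfkjsfADDAaasd\n")
        return {
            "empty_option": check_cert_file(""),
            "missing": check_cert_file(os.path.join(d, "nope.crt")),
            "blank": check_cert_file(blank),
            "garbage_pem": check_cert_file(garbage),
            "plain_text": check_cert_file(text),
        }


if __name__ == "__main__":
    for case, msg in run_report_cases().items():
        print("%-12s -> %s" % (case, msg))
```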

Comment 2 Petr Vobornik 2017-05-24 08:25:01 UTC
The --external-cert-file option in ipa-ca-install is used for upgrading a CA-less setup to a setup with a CA.

In other cases, this option is ignored and thus probably misses validation. A bug but I'd say with lower priority.

Comment 3 Petr Vobornik 2017-05-26 10:54:53 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6985

Comment 6 Rob Crittenden 2019-02-18 19:50:48 UTC
I'm inclined to close this as not a bug.

This is the equivalent of setting it to nothing, which is the default anyway, so it is just a superfluous option. It is a no-op so I don't think we should throw an error.

Comment 7 Florence Blanc-Renaud 2019-06-19 07:41:20 UTC
RHEL-7.7 is already near the end of a Development Phase and development is being wrapped up. I am bulk-moving to RHEL 8 the Bugs which were already triaged, but to which we did not commit (without devel_ack) and we cannot keep them even as a stretch goal for RHEL-7.7.

If you believe this particular bug should be reconsidered for 7.7, please let us know.

Comment 10 Petr Čech 2020-11-30 14:15:37 UTC
This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address at some point in the future. Time showed that we did not have such capacity, do not have it now, and will not have it in the foreseeable future. In such a situation keeping it in the backlog is misleading and sets the wrong expectation that we will be able to address it. Unfortunately we will not. To reflect this we are closing this BZ. If you disagree with the decision please reopen or open a new support case and create a new BZ. However this does not guarantee that the request will not be closed during the triage, as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream are always welcome!
Thank you for understanding.
Red Hat Enterprise Linux Identity Management Team

