Bug 1466786 - ipa-cacert-manage cannot change external to self-signed ca cert
Status: CLOSED DUPLICATE of bug 1486283
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware / OS: Unspecified / Unspecified
Priority / Severity: unspecified / unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: ipa-qe
Keywords: Regression
Reported: 2017-06-30 08:50 EDT by Mohammad Rizwan
Modified: 2017-09-01 17:07 EDT
Last Closed: 2017-09-01 17:07:25 EDT
Type: Bug

Attachments:
/var/log/message (2.70 KB, text/plain), 2017-06-30 08:52 EDT, Mohammad Rizwan

Description Mohammad Rizwan 2017-06-30 08:50:22 EDT
Description of problem:
I'm trying to change the CA cert from externally signed to self-signed, but it's failing and the error is shown below:

[root@ipa-master ~]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Error resubmitting certmonger request '20170630120302', please check the request manually
The ipa-cacert-manage command failed.

[root@ipa-master ~]#  getcert list -i 20170630120302
Number of certificates and requests being tracked: 9.
Request ID '20170630120302':
        status: MONITORING
        ca-error: Updated certificate not available
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=External CA,O=EXTERNAL
        subject: CN=Certificate Authority,O=TESTRELM.TEST
        expires: 2017-09-30 12:00:32 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-20.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install IPA with externally signed CA cert

ipa-server-install --ip-address ${IP} -r ${RELM} -p ${PASSWORD} -a ${PASSWORD} --setup-dns --forwarder ${FORWARDER} -U --external-ca

2.  Setup nssdb for external CA

    mkdir nssdb

    echo Secret.123 > nssdb/password.txt

    certutil -N -d nssdb -f nssdb/password.txt

3. Setup external ca

    openssl rand -out nssdb/noise.bin 2048

    ROOTCA_SKID="0x`openssl rand -hex 20`"

    echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" |  certutil -S  -d nssdb  -f  nssdb/password.txt  -z nssdb/noise.bin  -n "External CA"  -s "CN=External CA,O=EXTERNAL"  -x  -t "CTu,CTu,CTu"  -m $RANDOM -2  --extSKID  --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical

4.  export external CA chain
    
    certutil -L -d nssdb -n "External CA" -a > /tmp/external.crt

5. Sign the ipa.csr from external ca

    SUBCA_SKID="0x`openssl rand -hex 20`"

    SUBCA_OCSP="http://$HOSTNAME:8080/ca/ocsp"

    echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n\n\n\n" |  certutil -C  -d nssdb  -f nssdb/password.txt  -m $RANDOM  -a -i /root/ipa.csr  -o /tmp/ca_signing.crt  -c "External CA"  -2 -3  --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical  --extAIA  --extSKID

6. Start Install and get Certificate Signing Request for externally signed CA

    ipa-server-install --ip-address ${IP} -r ${RELM} -p ${PASSWORD} -a ${PASSWORD} --setup-dns --forwarder ${FORWARDER} -U --external_cert_file=/tmp/ca_signing.crt  --external_ca_file=/tmp/external.crt

7. Check cert status for certs:
    
    getcert list | egrep "status|expires|Request|subject|ca-error"

8. renew the ca cert and change it to self-signed
  
    ipa-cacert-manage renew --self-signed

    
Actual results:

CA cert renewal is failing.


Expected results:
CA should renew successfully and be changed to self-signed.

Additional info:
The error from /var/log/message is attached.
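The getcert output in the report shows why the switch did not take effect: the tracked CA signing certificate is still issued by CN=External CA,O=EXTERNAL while certmonger reports the ca-error "Updated certificate not available". The script below is an added diagnostic for that situation; it is not code from the bug report, from FreeIPA or from certmonger. It parses `getcert list` output and reports, for the CA signing nickname, the request status, any ca-error, and whether issuer and subject match. The embedded sample input is constructed: the first request block is copied from this report, the second (an OCSP signing request) is made up so the parser sees more than one block. The default nickname 'caSigningCert cert-pki-ca' comes from the report; the check_live_system helper that shells out to getcert assumes it is run on an IPA CA host with certmonger installed.

```python
"""Parse `getcert list` output and report whether the IPA CA signing
certificate is self-signed and whether its certmonger request is healthy.

Added example; not part of the bug report, FreeIPA or certmonger.
Assumptions: input is the text printed by `getcert list` (indented
"key: value" lines under a "Request ID '...':" header), and the CA
signing certificate is tracked under the NSS nickname
'caSigningCert cert-pki-ca' as in the report above.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample: request 1 is the block from the bug report, request 2
# is a made-up OCSP signing request so the parser handles several blocks.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170630120302':
        status: MONITORING
        ca-error: Updated certificate not available
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=External CA,O=EXTERNAL
        subject: CN=Certificate Authority,O=TESTRELM.TEST
        expires: 2017-09-30 12:00:32 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20170630120303':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=TESTRELM.TEST
        subject: CN=OCSP Subsystem,O=TESTRELM.TEST
        expires: 2019-06-20 12:00:32 UTC
        track: yes
        auto-renew: yes
"""

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':$")
FIELD_LINE = re.compile(r"^\s+([^:]+?):\s*(.*)$")


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one dict of fields per request."""
    requests: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        header = REQUEST_HEADER.match(line)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # preamble such as "Number of certificates ..."
        field = FIELD_LINE.match(line)
        if field:
            current[field.group(1).strip()] = field.group(2).strip()
    return requests


def nickname_of(request: Dict[str, str]) -> Optional[str]:
    """Pull the NSS nickname out of the 'certificate:' storage spec."""
    m = re.search(r"nickname='([^']*)'", request.get("certificate", ""))
    return m.group(1) if m else None


def normalize_dn(dn: str) -> str:
    """Compare DNs case-insensitively, ignoring whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_ca_cert(text: str, nickname: str = "caSigningCert cert-pki-ca") -> Dict[str, object]:
    """Report certmonger state and issuer/subject match for one nickname."""
    for req in parse_getcert_list(text):
        if nickname_of(req) != nickname:
            continue
        issuer, subject = req.get("issuer", ""), req.get("subject", "")
        return {
            "request_id": req["request_id"],
            "status": req.get("status"),
            "stuck": req.get("stuck"),
            "ca_error": req.get("ca-error"),  # None when certmonger reports none
            # Same issuer and subject DN is the first sign of a self-signed cert.
            "self_signed": bool(issuer) and normalize_dn(issuer) == normalize_dn(subject),
            "issuer": issuer,
            "subject": subject,
        }
    raise LookupError(f"no tracked request for nickname {nickname!r}")


def check_live_system(nickname: str = "caSigningCert cert-pki-ca") -> Dict[str, object]:
    """Run `getcert list` on this host (assumes certmonger) and check it."""
    proc = subprocess.run(["getcert", "list"], check=True, capture_output=True, text=True)
    return check_ca_cert(proc.stdout, nickname)


if __name__ == "__main__":
    r = check_ca_cert(SAMPLE_GETCERT_OUTPUT)
    verdict = "self-signed" if r["self_signed"] else "externally signed"
    print(f"request {r['request_id']}: {verdict}; status={r['status']}; ca-error={r['ca_error']}")
```

Run as-is to check the embedded sample (it reports the CA as externally signed with the ca-error from the report); on a CA host call check_live_system() instead. Issuer/subject equality is only a proxy for self-signedness, since a certificate can name its own subject as issuer yet be signed by a different key; after a renewal that does land, confirm the signature as well, for example by exporting the certificate in PEM with certutil -L -a and running `openssl verify -CAfile ca.pem ca.pem`, which only succeeds when the certificate verifies against its own key.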
Comment 2 Mohammad Rizwan 2017-06-30 08:52 EDT
Created attachment 1293218
/var/log/message
Comment 3 Petr Vobornik 2017-07-28 11:59:30 EDT
Upstream ticket:
https://pagure.io/freeipa/issue/7075
Comment 5 Petr Vobornik 2017-09-01 17:07:25 EDT

*** This bug has been marked as a duplicate of bug 1486283 ***
