First Last Prev Next    This bug is not in your last search results.
Bug 1478154 - getcert (ipa-getcert) ignores -X
getcert (ipa-getcert) ignores -X
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: certmonger (Show other bugs)
26
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Rob Crittenden
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-03 14:26 EDT by Michael Voetter
Modified: 2017-08-31 11:55 EDT (History)
11 users (show)

See Also:
Fixed In Version: certmonger-0.79.4-1.fc26
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-31 11:55:48 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Michael Voetter 2017-08-03 14:26:02 EDT 
Description of problem:
The getcert (ipa-getcert) seems to ignore the -X option. It always requests for the main CA (ipa) instead of the specified sub-CA (vpn).


Version-Release number of selected component (if applicable):
Client:
  Fedora 26

  ipa --version
  VERSION: 4.4.4, API_VERSION: 2.215

  certmonger.x86_64                  0.79.3-1.fc26
  freeipa-client.x86_64              4.4.4-4.fc26

Server:
  CentOS Linux release 7.3.1611 (Core)

  ipa --version
  VERSION: 4.4.0, API_VERSION: 2.213

  certmonger.x86_64                   0.78.4-3.el7
  ipa-server.x86_64                   4.4.0-14.el7.centos.7

How reproducible:
Request a certificate for the host.

ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caVPNhostCert -X vpn

Actual results:
status: CA_REJECTED
ca-error: Server at https://<ipa server fqdn>/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Principal 'host/<hostname>@<REALM>' is not permitted to use CA 'ipa' with profile 'caVPNhostCert' for certificate issuance.).

...

CA: IPA
issuer: 


Expected results:
status: MONITORING

...

CA: IPA
issuer: CN=VPN CA,O=<REALM>


Additional info:
The same command works on CentOS Linux release 7.3.1611 (Core) clients. 

It is also possible to issue a certificate for the "rejected principal" in the web ui of the ipa server where I can select the correct sub-CA.
Comment 1 Rob Crittenden 2017-08-04 16:31:11 EDT 
I've duplicated this in a Fedora-26 system running against an IdM install on RHEL 7.4 (ipa-server-4.5.0-21.el7.x86_64)

On the 7.4 server itself I created a new sub-ca named vpn with the subject CN=VPN.

I requested a cert similar to the reporter, just using the standard profile:

ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caIPAserviceCert -X vpn

And the subject is correct.

I did the same in an enrolled Fedora 26 client and the subject is from the primary CA.

The problem is:

[Fri Aug 04 16:13:28.812095 2017] [:error] [pid 14347] ipa: INFO: exception OptionError caught when converting options: Unknown option: ca

The correct option is cacn.

AFAICT he problem has been in certmonger since the introduction of the feature with commit 20a6536febf0815d0b3d301133820a46fdd6ef21

A patch that fixes this is in RHEL but apparently was never merged upstream.
Comment 3 Rob Crittenden 2017-08-08 10:38:32 EDT 
Submitted to updates-testing, https://bodhi.fedoraproject.org/updates/certmonger-0.79.4-1.fc26
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.