Red Hat Bugzilla – Bug 1478154
getcert (ipa-getcert) ignores -X
Last modified: 2017-08-31 11:55:48 EDT
Description of problem:
getcert (ipa-getcert) seems to ignore the -X option. It always requests from the main CA (ipa) instead of the specified sub-CA (vpn).
Version-Release number of selected component (if applicable):
VERSION: 4.4.4, API_VERSION: 2.215
CentOS Linux release 7.3.1611 (Core)
VERSION: 4.4.0, API_VERSION: 2.213
Request a certificate for the host.
ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caVPNhostCert -X vpn
ca-error: Server at https://<ipa server fqdn>/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Principal 'host/<hostname>@<REALM>' is not permitted to use CA 'ipa' with profile 'caVPNhostCert' for certificate issuance.).
issuer: CN=VPN CA,O=<REALM>
The same command works on CentOS Linux release 7.3.1611 (Core) clients.
It is also possible to issue a certificate for the "rejected principal" in the web ui of the ipa server where I can select the correct sub-CA.
I've duplicated this in a Fedora-26 system running against an IdM install on RHEL 7.4 (ipa-server-4.5.0-21.el7.x86_64)
On the 7.4 server itself I created a new sub-ca named vpn with the subject CN=VPN.
I requested a cert similar to the reporter, just using the standard profile:
ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caIPAserviceCert -X vpn
And the subject is correct.
I did the same in an enrolled Fedora 26 client and the subject is from the primary CA.
The problem is:
[Fri Aug 04 16:13:28.812095 2017] [:error] [pid 14347] ipa: INFO: exception OptionError caught when converting options: Unknown option: ca
The correct option is cacn.
AFAICT the problem has been in certmonger since the introduction of the feature with commit 20a6536febf0815d0b3d301133820a46fdd6ef21
A patch that fixes this is in RHEL but apparently was never merged upstream.
Submitted to updates-testing, https://bodhi.fedoraproject.org/updates/certmonger-0.79.4-1.fc26
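A check a practitioner would want after hitting this bug: confirm, from `getcert list` output, which tracked requests were actually issued by the intended sub-CA and which ended up on the primary CA or were rejected for the wrong CA. The following is an added example, not code from the bug report, certmonger or FreeIPA. It assumes the `Request ID '...':` block layout and the `status:`, `CA:`, `issuer:`, `profile:` and `ca-error:` field labels that `getcert list` prints (the `ca-error:` and `issuer:` lines match the ones quoted in the report); the listing, host names, realm and request IDs are constructed sample data.

```python
import re

# Constructed sample of `getcert list` output (not from the bug report).
# Three tracked requests for the caVPNhostCert profile: one issued by the
# intended sub-CA, one silently issued by the primary CA, one rejected
# because the server was asked for CA 'ipa' rather than the sub-CA.
SAMPLE_LISTING = """\
Number of certificates and requests being tracked: 3.
Request ID '20170804161328':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/vpn1.example.test.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/vpn1.example.test.crt'
\tCA: IPA
\tissuer: CN=VPN CA,O=EXAMPLE.TEST
\tsubject: CN=vpn1.example.test,O=EXAMPLE.TEST
\tprofile: caVPNhostCert
\ttrack: yes
Request ID '20170804161402':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/vpn2.example.test.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/vpn2.example.test.crt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=vpn2.example.test,O=EXAMPLE.TEST
\tprofile: caVPNhostCert
\ttrack: yes
Request ID '20170804161455':
\tstatus: CA_REJECTED
\tca-error: Server at https://ipa.example.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Principal 'host/vpn3.example.test@EXAMPLE.TEST' is not permitted to use CA 'ipa' with profile 'caVPNhostCert' for certificate issuance.).
\tstuck: yes
\tCA: IPA
\tprofile: caVPNhostCert
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
CA_IN_ERROR_RE = re.compile(r"use CA '([^']+)'")


def parse_getcert_list(text):
    """Parse `getcert list` output into {request_id: {field: value}}.
    Fields are split on the first ':' so URLs inside values stay intact."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {}
            requests[m.group(1)] = current
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def normalize_dn(dn):
    """Loose DN comparison: trim whitespace around RDNs, ignore case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def audit_issuers(text, expected_issuer, profile=None):
    """Classify each tracked request against the sub-CA it should have used.
    Returns {request_id: 'ok' | 'wrong-issuer' | 'rejected' | 'pending'}.
    'wrong-issuer' is the silent failure mode: the cert exists but came
    from a different CA than the one requested with -X."""
    expected = normalize_dn(expected_issuer)
    result = {}
    for rid, fields in parse_getcert_list(text).items():
        if profile and fields.get("profile") != profile:
            continue
        if "ca-error" in fields or fields.get("status") == "CA_REJECTED":
            result[rid] = "rejected"
        elif "issuer" not in fields:
            result[rid] = "pending"
        elif normalize_dn(fields["issuer"]) == expected:
            result[rid] = "ok"
        else:
            result[rid] = "wrong-issuer"
    return result


def ca_named_in_error(text):
    """For rejected requests, extract the CA name the server says was asked
    for; a primary-CA name here while -X named a sub-CA is the bug's signature."""
    named = {}
    for rid, fields in parse_getcert_list(text).items():
        m = CA_IN_ERROR_RE.search(fields.get("ca-error", ""))
        if m:
            named[rid] = m.group(1)
    return named


if __name__ == "__main__":
    for rid, verdict in audit_issuers(SAMPLE_LISTING, "CN=VPN CA,O=EXAMPLE.TEST",
                                      profile="caVPNhostCert").items():
        print(rid, verdict)
    print(ca_named_in_error(SAMPLE_LISTING))
```

On a real client, feed the output of `getcert list` to `audit_issuers` with the sub-CA's subject DN as `expected_issuer` (the report's `issuer: CN=VPN CA,O=<REALM>` line is the shape to expect); any `wrong-issuer` or `rejected` entry whose error names the primary CA is the symptom described in this bug, and the certificate should be re-requested once the certmonger update that fixes the option name is installed.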