Bug 1478154 - getcert (ipa-getcert) ignores -X
getcert (ipa-getcert) ignores -X
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: certmonger (Show other bugs)
26
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Rob Crittenden
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-03 14:26 EDT by Michael Voetter
Modified: 2017-08-31 11:55 EDT (History)
11 users (show)

See Also:
Fixed In Version: certmonger-0.79.4-1.fc26
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-31 11:55:48 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michael Voetter 2017-08-03 14:26:02 EDT
Description of problem:
The getcert (ipa-getcert) seems to ignore the -X option. It always requests for the main CA (ipa) instead of the specified sub-CA (vpn).


Version-Release number of selected component (if applicable):
Client:
  Fedora 26

  ipa --version
  VERSION: 4.4.4, API_VERSION: 2.215

  certmonger.x86_64                  0.79.3-1.fc26
  freeipa-client.x86_64              4.4.4-4.fc26

Server:
  CentOS Linux release 7.3.1611 (Core)

  ipa --version
  VERSION: 4.4.0, API_VERSION: 2.213

  certmonger.x86_64                   0.78.4-3.el7
  ipa-server.x86_64                   4.4.0-14.el7.centos.7

How reproducible:
Request a certificate for the host.

ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caVPNhostCert -X vpn

Actual results:
status: CA_REJECTED
ca-error: Server at https://<ipa server fqdn>/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Principal 'host/<hostname>@<REALM>' is not permitted to use CA 'ipa' with profile 'caVPNhostCert' for certificate issuance.).

...

CA: IPA
issuer: 


Expected results:
status: MONITORING

...

CA: IPA
issuer: CN=VPN CA,O=<REALM>


Additional info:
The same command works on CentOS Linux release 7.3.1611 (Core) clients. 

It is also possible to issue a certificate for the "rejected principal" in the web ui of the ipa server where I can select the correct sub-CA.
Comment 1 Rob Crittenden 2017-08-04 16:31:11 EDT
I've duplicated this in a Fedora-26 system running against an IdM install on RHEL 7.4 (ipa-server-4.5.0-21.el7.x86_64)

On the 7.4 server itself I created a new sub-ca named vpn with the subject CN=VPN.

I requested a cert similar to the reporter, just using the standard profile:

ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caIPAserviceCert -X vpn

And the subject is correct.

I did the same in an enrolled Fedora 26 client and the subject is from the primary CA.

The problem is:

[Fri Aug 04 16:13:28.812095 2017] [:error] [pid 14347] ipa: INFO: exception OptionError caught when converting options: Unknown option: ca

The correct option is cacn.

AFAICT he problem has been in certmonger since the introduction of the feature with commit 20a6536febf0815d0b3d301133820a46fdd6ef21

A patch that fixes this is in RHEL but apparently was never merged upstream.
Comment 3 Rob Crittenden 2017-08-08 10:38:32 EDT
Submitted to updates-testing, https://bodhi.fedoraproject.org/updates/certmonger-0.79.4-1.fc26

Note You need to log in before you can comment on or make changes to this bug.