Bug 1478154 - getcert (ipa-getcert) ignores -X
Summary: getcert (ipa-getcert) ignores -X
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: certmonger
Version: 26
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-03 18:26 UTC by Michael Voetter
Modified: 2017-08-31 15:55 UTC (History)
11 users (show)

Fixed In Version: certmonger-0.79.4-1.fc26
Clone Of:
Environment:
Last Closed: 2017-08-31 15:55:48 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Michael Voetter 2017-08-03 18:26:02 UTC 
Description of problem:
The getcert (ipa-getcert) seems to ignore the -X option. It always requests for the main CA (ipa) instead of the specified sub-CA (vpn).


Version-Release number of selected component (if applicable):
Client:
  Fedora 26

  ipa --version
  VERSION: 4.4.4, API_VERSION: 2.215

  certmonger.x86_64                  0.79.3-1.fc26
  freeipa-client.x86_64              4.4.4-4.fc26

Server:
  CentOS Linux release 7.3.1611 (Core)

  ipa --version
  VERSION: 4.4.0, API_VERSION: 2.213

  certmonger.x86_64                   0.78.4-3.el7
  ipa-server.x86_64                   4.4.0-14.el7.centos.7

How reproducible:
Request a certificate for the host.

ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caVPNhostCert -X vpn

Actual results:
status: CA_REJECTED
ca-error: Server at https://<ipa server fqdn>/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Principal 'host/<hostname>@<REALM>' is not permitted to use CA 'ipa' with profile 'caVPNhostCert' for certificate issuance.).

...

CA: IPA
issuer: 


Expected results:
status: MONITORING

...

CA: IPA
issuer: CN=VPN CA,O=<REALM>


Additional info:
The same command works on CentOS Linux release 7.3.1611 (Core) clients. 

It is also possible to issue a certificate for the "rejected principal" in the web ui of the ipa server where I can select the correct sub-CA.
Comment 1 Rob Crittenden 2017-08-04 20:31:11 UTC 
I've duplicated this in a Fedora-26 system running against an IdM install on RHEL 7.4 (ipa-server-4.5.0-21.el7.x86_64)

On the 7.4 server itself I created a new sub-ca named vpn with the subject CN=VPN.

I requested a cert similar to the reporter, just using the standard profile:

ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caIPAserviceCert -X vpn

And the subject is correct.

I did the same in an enrolled Fedora 26 client and the subject is from the primary CA.

The problem is:

[Fri Aug 04 16:13:28.812095 2017] [:error] [pid 14347] ipa: INFO: exception OptionError caught when converting options: Unknown option: ca

The correct option is cacn.

AFAICT he problem has been in certmonger since the introduction of the feature with commit 20a6536febf0815d0b3d301133820a46fdd6ef21

A patch that fixes this is in RHEL but apparently was never merged upstream.
Comment 2 Rob Crittenden 2017-08-08 00:37:44 UTC 
Fixed upstream:

https://pagure.io/certmonger/c/e3fb587c5911efbef1d1bb8738f109886a8a11a4?branch=master
Comment 3 Rob Crittenden 2017-08-08 14:38:32 UTC 
Submitted to updates-testing, https://bodhi.fedoraproject.org/updates/certmonger-0.79.4-1.fc26
Note You need to log in before you can comment on or make changes to this bug.