Bug 1486283 - TypeError in renew_ca_cert prevents from switching back to self-signed CA [NEEDINFO]
Summary: TypeError in renew_ca_cert prevents from switching back to self-signed CA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Michal Reznik
Duplicates: 1466786
Depends On:
Blocks: 1489815
Reported: 2017-08-29 11:35 UTC by Petr Vobornik
Modified: 2018-04-10 16:47 UTC (History)

Fixed In Version: ipa-4.5.0-21.el7.2
Doc Text:
Clone Of:
Clones: 1489815
Last Closed: 2018-04-10 16:46:13 UTC
Target Upstream Version:
slaznick: needinfo? (cparadka)

Attachments
verification_steps (5.44 KB, text/plain), 2017-12-05 18:24 UTC, Michal Reznik

System | ID | Private | Priority | Status | Summary | Last Updated
Fedora Pagure | freeipa issue 7302 | 0 | None | None | None | 2018-02-06 16:35:08 UTC
Red Hat Product Errata | RHBA-2018:0918 | 0 | None | None | None | 2018-04-10 16:47:24 UTC

Description Petr Vobornik 2017-08-29 11:35:54 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/7106

Steps to reproduce:
1. install FreeIPA server with self-signed CA certificate (default)
2. use ipa-cacert-manage to switch to CA certificate signed by external CA
3. use ipa-cacert-manage to switch back to self-signed CA certificate

Importing the renewed CA certificate, please wait        
CA certificate successfully renewed                      
The ipa-cacert-manage command was successful             

Renewing CA certificate, please wait                     
Error resubmitting certmonger request '20170816133559', please check the request manually                          
The ipa-cacert-manage command failed.                    

From journalctl -u certmonger:
Traceback (most recent call last):
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 218, in <module>
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 212, in main
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 183, in _main
    db.trust_root_cert(ca_nick, 'C' + ca_flags)
TypeError: cannot concatenate 'str' and 'TrustFlags' objects

Comment 2 Petr Vobornik 2017-08-29 11:36:07 UTC
Upstream ticket:

Comment 5 Standa Laznicka 2017-08-30 11:00:46 UTC
Fixed upstream

Comment 6 Petr Vobornik 2017-09-01 21:07:25 UTC
*** Bug 1466786 has been marked as a duplicate of this bug. ***

Comment 7 Standa Laznicka 2017-09-08 10:39:22 UTC
Fixed upstream

Comment 10 Michal Reznik 2017-12-05 18:23:22 UTC
Verified on ipa-server-4.5.4-6.el7.x86_64.

Comment 11 Michal Reznik 2017-12-05 18:24:30 UTC
Created attachment 1363306

Comment 18 errata-xmlrpc 2018-04-10 16:46:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

