Bug 1486283 - TypeError in renew_ca_cert prevents from swiching back to self-signed CA [NEEDINFO]
Summary: TypeError in renew_ca_cert prevents from swiching back to self-signed CA
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
URL:
Whiteboard:
: 1466786 (view as bug list)
Depends On:
Blocks: 1489815
TreeView+ depends on / blocked
 
Reported: 2017-08-29 11:35 UTC by Petr Vobornik
Modified: 2018-04-10 16:47 UTC (History)
9 users (show)

Fixed In Version: ipa-4.5.0-21.el7.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1489815 (view as bug list)
Environment:
Last Closed: 2018-04-10 16:46:13 UTC
Target Upstream Version:
slaznick: needinfo? (cparadka)


Attachments (Terms of Use)
verification_steps (5.44 KB, text/plain)
2017-12-05 18:24 UTC, Michal Reznik
no flags Details


Links
System ID Priority Status Summary Last Updated
Fedora Pagure freeipa issue 7302 None None None 2018-02-06 16:35:08 UTC
Red Hat Product Errata RHBA-2018:0918 None None None 2018-04-10 16:47:24 UTC

Description Petr Vobornik 2017-08-29 11:35:54 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/7106

Steps to reproduce:
1. install FreeIPA server with self-signed CA certificate (default)
2. use ipa-cacert-manage to switch to CA certificate signed by external CA
3. use ipa-cacert-manage to to self-signed CA certificate

Expected:
Importing the renewed CA certificate, please wait        
CA certificate successfully renewed                      
The ipa-cacert-manage command was successful             

Got:
Renewing CA certificate, please wait                     
Error resubmitting certmonger request '20170816133559', please check the request manually                          
The ipa-cacert-manage command failed.                    

From journalctl -u certmonger:
```
Traceback (most recent call last): 
File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 218, in <module>
  main()
File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 212, in main
  _main()
File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 183, in _main
  db.trust_root_cert(ca_nick, 'C' + ca_flags)                                                                                                       
TypeError: cannot concatenate 'str' and 'TrustFlags' objects
```

Comment 2 Petr Vobornik 2017-08-29 11:36:07 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7106

Comment 5 Standa Laznicka 2017-08-30 11:00:46 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/ee5345ac05fd1e133243ffb61c25615840f7bd87

Comment 6 Petr Vobornik 2017-09-01 21:07:25 UTC
*** Bug 1466786 has been marked as a duplicate of this bug. ***

Comment 7 Standa Laznicka 2017-09-08 10:39:22 UTC
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/85d5611119b9e3d616589d2a8e7447055184592b

Comment 10 Michal Reznik 2017-12-05 18:23:22 UTC
Verified on ipa-server-4.5.4-6.el7.x86_64.

Comment 11 Michal Reznik 2017-12-05 18:24:30 UTC
Created attachment 1363306 [details]
verification_steps

Comment 18 errata-xmlrpc 2018-04-10 16:46:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918


Note You need to log in before you can comment on or make changes to this bug.