Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Cloned from upstream: https://pagure.io/freeipa/issue/7232> When using an externally-signed IPA CA and wishing to change the
> external root chaining. If you install a new external CA
> cert which has the same subject name, but a different public key. A
> new IPA CA CSR has been generated and has been signed by the new external CA.
> However, when you attempt to change the chaining ('ipa-cacert-manage
> renew --external-cert-file=<new IPA CA cert> --external-cert-file=<new root
> CA cert>'), an error is returned indicating a problem with subject key
> comparison -->
```
ipa: DEBUG: stderr=ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x540d368>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_57069456
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 117, in run
rc = self.renew()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 165, in renew
return self.renew_external_step_2(ca, cert)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 282, in renew_external_step_2
EMPTY_TRUST_FLAGS)
File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 367, in put_ca_cert_nss
config_ipa, config_compat)
File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 233, in put_ca_cert
config_ipa=config_ipa, config_compat=config_compat)
File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 182, in update_ca_cert
raise ValueError("subject public key info mismatch")
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The
ipa-cacert-manage command failed, exception: ValueError: subject public key info mismatch
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: subject public key info mismatch
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The ipa-cacert-manage command failed.
```
> In certstore.py, the public key of the new cert is compared to same of the
> current cert stored in 389 -->
```
def update_ca_cert(ldap, base_dn, dercert, trusted=None, ext_key_usage=None,
config_ipa=False, config_compat=False):
"""
Update existing entry for a CA certificate in the certificate store.
"""
subject, issuer_serial, public_key = _parse_cert(dercert)
filter = ldap.make_filter({'ipaCertSubject': subject})
result, _truncated = ldap.find_entries(
base_dn=DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
base_dn),
filter=filter,
attrs_list=['cn', 'ipaCertSubject', 'ipaCertIssuerSerial',
'ipaPublicKey', 'ipaKeyTrust', 'ipaKeyExtUsage',
'ipaConfigString', 'cACertificate;binary'])
entry = result[0]
dn = entry.dn
for old_cert in entry['cACertificate;binary']:
# Check if we are adding a new cert
if old_cert == dercert:
break
else:
# We are adding a new cert, validate it
if entry.single_value['ipaCertSubject'].lower() != subject.lower():
raise ValueError("subject name mismatch")
if entry.single_value['ipaPublicKey'] != public_key:
raise ValueError("subject public key info mismatch")
entry['ipaCertIssuerSerial'].append(issuer_serial)
entry['cACertificate;binary'].append(dercert)
```
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. The request was cloned to the upstream tracker a long time ago (see link to the upstream ticket above), but it was unfortunately not given priority either in the upstream project, nor in Red Hat Enterprise Linux.
Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.
To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about it's importance to you. Please note that you can still track this request or even offer help in the referred upstream Pagure ticket to expedite the solution.