1512952 – cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1512952 - cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign

Summary: cert renewal is failing when ipa ca cert is renewed from self-signed > extern...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:	1514041
Blocks:
TreeView+	depends on / blocked

Reported:	2017-11-14 13:53 UTC by Mohammad Rizwan
Modified:	2020-03-31 19:55 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ipa-4.6.6-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-03-31 19:55:19 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:1083	0	None	None	None	2020-03-31 19:55:38 UTC

Description Mohammad Rizwan 2017-11-14 13:53:12 UTC

Description of problem:
cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-22.el7_4.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install ipa master with self-signed ca
2. Use ipa-cacert-update with --external-ca and sign given CSR with External CA
3. Again convert external CA to self-signed CA
4. forward the date to the grace period of RA agent cert.
5. check the certificate status i.e getcert list


Actual results:
status': CA_UNREACHABLE
ca-error: Error 7 connecting to http://master.testrelm.test:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.

Expected results:
certs should be renewed

Additional info:
Tried on 7.3 and found same behaviour.

Comment 2 Michal Reznik 2017-11-15 08:43:08 UTC

Was able to reproduce the issue too. Found this after "ipa-cacert-manage renew --self-signed" in the journal:

Nov 14 12:40:31 master.testrelm.test server[15039]: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Nov 14 12:40:32 master.testrelm.test server[14825]: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Nov 14 12:40:32 master.testrelm.test server[14825]: PKIListener: org.apache.catalina.core.StandardServer[stop]
Nov 14 12:40:32 master.testrelm.test server[14825]: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Nov 14 12:40:32 master.testrelm.test systemd[1]: Stopped PKI Tomcat Server pki-tomcat.
Nov 14 12:40:32 master.testrelm.test stop_pkicad[15029]: Stopped pki_tomcatd
Nov 14 12:40:35 master.testrelm.test renew_ca_cert[15077]: Updating entry cn=b7bf6750-22ab-42ae-bb5c-8b430cfd0f50,ou=authorities,ou=ca,o=ipaca
Nov 14 12:40:35 master.testrelm.test renew_ca_cert[15077]: Updating CS.cfg
Nov 14 12:40:35 master.testrelm.test renew_ca_cert[15077]: Traceback (most recent call last):
                                                                       File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 223, in <module>
                                                                         main()
                                                                       File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 217, in main
                                                                         _main()
                                                                       File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 183, in _main
                                                                         ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
                                                                     KeyError: 'caSigningCert cert-pki-ca'
Nov 14 12:40:35 master.testrelm.test certmonger[15098]: Certificate named "caSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.

Comment 3 Florence Blanc-Renaud 2017-11-16 14:13:21 UTC

The issue seems linked to certutil behavior which has changed.

The script /usr/libexec/ipa/certmonger/renew_ca_cert is performing the following steps:
1- removes the CA certs from /etc/pki/pki-tomcat/alias
2- retrieves the CA certs from LDAP (below cn=certificates,cn=ipa,cn=etc,$BASEDN)
3- adds the certs obtained in 2 to /etc/pki/pki-tomcat/alias
4- modifies the trust flags of the external CA if 'caSigningCert cert-pki-ca' was externally signed.

The bug happens in the 4th step. The script is using certutil -O -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' to retrieve the cert chain of caSigningCert cert-pki-ca, and assumes that the external CA is the before-last cert (if it exists).

With nss-tools 3.28.4-1.2.el7_3, the output is the following:
# certutil -O -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

=> no before-last cert, code does not executed. This is expected as the cert is self-signed, meaning there is no ext CA to trust.

But with nss-tools 3.28.4-15.el7_4, the output is different:
# certutil -O -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
"CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]

  "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

    "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

Note that the cert is self-signed, so I would be expecting the output to contain only caSigningCert cert-pki-ca.
With this output, the code assumes 'caSigningCert cert-pki-ca' is the external CA and falls in the issue.

Comment 4 Florence Blanc-Renaud 2017-11-16 14:45:07 UTC

Opened https://bugzilla.redhat.com/show_bug.cgi?id=1514041 against nss component.

Comment 5 Rob Crittenden 2018-02-13 18:44:55 UTC

Makes me wonder if existing certs should be removed before installing the new CA. That would resolve relying on behavior of the NSS tool and I don't think this would cause any chaining issues as the private key wouldn't change.

Comment 8 Petr Čech 2019-04-26 08:45:20 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7926

Comment 9 Florence Blanc-Renaud 2019-05-09 14:20:40 UTC

Note: issue is still present with ipa-server-4.6.5-7.el7.x86_64 (RHEL 7.7).

Comment 10 Rob Crittenden 2019-05-24 21:20:38 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/64d187e56e02f3a400b2e6044e6ad670521160c8

Comment 11 Florence Blanc-Renaud 2019-05-27 08:45:48 UTC

Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/9b3b85914dcf37dc234a5625f2f18e864bc73038

ipa-4-6:
https://pagure.io/freeipa/c/67402701e6d065929aa0fb1804171a2133cfaaec

Comment 12 Florence Blanc-Renaud 2019-05-27 11:25:47 UTC

Test already exists upstream (test_integration/test_external_ca.py::TestSelfExternalSelf) and downstrean (ipa-pytests/src/ca_cert_renewal/).

Comment 15 Mohammad Rizwan 2019-11-22 10:31:36 UTC

Version:
ipa-server-4.6.6-9.el7.x86_64
certmonger-0.78.4-12.el7.x86_64

Automation passed. Logs provided.

Based on above observations marking the bug as verified.

Comment 17 errata-xmlrpc 2020-03-31 19:55:19 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083

Note You need to log in before you can comment on or make changes to this bug.