Bug 1544470 - cn=cacert could show expired certificate
Summary: cn=cacert could show expired certificate
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
Docs Contact: Marc Muehlfeld
Duplicates: 1710235
Depends On: 1576720
Blocks: 1710435 1713200
Reported: 2018-02-12 15:28 UTC by German Parente
Modified: 2021-06-10 14:34 UTC

Fixed In Version: ipa-4.6.6-1.el7
Doc Type: Bug Fix
Doc Text:
IdM now correctly updates the certificate record in the `cn=CAcert,cn=ipa,cn=etc,<base_DN>` entry

Previously, after renewing the Identity Management (IdM) certificate authority (CA) certificate or modifying the CA certificate chain, IdM did not update the certificate record stored in the `cn=CAcert,cn=ipa,cn=etc,<base_DN>` entry. As a consequence, installations of IdM clients on RHEL 6 failed. With this update, IdM now updates the certificate record in `cn=CAcert,cn=ipa,cn=etc,<base_DN>`. As a result, installing IdM on RHEL 6 now succeeds after the administrator renews the CA certificate or updates the certificate chain on the IdM CA.
Clone Of:
Last Closed: 2020-03-31 19:55:19 UTC
Target Upstream Version:

Attachments: none listed

External tracker: Red Hat Product Errata RHBA-2020:1083 (last updated 2020-03-31 19:55:38 UTC)

Description German Parente 2018-02-12 15:28:37 UTC
Description of problem:

This bug is related to: "rhel6 ipa-client fails to retrieve right CA certificates, particularly when external CA installed".

When installing a RHEL6 client, ipa-client-install is retrieving the certificate from ldap. In the case of RHEL6, the certificate is taken from:

    dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)

It has happened that, if the CA was expired and renewed (in the customer's case it was an external CA), this entry is not updated, only the ones at "cn=certificates".

It could be interesting to replace the usercertificate in this entry, so that the certificate retrieved by a RHEL6 client will not show as an expired one.

In the scenario where we have had this, the customer was using external CA. I don't have an exact reproducer but as we have seen that the CA cert in cn=cacert was still expired, we have agreed to report this new bug.

Version-Release number of selected component (if applicable): master 7.4 (latest) / client 6.9 (latest).

Comment 2 Rob Crittenden 2018-02-16 21:03:54 UTC
ipaConfigString needs to have compatCA set in order for cn=cacert to be updated. Can you see if that was set?

Comment 4 Rob Crittenden 2018-03-06 18:49:30 UTC
Ok, that's why it isn't being updated then.

It should be added by ipa-cacert-manage AFAICT.

Can you describe their environment more? Perhaps we can reproduce it here. Particularly, where did they renew the external CA and how did they update it in IPA?

Comment 10 fbarreto 2018-05-02 17:58:13 UTC
Converting it to a doc bug.

Comment 13 Rob Crittenden 2018-06-01 17:49:41 UTC
I'm going to pull this back into dev for more investigation.

We used to store a single CA certificate in CN=CAcert entry but this was moved to the cn=certificates container to better support multiple certificates and chains.

The compat entry is for older clients.

ipa-cacert-manage install/renew should update CN=CAcert when a new CA is installed assuming that ipaConfigEntry in the cn=certificates CA entry has compatCA set.

In a typical install with an IPA CA the ipaConfigEntry for the CA is set to ipaCA and compatCA in ipaserver/install/dsinstance.py::__upload_ca_cert() in the call to 

compatCA is removed (and I'm not sure why) later in the installation in ipaserver/install/plugins/upload_cacrt.py. It also changes the case of ipaCA to ipaCa for some reason (not a deal breaker).
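
The mechanism Rob describes above (cn=CAcert is refreshed only when the CA entry under cn=certificates carries compatCA in ipaConfigString) suggests a consistency check an administrator can run against an ldapsearch export before touching a legacy client. The script below is an added example, not IPA project code. It assumes the attribute names cACertificate;binary and ipaConfigString, the objectClass names pkiCA and ipaCertificate, and a constructed base DN dc=example,dc=test; the certificate blobs are constructed placeholders rather than real DER, since the check compares byte fingerprints of the two entries and does not parse the certificates.

```python
"""Consistency check for the IdM legacy CA entry cn=CAcert.

Added example, not IPA project code.  Assumptions: the compat entry
cn=CAcert,cn=ipa,cn=etc,<base_DN> and the per-CA entries under
cn=certificates,cn=ipa,cn=etc,<base_DN> store the certificate in
'cACertificate;binary', and the CA entry lists its roles in the
multi-valued 'ipaConfigString' (ipaCA, compatCA).  The certificate blobs
below are constructed placeholders, not real DER certificates.
"""
import base64
import hashlib

BASE_DN = "dc=example,dc=test"  # constructed base DN
COMPAT_DN = f"cn=CAcert,cn=ipa,cn=etc,{BASE_DN}"
CERTS_CONTAINER = f"cn=certificates,cn=ipa,cn=etc,{BASE_DN}"


def parse_ldif(text):
    """Minimal LDIF reader -> {dn.lower(): {attr.lower(): [values]}}.

    Handles folded continuation lines (leading space) and '::' base64
    values, which is all an ldapsearch export of these entries needs.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None  # a blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())  # binary attribute
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            current = (value.decode() if isinstance(value, bytes) else value).lower()
            entries.setdefault(current, {})
        elif current is not None:
            entries[current].setdefault(attr.lower(), []).append(value)
    return entries


def fingerprint(der):
    """SHA-256 over the raw certificate bytes; enough to compare two entries."""
    return hashlib.sha256(der).hexdigest()


def check_compat_ca(entries):
    """Return findings (list of str); an empty list means cn=CAcert is in sync."""
    findings = []
    suffix = "," + CERTS_CONTAINER.lower()
    # ipaConfigString values are compared case-insensitively because the
    # comment above notes that both ipaCA and ipaCa occur in practice.
    ipa_ca = [(dn, e) for dn, e in entries.items() if dn.endswith(suffix)
              and any(v.lower() == "ipaca" for v in e.get("ipaconfigstring", []))]
    if not ipa_ca:
        return [f"no entry under {CERTS_CONTAINER} carries ipaConfigString ipaCA"]
    ca_dn, ca = ipa_ca[0]
    flags = {v.lower() for v in ca.get("ipaconfigstring", [])}
    if "compatca" not in flags:
        findings.append(f"{ca_dn}: compatCA missing from ipaConfigString, "
                        f"so {COMPAT_DN} will not be refreshed on renewal")
    compat = entries.get(COMPAT_DN.lower())
    if compat is None:
        findings.append(f"{COMPAT_DN} is missing; legacy clients have no CA to fetch")
        return findings
    compat_fp = {fingerprint(c) for c in compat.get("cacertificate;binary", [])}
    ca_fp = {fingerprint(c) for c in ca.get("cacertificate;binary", [])}
    if not compat_fp:
        findings.append(f"{COMPAT_DN} has no cACertificate;binary value")
    elif compat_fp != ca_fp:
        findings.append(f"{COMPAT_DN} is stale: certificate differs from {ca_dn}")
    return findings


# --- constructed sample exports (placeholder blobs, not real certificates) ---
OLD_CA = base64.b64encode(b"placeholder DER: expired CA certificate").decode()
NEW_CA = base64.b64encode(b"placeholder DER: renewed CA certificate").decode()


def make_ldif(compat_cert, ca_cert, flags):
    """Build a two-entry LDIF shaped like an ldapsearch export of the two DNs."""
    flag_lines = "\n".join(f"ipaConfigString: {f}" for f in flags)
    return (
        f"dn: {COMPAT_DN}\n"
        "objectClass: pkiCA\ncn: CAcert\n"
        f"cACertificate;binary:: {compat_cert}\n\n"
        f"dn: cn=EXAMPLE.TEST IPA CA,{CERTS_CONTAINER}\n"
        "objectClass: ipaCertificate\ncn: EXAMPLE.TEST IPA CA\n"
        f"{flag_lines}\n"
        f"cACertificate;binary:: {ca_cert}\n"
    )


STALE_LDIF = make_ldif(OLD_CA, NEW_CA, ["ipaCA", "compatCA"])    # the reported bug
CURRENT_LDIF = make_ldif(NEW_CA, NEW_CA, ["ipaCA", "compatCA"])  # entries in sync
NO_COMPAT_LDIF = make_ldif(OLD_CA, NEW_CA, ["ipaCa"])            # compatCA unset

if __name__ == "__main__":
    for name, ldif in [("stale", STALE_LDIF), ("current", CURRENT_LDIF),
                       ("no-compat", NO_COMPAT_LDIF)]:
        print(name, check_compat_ca(parse_ldif(ldif)) or ["OK"])
```

A real export of the two DNs from ldapsearch can be passed to parse_ldif() unchanged. A "stale" finding is the condition German reported (legacy clients would still fetch the old certificate), and the "compatCA missing" finding is the precondition Rob asked about in comment 2, which explains why a renewal never touched cn=CAcert.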

Comment 17 Rob Crittenden 2019-04-26 17:10:02 UTC
Upstream ticket:

Comment 18 Florence Blanc-Renaud 2019-05-15 11:38:05 UTC
*** Bug 1710235 has been marked as a duplicate of this bug. ***

Comment 21 Florence Blanc-Renaud 2019-05-23 06:28:04 UTC
The commit includes functional test in ipatests/test_integration/test_external_ca.py::TestSelfExternalSelf

Comment 26 Mohammad Rizwan 2019-09-12 10:22:58 UTC
Automation test passed in tier2 pipeline for idm-ci.

Hence marking the bug as verified.

Comment 32 errata-xmlrpc 2020-03-31 19:55:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
