Bug 1621192 - ipa-cacert-manage renew --external-ca is failing
Summary: ipa-cacert-manage renew --external-ca is failing
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
Blocks: 1622184
Reported: 2018-08-23 14:10 UTC by Mohammad Rizwan
Modified: 2020-06-22 12:41 UTC
Fixed In Version: ipa-4.6.4-7.el7
Doc Type: If docs needed, set a value
Clones: 1622184
Last Closed: 2020-06-22 12:41:35 UTC

Description Mohammad Rizwan 2018-08-23 14:10:46 UTC
Description of problem:
ipa-cacert-manage renew --external-ca is failing

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-6.el7.x86_64

[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

How reproducible:
always

Steps to Reproduce:
1. install ipa-master with self-signed CA
2. run $ ipa-cacert-manage renew --external-ca


Actual results:

[root@master ~]# /usr/sbin/ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
org.fedorahosted.certmonger.request.bad_arg: Unrecognized parameter or wrong value type.
The ipa-cacert-manage command failed.

Expected results:
The command should pass and a CSR should be generated.

Additional info:

Comment 5 Florence Blanc-Renaud 2018-08-23 18:22:45 UTC
I suspect that the issue is linked to the certmonger version.
ipa-cacert-manage is internally calling certmonger.modify, which is using the DBus API to communicate with certmonger.

The parameters provided to certmonger contain CA, template-profile and template-ms-certificate-template. I believe that the latter one has been introduced only in certmonger 0.79, but the version installed in RHEL 7.6 is 0.78.4-9.el7.

Rob, can you check if my assumptions are correct? If it's the case, we need a backport of the patches related to MS cert template in 0.78.

Comment 6 Rob Crittenden 2018-08-24 16:03:20 UTC
Confirmed, it is the unexpected template-ms-certificate-template DBus value.

Comment 8 Rob Crittenden 2018-08-28 13:04:33 UTC
Fixed in certmonger-0.78.4-10.el7

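The diagnosis in comments 5 and 8 comes down to a version check: certmonger builds older than 0.78.4-10.el7 reject the template-ms-certificate-template DBus argument with bad_arg. The following pre-flight script is an added example, not code from the bug report or from the ipa/certmonger projects; it compares the installed certmonger build against the fixed one using a simplified reimplementation of rpm's version ordering (no '~' or '^' handling) and recognises the error signature from the report. It assumes `rpm -q certmonger --qf '%{VERSION}-%{RELEASE}'` is available on the host.

```python
import re
import subprocess

# Build that carries the backported MS-template patches (comment 8 of this bug).
FIXED_CERTMONGER_VR = "0.78.4-10.el7"
BAD_ARG_ERROR = "org.fedorahosted.certmonger.request.bad_arg"


def _segments(s):
    # Like rpmvercmp: maximal runs of digits or letters; everything else separates.
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp (no '~'/'^' handling). Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win


def vr_compare(a, b):
    """Compare two 'VERSION-RELEASE' strings: version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def certmonger_has_fix(installed_vr):
    """True if the installed certmonger is at least the fixed build."""
    return vr_compare(installed_vr, FIXED_CERTMONGER_VR) >= 0


def looks_like_this_bug(cmd_output):
    """True if ipa-cacert-manage output carries the bad_arg DBus error."""
    return BAD_ARG_ERROR in cmd_output


def installed_certmonger_vr():
    """Ask rpm on the host; only used when the script is run directly."""
    out = subprocess.run(["rpm", "-q", "certmonger", "--qf", "%{VERSION}-%{RELEASE}"],
                         capture_output=True, text=True, check=True).stdout
    return out.strip()


if __name__ == "__main__":
    vr = installed_certmonger_vr()
    state = "carries" if certmonger_has_fix(vr) else "lacks"
    print(f"certmonger-{vr} {state} the fix (need >= {FIXED_CERTMONGER_VR})")
```
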
Comment 9 Mohammad Rizwan 2018-08-29 10:32:57 UTC
version:
certmonger-0.78.4-10.el7.x86_64
ipa-server-4.6.4-6.el7.x86_64


Steps:

Execute:
IPATEST_YAML_CONFIG=/root/mh_cfg.yaml ipa-run-tests -v -r a --with-xunit test_integration/test_external_ca.py::TestSelfExternalSelf --logging-level=DEBUG


[..]
test_integration/test_external_ca.py::TestSelfExternalSelf::test_switch_to_external_ca [ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-ca']
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-ca']
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] Exporting CA certificate signing request, please wait
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] The ipa-cacert-manage command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] GET /var/lib/ipa/ca.csr
[ipatests.pytest_ipa.integration.host.Host.master.cmd35] RUN ['cat', '/var/lib/ipa/ca.csr']
[ipatests.pytest_ipa.integration.host.Host.master.cmd35] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] PUT /root/ipatests/root_ca.crt
[ipatests.pytest_ipa.integration.host.Host.master.cmd36] RUN ['tee', '/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd36] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] PUT /root/ipatests/ipa_ca.crt
[ipatests.pytest_ipa.integration.host.Host.master.cmd37] RUN ['tee', '/root/ipatests/ipa_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd37] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-cert-file=/root/ipatests/ipa_ca.crt', '--external-cert-file=/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-cert-file=/root/ipatests/ipa_ca.crt', '--external-cert-file=/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] Importing the renewed CA certificate, please wait
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] CA certificate successfully renewed
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] The ipa-cacert-manage command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-certupdate']
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] RUN ['/usr/sbin/ipa-certupdate']
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] trying https://master.testrelm.test/ipa/json
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] [try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://master.testrelm.test/ipa/json'
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] [try 1]: Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Systemwide CA database updated.
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Systemwide CA database updated.
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] The ipa-certupdate command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['certutil', '-L', '-d', '/etc/pki/pki-tomcat/alias']
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] RUN ['certutil', '-L', '-d', '/etc/pki/pki-tomcat/alias']
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Certificate Nickname                                         Trust Attributes
[ipatests.pytest_ipa.integration.host.Host.master.cmd40]                                                              SSL,S/MIME,JAR/XPI
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] ocspSigningCert cert-pki-ca                                  u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] subsystemCert cert-pki-ca                                    u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] CN=example.test                                              C,,  
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] auditSigningCert cert-pki-ca                                 u,u,Pu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Server-Cert cert-pki-ca                                      u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Exit code: 0
PASSED

[..]


Failure is not observed.

Comment 10 Namita Soman 2018-09-04 17:37:36 UTC
Marking this verified - as noted above. The fix is included in bz1622184.

