Bug 1622184 - ipa-cacert-manage renew --external-ca is failing
Summary: ipa-cacert-manage renew --external-ca is failing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: certmonger
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 1621192
Blocks:
Reported: 2018-08-24 16:04 UTC by Rob Crittenden
Modified: 2018-10-30 07:44 UTC (History)
CC List: 10 users

Fixed In Version: certmonger-0.78.4-10.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1621192
Environment:
Last Closed: 2018-10-30 07:44:03 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3018 0 None None None 2018-10-30 07:44:55 UTC

Description Rob Crittenden 2018-08-24 16:04:36 UTC
+++ This bug was initially created as a clone of Bug #1621192 +++

Description of problem:
ipa-cacert-manage renew --external-ca is failing

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-6.el7.x86_64

[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

How reproducible:
always

Steps to Reproduce:
1. install ipa-master with self-signed CA
2. run $ ipa-cacert-manage renew --external-ca


Actual results:

[root@master ~]# /usr/sbin/ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
org.fedorahosted.certmonger.request.bad_arg: Unrecognized parameter or wrong value type.
The ipa-cacert-manage command failed.

Expected results:
command should pass and csr should be generated

Additional info:

--- Additional comment from Red Hat Bugzilla Rules Engine on 2018-08-23 10:10:55 EDT ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Mohammad Rizwan on 2018-08-23 10:12:25 EDT ---

machine details:

vm-idm-018.lab.eng.pnq.redhat.com 
root/Secret123

--- Additional comment from Mohammad Rizwan on 2018-08-23 12:10:13 EDT ---

works on RHEL7.5

[root@gizmo ~]# rpm -qa | grep ipa-server
ipa-server-4.5.4-10.el7_5.3.x86_64
ipa-server-common-4.5.4-10.el7_5.3.noarch
ipa-server-dns-4.5.4-10.el7_5.3.noarch


[root@gizmo ~]# /usr/sbin/ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful


Hence marking as regression.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2018-08-23 12:10:21 EDT ---

This bug report has Keywords: Regression or TestBlocker.

Since no regressions or test blockers are allowed between releases, it is also being [proposed|marked] as a blocker for this release.

Please resolve ASAP.

--- Additional comment from Florence Blanc-Renaud on 2018-08-23 14:22:45 EDT ---

I suspect that the issue is linked to certmonger version.
ipa-cacert-manage is internally calling certmonger.modify, which is using the DBus API to communicate with certmonger.

The parameters provided to certmonger contain CA, template-profile and template-ms-certificate-template. I believe that the latter one has been introduced only in certmonger 0.79, but the version installed in RHEL 7.6 is 0.78.4-9.el7.

Rob, can you check if my assumptions are correct? If it's the case, we need a backport of the patches related to MS cert template in 0.78.

--- Additional comment from Rob Crittenden on 2018-08-24 12:03:20 EDT ---

Confirmed, it is the unexpected template-ms-certificate-template DBus value.
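The failure mode described in the two comments above (a client passing a request parameter the installed certmonger daemon does not recognise, and getting bad_arg back) as an added example; this is constructed stand-in code, not FreeIPA's or certmonger's own, with a fake daemon that mimics the error and a client-side fallback that is an assumption for illustration:

```python
# Added example, not FreeIPA or certmonger code. FakeCertmonger models the
# daemon side of certmonger's DBus "modify": it accepts a fixed set of
# parameter names per version and rejects anything else with bad_arg, as
# seen in the bug report. modify_with_fallback is an assumed client pattern:
# try the full request, and on bad_arg retry once without optional keys,
# reporting what was dropped instead of failing the whole renewal.

class BadArg(Exception):
    """Stand-in for org.fedorahosted.certmonger.request.bad_arg."""


class FakeCertmonger:
    """Constructed stand-in for certmonger's request.modify."""
    BASE_PARAMS = {"CA", "template-profile"}  # accepted by 0.78.4-9.el7

    def __init__(self, supports_ms_template):
        self.accepted = set(self.BASE_PARAMS)
        if supports_ms_template:  # 0.79 upstream / 0.78.4-10.el7 backport
            self.accepted.add("template-ms-certificate-template")
        self.modified = None

    def modify(self, params):
        unknown = set(params) - self.accepted
        if unknown:
            raise BadArg("Unrecognized parameter or wrong value type: "
                         + ", ".join(sorted(unknown)))
        self.modified = dict(params)
        return True


# Parameters the client may omit if the daemon predates them (assumption).
OPTIONAL_PARAMS = ("template-ms-certificate-template",)


def modify_with_fallback(daemon, params):
    """Return the parameter set the daemon actually accepted.

    Callers must compare the result with what they sent and warn about
    anything dropped: a CSR issued without the MS template parameter is
    not equivalent to one issued with it."""
    try:
        daemon.modify(params)
        return dict(params)
    except BadArg:
        reduced = {k: v for k, v in params.items() if k not in OPTIONAL_PARAMS}
        if reduced == params:
            raise  # nothing optional to drop, so surface the real error
        daemon.modify(reduced)
        return reduced


EXAMPLE_REQUEST = {  # constructed values, not a real IPA request
    "CA": "example-renew-agent",
    "template-profile": "example-profile",
    "template-ms-certificate-template": "example-ms-template",
}
```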

Comment 5 Mohammad Rizwan 2018-08-29 10:29:24 UTC
version:
certmonger-0.78.4-10.el7.x86_64
ipa-server-4.6.4-6.el7.x86_64


Steps:

Execute:
IPATEST_YAML_CONFIG=/root/mh_cfg.yaml ipa-run-tests -v -r a --with-xunit test_integration/test_external_ca.py::TestSelfExternalSelf --logging-level=DEBUG


[..]
test_integration/test_external_ca.py::TestSelfExternalSelf::test_switch_to_external_ca [ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-ca']
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-ca']
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] Exporting CA certificate signing request, please wait
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] The ipa-cacert-manage command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd34] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] GET /var/lib/ipa/ca.csr
[ipatests.pytest_ipa.integration.host.Host.master.cmd35] RUN ['cat', '/var/lib/ipa/ca.csr']
[ipatests.pytest_ipa.integration.host.Host.master.cmd35] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] PUT /root/ipatests/root_ca.crt
[ipatests.pytest_ipa.integration.host.Host.master.cmd36] RUN ['tee', '/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd36] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] PUT /root/ipatests/ipa_ca.crt
[ipatests.pytest_ipa.integration.host.Host.master.cmd37] RUN ['tee', '/root/ipatests/ipa_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd37] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-cert-file=/root/ipatests/ipa_ca.crt', '--external-cert-file=/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] RUN ['/usr/sbin/ipa-cacert-manage', 'renew', '--external-cert-file=/root/ipatests/ipa_ca.crt', '--external-cert-file=/root/ipatests/root_ca.crt']
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] Importing the renewed CA certificate, please wait
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] CA certificate successfully renewed
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] The ipa-cacert-manage command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd38] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['/usr/sbin/ipa-certupdate']
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] RUN ['/usr/sbin/ipa-certupdate']
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] trying https://master.testrelm.test/ipa/json
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] [try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://master.testrelm.test/ipa/json'
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] [try 1]: Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Systemwide CA database updated.
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Systemwide CA database updated.
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] The ipa-certupdate command was successful
[ipatests.pytest_ipa.integration.host.Host.master.cmd39] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['certutil', '-L', '-d', '/etc/pki/pki-tomcat/alias']
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] RUN ['certutil', '-L', '-d', '/etc/pki/pki-tomcat/alias']
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Certificate Nickname                                         Trust Attributes
[ipatests.pytest_ipa.integration.host.Host.master.cmd40]                                                              SSL,S/MIME,JAR/XPI
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] 
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] ocspSigningCert cert-pki-ca                                  u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] subsystemCert cert-pki-ca                                    u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] CN=example.test                                              C,,  
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] auditSigningCert cert-pki-ca                                 u,u,Pu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Server-Cert cert-pki-ca                                      u,u,u
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[ipatests.pytest_ipa.integration.host.Host.master.cmd40] Exit code: 0
PASSED

[..]


Full console logs are provided. Based on above observation, marking the bug as verified.

Comment 8 errata-xmlrpc 2018-10-30 07:44:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3018

