RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1641804 - [RFE] Random Serial Number v3 Support
Summary: [RFE] Random Serial Number v3 Support
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: pki-core
Version: 9.1
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: rc
: ---
Assignee: Endi Sukma Dewata
QA Contact: PKI QE
Florian Delehaye
URL:
Whiteboard:
Depends On: 1851495 2075154
Blocks: 2184509 747959
TreeView+ depends on / blocked
 
Reported: 2018-10-22 20:08 UTC by Rob Crittenden
Modified: 2023-09-07 19:28 UTC (History)
10 users (show)

Fixed In Version: pki-core-11.2.0-0.2.beta1.el9
Doc Type: Enhancement
Doc Text:
Clone Of:
: 2184509 (view as bug list)
Environment:
Last Closed: 2022-11-15 10:13:02 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2022:8053 0 None None None 2022-11-15 10:13:25 UTC

Description Rob Crittenden 2018-10-22 20:08:40 UTC 
Description of problem:

In a recent customer escalation there were requests in ou=requests that didn't match with the serial numbers in the certificates that certmonger was trying to renew by serial number. I have two upstream reports of customers using CentOS 7.5 that look like the same problem.

I wrote a tool which attempts to find errors in the IPA cert tracking before they are show-stoppers. One test takes the certificate in the issued cert and looks up the value in cn=<SERIAL #>,ou=ca,ou=requests,o=ipaca and compares the value of the subject on the certmonger side to extdata-req--005fsubject--005fname in LDAP.

The output looks like:

Subject O=EXAMPLE.TEST,CN=CA Subsystem and template subject CN=CA Audit,O=EXAMPLE.TEST do not match for serial 57

My questions are:

1. Is my understanding wrong? Is it wrong to assume that cn=SERIAL will match up the the serial of an issued certificate?
2. If my understanding is not wrong is there a way to piece together how the LDAP data got into this state? IMHO this is a ticking time bomb if these are supposed to match. As an outsider it looks like database corruption.
3. Most importantly: what can be done to correct this in a user's system?

IMHO switching to renewing by CSR is just sweeping this under the rug.

Version-Release number of selected component (if applicable):

pki-ca-10.5.1-9
ipa-server-4.5.4-10.el7.centos.4.4

How reproducible:

Unknown. There are three known reports.

Additional info:

Upstream checking tool: https://github.com/rcritten/checkcerts in compare_requests()
Comment 2 Fraser Tweedale 2018-11-08 01:53:23 UTC 
Unlike the entries under ou=certificateRepository, the CN of a request is
not related to the serial number of the issued cert.

Request objects have a 'serialno' attribute.  I will check whether that
is the serial number of the issued cert, which could be used for lookup
instead.

Alternatively, look up the certificate first, and the certificate entry
contains a reference to the request that produced it, e.g.:

  % ldapsearch -LLL -D cn=directory\ manager -w4me2Test
      -b ou=certificateRepository,ou=ca,o=ipaca '(cn=1)' metaInfo
  dn: cn=1,ou=certificateRepository,ou=ca,o=ipaca
  metaInfo: profileId:caCACert
  metaInfo: requestId:1            <-- this tells you the request ID.
Comment 3 Rob Crittenden 2018-11-08 03:17:21 UTC 
This does not match the behavior seen elsewhere.

When re-issuing a cert certmonger renews by serial number:

GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true&requestor_name=IPA

The returned certificate from dogtag was for a different hostname altogether. The hostname matched the value for extdata-req--005fsubject--005fname in:

dn: cn=5,ou=ca,ou=requests,o=ipaca

We had to manually reconfigure certmonger to not do renewal by serial number to work around this.

This was not a one-off.

So I'm ok with changing the query but it doesn't match what we were seeing in production.
Comment 5 Fraser Tweedale 2018-11-08 03:36:18 UTC 
Thanks for the extra info.  I can't explain this and will need to investigate
further.  The problem might arise due to conflicting request and/or cert serialNo ranges on different replicas.  Certainly the request ID should always be looked up via the cert record.  The renewal code should not be using the serialNo as the request ID.  I will confirm that this is not the case.

Rob, next time you see a case like this (renewed cert has different serial number) please loop me in.  We will need to investigate whether there are
range conflicts and/or replication conflicts.
Comment 6 Rob Crittenden 2018-11-08 03:46:47 UTC 
Will do. I'll see if the logs provided by users who have tried the tool any additional information.
Comment 7 Fraser Tweedale 2018-11-08 03:57:04 UTC 
Further info:

The ProfileSubmitServlet reads the "serial_num" param and sets it into the
CertEnrolmentRequest data, before invoking the RenewalProcessor:

  https://github.com/dogtagpki/pki/blob/v10.6.7/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java#L269-L274

In RenewalProcessor the serial numbers gets read of the data:

  https://github.com/dogtagpki/pki/blob/v10.6.7/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java#L113-L117

and used to look up the certificate record:

  https://github.com/dogtagpki/pki/blob/v10.6.7/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java#L181

  
The certificate record is then used to look up the original request:

  https://github.com/dogtagpki/pki/blob/v10.6.7/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java#L208

In the implementation of getOriginalRequest we see that the request ID is read
from the corresponding metaInfo field:

  https://github.com/dogtagpki/pki/blob/v10.6.7/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java#L231-L248



Rob, I therefore suspicion that there is more to the story with the
cases we have seen (e.g. conflict request ranges).  The fact that the
serial number in question is so low (5) strengthens the suspicion.

In any case you should update the checker query to look up the request
record via the certificate record.
Comment 9 Dinesh Prasanth 2020-04-28 18:29:04 UTC 
As per grooming meeting 20200428, this bug can be fixed by having a upgrade to database framework
Comment 17 Endi Sukma Dewata 2022-04-11 21:14:22 UTC 
RSNv3 has been implemented in master branch (PKI 11.2):
* https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc
* https://github.com/dogtagpki/pki/blob/master/docs/installation/kra/Installing-KRA-with-Random-Serial-Numbers-v3.adoc
Comment 18 Endi Sukma Dewata 2022-04-22 15:18:52 UTC 
Design doc:
* https://github.com/dogtagpki/pki/wiki/Random-Certificate-Serial-Numbers-v3

Installation docs:
* https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc
* https://github.com/dogtagpki/pki/blob/master/docs/installation/kra/Installing-KRA-with-Random-Serial-Numbers-v3.adoc

Configuration/migration docs:
* https://github.com/dogtagpki/pki/wiki/Configuring-CA-with-Random-Serial-Numbers-v3
* https://github.com/dogtagpki/pki/wiki/Configuring-KRA-with-Random-Serial-Numbers-v3
Comment 28 errata-xmlrpc 2022-11-15 10:13:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pki-core bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:8053
Note You need to log in before you can comment on or make changes to this bug.