1659511 – ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not. [rhel-7.6.z]

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1659511 - ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not. [rhel-7.6.z]

Summary: ipa-pkinit-manage reports a switch from local pkinit to full pkinit configura...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:	1493541
Blocks:
TreeView+	depends on / blocked

Reported:	2018-12-14 14:48 UTC by RAD team bot copy to z-stream
Modified:	2021-12-10 18:31 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ipa-4.6.4-10.el7_6.2
Doc Type:	Bug Fix
Doc Text:	Cause: The PKINIT feature requires a certificate signed by IPA CA. When enabling the feature, the step replacing the self-signed certificate with a certificate signed by IPA CA fails but goes undetected because the certificate file is already present on the filesystem. Consequence: The command 'ipa-pkinit-manage enable' reports that it succeeded but the PKINIT feature is not properly configured. Fix: The command now ensures that the certificate file is removed, ensuring that a new CA-signed certificate will be issued. Result: ipa-pkinit-manage enable now successfully configures PKINIT.
Clone Of:	1493541
Environment:
Last Closed:	2019-01-29 17:24:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-7579	0	None	None	None	2021-12-10 18:31:19 UTC
Red Hat Product Errata	RHBA-2019:0190	0	None	None	None	2019-01-29 17:24:38 UTC

Description RAD team bot copy to z-stream 2018-12-14 14:48:31 UTC

This bug has been copied from bug #1493541 and has been proposed to be backported to 7.6 z-stream (EUS).

Comment 3 Mohammad Rizwan 2019-01-17 07:33:57 UTC

version:
ipa-server-4.6.4-10.el7_6.2.x86_64
ipa-server-dns-4.6.4-10.el7_6.2.noarch

Steps:
1. Install master with --no-pkinit option

2. check certs tracked by ipa CA
    $ ipa-getcert list 

3. check pkinit status
    $ ipa-pkinit-manage status

4. enable pkinit and see if CSR generated
    $ ipa-pkinit-manage --verbose enable

5. check certs tracked by ipa CA
    $ ipa-getcert list

6. check pkinit status
    $  ipa-pkinit-manage status

Actual results:

[root@master ~]# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
[root@master ~]# 

2 certs tracked by IPA CA:

[root@master ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190117065534':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-01-17 06:55:35 UTC
	dns: master.testrelm.test
	principal name: ldap/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20190117065610':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-01-17 06:56:10 UTC
	dns: master.testrelm.test
	principal name: HTTP/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
[root@master ~]#


[root@master ~]# ipa-pkinit-manage --verbose enable
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_140411884189328
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.230')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.230')
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fb42fead758>
ipalib.frontend: DEBUG: raw: config_show(version=u'2.230')
ipalib.frontend: DEBUG: config_show(rights=False, all=False, raw=False, version=u'2.230')
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.230')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.230')
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.service: DEBUG: Configuring Kerberos KDC (krb5kdc)
Configuring Kerberos KDC (krb5kdc)
ipaserver.install.service: DEBUG:   [1/1]: installing X509 Certificate for PKINIT
  [1/1]: installing X509 Certificate for PKINIT
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipalib.install.certmonger: DEBUG: Cert request 20190117071422 was successful
ipaserver.install.service: DEBUG: service KDC has all config values set
ipaserver.install.service: DEBUG:   duration: 5 seconds
ipaserver.install.service: DEBUG: Done configuring Kerberos KDC (krb5kdc).
Done configuring Kerberos KDC (krb5kdc).
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipaplatform.base.services: DEBUG: Restart of krb5kdc.service complete
ipaserver.install.service: DEBUG: service KDC: config string pkinitEnabled already set
ipaserver.install.service: DEBUG: service KDC has already enabled config values ['pkinitEnabled']
ipalib.backend: DEBUG: Destroyed connection context.ldap2_140411884189328
ipapython.admintool: INFO: The ipa-pkinit-manage command was successful
[root@master ~]# 


[root@master ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190117065534':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-01-17 06:55:35 UTC
	dns: master.testrelm.test
	principal name: ldap/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20190117065610':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-01-17 06:56:10 UTC
	dns: master.testrelm.test
	principal name: HTTP/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20190117071422':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'                  
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'                        <<<<
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-01-17 07:14:22 UTC
	principal name: krbtgt/TESTRELM.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc                                                   <<<<
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes

[root@master ~]# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful

Thus based on above observations, marking the bug as verified.

Comment 5 errata-xmlrpc 2019-01-29 17:24:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0190

Note You need to log in before you can comment on or make changes to this bug.