Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1739124

Summary: pki-server cert-update failed with self-signed certificates error
Product: Red Hat Enterprise Linux 8 Reporter: Geetika Kapoor <gkapoor>
Component: pki-core-10.7-moduleAssignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED WONTFIX QA Contact: PKI QE <bugzilla-pkiqe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.1CC: edewata
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-08 07:30:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Geetika Kapoor 2019-08-08 15:01:02 UTC 
Description of problem:

pki-server failed in case of self-signed certificates.
Earlier we never saw such failures while running pki client commands

ERROR: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)'}

Version-Release number of selected component (if applicable):

Rhel 8.1

How reproducible:

always 

Steps to Reproduce:
1.Try offline cert renewal and you will encounter this problem.
https://github.com/dogtagpki/pki/blob/master/docs/admin/Offline_System_Certificate_Renewal.md
2.
3.

Actual results:

Not accepting self signed certs

Expected results:

pki client commands worked while pki-server command failed.

Additional info:

# LDAPTLS_CACERT=/etc/dirsrv/slapd-topology-03-testingmaster/ds.crt ldapsearch -H ldaps://pki1.example.com:11636 -x -D "cn=Directory Manager" -w SECret.123 -b "dc=ca,dc=example,dc=com" 

<displays all the ldap data>

# pki-server -v cert-update --debug -i pki-cert-fix2  sslserver
Command: cert-update --debug -i pki-cert-fix2 sslserver
INFO: Loading instance: pki-cert-fix2
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-cert-fix2/tomcat.conf
INFO: Loading password config: /etc/pki/pki-cert-fix2/password.conf
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-cert-fix2/pki-cert-fix2
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/pki-cert-fix2/ca/conf/CS.cfg
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
DEBUG: Command: certutil -L -d /var/lib/pki/pki-cert-fix2/alias -f /tmp/tmp6hp7p01q/password.txt -n Server-Cert cert-pki-cert-fix2 -a
INFO: Retrieving certificate Server-Cert cert-pki-cert-fix2 from 
DEBUG: Command: certutil -L -d /var/lib/pki/pki-cert-fix2/alias -f /tmp/tmpkxhat08c/password.txt -n Server-Cert cert-pki-cert-fix2 -r
INFO: Retrieving certificate request from CA database
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 37, in <module>
    cli.execute(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 136, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 404, in execute
    results = ca.find_cert_requests(cert=data)
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 892, in find_cert_requests
    con = self.open_database()
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 430, in open_database
    connection.open()
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1687, in open
    self.ldap.simple_bind_s(self.bind_dn, self.bind_password)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 443, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 437, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)'}
ERROR: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)'}
======================================================

Pki vs pki-server
=================

Test Case 1: 

# pki -p 31080 ca-cert-find
---------------
6 entries found
---------------
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-cert-fix2,O=example.com1
  Issuer DN: CN=CA Signing Certificate,OU=pki-cert-fix2,O=example.com1
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Wed Jul 24 12:01:47 EDT 2019
  Not Valid After: Sun Jul 24 12:01:47 EDT 2039
  Issued On: Wed Jul 24 12:01:47 EDT 2019
  Issued By: system

  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-cert-fix2,O=example.com1
  Issuer DN: CN=CA Signing Certificate,OU=pki-cert-fix2,O=example.com1
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Wed Jul 24 12:01:47 EDT 2019
  Not Valid After: Tue Jul 13 12:01:47 EDT 2021
  Issued On: Wed Jul 24 12:01:47 EDT 2019
  Issued By: system

  Serial Number: 0x3
  Subject DN: CN=pki1.example.com,OU=pki-cert-fix2,O=example.com1
  Issuer DN: CN=CA Signing Certificate,OU=pki-cert-fix2,O=example.com1
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Wed Jul 24 12:01:47 EDT 2019
  Not Valid After: Wed Jul 24 12:07:47 EDT 2019
  Issued On: Wed Jul 24 12:01:47 EDT 2019
  Issued By: system

  Serial Number: 0x4
  Subject DN: CN=Subsystem Certificate,OU=pki-cert-fix2,O=example.com1
  Issuer DN: CN=CA Signing Certificate,OU=pki-cert-fix2,O=example.com1
  Status: EXPIRED
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Wed Jul 24 12:01:47 EDT 2019
  Not Valid After: Wed Jul 24 12:07:47 EDT 2019
  Issued On: Wed Jul 24 12:01:48 EDT 2019
  Issued By: system

  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-cert-fix2,O=example.com1
  Issuer DN: CN=CA Signing Certificate,OU=pki-cert-fix2,O=example.com1
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Wed Jul 24 12:01:48 EDT 2019
  Not Valid After: Tue Jul 13 12:01:48 EDT 2021
  Issued On: Wed Jul 24 12:01:48 EDT 2019
  Issued By: system

  Serial Number: 0x6
  Subject DN: CN=PKI Administrator,E=example,OU=pki-cert-fix2,O=example.com1
  Issuer DN: CN=CA Signing Certificate,OU=pki-cert-fix2,O=example.com1
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Wed Jul 24 12:01:49 EDT 2019
  Not Valid After: Tue Jul 13 12:01:49 EDT 2021
  Issued On: Wed Jul 24 12:01:49 EDT 2019
  Issued By: system
----------------------------
Number of entries returned 6
----------------------------


2. pki-server -v selftest-disable -i pki-cert-fix2 --subsystem ca

Difference in enable/disable:

< selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical
---
> selftests.container.order.startup=CAPresence, SystemCertsVerification

3.  pki-server -v cert-update --debug -i pki-cert-fix2  sslserver
Command: cert-update --debug -i pki-cert-fix2 sslserver
INFO: Loading instance: pki-cert-fix2
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-cert-fix2/tomcat.conf
INFO: Loading password config: /etc/pki/pki-cert-fix2/password.conf
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-cert-fix2/pki-cert-fix2
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/pki-cert-fix2/ca/conf/CS.cfg
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
DEBUG: Command: certutil -L -d /var/lib/pki/pki-cert-fix2/alias -f /tmp/tmp6hp7p01q/password.txt -n Server-Cert cert-pki-cert-fix2 -a
INFO: Retrieving certificate Server-Cert cert-pki-cert-fix2 from 
DEBUG: Command: certutil -L -d /var/lib/pki/pki-cert-fix2/alias -f /tmp/tmpkxhat08c/password.txt -n Server-Cert cert-pki-cert-fix2 -r
INFO: Retrieving certificate request from CA database
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 37, in <module>
    cli.execute(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 136, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 404, in execute
    results = ca.find_cert_requests(cert=data)
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 892, in find_cert_requests
    con = self.open_database()
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 430, in open_database
    connection.open()
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1687, in open
    self.ldap.simple_bind_s(self.bind_dn, self.bind_password)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 443, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 437, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)'}
ERROR: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)'}
Comment 3 RHEL Program Management 2021-02-08 07:30:26 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.