Bug 1756914 - Sub-CA key replication failure [rhel-7.7.z]
Summary: Sub-CA key replication failure [rhel-7.7.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.7
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: rc
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 1755223
Blocks:
Reported: 2019-09-30 08:14 UTC by RAD team bot copy to z-stream
Modified: 2019-10-23 07:34 UTC (History)

Fixed In Version: ipa-4.6.5-11.el7_7.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1755223
Environment:
Last Closed: 2019-10-15 17:48:08 UTC
Target Upstream Version:




Links
System ID                              | Private | Priority | Status | Summary | Last Updated
Fedora Pagure freeipa issue 7964       | 0       | None     | None   | None    | 2019-09-30 08:14:59 UTC
Red Hat Product Errata RHBA-2019:3070  | 0       | None     | None   | None    | 2019-10-15 17:48:11 UTC

Description RAD team bot copy to z-stream 2019-09-30 08:14:57 UTC
This bug has been copied from bug #1755223 and has been proposed to be backported to 7.7 z-stream (EUS).

Comment 7 Sudhir Menon 2019-10-03 12:28:20 UTC
Fix is seen. Verified on RHEL7.7

[root@master]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.7 (Maipo)

[root@master]# rpm -q ipa-server 389-ds-base krb5-server selinux-policy
ipa-server-4.6.5-11.el7_7.3.x86_64
389-ds-base-1.3.9.1-10.el7.x86_64
krb5-server-1.15.1-37.el7_7.2.x86_64
selinux-policy-3.13.1-252.el7.1.noarch

1. certutil -d . -L before setting up sub-ca on master.

[root@master alias]# hostname
master.rhel77.test

[root@master alias]# pwd
/etc/pki/pki-tomcat/alias
[root@master alias]# certutil -d . -L 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

2. Setting up replica with setup ca 
[root@replica ~]# ipa-replica-install --setup-ca -w Secret123 -n rhel77.test --server=master.rhel77.test -r RHEL77.TEST --hostname replica.rhel77.test 
Done.
Finalize replication settings
Restarting the KDC

3. check replica-manage list
[root@master alias]# ipa-replica-manage list
replica.rhel77.test: master
master.rhel77.test: master

4. Setting up sub-ca in ipa master and checking certutil output.

[root@master alias]# ipa ca-add
Name: subca
Subject DN: CN=subca
------------------
Created CA "subca"
------------------
  Name: subca
  Authority ID: cff68fa5-05a8-4d72-8f22-dff1f29135fd
  Subject DN: CN=subca
  Issuer DN: CN=Certificate Authority,O=RHEL77.TEST
  Certificate: (base64-encoded certificate omitted)

[root@master alias]# certutil -d . -L 
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca cff68fa5-05a8-4d72-8f22-dff1f29135fd u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

5. Checking the entry in replica

[root@replica ~]# cd /etc/pki/pki-tomcat/alias/
[root@replica alias]# certutil -d . -L 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca cff68fa5-05a8-4d72-8f22-dff1f29135fd u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

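The check Sudhir performs by hand in Comment 7 (confirm that the nickname "caSigningCert cert-pki-ca <authority-id>" created on the master also shows up in the replica's /etc/pki/pki-tomcat/alias database) can be scripted so it covers every lightweight sub-CA at once. The script below is an added example, not code from this bug report or from FreeIPA itself. It assumes that `ipa ca-find --raw` prints one "cn:" and one "ipacaid:" line per CA (the host CA has cn "ipa" and its nickname carries no suffix, so it is skipped), and that certutil lists a sub-CA's signing cert under the nickname format shown above. The sample ca-find and certutil outputs embedded in the test are constructed to mirror the listings in Comment 7; a sub-CA that is missing from a replica's NSS database cannot be used by that replica to issue certificates, which is the failure this bug is about.

```shell
#!/bin/sh
# Added example: report every IPA sub-CA whose signing certificate (and
# therefore key) is absent from a CA replica's NSS database.
# Assumption: `ipa ca-find --raw` emits "cn:" and "ipacaid:" lines per CA.

NSSDB=/etc/pki/pki-tomcat/alias

# Read `ipa ca-find --raw` output on stdin; print "<name> <authority-id>"
# per lightweight CA. The host CA (cn "ipa") is skipped: its nickname is
# plain "caSigningCert cert-pki-ca" with no authority-id suffix.
ca_ids_from_find() {
    awk '
        /^[[:space:]]*cn: /      { sub(/^[[:space:]]*cn: /, ""); name = $0 }
        /^[[:space:]]*ipacaid: / { sub(/^[[:space:]]*ipacaid: /, "")
                                   if (name != "ipa") printf "%s %s\n", name, $0 }
    '
}

# $1 = file holding `certutil -d $NSSDB -L` output for the replica;
# stdin = `ipa ca-find --raw` output. Prints one MISSING line per sub-CA
# whose signing cert is not in the listing; returns 0 only if none is missing.
find_missing_subcas() {
    listing="$1"
    missing=0
    pairs=$(ca_ids_from_find)
    old_ifs=$IFS
    IFS='
'
    for pair in $pairs; do
        id=${pair##* }       # authority-id is the last word
        name=${pair% *}      # CA name may itself contain spaces
        if ! grep -q "^caSigningCert cert-pki-ca ${id}[[:space:]]" "$listing"; then
            printf 'MISSING: sub-CA "%s" (%s) has no signing cert in %s\n' \
                "$name" "$id" "$listing"
            missing=1
        fi
    done
    IFS=$old_ifs
    return $missing
}

# Live use on a CA replica (needs a Kerberos ticket that may run ipa ca-find):
#   certutil -d "$NSSDB" -L > /tmp/replica-certs.txt
#   ipa ca-find --raw | find_missing_subcas /tmp/replica-certs.txt
```

Run it on every replica that was installed with --setup-ca; a non-zero exit with a MISSING line reproduces the pre-fix symptom from this bug, and a clean exit corresponds to the Comment 7 listing where the sub-CA nickname is present on the replica.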
Comment 9 errata-xmlrpc 2019-10-15 17:48:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3070

