1851835 – [RFE] IdM short-term certificates ACME provider

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1851835 - [RFE] IdM short-term certificates ACME provider

Summary: [RFE] IdM short-term certificates ACME provider

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	8.3
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Thomas Woerner
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:	1902727
Blocks:	1894575
TreeView+	depends on / blocked

Reported:	2020-06-29 08:03 UTC by Petr Čech
Modified:	2022-05-04 15:18 UTC (History)
CC List:	12 users (show)
Fixed In Version:	ipa-4.9.0-0.1.rc1
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-05-18 15:48:21 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-8219	0	None	None	None	2022-05-04 15:18:10 UTC

Comment 2 Rob Crittenden 2020-07-09 16:04:41 UTC

Documentation available at:

https://frasertweedale.github.io/blog-redhat/posts/2020-05-06-ipa-acme-intro.html
https://frasertweedale.github.io/blog-redhat/posts/2020-05-07-ipa-acme-mod_md.html
https://frasertweedale.github.io/blog-redhat/posts/2020-05-13-ipa-acme-dns.html

Comment 3 Rob Crittenden 2020-07-10 12:35:28 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/2b6faa362f3ee2a63e3597f8734867d8e9d4df7d
https://pagure.io/freeipa/c/dd301a453521a177d9f34df25d3e6d203c9507ea
https://pagure.io/freeipa/c/5883cff0b7b62da3fcb3dfb7920a9f993cbcb568
https://pagure.io/freeipa/c/a21823da7fcce521838764df5280295ccbdb8157
https://pagure.io/freeipa/c/b3565290fefb6e14583b50d3c411a8861a4fa844
https://pagure.io/freeipa/c/c309d4a4d0c19df80808b2ce9352ce2af2a30a3c
https://pagure.io/freeipa/c/3c8352f9a7f977bc994e4b5b558fb3c7db20f40e
https://pagure.io/freeipa/c/d15000bed6bc5262a80aadeb5f85a476ed44799f
https://pagure.io/freeipa/c/00a84464eae31150714f667df67774ebe34b8514
https://pagure.io/freeipa/c/083c6aedc6d8046c19f637ec34723812f292a0e9
https://pagure.io/freeipa/c/7b00035764197c0aff0c7d2de638dc174abacf9f
https://pagure.io/freeipa/c/ab7226dcef8c8390fc9a1e939680ba9f4f5121bd
https://pagure.io/freeipa/c/bb6d84903967bc6176d8a0817b602ba314129417
https://pagure.io/freeipa/c/85d0272053dbafab19c1f98cacc5ce6e1a828667
https://pagure.io/freeipa/c/f9f3b3b118ccb0c4052d15387d128886ec293463
https://pagure.io/freeipa/c/e976dde8e1429ee023a76ddbe0e6b16a495a1ef2
https://pagure.io/freeipa/c/a83eaa8b6da8e5937a7f42a90310f69b8f66e6d4
https://pagure.io/freeipa/c/678b8e682b37daa5217c0098cd6ce42c324b3955
https://pagure.io/freeipa/c/525b946b75760a1ef90e1aae8e5052124fb0075c
https://pagure.io/freeipa/c/1f720560273e16ca6c5e646a1f4bf0a7ec354aa5

Comment 5 Rob Crittenden 2020-11-02 15:45:40 UTC

Add support for global configuration and more integration tests

Fixed upstream
master:
https://pagure.io/freeipa/c/2ef53196c6a012ad7d02aed5672d69fbcb5d0a4e
https://pagure.io/freeipa/c/e13d058a066bdbd8a81b794b6f18ca8eca1f31c8
https://pagure.io/freeipa/c/c0d55ce6de5e41a98b1e37e23e8bdb339e772c0f
https://pagure.io/freeipa/c/92c3ea4e293a4fca58269265b7fbf511024dab59
https://pagure.io/freeipa/c/69ae48c8b614a23f530ec6ed33c9019e0b491e50
https://pagure.io/freeipa/c/e7fd791579eca8b7a1c30b4f17bfac7c4fafe2a7
https://pagure.io/freeipa/c/d4ef64b229541200564131e927cd0b4b32662fe2

Comment 6 Rob Crittenden 2020-11-02 19:02:07 UTC

Require a SAN for ipa-ca when installing 3rd party certificates.

Fixed upstream
master:
https://pagure.io/freeipa/c/2768b0dbaf0e07bc632a4867b13ef4c5ac875372
https://pagure.io/freeipa/c/e0ff82c884356a6c9fcd0fef66580de30ec5af87
https://pagure.io/freeipa/c/c8f13cd85503f2713c616eccfd7c37e52792c7ef

Comment 7 Rob Crittenden 2020-11-12 20:15:14 UTC

Tests for External-CA scenarios for ACME service

Fixed upstream
master:
https://pagure.io/freeipa/c/9dccf17a6c6ce023661a33fdb1f65314ef6a053f
https://pagure.io/freeipa/c/cbbfcd9b1e9bbcce864957423085d362e6d44c72
https://pagure.io/freeipa/c/c4a6b0e5662f539b8438cdbc593eb713ea8c6da2

Comment 11 Florence Blanc-Renaud 2020-12-01 12:00:01 UTC

Additional commit bumping the Requires for pki-server:

Fixed upstream
master:
https://pagure.io/freeipa/c/6816de0892a11c203f1a2e6f7819d533c7658fa9

Comment 12 Rob Crittenden 2020-12-01 18:08:28 UTC

Additional commit bumping the Requires for pki-server:

Fixed upstream
ipa-4-9:

3e530e93c37ee71a560714e26285cd85e71557c9

Comment 19 Sumedh Sidhaye 2020-12-17 11:42:41 UTC

Builds used for verification:

ipa-client-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
ipa-client-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-healthcheck-core-0.7-3.module+el8.4.0+9007+5084bdd8.noarch
ipa-selinux-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
ipa-server-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-dns-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-trust-ad-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64

test_integration/test_acme.py::TestACME::test_kinit_master PASSED        [  3%]
test_integration/test_acme.py::TestACME::test_acme_service_not_yet_enabled PASSED [  7%]
test_integration/test_acme.py::TestACME::test_enable_acme_service PASSED [ 11%]
test_integration/test_acme.py::TestACME::test_centralize_acme_enable PASSED [ 15%]
test_integration/test_acme.py::TestACME::test_certbot_register SKIPPED   [ 19%]
test_integration/test_acme.py::TestACME::test_certbot_certonly_standalone SKIPPED [ 23%]
test_integration/test_acme.py::TestACME::test_certbot_revoke SKIPPED     [ 26%]
test_integration/test_acme.py::TestACME::test_certbot_dns SKIPPED        [ 30%]
test_integration/test_acme.py::TestACME::test_mod_md SKIPPED             [ 34%]
test_integration/test_acme.py::TestACME::test_disable_acme_service PASSED [ 38%]
test_integration/test_acme.py::TestACME::test_centralize_acme_disable PASSED [ 42%]
test_integration/test_acme.py::TestACME::test_third_party_certs PASSED   [ 46%]
test_integration/test_acme.py::TestACMECALess::test_caless_to_cafull_replica PASSED [ 50%]
test_integration/test_acme.py::TestACMECALess::test_enable_caless_to_cafull_replica PASSED [ 53%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_kinit_master PASSED [ 57%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_acme_service_not_yet_enabled PASSED [ 61%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_enable_acme_service PASSED [ 65%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_centralize_acme_enable PASSED [ 69%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_certbot_register SKIPPED [ 73%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_certbot_certonly_standalone SKIPPED [ 76%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_certbot_revoke SKIPPED [ 80%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_certbot_dns SKIPPED [ 84%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_mod_md SKIPPED [ 88%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_disable_acme_service PASSED [ 92%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_centralize_acme_disable PASSED [ 96%]
test_integration/test_acme.py::TestACMEwithExternalCA::test_third_party_certs PASSED [100%]

Comment 21 Josip Vilicic 2021-01-29 15:02:22 UTC

Hello Kaleem,

1) This bug has automatically generated the following Documentation JIRA ticket:

   "RHELPLAN-47725 - [RFE] IdM short-term certificates ACME provider"
   https://issues.redhat.com/browse/RHELPLAN-47725


2) The documentation team has previously created 2 tickets that I think correspond to the 2 items from this bug's description:

   a) Service automatically acquire a certificates

         RHELPLAN-43501 - [DOC][ACME] Service automatically acquires a certificate
         https://issues.redhat.com/browse/RHELPLAN-43501

      But we closed that general ticket because we created multiple tickets for specific ACME features/functionality:

         RHELPLAN-58595 - Deploy ACME service on upgrade -- https://issues.redhat.com/browse/RHELPLAN-58595
         RHELPLAN-58596 - Support ACME protocol -- https://issues.redhat.com/browse/RHELPLAN-58596
         RHELPLAN-58599 - Deploy ACME service on CA installation -- https://issues.redhat.com/browse/RHELPLAN-58599
         RHELPLAN-58601 - FreeIPA commands to enable/disable ACME service -- https://issues.redhat.com/browse/RHELPLAN-58601
         RHELPLAN-58613 - Add FreeIPA ACME certificate profile -- https://issues.redhat.com/browse/RHELPLAN-58613


   b) Deploy & manage the ACME service topology wide from a single system

         RHELPLAN-58598 - [DOC][ACME] Deploy & manage the ACME service topology wide from a single system
         https://issues.redhat.com/browse/RHELPLAN-58598


Could you please let us know if we've missed anything?

Comment 22 Kaleem 2021-02-02 12:04:36 UTC

Hi Jo,

I missed looking at doc jira ticket.
Should not we set the doc flag/field for this? Doc Text, require_doc_text?

Comment 24 Florence Blanc-Renaud 2021-04-30 09:05:21 UTC

Test added upstream: ipatests/test_integration/test_acme.py::TestACMECARenew
master:
https://pagure.io/freeipa/c/d2ca7915498cd1bdf5483af4b155296766f6e718

Comment 25 Rob Crittenden 2021-05-06 19:42:21 UTC

Test added upstream:
ipa-4-9:
https://pagure.io/freeipa/c/a7ff4089437ee20bbce7fc55d43a7702dd7540a7

Comment 27 errata-xmlrpc 2021-05-18 15:48:21 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

Note You need to log in before you can comment on or make changes to this bug.