Bug 712889 - Internal Error: ipa cert-remove-hold ; revocation reason 7
Summary: Internal Error: ipa cert-remove-hold ; revocation reason 7
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-06-13 13:45 UTC by Jenny Severance
Modified: 2015-01-04 23:49 UTC (History)

Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: A request to set a certificate revocation reason to 7 would cause the request to fail. Consequence: The certificate was not revoked. Fix: Reason 7 is not a valid revocation reason according to RFC 5280. Result: An error message is returned to the user.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:33:33 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:1533 | 0 | normal | SHIPPED_LIVE | Moderate: ipa security and bug fix update | 2011-12-06 01:23:31 UTC

Description Jenny Severance 2011-06-13 13:45:41 UTC
Description of problem:

---------------------------------------------------------------
Added service "service_27444/dhcp-100-19-202.testrelm@TESTRELM"
---------------------------------------------------------------
  Principal: service_27444/dhcp-100-19-202.testrelm@TESTRELM
  Managed by: dhcp-100-19-202.testrelm
:: [   PASS   ] :: add service: [service_27444/dhcp-100-19-202.testrelm]
:: [09:39:19] ::  create cert request file [/tmp/tmp.cAcrn27OS8/certreq.25032.csr]
spawn openssl req -out /tmp/tmp.cAcrn27OS8/certreq.25032.csr -new -newkey rsa:2048 -nodes -keyout /tmp/tmp.cAcrn27OS8/certprikey.20208.key
Generating a 2048 bit RSA private key
.+++
...................................+++
writing new private key to '/tmp/tmp.cAcrn27OS8/certprikey.20208.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:Mountain View
Organization Name (eg, company) [Default Company Ltd]:IPA
Organizational Unit Name (eg, section) []:QA
Common Name (eg, your name or your server's hostname) []:dhcp-100-19-202.testrelm
Email Address []:ipaqa

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
:: [09:39:25] ::  cert file creation success, continue
:: [   PASS   ] :: create cert success, cert id :[21], principal [service_27444/dhcp-100-19-202.testrelm]
:: [   PASS   ] :: clear kerberos tkts
ipa: ERROR: an internal error has occurred
:: [   FAIL   ] :: set revoke reason to [7], cert should not be able to reuse (Expected 0, got 1)
:: [   FAIL   ] :: revoke reason expected to be [7], actual [], test can not continue 
  Unrevoked: False
  Error: One or more certificates could not be unrevoked
:: [   PASS   ] :: cert-remove-hold always return 0(succes),we need more test to confirm remove hold fails
:: [   FAIL   ] :: revocation reason not found in cert-show, test failed 
  Certificate: MIIDeDCCAmCgAwIBAgIBFTANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKEwhURVNU
  Subject: CN=dhcp-100-19-202.testrelm,O=TESTRELM
  Issuer: CN=Certificate Authority,O=TESTRELM
  Not Before: Mon Jun 13 13:39:27 2011 UTC
  Not After: Sat Dec 10 13:39:27 2011 UTC
  Fingerprint (MD5): 23:9d:48:e7:83:b9:64:0f:a5:37:16:d0:9d:87:e5:a6
  Fingerprint (SHA1): d3:08:d1:00:10:52:98:c8:99:eb:0e:26:34:56:0a:df:c0:8a:2d:6d
  Serial number: 21
:: [09:39:37] ::  cert req [/tmp/tmp.cAcrn27OS8/certreq.2275.csr]
:: [   PASS   ] :: kinit as admin


http errors_log:

[Mon Jun 13 09:39:30 2011] [error] ipa: INFO: admin@TESTRELM: ping(): SUCCESS
[Mon Jun 13 09:39:30 2011] [error] ipa: INFO: sslget 'https://dhcp-100-19-202.testrelm:9443/ca/agent/ca/doRevoke'
[Mon Jun 13 09:39:30 2011] [error] ipa: ERROR: non-public: XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
[Mon Jun 13 09:39:30 2011] [error] Traceback (most recent call last):
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 217, in wsgi_execute
[Mon Jun 13 09:39:30 2011] [error]     result = self.Command[name](*args, **options)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 422, in __call__
[Mon Jun 13 09:39:30 2011] [error]     ret = self.run(*args, **options)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 728, in run
[Mon Jun 13 09:39:30 2011] [error]     return self.execute(*args, **options)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 556, in execute
[Mon Jun 13 09:39:30 2011] [error]     result=self.Backend.ra.revoke_certificate(serial_number, **kw)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line 1544, in revoke_certificate
[Mon Jun 13 09:39:30 2011] [error]     parse_result = self.get_parse_result_xml(http_body, parse_revoke_cert_xml)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line 1263, in get_parse_result_xml
[Mon Jun 13 09:39:30 2011] [error]     doc = etree.fromstring(xml_text, parser)
[Mon Jun 13 09:39:30 2011] [error]   File "lxml.etree.pyx", line 2532, in lxml.etree.fromstring (src/lxml/lxml.etree.c:48270)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 1545, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:71812)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 1424, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:70673)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 938, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:67442)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 539, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:63824)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 625, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:64745)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 565, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:64088)
[Mon Jun 13 09:39:30 2011] [error] XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
[Mon Jun 13 09:39:30 2011] [error] ipa: INFO: admin@TESTRELM: cert_revoke(u'21', revocation_reason=7): XMLSyntaxError


Version-Release number of selected component (if applicable):
ipa-server-2.0.0-23.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1.  see description - this test is automated
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 2 Dmitri Pal 2011-06-13 16:03:23 UTC
https://fedorahosted.org/freeipa/ticket/1318

Comment 5 Jenny Severance 2011-08-22 16:46:16 UTC
what is 7 not valid now ???

ipa: ERROR: Certificate operation cannot be completed: 7 is not a valid revocation reason

Comment 6 Rob Crittenden 2011-08-22 17:01:17 UTC
reason 7 is not defined.

See section 5.3.1 in http://www.ietf.org/rfc/rfc5280.txt
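
An added example, not the ipa code and not part of the original comments: one way to validate a revocation reason against the reasonCode values in RFC 5280 section 5.3.1 before any request is sent to the CA, so that an unassigned value such as 7 yields a clear error instead of an unparseable backend response. The names CRLReason, parse_revocation_reason, can_remove_hold, revoke and backend_call are assumptions made for this sketch.

```python
import re
from enum import IntEnum


class CRLReason(IntEnum):
    """reasonCode values from RFC 5280 section 5.3.1 (7 is unassigned)."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9
    aACompromise = 10


class InvalidRevocationReason(ValueError):
    """Raised for input that does not name an RFC 5280 reason code."""


def parse_revocation_reason(raw):
    """Map CLI/RPC input (int or str) to a CRLReason, or raise."""
    text = str(raw).strip()
    # ASCII digits only: int() alone would also accept other Unicode digits.
    if re.fullmatch(r"[0-9]{1,2}", text):
        try:
            return CRLReason(int(text))
        except ValueError:
            pass  # syntactically a number, but unassigned (7, 11..99)
    raise InvalidRevocationReason(
        "%s is not a valid revocation reason" % text)


def can_remove_hold(reason):
    """Only a certificateHold revocation is reversible."""
    return reason is CRLReason.certificateHold


def revoke(serial, raw_reason, backend_call):
    """Validate first, so a bad reason never reaches the CA backend.

    backend_call is a hypothetical callable standing in for the CA request.
    """
    reason = parse_revocation_reason(raw_reason)
    return backend_call(serial, int(reason))
```
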

Comment 7 Rob Crittenden 2011-10-31 19:54:33 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: A request to set a certificate revocation reason to 7 would cause the request to fail.
Consequence: The certificate was not revoked.
Fix: Reason 7 is not a valid revocation reason according to RFC 5280.
Result: An error message is returned to the user.

Comment 8 Namita Soman 2011-11-06 04:27:44 UTC
Verified using ipa-server-2.1.3-8.el6.x86_64

# ipa cert-revoke 17 --revocation-reason=7 
ipa: ERROR: Certificate operation cannot be completed: 7 is not a valid revocation reason

Comment 9 errata-xmlrpc 2011-12-06 18:33:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

