Description of problem:

---------------------------------------------------------------
Added service "service_27444/dhcp-100-19-202.testrelm@TESTRELM"
---------------------------------------------------------------
  Principal: service_27444/dhcp-100-19-202.testrelm@TESTRELM
  Managed by: dhcp-100-19-202.testrelm
:: [ PASS ] :: add service: [service_27444/dhcp-100-19-202.testrelm]
:: [09:39:19] :: create cert request file [/tmp/tmp.cAcrn27OS8/certreq.25032.csr]
spawn openssl req -out /tmp/tmp.cAcrn27OS8/certreq.25032.csr -new -newkey rsa:2048 -nodes -keyout /tmp/tmp.cAcrn27OS8/certprikey.20208.key
Generating a 2048 bit RSA private key
.+++
...................................+++
writing new private key to '/tmp/tmp.cAcrn27OS8/certprikey.20208.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:Mountain View
Organization Name (eg, company) [Default Company Ltd]:IPA
Organizational Unit Name (eg, section) []:QA
Common Name (eg, your name or your server's hostname) []:dhcp-100-19-202.testrelm
Email Address []:ipaqa@redhat.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
:: [09:39:25] :: cert file creation success, continue
:: [ PASS ] :: create cert success, cert id :[21], principal [service_27444/dhcp-100-19-202.testrelm]
:: [ PASS ] :: clear kerberos tkts
ipa: ERROR: an internal error has occurred
:: [ FAIL ] :: set revoke reason to [7], cert should not be able to reuse (Expected 0, got 1)
:: [ FAIL ] :: revoke reason expected to be [7], actual [], test can not continue
  Unrevoked: False
  Error: One or more certificates could not be unrevoked
:: [ PASS ] :: cert-remove-hold always return 0(succes),we need more test to confirm remove hold fails
:: [ FAIL ] :: revocation reason not found in cert-show, test failed
  Certificate: [base64 data omitted]
  Subject: CN=dhcp-100-19-202.testrelm,O=TESTRELM
  Issuer: CN=Certificate Authority,O=TESTRELM
  Not Before: Mon Jun 13 13:39:27 2011 UTC
  Not After: Sat Dec 10 13:39:27 2011 UTC
  Fingerprint (MD5): 23:9d:48:e7:83:b9:64:0f:a5:37:16:d0:9d:87:e5:a6
  Fingerprint (SHA1): d3:08:d1:00:10:52:98:c8:99:eb:0e:26:34:56:0a:df:c0:8a:2d:6d
  Serial number: 21
:: [09:39:37] :: cert req [/tmp/tmp.cAcrn27OS8/certreq.2275.csr]
:: [ PASS ] :: kinit as admin

http errors_log:

[Mon Jun 13 09:39:30 2011] [error] ipa: INFO: admin@TESTRELM: ping(): SUCCESS
[Mon Jun 13 09:39:30 2011] [error] ipa: INFO: sslget 'https://dhcp-100-19-202.testrelm:9443/ca/agent/ca/doRevoke'
[Mon Jun 13 09:39:30 2011] [error] ipa: ERROR: non-public: XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
[Mon Jun 13 09:39:30 2011] [error] Traceback (most recent call last):
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 217, in wsgi_execute
[Mon Jun 13 09:39:30 2011] [error]     result = self.Command[name](*args, **options)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 422, in __call__
[Mon Jun 13 09:39:30 2011] [error]     ret = self.run(*args, **options)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 728, in run
[Mon Jun 13 09:39:30 2011] [error]     return self.execute(*args, **options)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 556, in execute
[Mon Jun 13 09:39:30 2011] [error]     result=self.Backend.ra.revoke_certificate(serial_number, **kw)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line 1544, in revoke_certificate
[Mon Jun 13 09:39:30 2011] [error]     parse_result = self.get_parse_result_xml(http_body, parse_revoke_cert_xml)
[Mon Jun 13 09:39:30 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line 1263, in get_parse_result_xml
[Mon Jun 13 09:39:30 2011] [error]     doc = etree.fromstring(xml_text, parser)
[Mon Jun 13 09:39:30 2011] [error]   File "lxml.etree.pyx", line 2532, in lxml.etree.fromstring (src/lxml/lxml.etree.c:48270)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 1545, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:71812)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 1424, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:70673)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 938, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:67442)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 539, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:63824)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 625, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:64745)
[Mon Jun 13 09:39:30 2011] [error]   File "parser.pxi", line 565, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:64088)
[Mon Jun 13 09:39:30 2011] [error] XMLSyntaxError: AttValue: " or ' expected, line 2, column 14
[Mon Jun 13 09:39:30 2011] [error] ipa: INFO: admin@TESTRELM: cert_revoke(u'21', revocation_reason=7): XMLSyntaxError

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-23.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. see description - this test is automated
2.
3.

Actual results:

Expected results:

Additional info:

https://fedorahosted.org/freeipa/ticket/1318

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/cbc5df4536320843f3eed0dc54755bf21922e2c7
ipa-2-0: https://fedorahosted.org/freeipa/changeset/cae4de5036b7d565f9dc1ea140070fc753c9c66c

what is 7 not valid now ???

ipa: ERROR: Certificate operation cannot be completed: 7 is not a valid revocation reason

reason 7 is not defined. See section 5.3.1 in http://www.ietf.org/rfc/rfc5280.txt

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: A request to set a certificate revocation reason to 7 would cause the request to fail.
Consequence: The certificate was not revoked.
Fix: Reason 7 is not a valid revocation reason according to RFC 5280.
Result: An error message is returned to the user.

Verified using ipa-server-2.1.3-8.el6.x86_64

# ipa cert-revoke 17 --revocation-reason=7
ipa: ERROR: Certificate operation cannot be completed: 7 is not a valid revocation reason

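An added example, not FreeIPA's own code: one way to reject a revocation reason outside the CRLReason values of RFC 5280 section 5.3.1 before the CA is contacted, so that 7 yields a controlled error rather than an internal one. `CertificateOperationError`, `parse_revocation_reason`, `can_remove_hold` and `check_requests` are hypothetical names, and the sample inputs are constructed.

```python
from enum import IntEnum


class CRLReason(IntEnum):
    """CRLReason codes from RFC 5280 section 5.3.1; 7 is not assigned."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9
    aACompromise = 10


class CertificateOperationError(Exception):
    """Hypothetical error type, named for this example only."""


def parse_revocation_reason(value):
    """Map user input to a CRLReason; str() first rejects True and 6.0."""
    try:
        return CRLReason(int(str(value).strip()))
    except ValueError:
        raise CertificateOperationError(
            "Certificate operation cannot be completed: "
            "%s is not a valid revocation reason" % value) from None


def can_remove_hold(reason):
    """Only a certificate revoked with certificateHold can be unrevoked."""
    return reason is CRLReason.certificateHold


def check_requests(values):
    """Return (input, outcome) pairs for constructed sample inputs."""
    results = []
    for v in values:
        try:
            results.append((v, parse_revocation_reason(v).name))
        except CertificateOperationError as exc:
            results.append((v, str(exc)))
    return results


if __name__ == "__main__":
    print(check_requests(["1", 6, "7", "11", "abc"]))
```
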
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html