Bug 749357 - Replica throws error when adding a host cert.
Summary: Replica throws error when adding a host cert.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Deon Ballard
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 750592
Reported: 2011-10-26 19:32 UTC by Namita Soman
Modified: 2011-12-09 15:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The IPA replication topology may be different from the CA replication topology. This means that you can have replication of IPA data and not of CA data. The impact of this is that the CAs may not have the same view of issued certificates. When a host or service is deleted, any certificates that have been issued are revoked. If the CA cannot revoke a certificate (because it is unknown, for example) a fatal error will be raised. The sequence for this might look something like: 1. Install IPA server on host A 2. Install replica on host B with a CA configured 3. Use ipa-csreplica-manage to break the replication agreement between A and B 4. Add a host to A 5. Issue a certificate for the host on host A The host will exist on both A and B and both will show a valid certificate. Only the CA on A has a copy of the certificate. Deleting the host on B will fail because the CA on B doesn't have a copy of the certificate.
Clone Of:
Clones: 750592
Environment:
Last Closed: 2011-12-09 15:47:36 UTC
Target Upstream Version:
Embargoed:



Description Namita Soman 2011-10-26 19:32:51 UTC
Description of problem:
Replica throws error when adding a host cert.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Install Master, Replica
2. From the replica, add a host
3. Add a new certificate for this host
  
Actual results:
Throws error:
Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0xfff000a not found)
Retry/Cancel
I can hit retry or cancel, and the cert is added

Expected results:
No error, cert should be added

Additional info:

Comment 2 Rob Crittenden 2011-10-26 19:54:30 UTC
Can you provide more details how you are adding a new cert? Where did this cert come from?

Comment 3 Jenny Severance 2011-10-26 20:13:31 UTC
I can help here ..

add a new host
generate a csr for the host
from the Web UI, edit the host ... New Certificate, paste request and submit ..

Comment 4 Rob Crittenden 2011-10-27 18:56:33 UTC
I don't understand.

The original bug report is that a certificate for a replica host cannot be replaced.

c#3 says that certificate issuance over the webUI doesn't work at all for any host. I am unable to duplicate this, I can issue certs.

When a certificate is requested for a host that already has one the first thing we do is attempt to revoke the existing certificate. Is it possible that in replication testing you ended up with a host certificate that was issued by a replica that is disconnected?

Comment 5 Namita Soman 2011-10-28 01:27:35 UTC
Sorry - I wasn't clear.

Here I have a master and replica, but I am not replacing the cert for the replica host. I am actually performing the actions on the replica server, using the UI on the replica. From the replica, add a new host, edit the host, and issue the cert, generated using certutil for this host. This throws an error, but adds the new cert.

Can you issue cert for a new host from the replica, without getting the error?

Comment 6 RHEL Program Management 2011-10-31 05:47:32 UTC
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 9 Rob Crittenden 2011-11-08 20:00:43 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
The IPA replication topology may be different from the CA replication topology. This means that you can have replication of IPA data and not of CA data.

The impact of this is that the CAs may not have the same view of issued certificates.

When a host or service is deleted any certificates that have been issued are revoked. If the CA cannot revoke a certificate (because it is unknown for example) a fatal error will be raised.

The sequence for this might look something like:

1. Install IPA server on host A
2. Install replica on host B with a CA configured
3. Use ipa-csreplica-manage to break the replication agreement between A and B
4. Add a host to A
5. Issue a certificate for the host on host A

The host will exist on both A and B and both will show a valid certificate. Only the CA on A has a copy of the certificate.

Deleting the host on B will fail because the CA on B doesn't have a copy of the certificate.
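
The five-step sequence above, as a constructed Python model added here to make the topology mismatch concrete (this is not IPA code; the server names, host name and the synchronous, symmetric replication are assumptions, and the serial is the one from the bug's error message):

```python
from dataclasses import dataclass, field

class CertOperationError(Exception):
    """Stands in for IPA's fatal 'Certificate operation cannot be completed' error."""

@dataclass
class Server:
    name: str
    hosts: dict = field(default_factory=dict)      # host -> serial on its entry (IPA data)
    ca_serials: set = field(default_factory=set)   # serials the local CA knows (CA data)
    ipa_peers: list = field(default_factory=list)  # IPA replication agreements
    ca_peers: list = field(default_factory=list)   # CA replication agreements

def add_host(server, host):
    for s in (server, *server.ipa_peers):          # host entries replicate as IPA data
        s.hosts[host] = None

def revoke(server, serial):
    if serial not in server.ca_serials:            # unknown to this CA: fatal, per the Doc Text
        raise CertOperationError(f"Certificate serial number {serial:#x} not found")
    for s in (server, *server.ca_peers):
        s.ca_serials.discard(serial)

def issue_cert(server, host, serial):
    if server.hosts[host] is not None:             # comment 4: revoke the existing cert first
        revoke(server, server.hosts[host])
    for s in (server, *server.ca_peers):           # the issued cert replicates only as CA data
        s.ca_serials.add(serial)
    for s in (server, *server.ipa_peers):          # the host's certificate attribute as IPA data
        s.hosts[host] = serial

def delete_host(server, host):
    if server.hosts[host] is not None:             # host-del revokes before removing the entry
        revoke(server, server.hosts[host])
    for s in (server, *server.ipa_peers):
        del s.hosts[host]

def ca_view_consistent(servers, host):
    """Check worth running before host-del: does each CA know the host's serial?"""
    return {s.name: s.hosts[host] in s.ca_serials for s in servers}

def scenario(break_ca):
    """Steps 1-5 of the Doc Text. Host name is assumed; serial is the bug's 0xfff000a."""
    a, b = Server("A"), Server("B")
    a.ipa_peers.append(b); b.ipa_peers.append(a)   # step 2: replica with a CA
    if not break_ca:                               # CA link stays up unless step 3 broke it
        a.ca_peers.append(b); b.ca_peers.append(a)
    add_host(a, "web.example.test")                # step 4
    issue_cert(a, "web.example.test", 0xFFF000A)   # step 5
    return a, b
```

With the CA agreement broken, `ca_view_consistent` reports B's CA as not knowing the serial, and `delete_host(b, ...)` raises the same "serial number not found" error the bug reports.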

Comment 10 Martin Prpič 2011-11-10 15:05:25 UTC
Is this the same description as in BZ#750596?

Thanks,
Martin

Comment 11 Rob Crittenden 2011-11-11 14:01:41 UTC
Looks like it to me.

Comment 12 Martin Prpič 2011-11-11 14:20:38 UTC
Ok, I believe one description is enough for this issue :) Removing flags.

Thanks,
Martin

Comment 13 RHEL Program Management 2011-11-15 06:47:24 UTC
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 14 Suzanne Logcher 2011-12-08 19:49:51 UTC

*** This bug has been marked as a duplicate of bug 750596 ***

Comment 15 Jenny Severance 2011-12-08 20:03:27 UTC
This bug is not a duplicate.  The other bug is after a replication agreement is removed.  This is with fully functional master and replica and trying to add a host certificate on the replica.  Re-opening bug.

Comment 16 Dmitri Pal 2011-12-08 23:21:34 UTC
Can you reproduce it at will? Do you have CA installed on the replica or replica does not have a CA?

Comment 17 Namita Soman 2011-12-09 15:47:36 UTC
Retested to provide info to your question above - and do not see the issue anymore. With and without CA installed on replica - can issue cert to a host successfully.

