Bug 802912 – Error submitting certificate signing request

Bug 802912 - Error submitting certificate signing request

Summary:	Error submitting certificate signing request

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	6.3
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Rob Crittenden
QA Contact:	IDM QE LIST
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2012-03-13 14:27 EDT by Rob Crittenden
Modified:	2012-06-20 09:21 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:	ipa-2.2.0-6.el6
Doc Type:	Bug Fix
Doc Text:	Cause: IPA certificate did not read a custom user certificate subject base when validating a new certificate issuer. Consequence: When IPA server is installed with a custom subject base and does not use default subject base, issuing new certificates in IPA Certificate Authority may return "invalid issuer" errors. Fix: Custom user certificate subject base is always read before the certificate issuer is being validated. Result: IPA server with a custom subject base no longer raise "invalid issuer" errors when certificates are being issued.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2012-06-20 09:21:10 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Rob Crittenden 2012-03-13 14:27:05 EDT

This bug is created as a clone of upstream ticket:

https://fedorahosted.org/freeipa/ticket/2521

I'm using ipa-server-2.1.3-9.el6.x86_64 in centog 6.2.

I'm trying to setup the dovecot SSL part. I followed the documentation and created the csr file (actually, in many ways...), but any csr I tried returns a: 

ipa: ERROR: Certificate operation cannot be completed: Issuer "CN=Certificate Authority,DC=xxxxx,DC=yy" does not match the expected issuer

I tried to change the csr subject in many ways, but the error remains. I have found no informations in the documentation, or even in Google... The only non-standard thing that I've done during the installation is using "--subject" in ipa-server-install.

P.S.: my apologies, my english is alpha version...

Comment 1 Jenny Galipeau 2012-03-20 15:14:11 EDT

Please add steps to reproduce this issue. Thanks

Comment 2 Rob Crittenden 2012-03-20 17:11:41 EDT

Install IPA using --subject= something other than O=$REALM and issue a certificate using ipa cert-request.

Comment 3 Rob Crittenden 2012-03-27 10:03:55 EDT

fixed upstream

master: 6d5555eb54cdbe19d4f2f05a340b9ea7ccf2369f

ipa-2-2: 5babb3637358c034db6a26c8d64e1edde640fc80

To test install using the --subject option (e.g. O=Test) and confirm that issued certificates use this subject base and certificates can be issued using ipa cert-request.

Comment 6 Kaleem 2012-04-03 07:37:08 EDT

Verified

IPA Sever version:
==================
[root@ipa63server tmp]# rpm -q ipa-server
ipa-server-2.2.0-7.el6.x86_64
[root@ipa63server tmp]#


(1)Installation is successful with --subject="O=Test"

[root@ipa63server ipa-cert]# ipa-server-install --hostname=`hostname` -r TESTRELM.COM -n testrelm.com --subject="O=Test" -p Secret123 -P Secret123 -a Secret123 -U

(2)Certificates issued are having subject based as "Test"

[root@ipa63server ipa-cert]# ipa cert-show 1|grep Test
  Subject: CN=Certificate Authority,O=Test
  Issuer: CN=Certificate Authority,O=Test
[root@ipa63server ipa-cert]#

(3)Also "ipa cert-request" issues certificate with same subject base "O=Test" .

[root@ipa63server tmp]# ipa cert-request test.req --add --principal=service/ipa63server.testrelm.com --request-type=pkcs10
  Certificate: MIIDlzCCAn+gAwIBAgIBDDANBgkqhkiG9w0BAQsFADAvMQ0wCwYDVQQKEwRUZXN0MR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIwNDAzMTEwMjE3WhcNMTQwNDA0MTEwMjE3WjAyMQ0wCwYDVQQKEwRUZXN0MSEwHwYDVQQDExhpcGE2M3NlcnZlci50ZXN0cmVsbS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChdyYt8cIOsU6dBYfBnVk5+h7QB83OfhgLpvtEDOH7kn7GZVUcp1k3Y2UcR2+oYNrzC51XxwthakC5bFZs8mKiBba60lHC41nYv8yZDkkM1ZBEPY+fADHgZeRcEwTZ3hgoZUJVbRPpjdIzQmBh0IVVi3eSF822emMXVuNpGs3JPbAMuybjB2cuEDC789daPZp//zNcV6VbV05TVzWzVZqaVfhY9DyIAsaP4uXgYWqApNzw3js/aXf7A6+a2aiQ+H7S8aLO3DcVoD6bVAsJHIxZmG/ScBbOcwALql3+Jjj4L/VHgarPOR/JjLqFfgKVaczqVgOo+wC37gjMxKt53tftAgMBAAGjgbowgbcwHwYDVR0jBBgwFoAUU6+MY+ERx1sYN0OZhpxnVeLK0pswRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vaXBhNjNzZXJ2ZXIudGVzdHJlbG0uY29tOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUlNV+WCUey9Pm9zJzcmfI8IC9GZYwDQYJKoZIhvcNAQELBQADggEBAJ5b8W2z82jTBVtSwzPNdvcBA3/GonKaJ11y2Mhu6yh2rt1MefNj3vjxp1cuxl5+RnQ1ssdDVCuy7zCPHhzwcOHmKgxvECBg6PnNrO4ZXL1KhxYaJ8WNxlOF63tw3V/d4gEsC6hctqQ4ZHG0gWqTFB9QFYhJuMgEJgw1Jari8Jg/EXR5BwjpH0u0pQp/os5ijD4gO8G07QJ1xSZpg4ZyThFqOtvC/oiq604xNfRBb3I3N+9gitzkDD1uYso6MM/w7uJtG+9oPHgC7TKhI216bECWBSijmXj8XjRJeLztloxZWMFWw2ohMWYYzwQAG3SU9q8f2nb/jCtTpzz2LdtLeiA=
  Subject: CN=ipa63server.testrelm.com,O=Test
  Issuer: CN=Certificate Authority,O=Test
  Not Before: Tue Apr 03 11:02:17 2012 UTC
  Not After: Fri Apr 04 11:02:17 2014 UTC
  Fingerprint (MD5): e7:2b:02:d3:8d:21:6d:a0:d8:55:3d:90:08:8d:58:19
  Fingerprint (SHA1): dd:67:1f:be:2b:aa:d6:b2:13:13:cf:73:36:ae:8d:1b:9f:55:62:e3
  Serial number: 12
  Serial number (hex): 0xC
[root@ipa63server tmp]#

Comment 7 Martin Kosek 2012-04-24 09:56:33 EDT

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: IPA certificate did not read a custom user certificate subject base when validating a new certificate issuer.
Consequence: When IPA server is installed with a custom subject base and does not use default subject base, issuing new certificates in IPA Certificate Authority may return  "invalid issuer" errors.
Fix: Custom user certificate subject base is always read before the certificate issuer is being validated.
Result: IPA server with a custom subject base no longer raise "invalid issuer" errors when certificates are being issued.

Comment 9 errata-xmlrpc 2012-06-20 09:21:10 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

Note You need to log in before you can comment on or make changes to this bug.