Bug 802912 - Error submitting certificate signing request
Summary: Error submitting certificate signing request
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-03-13 18:27 UTC by Rob Crittenden
Modified: 2012-06-20 13:21 UTC (History)
4 users (show)

Fixed In Version: ipa-2.2.0-6.el6
Doc Type: Bug Fix
Doc Text:
Cause: IPA certificate did not read a custom user certificate subject base when validating a new certificate issuer. Consequence: When IPA server is installed with a custom subject base and does not use default subject base, issuing new certificates in IPA Certificate Authority may return "invalid issuer" errors. Fix: Custom user certificate subject base is always read before the certificate issuer is being validated. Result: IPA server with a custom subject base no longer raise "invalid issuer" errors when certificates are being issued.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:21:10 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Rob Crittenden 2012-03-13 18:27:05 UTC
This bug is created as a clone of upstream ticket:

https://fedorahosted.org/freeipa/ticket/2521

I'm using ipa-server-2.1.3-9.el6.x86_64 in centog 6.2.

I'm trying to setup the dovecot SSL part. I followed the documentation and created the csr file (actually, in many ways...), but any csr I tried returns a: 

ipa: ERROR: Certificate operation cannot be completed: Issuer "CN=Certificate Authority,DC=xxxxx,DC=yy" does not match the expected issuer

I tried to change the csr subject in many ways, but the error remains. I have found no informations in the documentation, or even in Google... The only non-standard thing that I've done during the installation is using "--subject" in ipa-server-install.

P.S.: my apologies, my english is alpha version...

Comment 1 Jenny Severance 2012-03-20 19:14:11 UTC
Please add steps to reproduce this issue. Thanks

Comment 2 Rob Crittenden 2012-03-20 21:11:41 UTC
Install IPA using --subject= something other than O=$REALM and issue a certificate using ipa cert-request.

Comment 3 Rob Crittenden 2012-03-27 14:03:55 UTC
fixed upstream

master: 6d5555eb54cdbe19d4f2f05a340b9ea7ccf2369f

ipa-2-2: 5babb3637358c034db6a26c8d64e1edde640fc80

To test install using the --subject option (e.g. O=Test) and confirm that issued certificates use this subject base and certificates can be issued using ipa cert-request.

Comment 6 Kaleem 2012-04-03 11:37:08 UTC
Verified

IPA Sever version:
==================
[root@ipa63server tmp]# rpm -q ipa-server
ipa-server-2.2.0-7.el6.x86_64
[root@ipa63server tmp]#


(1)Installation is successful with --subject="O=Test"

[root@ipa63server ipa-cert]# ipa-server-install --hostname=`hostname` -r TESTRELM.COM -n testrelm.com --subject="O=Test" -p Secret123 -P Secret123 -a Secret123 -U

(2)Certificates issued are having subject based as "Test"

[root@ipa63server ipa-cert]# ipa cert-show 1|grep Test
  Subject: CN=Certificate Authority,O=Test
  Issuer: CN=Certificate Authority,O=Test
[root@ipa63server ipa-cert]#

(3)Also "ipa cert-request" issues certificate with same subject base "O=Test" .

[root@ipa63server tmp]# ipa cert-request test.req --add --principal=service/ipa63server.testrelm.com --request-type=pkcs10
  Certificate: MIIDlzCCAn+gAwIBAgIBDDANBgkqhkiG9w0BAQsFADAvMQ0wCwYDVQQKEwRUZXN0MR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIwNDAzMTEwMjE3WhcNMTQwNDA0MTEwMjE3WjAyMQ0wCwYDVQQKEwRUZXN0MSEwHwYDVQQDExhpcGE2M3NlcnZlci50ZXN0cmVsbS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChdyYt8cIOsU6dBYfBnVk5+h7QB83OfhgLpvtEDOH7kn7GZVUcp1k3Y2UcR2+oYNrzC51XxwthakC5bFZs8mKiBba60lHC41nYv8yZDkkM1ZBEPY+fADHgZeRcEwTZ3hgoZUJVbRPpjdIzQmBh0IVVi3eSF822emMXVuNpGs3JPbAMuybjB2cuEDC789daPZp//zNcV6VbV05TVzWzVZqaVfhY9DyIAsaP4uXgYWqApNzw3js/aXf7A6+a2aiQ+H7S8aLO3DcVoD6bVAsJHIxZmG/ScBbOcwALql3+Jjj4L/VHgarPOR/JjLqFfgKVaczqVgOo+wC37gjMxKt53tftAgMBAAGjgbowgbcwHwYDVR0jBBgwFoAUU6+MY+ERx1sYN0OZhpxnVeLK0pswRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vaXBhNjNzZXJ2ZXIudGVzdHJlbG0uY29tOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUlNV+WCUey9Pm9zJzcmfI8IC9GZYwDQYJKoZIhvcNAQELBQADggEBAJ5b8W2z82jTBVtSwzPNdvcBA3/GonKaJ11y2Mhu6yh2rt1MefNj3vjxp1cuxl5+RnQ1ssdDVCuy7zCPHhzwcOHmKgxvECBg6PnNrO4ZXL1KhxYaJ8WNxlOF63tw3V/d4gEsC6hctqQ4ZHG0gWqTFB9QFYhJuMgEJgw1Jari8Jg/EXR5BwjpH0u0pQp/os5ijD4gO8G07QJ1xSZpg4ZyThFqOtvC/oiq604xNfRBb3I3N+9gitzkDD1uYso6MM/w7uJtG+9oPHgC7TKhI216bECWBSijmXj8XjRJeLztloxZWMFWw2ohMWYYzwQAG3SU9q8f2nb/jCtTpzz2LdtLeiA=
  Subject: CN=ipa63server.testrelm.com,O=Test
  Issuer: CN=Certificate Authority,O=Test
  Not Before: Tue Apr 03 11:02:17 2012 UTC
  Not After: Fri Apr 04 11:02:17 2014 UTC
  Fingerprint (MD5): e7:2b:02:d3:8d:21:6d:a0:d8:55:3d:90:08:8d:58:19
  Fingerprint (SHA1): dd:67:1f:be:2b:aa:d6:b2:13:13:cf:73:36:ae:8d:1b:9f:55:62:e3
  Serial number: 12
  Serial number (hex): 0xC
[root@ipa63server tmp]#

Comment 7 Martin Kosek 2012-04-24 13:56:33 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: IPA certificate did not read a custom user certificate subject base when validating a new certificate issuer.
Consequence: When IPA server is installed with a custom subject base and does not use default subject base, issuing new certificates in IPA Certificate Authority may return  "invalid issuer" errors.
Fix: Custom user certificate subject base is always read before the certificate issuer is being validated.
Result: IPA server with a custom subject base no longer raise "invalid issuer" errors when certificates are being issued.

Comment 9 errata-xmlrpc 2012-06-20 13:21:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html


Note You need to log in before you can comment on or make changes to this bug.