Bug 824027 - ipa cert-status serialnumber on a ipa replica created with --setup-ca option throws "Error: Record not found"
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kosek
QA Contact: IDM QE LIST
Reported: 2012-05-22 11:27 EDT by Asha Akkiangady
Modified: 2015-01-16 09:27 EST
Doc Type: Bug Fix
Last Closed: 2015-01-16 09:27:27 EST
Type: Bug
Description Asha Akkiangady 2012-05-22 11:27:25 EDT
Description of problem:
ipa cert-status serialnumber on an ipa replica created with the --setup-ca option throws "Error: Record not found"

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-14.el6

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server.
2. Install an ipa replica using the --setup-ca option.
3. Create a certificate
# kinit admin
Password for admin@TESTRELM.COM: 
# ipa service-add service_10499/wolverine.testrelm.com@TESTRELM.COM
# openssl req -out /tmp/certreq.18578.csr -new -newkey rsa:2048 -nodes -keyout /tmp/certprikey.32054.key
Generating a 2048 bit RSA private key
.....................................................+++
...........................................................................................................................................................................+++
writing new private key to '/tmp/certprikey.32054.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:Mountain View
Organization Name (eg, company) [Default Company Ltd]:IPS
Organizational Unit Name (eg, section) []:QA
Common Name (eg, your name or your server's hostname) []:wolverine.testrelm.com
Email Address []:ipaqa@redhat.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ipa cert-request --principal=service_10499/wolverine.testrelm.com@TESTRELM.COM /tmp/certreq.18578.csr > /tmp/certcreate.txt
# grep "Serial number"  /tmp/certcreate.txt | cut -d":" -f2 | xargs echo
268370018 0xFFF0062
# ipa cert-status 268370018
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Request ID 268370018 was not found in the request queue.)

Actual results:
/var/lib/pki-ca/logs/debug has this error:

[22/May/2012:10:59:57][TP-Processor2]: CMSServlet:service() uri = //ca/ee/ca/checkRequest
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet::service() param name='xml' value='true'
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet::service() param name='requestId' value='268370018'
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: caCheckRequest start to service.
[22/May/2012:10:59:57][TP-Processor2]: checkRequest: in process!
[22/May/2012:10:59:57][TP-Processor2]: IP: 10.16.96.82
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: no authMgrName
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: in auditSubjectID
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: auditSubjectID auditContext {locale=en_US, ipAddress=10.16.96.82}
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet auditSubjectID: subjectID: null
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: in auditGroupID
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: auditGroupID auditContext {locale=en_US, ipAddress=10.16.96.82}
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet auditGroupID: groupID: null
[22/May/2012:10:59:57][TP-Processor2]: checkACLS(): ACLEntry expressions= user="anybody"
[22/May/2012:10:59:57][TP-Processor2]: evaluating expressions: user="anybody"
[22/May/2012:10:59:57][TP-Processor2]: evaluated expression: user="anybody" to be true
[22/May/2012:10:59:57][TP-Processor2]: DirAclAuthz: authorization passed
[22/May/2012:10:59:57][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][aclResource=certServer.ee.requestStatus][Op=read] authorization success

[22/May/2012:10:59:57][TP-Processor2]: In LdapBoundConnFactory::getConn()
[22/May/2012:10:59:57][TP-Processor2]: masterConn is connected: true
[22/May/2012:10:59:57][TP-Processor2]: getConn: conn is connected true
[22/May/2012:10:59:57][TP-Processor2]: getConn: mNumConns now 2
[22/May/2012:10:59:57][TP-Processor2]: returnConn: mNumConns now 3
[22/May/2012:10:59:57][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Success][Role=<null>] assume privileged role

[22/May/2012:10:59:57][TP-Processor2]: checkRequest: requestId 268370018
[22/May/2012:10:59:57][TP-Processor2]: In LdapBoundConnFactory::getConn()
[22/May/2012:10:59:57][TP-Processor2]: masterConn is connected: true
[22/May/2012:10:59:57][TP-Processor2]: getConn: conn is connected true
[22/May/2012:10:59:57][TP-Processor2]: getConn: mNumConns now 2
[22/May/2012:10:59:57][TP-Processor2]: Error: Record not found
Record not found
	at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:159)
	at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:115)
	at com.netscape.cmscore.request.RequestQueue.readRequest(RequestQueue.java:78)
	at com.netscape.cmscore.request.ARequestQueue.findRequest(ARequestQueue.java:310)
	at com.netscape.cms.servlet.request.CheckRequest.process(CheckRequest.java:266)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:501)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
	at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
	at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
	at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
	at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
	at java.lang.Thread.run(Thread.java:679)

Expected results:
ipa cert-status should respond with good info.

Additional info:
ipa cert-status works fine on an ipa client and an ipa replica created with no --setup-ca option.
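
Added example, not part of the original report or of the IPA/Dogtag code: a small triage script that folds debug-log lines in the format quoted above into one record per servlet call, then lists checkRequest lookups that arrived with no subject and ended in an error. The sample lines are constructed from the excerpt; the function names are hypothetical.

```python
import re

# Constructed sample in the format of the /var/lib/pki-ca/logs/debug excerpt above.
SAMPLE_LOG = """\
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet:service() uri = //ca/ee/ca/checkRequest
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet::service() param name='requestId' value='268370018'
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet auditSubjectID: subjectID: null
[22/May/2012:10:59:57][TP-Processor2]: evaluated expression: user="anybody" to be true
[22/May/2012:10:59:57][TP-Processor2]: Error: Record not found
Record not found
"""

LINE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]: (.*)$")
URI = re.compile(r"CMSServlet::?service\(\) uri = (\S+)")
PARAM = re.compile(r"param name='([^']*)' value='([^']*)'")
SUBJECT = re.compile(r"subjectID: (\S+)")
ACL = re.compile(r"evaluated expression: (.+) to be (true|false)")

def parse_calls(log_text):
    """Return one dict per servlet call, opened by each thread's 'uri =' line."""
    calls, open_call = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace frames and other continuation lines
        ts, thread, msg = m.groups()
        uri = URI.search(msg)
        if uri:
            open_call[thread] = {"ts": ts, "uri": uri.group(1), "params": {},
                                 "subject": None, "acl": None, "error": None}
            calls.append(open_call[thread])
            continue
        call = open_call.get(thread)
        if call is None:
            continue  # line seen before any 'uri =' line on this thread
        if (p := PARAM.search(msg)):
            call["params"][p.group(1)] = p.group(2)
        elif (s := SUBJECT.search(msg)):
            call["subject"] = s.group(1)
        elif (a := ACL.search(msg)):
            call["acl"] = a.group(1)  # the ACL expression that was evaluated
        elif msg.startswith("Error: "):
            call["error"] = msg[len("Error: "):]
    return calls

def failed_anonymous_lookups(calls):
    """checkRequest calls logged with subjectID null that ended in an error."""
    return [c for c in calls if c["uri"].endswith("/checkRequest")
            and c["subject"] == "null" and c["error"]]
```
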
Comment 4 Martin Kosek 2015-01-16 09:27:27 EST
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

This error is not known to be happening with current versions of IdM/FreeIPA in the RHEL-7 product. Also note that it was reported against RHEL-6/Dogtag 10, while current IdM/FreeIPA uses Dogtag 10 where the bug is likely to be already fixed.

If you happen to reproduce this bug, please feel free to reopen it.
