Bug 910470 - [RFE] Add CRL and OCSP CNAME to certificate profile
Summary: [RFE] Add CRL and OCSP CNAME to certificate profile
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-02-12 17:34 UTC by Namita Soman
Modified: 2014-06-18 00:05 UTC (History)
CC List: 4 users

Fixed In Version: ipa-3.2.2-1.el7
Doc Type: Enhancement
Doc Text:
Feature: Add round-robin DNS name for the IPA CA, pointing to all active IPA CA masters. Use the name for CRL and OCSP URIs in the IPA certificate profile. Reason: Allow load balancing and fault tolerance when checking revocation status of IPA certificates online. Result (if any): When any of the IPA CA masters is removed or unavailable, it does not affect the ability to check revocation status of any of the certificates issued by the IPA CA.
Clone Of:
Environment:
Last Closed: 2014-06-13 13:18:38 UTC
Target Upstream Version:
Embargoed:



Description Namita Soman 2013-02-12 17:34:56 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3074

This is related to https://fedorahosted.org/freeipa/ticket/1431

We should update our certificate profile to add the CRL and OCSP CNAME as an additional URL to the current URL (which uses the actual IPA server hostname).  The CNAME URL should be listed before the server hostname URL.

This change can (and should) be made before ticket 1431 is addressed.

Comment 1 Martin Kosek 2013-02-21 08:59:28 UTC
Fixed upstream:

master: 867f7691e9e8d4dc101d227ca56a94f9b947897f

Comment 2 Martin Kosek 2013-05-02 12:28:23 UTC
Relevant upstream design page for this important change:
http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs

Comment 3 Martin Kosek 2013-06-20 10:57:57 UTC
One additional upstream fix for Apache config so that CRL can be really downloaded via plain HTTP:

master: 6118b73fab1bfbbbaf0ce10ebb48fb3864b90a5e
ipa-3-2: 020b4a7b3110d743d8a59202670f529500428c4e

Comment 5 Namita Soman 2014-03-05 20:26:31 UTC
Verified using ipa-server-3.3.3-19

Test automation result:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-functionalservices-ldap-010: Verifying usage of new OCSP URI when creating new certs bz910470
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 05:32:46 ] ::  execute expect file: /tmp/kinit.12854.exp

set timeout 30
set force_conservative 0 
set send_slow {1 .001} 
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof 
spawn /usr/bin/kinit -V admin
Using existing cache: persistent:0:0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 05:32:46 ] ::  Success: kinit as [admin] with password [Secret123] was successful.
:: [   PASS   ] :: Get administrator credentials (Expected 0, got 0)
:: [ 05:32:48 ] ::  running: openssl req -new -config /opt/rhqa_ipa/hp-dl380pgen8-02-vm-8.testrelm.test-cert-req.conf -out /opt/rhqa_ipa/hp-dl380pgen8-02-vm-8.testrelm.test-cert-req.csr
Generating a 2048 bit RSA private key
..............................................................+++
.......................................................................................+++
writing new private key to '/opt/rhqa_ipa/hp-dl380pgen8-02-vm-8.testrelm.test.key'
-----
:: [   PASS   ] :: Create a new CSR to work with (Expected 0, got 0)
:: [ 05:32:48 ] ::  running: ipa cert-request --add --principal=EXAMPLE/hp-dl380pgen8-02-vm-8.testrelm.test /opt/rhqa_ipa/hp-dl380pgen8-02-vm-8.testrelm.test-cert-req.csr
:: [   PASS   ] :: Request the csr into IPA (Expected 0, got 0)
  Certificate: MIIEKTCCAxGgAwIBAgIBETANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNU...
  Subject: CN=hp-dl380pgen8-02-vm-8.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed Mar 05 10:32:49 2014 UTC
  Not After: Sat Mar 05 10:32:49 2016 UTC
  Fingerprint (MD5): c7:c1:ab:d7:85:68:db:19:64:71:a2:d6:a7:04:d0:d6
  Fingerprint (SHA1): e9:39:6f:0c:ef:60:85:ba:ea:33:51:89:b3:69:f2:c8:58:84:96:cf
  Serial number (hex): 0x11
  Serial number: 17
:: [   PASS   ] :: Pull cert number 17 down to /opt/rhqa_ipa/hp-dl380pgen8-02-vm-8.testrelm.test.cert (Expected 0, got 0)
                  URI:http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin
:: [   PASS   ] :: make sure that http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin is the uri in the created cert (Expected 0, got 0)
                OCSP - URI:http://ipa-ca.testrelm.test/ca/ocsp
:: [   PASS   ] :: make sure that http://ipa-ca.testrelm.test/ca/ocsp is the uri in the created cert (Expected 0, got 0)
Response Verify Failure
140617838692256:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:self signed certificate in certificate chain
17: good
:: [   PASS   ] :: Checking status of cert  using openssl to ensure that it tests as good. (Expected 0, got 0)
'772f5d5c-f7c8-4493-b9e5-6601533ed187'
ipa-functionalservices-ldap-010 result: PASS
   metric: 0
   Log: /var/tmp/beakerlib-19597235/journal.txt
    Info: Searching AVC errors produced since 1394015353.86 (Wed Mar  5 05:29:13 2014)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.E0d7Cu
:
   AvcLog: /mnt/testarea/tmp.E0d7Cu

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-functionalservices-ldap-011: Verifying usage of new OCSP URI of a revoked cert bz910470
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

  Revoked: True
:: [   PASS   ] :: Revoking Certificate 17 (Expected 0, got 0)
  Certificate: MIIEKTCCAxGgAwIBAgIBETANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNU
UkVMTS5URVNUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTQw
MzA1MTAzMjQ5WhcNMTYwMzA1MTAzMjQ5WjBGMRYwFAYDVQQKEw1URVNUUkVMTS5U
RVNUMSwwKgYDVQQDEyNocC1kbDM4MHBnZW44LTAyLXZtLTgudGVzdHJlbG0udGVz
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM5/IVOSVKMkHKagh6+5
tAYqjdi/DoMnJsK5lkS0wELP9gpPVS/16kVUA99X/ZyrBLrNHTkyqR+PRrBcKPIh
jAedpsUYEGNkqUKvD11V7880cdS6hRJ4WQwDPU3ZDFPuDKjr3t/ZBNLl95Tnu9Gm
iYkpTqOfpU+3HnazeE+1WrHBZbb5D4KHVogb0mRAgXER7KeiBA2DMiLqFzjtOzEL
fxSc4+1O/Ph2o/bs9/lyLF7aC31vioU6jX4PjwwHSEJ0c5ZSXnM2IT5EKF6KtSuo
z3V4B2Eb1PqwVfDy/qnZTnt8wkglzW2DB6zanECAHf1+LZnb+IdOy6kx4ZBjSLhz
OsUCAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFG25XwEuPkuCN1e5wBSc6GDKSJvt
MD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0
cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNh
LnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYD
VQQKEwVpcGFjYTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1Ud
DgQWBBSyrIcN0nHvutUdDe+yRjmEbxJfWDANBgkqhkiG9w0BAQsFAAOCAQEAVXVf
tihGcecUjd5+O33ovaGoGnXUtCq46uCXs6HH0sELzBeNffw00Y+q4Towzh6RfZty
OV5XQfABBmh8O3yK0pKeNo31SeV3929c3iIDjdU6jrafyKj7akCifWUEZCChewf/
CeF6kcsaMfI5DBnKaDRpYFP72lGwoJA7WhWTmU3sYxktAYCD8jQipdrlmQUBCy/P
j8kjV0ug5EisL1qmj4MDA9sOyIhpELABNbewBTgeNyQl65/KRyQ15OGrX85QQYl5
4CNJMf67qApz4ybVcbH5SanCEFVhIb6kpCPx/DW9UPn9m1FcS/4oWIuMdQBYbtae
Teqa8FKr0LjxEysc6A==
  Subject: CN=hp-dl380pgen8-02-vm-8.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed Mar 05 10:32:49 2014 UTC
  Not After: Sat Mar 05 10:32:49 2016 UTC
  Fingerprint (MD5): c7:c1:ab:d7:85:68:db:19:64:71:a2:d6:a7:04:d0:d6
  Fingerprint (SHA1): e9:39:6f:0c:ef:60:85:ba:ea:33:51:89:b3:69:f2:c8:58:84:96:cf
  Revocation reason: 0
  Serial number (hex): 0x11
  Serial number: 17
:: [   PASS   ] :: Pull cert number 17 down to /opt/rhqa_ipa/hp-dl380pgen8-02-vm-8.testrelm.test.cert (Expected 0, got 0)
                  URI:http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin
:: [   PASS   ] :: make sure that http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin is the uri in the created cert (Expected 0, got 0)
                OCSP - URI:http://ipa-ca.testrelm.test/ca/ocsp
:: [   PASS   ] :: make sure that http://ipa-ca.testrelm.test/ca/ocsp is the uri in the created cert (Expected 0, got 0)
Response Verify Failure
140309973620640:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:self signed certificate in certificate chain
:: [   PASS   ] :: Checking status of cert 17 using openssl to ensure it does not test as valid (Expected 1, got 1)
Response Verify Failure
140023721215904:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:self signed certificate in certificate chain
17: revoked
:: [   PASS   ] :: Checking status of cert 17 using openssl to ensure it tests as revoked (Expected 0, got 0)
'ff000d15-b56d-46c5-b276-afaba8389a94'
ipa-functionalservices-ldap-011 result: PASS

Comment 6 Ludek Smid 2014-06-13 13:18:38 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

