#4784 RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert
Closed: Fixed. Opened 9 years ago by jcholast.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1170003

Description of problem:

I'm trying to change the CA cert for IPA from externally signed (by MS ADCS) to
self-signed.  I'm getting "Record not found" errors for the cert request.

[root@rhel7-3 log]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Error resubmitting certmonger request '20141202205804', please check the
request manually


[root@rhel7-3 log]# getcert list -i 20141202205804
Number of certificates and requests being tracked: 8.
Request ID '20141202205804':
        status: MONITORING
        ca-error: Server at
"http://rhel7-3.example.com:8080/ca/ee/ca/profileSubmit" replied: Record not
found
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='321598787049'
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=subdom1-ADCS2-CA,DC=subdom1,DC=adroot2,DC=example,DC=com
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2016-11-11 01:22:59 UTC
        key usage: digitalSignature,keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64
certmonger-0.75.14-2.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
# Note this requires a working MS ADCS server.

1.  Install IPA with externally signed CA cert

# ipa-server-install --setup-dns --forwarder=192.168.122.1 \
    -r $(hostname -d | tr [:lower:] [:upper:]) \
    -a Secret123 -p Secret123 -U --external-ca

# copy ipa.csr to ADCS server and sign and copy back

# also copy ADCS CA cert chain back as DER p7b file.

# openssl pkcs7 -print_certs -in /root/adcs2.p7b -inform DER \
    -out /root/adcs2.pem

# ipa-server-install --setup-dns --forwarder=192.168.122.1 \
    -r $(hostname -d | tr [:lower:] [:upper:]) \
    -a Secret123 -p Secret123 -U \
    --external-cert-file=/root/ipa.cer --external-cert-file=/root/adcs2.pem

2.  Renew CA and change chaining from external to self-signed.

ipa-cacert-manage renew --self-signed

3.  Update client side:

ipa-certupdate

Actual results:
failure listed above

Expected results:
No failure and CA cert changed from externally signed to self-signed.

Additional info:

I assume this is different root cause than #4781, right?
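The `getcert list` output quoted in the report is what an administrator has to read by hand to tell whether the renewal actually went through. As an added example (not FreeIPA or certmonger code, and not part of the ticket), the following Python script parses that output, including the line-wrapped values exactly as they appear above, and flags a tracked CA signing certificate that still reports a `ca-error` or whose issuer differs from its subject, i.e. one that is still externally chained instead of self-signed as `ipa-cacert-manage renew --self-signed` is expected to leave it. The sample input is constructed from the ticket text; `parse_getcert_list`, `is_self_signed` and `audit` are this example's own names.

```python
"""Parse `getcert list` output and flag CA-cert tracking requests that are
stuck on a CA error or still chained to an external issuer.

Added example; not FreeIPA or certmonger code.  Field names follow the
`getcert list` format (status, ca-error, issuer, subject, ...).  SAMPLE is
constructed from the ticket text, including its 80-column line wrapping.
"""
import re

SAMPLE = """Number of certificates and requests being tracked: 8.
Request ID '20141202205804':
        status: MONITORING
        ca-error: Server at
"http://rhel7-3.example.com:8080/ca/ee/ca/profileSubmit" replied: Record not
found
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='321598787049'
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=subdom1-ADCS2-CA,DC=subdom1,DC=adroot2,DC=example,DC=com
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2016-11-11 01:22:59 UTC
        key usage: digitalSignature,keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
# A field line is indented; the name runs up to the first colon.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} for every tracked request."""
    requests = {}
    current = None
    field = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = REQUEST_RE.match(raw)
        if m:
            current = requests.setdefault(m.group(1), {})
            field = None
            continue
        if current is None:
            continue  # header such as "Number of certificates ..."
        m = FIELD_RE.match(raw)
        if m:
            field = m.group(1)
            current[field] = m.group(2).strip()
        elif field is not None:
            # Unindented line: continuation of a wrapped value, rejoin it.
            current[field] = (current[field] + " " + raw.strip()).strip()
    return requests


def _norm_dn(dn):
    """Normalise a DN string so 'A, B' and 'a,b' compare equal."""
    return ",".join(part.strip().lower() for part in (dn or "").split(","))


def is_self_signed(req):
    """True when the tracked cert's issuer DN equals its subject DN."""
    return _norm_dn(req.get("issuer")) == _norm_dn(req.get("subject"))


def audit(requests):
    """Return (request_id, kind, detail) findings worth an admin's attention."""
    findings = []
    for rid, req in requests.items():
        if req.get("ca-error"):
            findings.append((rid, "ca-error", req["ca-error"]))
        # Only CA signing certs (keyCertSign) are expected to be self-signed
        # after `ipa-cacert-manage renew --self-signed`.
        if "keyCertSign" in req.get("key usage", "") and not is_self_signed(req):
            findings.append((rid, "external-issuer", req.get("issuer", "")))
    return findings


if __name__ == "__main__":
    for rid, kind, detail in audit(parse_getcert_list(SAMPLE)):
        print(f"{rid}: {kind}: {detail}")
```

Run it against live output with `getcert list | python3 thisfile.py` after replacing `SAMPLE` with `sys.stdin.read()`; on the ticket's sample it reports both the `Record not found` CA error and the fact that the signing cert is still issued by the ADCS CA.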

master:

  • 1f6fff2 Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent

ipa-4-1:

  • 7f1db93 Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agen

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1.3

7 years ago
