Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1327092
Created attachment 1147087
Observations 7.2.2,7.2.1 and 7.2GA

Description of problem:
URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.6.x86_64

How reproducible:
Intermittent

Steps to Reproduce:
1. Configure IPA server with RHEL 7.2up2.
2. Create temporary directory inside tmp. (mkdir /tmp/test)
3. cd /tmp/test
4. Execute following bash script. (Make sure you update the DOMAIN and MASTER as per your setup, in my case it is "testrelm.test" and respective ipa server hostname as MASTER).
5. BASH script:

###########Script start ##############
#!/bin/bash
# Authenticate as the IPA admin
echo "Secret123" | kinit admin
export MASTER=`hostname`
export DOMAIN=testrelm.test

# Build the OpenSSL request configuration
echo '[ req ]
default_bits = 2048' > $MASTER-cert-req.conf
echo 'distinguished_name = test_key_file
prompt = no
output_password = ..
[ test_key_file ]
C = US
ST = CA
L = SFO
O = RedHat Technology
OU = RedHat IT' >> $MASTER-cert-req.conf
echo "CN = $MASTER" >> $MASTER-cert-req.conf

# Generate the CSR and request a certificate from IPA
csrfile="$MASTER-cert-req.csr"
openssl req -new -config $MASTER-cert-req.conf -out $csrfile
outfile="ipa-functionalservices-ldap-010-output"
ipa cert-request --add --principal=EXAMPLE/`hostname` $csrfile > $outfile

# Extract the serial number (4th space-separated field) and fetch the certificate
export certnum=$(cat $outfile | grep Serial\ number: | sed s=\ \ =\ =g | cut -d' ' -f4)
ipa cert-show $certnum --out=$MASTER.cert

# Check the CRL distribution point and OCSP URIs in the issued certificate
expecteduri="http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin"
expectedocsp="http://ipa-ca.$DOMAIN/ca/ocsp"
openssl x509 -text -in $MASTER.cert
openssl x509 -text -in $MASTER.cert | grep URI | grep -v OCSP | grep $expecteduri
openssl x509 -text -in $MASTER.cert | grep URI | grep OCSP | grep $expectedocsp
#### Script END ##########

Actual results:
1. URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2.
2. On executing command "openssl x509 -text -in $MASTER.cert" following OCSP URI details are found instead of expected value inside variables "expecteduri" and "expectedocsp".
   OCSP - URI:http://apollo.testrelm.test:80/ca/ocsp
3. Refer attached console output log for 7.2.2, 7.2.1 and 7.2GA using this script for reference.

Expected results:
The URI and OCSP-URI details should be correctly displayed when certificate is generated using IPA on RHEL 7.2up2.

Additional info:
1. When the same steps are tested for 7.2 GA and 7.2up1, the issue is not observed and URI and OCSP-URI details are available correctly.
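The final two grep pipelines in the script above print nothing on failure, so they cannot tell a missing CRL distribution point from an OCSP URI that points at the wrong host. The following is an added example, not part of the original report or of FreeIPA: it classifies both cases from `openssl x509 -text` output. The function names and the two embedded certificate excerpts are constructed for illustration; the expected URIs and the `apollo.testrelm.test` value are taken from the report.

```shell
# Added example (not from the ticket): classify the CRL and OCSP URIs found in
# `openssl x509 -text` output read on stdin.
ocsp_uris() {   # OCSP responder URIs from Authority Information Access
    sed -n 's/^[[:space:]]*OCSP - URI://p'
}
crl_uris() {    # URIs listed under X509v3 CRL Distribution Points only
    awk '/X509v3 CRL Distribution Points/ { in_crl = 1; next }
         /^ *(X509v3 |Authority Information Access|Signature Algorithm)/ { in_crl = 0 }
         in_crl && /URI:/ { sub(/^.*URI:/, ""); print }'
}
verdict() {     # verdict LABEL EXPECTED FOUND (FOUND is newline-separated)
    label=$1 want=$2 found=$3
    if [ -z "$found" ]; then
        echo "$label: MISSING (expected $want)"; return 1
    elif printf '%s\n' "$found" | grep -qxF "$want"; then
        echo "$label: OK"; return 0
    fi
    echo "$label: UNEXPECTED $(printf '%s' "$found" | tr '\n' ' ') (expected $want)"
    return 1
}
check_cert() {  # check_cert DOMAIN < text; returns 0 only if both URIs match
    domain=$1 text=$(cat) rc=0
    verdict CRL "http://ipa-ca.$domain/ipa/crl/MasterCRL.bin" \
        "$(printf '%s\n' "$text" | crl_uris)" || rc=1
    verdict OCSP "http://ipa-ca.$domain/ca/ocsp" \
        "$(printf '%s\n' "$text" | ocsp_uris)" || rc=1
    return $rc
}
sample_broken() {   # constructed excerpt reproducing the reported symptom
    cat <<'EOF'
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://apollo.testrelm.test:80/ca/ocsp
    Signature Algorithm: sha256WithRSAEncryption
EOF
}
sample_good() {     # constructed excerpt with the expected extensions
    cat <<'EOF'
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ipa-ca.testrelm.test/ca/ocsp
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin
    Signature Algorithm: sha256WithRSAEncryption
EOF
}
# Demo on the constructed broken excerpt (non-zero status is expected here)
sample_broken | check_cert testrelm.test || true
```

On a real host, pipe `openssl x509 -text -noout -in "$MASTER.cert"` into `check_cert "$DOMAIN"` instead of the constructed samples.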
Patch to prevent the issue is on list.
Proposed approach for repairing broken installations: https://www.redhat.com/archives/freeipa-devel/2016-May/msg00192.html
master:
ipa-4-2:
ipa-4-3:
Test: only 4.3, 4.4
Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.2.5