#191 Certmonger segfault after cert renewal request
Closed: fixed 2 years ago by rcritten. Opened 3 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1881500

Description of problem:
Command

# ipa-getcert request -k /etc/pki/tls/private/cmgmr01.prod.csp.local.key -f /etc/pki/tls/certs/cmgmr01.prod.csp.local.pem

gets certmonger to segfault with error:

Sep  9 12:48:01 cmgmr01 kernel: certmonger[14515]: segfault at 0 ip 00007f09ca36cdaa sp 00007ffe4d9358c8 error 4 in libc-2.17.so[7f09ca22e000+1c3000]
Sep  9 12:48:01 cmgmr01 systemd: certmonger.service: main process exited, code=killed, status=11/SEGV
Sep  9 12:48:01 cmgmr01 systemd: Unit certmonger.service entered failed state.
Sep  9 12:48:01 cmgmr01 systemd: certmonger.service failed.

Version-Release number of selected component (if applicable):
certmonger-0.78.4-12.el7.x86_64

How reproducible:
always

Steps to Reproduce:
Described earlier

Actual results:
Certmonger enters failed state after segfault

Expected results:
Certmonger handles command correctly

Additional info:
After failing, certmonger restarts normally and works fine until another
request. Sosreport and coredump file are attached to the linked case.


[root@cmgmr01 chatfir]# getcert list
Number of certificates and requests being tracked: 2.
Request ID 'dogtag-ipa-renew-agent':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NONE
        certificate: type=FILE,location=''
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: no
        auto-renew: no
Request ID '20180911095336':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/opt/cloudera/security/key.pem'
        certificate: type=FILE,location='/opt/cloudera/security/cert.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=PROD.CSP.LOCAL
        subject: CN=cmgmr01.prod.csp.local,O=PROD.CSP.LOCAL
        expires: 2022-09-09 14:57:40 UTC
        dns: cmgmr01.prod.csp.local
        principal name: host/cmgmr01.prod.csp.local@PROD.CSP.LOCAL
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

How the request was created I don't know, but it is effectively empty:

id=dogtag-ipa-renew-agent
key_type=UNSPECIFIED
key_gen_type=UNSPECIFIED
key_size=0
key_gen_size=0
key_next_type=UNSPECIFIED
key_next_gen_type=UNSPECIFIED
key_next_size=0
key_next_gen_size=0
key_preserve=0
key_storage_type=NONE
key_perms=0
key_requested_count=0
key_issued_count=0
cert_storage_type=FILE
cert_perms=0
cert_is_ca=0
cert_ca_path_length=0
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_is_ca=0
template_ca_path_length=-1
template_no_ocsp_check=0
state=NEED_KEY_PAIR
autorenew=0
monitor=0
submitted=19700101000000

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Test added upstream in freeipa repository:
master:
- a8b2279 ipatests: Test empty cert request doesn't force certmonger to segfault
ipa-4-9:
- cbd9ac6 ipatests: Test empty cert request doesn't force certmonger to segfault
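
To find tracking requests like the effectively empty 'dogtag-ipa-renew-agent' entry in this ticket, the following added example (not part of the ticket, certmonger or the freeipa tests) parses request files and reports those with no usable key or certificate storage. The directory /var/lib/certmonger/requests, the field names key_storage_location and cert_storage_location, and the indented-continuation rule are assumptions not shown on the page; the sample data is constructed from the dump above.

```python
"""Flag certmonger tracking requests that have nothing usable to track."""
from pathlib import Path

# Assumption: certmonger's default request store (not stated in the ticket).
REQUEST_DIR = Path("/var/lib/certmonger/requests")

# Constructed samples: a subset of the ticket's empty request, and a healthy
# request modelled on the 'getcert list' output for 20180911095336.
SAMPLE_EMPTY = ("id=dogtag-ipa-renew-agent\nkey_type=UNSPECIFIED\n"
                "key_storage_type=NONE\ncert_storage_type=FILE\n"
                "state=NEED_KEY_PAIR\nautorenew=0\nmonitor=0\n")
SAMPLE_OK = ("id=20180911095336\nkey_storage_type=FILE\n"
             "key_storage_location=/opt/cloudera/security/key.pem\n"
             "cert_storage_type=FILE\n"
             "cert_storage_location=/opt/cloudera/security/cert.pem\n"
             "state=MONITORING\n")

def parse_request(text):
    """Parse key=value lines; indented lines continue the previous value
    (assumed continuation rule for multi-line values such as PEM data)."""
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last is not None:
            fields[last] += "\n" + line.strip()
        elif "=" in line:
            last, value = line.split("=", 1)
            fields[last] = value
    return fields

def empty_request_reasons(fields):
    """Return the reasons a request looks empty (empty list means it is fine)."""
    reasons = []
    for kind, label in (("key", "key"), ("cert", "certificate")):
        if fields.get(f"{kind}_storage_type", "NONE") == "NONE":
            reasons.append(f"no {label} storage")
        elif not fields.get(f"{kind}_storage_location"):
            reasons.append(f"{label} storage has no location")
    return reasons

def scan(directory=REQUEST_DIR):
    """Map request id -> reasons for every suspicious file in the store."""
    findings = {}
    for path in sorted(directory.glob("*")):
        if path.is_file():
            fields = parse_request(path.read_text(errors="replace"))
            if reasons := empty_request_reasons(fields):
                findings[fields.get("id", path.name)] = reasons
    return findings

if __name__ == "__main__":  # reading the real store normally requires root
    for req_id, reasons in scan().items():
        print(f"{req_id}: {', '.join(reasons)}")
```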
