Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1881500
Description of problem:

Command

    # ipa-getcert request -k /etc/pki/tls/private/cmgmr01.prod.csp.local.key -f /etc/pki/tls/certs/cmgmr01.prod.csp.local.pem

gets certmonger to segfault with error:

    Sep 9 12:48:01 cmgmr01 kernel: certmonger[14515]: segfault at 0 ip 00007f09ca36cdaa sp 00007ffe4d9358c8 error 4 in libc-2.17.so[7f09ca22e000+1c3000]
    Sep 9 12:48:01 cmgmr01 systemd: certmonger.service: main process exited, code=killed, status=11/SEGV
    Sep 9 12:48:01 cmgmr01 systemd: Unit certmonger.service entered failed state.
    Sep 9 12:48:01 cmgmr01 systemd: certmonger.service failed.

Version-Release number of selected component (if applicable): certmonger-0.78.4-12.el7.x86_64

How reproducible: always

Steps to Reproduce: Described earlier

Actual results: Certmonger enters failed state after segfault

Expected results: Certmonger handles command correctly

Additional info: After failing, certmonger restarts normally and works fine until another request. Sosreport and coredump file are attached to the linked case.

    [root@cmgmr01 chatfir]# getcert list
    Number of certificates and requests being tracked: 2.
    Request ID 'dogtag-ipa-renew-agent':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NONE
        certificate: type=FILE,location=''
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: no
        auto-renew: no
    Request ID '20180911095336':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/opt/cloudera/security/key.pem'
        certificate: type=FILE,location='/opt/cloudera/security/cert.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=PROD.CSP.LOCAL
        subject: CN=cmgmr01.prod.csp.local,O=PROD.CSP.LOCAL
        expires: 2022-09-09 14:57:40 UTC
        dns: cmgmr01.prod.csp.local
        principal name: host/cmgmr01.prod.csp.local@PROD.CSP.LOCAL
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
How the request was created I don't know but it is effectively empty:
    id=dogtag-ipa-renew-agent
    key_type=UNSPECIFIED
    key_gen_type=UNSPECIFIED
    key_size=0
    key_gen_size=0
    key_next_type=UNSPECIFIED
    key_next_gen_type=UNSPECIFIED
    key_next_size=0
    key_next_gen_size=0
    key_preserve=0
    key_storage_type=NONE
    key_perms=0
    key_requested_count=0
    key_issued_count=0
    cert_storage_type=FILE
    cert_perms=0
    cert_is_ca=0
    cert_ca_path_length=0
    cert_no_ocsp_check=0
    last_need_notify_check=19700101000000
    last_need_enroll_check=19700101000000
    template_is_ca=0
    template_ca_path_length=-1
    template_no_ocsp_check=0
    state=NEED_KEY_PAIR
    autorenew=0
    monitor=0
    submitted=19700101000000
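An added example, not part of the ticket or of certmonger's code: a small check that parses request files in the key=value form shown above and reports entries that are effectively empty like this one. The `key_storage_location` and `cert_storage_location` field names, the leading-space continuation rule for multi-line values, and the criteria themselves are assumptions of this sketch.

```python
import sys
# Subset of the request file quoted in the ticket.
EMPTY_SAMPLE = """id=dogtag-ipa-renew-agent
key_type=UNSPECIFIED
key_size=0
key_storage_type=NONE
cert_storage_type=FILE
"""
# Constructed sample of a populated request (key values and *_location names assumed).
TRACKED_SAMPLE = """id=20180911095336
key_type=RSA
key_size=2048
key_storage_type=FILE
key_storage_location=/opt/cloudera/security/key.pem
cert_storage_type=FILE
cert_storage_location=/opt/cloudera/security/cert.pem
"""

def parse_request(text):
    """Parse key=value lines; a line starting with a space continues the previous value."""
    fields, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            fields[last] += "\n" + line[1:]
        elif "=" in line:
            last, value = line.split("=", 1)
            fields[last] = value
    return fields

def empty_reasons(req):
    """Return the reasons a parsed request looks unusable; an empty list means it looks populated."""
    reasons = []
    if req.get("key_storage_type", "NONE") == "NONE":
        reasons.append("no key storage")
    elif not req.get("key_storage_location"):
        reasons.append("key storage has no location")
    if req.get("cert_storage_type", "NONE") == "NONE":
        reasons.append("no certificate storage")
    elif not req.get("cert_storage_location"):
        reasons.append("certificate storage has no location")
    if req.get("key_type", "UNSPECIFIED") == "UNSPECIFIED" and req.get("key_size", "0") == "0":
        reasons.append("no key type or size")
    return reasons

if __name__ == "__main__":
    # Request file paths may be passed as arguments; with none, the two samples are checked.
    texts = [open(p, errors="replace").read() for p in sys.argv[1:]] or [EMPTY_SAMPLE, TRACKED_SAMPLE]
    for req in map(parse_request, texts):
        print(req.get("id"), empty_reasons(req) or "ok")
```

Run against the files in certmonger's requests directory, an entry that reports all three reasons matches the shape of the `dogtag-ipa-renew-agent` request in this ticket.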
https://pagure.io/certmonger/pull-request/192
0eec70b
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Test added upstream in freeipa repository:

master:
- a8b2279 ipatests: Test empty cert request doesn't force certmonger to segfault

ipa-4-9:
- cbd9ac6 ipatests: Test empty cert request doesn't force certmonger to segfault