#2782 ipa cert-status serialnumber on a ipa replica created with --setup-ca option throws "Error: Record not found"
Closed: Invalid. Opened 11 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=824027 (Red Hat Enterprise Linux 6)

Description of problem:
ipa cert-status serialnumber on an ipa replica created with the --setup-ca option
throws "Error: Record not found"

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-14.el6

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server.
2. Install an ipa replica using the --setup-ca option.
3. Create a certificate
# kinit admin
Password for admin@TESTRELM.COM:
# ipa service-add service_10499/wolverine.testrelm.com@TESTRELM.COM
# openssl req -out /tmp/certreq.18578.csr -new -newkey rsa:2048 -nodes -keyout /tmp/certprikey.32054.key
Generating a 2048 bit RSA private key
.....................................................+++
...............................................................................
...............................................................................
.............+++
writing new private key to '/tmp/certprikey.32054.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:Mountain View
Organization Name (eg, company) [Default Company Ltd]:IPS
Organizational Unit Name (eg, section) []:QA
Common Name (eg, your name or your server's hostname) []:wolverine.testrelm.com
Email Address []:ipaqa@redhat.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ipa cert-request --principal=service_10499/wolverine.testrelm.com@TESTRELM.COM /tmp/certreq.18578.csr > /tmp/certcreate.txt
# grep "Serial number"  /tmp/certcreate.txt | cut -d":" -f2 | xargs echo
268370018 0xFFF0062
# ipa cert-status 268370018
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Request ID 268370018 was not found in the request queue.)

Actual results:
/var/lib/pki-ca/logs/debug has this error:

[22/May/2012:10:59:57][TP-Processor2]: CMSServlet:service() uri = //ca/ee/ca/checkRequest
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet::service() param name='xml' value='true'
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet::service() param name='requestId' value='268370018'
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: caCheckRequest start to service.
[22/May/2012:10:59:57][TP-Processor2]: checkRequest: in process!
[22/May/2012:10:59:57][TP-Processor2]: IP: 10.16.96.82
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: no authMgrName
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: in auditSubjectID
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: auditSubjectID auditContext {locale=en_US, ipAddress=10.16.96.82}
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet auditSubjectID: subjectID: null
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: in auditGroupID
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet: auditGroupID auditContext {locale=en_US, ipAddress=10.16.96.82}
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet auditGroupID: groupID: null
[22/May/2012:10:59:57][TP-Processor2]: checkACLS(): ACLEntry expressions= user="anybody"
[22/May/2012:10:59:57][TP-Processor2]: evaluating expressions: user="anybody"
[22/May/2012:10:59:57][TP-Processor2]: evaluated expression: user="anybody" to be true
[22/May/2012:10:59:57][TP-Processor2]: DirAclAuthz: authorization passed
[22/May/2012:10:59:57][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][aclResource=certServer.ee.requestStatus][Op=read] authorization success

[22/May/2012:10:59:57][TP-Processor2]: In LdapBoundConnFactory::getConn()
[22/May/2012:10:59:57][TP-Processor2]: masterConn is connected: true
[22/May/2012:10:59:57][TP-Processor2]: getConn: conn is connected true
[22/May/2012:10:59:57][TP-Processor2]: getConn: mNumConns now 2
[22/May/2012:10:59:57][TP-Processor2]: returnConn: mNumConns now 3
[22/May/2012:10:59:57][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Success][Role=<null>] assume privileged role

[22/May/2012:10:59:57][TP-Processor2]: checkRequest: requestId 268370018
[22/May/2012:10:59:57][TP-Processor2]: In LdapBoundConnFactory::getConn()
[22/May/2012:10:59:57][TP-Processor2]: masterConn is connected: true
[22/May/2012:10:59:57][TP-Processor2]: getConn: conn is connected true
[22/May/2012:10:59:57][TP-Processor2]: getConn: mNumConns now 2
[22/May/2012:10:59:57][TP-Processor2]: Error: Record not found
Record not found
        at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:159)
        at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:115)
        at com.netscape.cmscore.request.RequestQueue.readRequest(RequestQueue.java:78)
        at com.netscape.cmscore.request.ARequestQueue.findRequest(ARequestQueue.java:310)
        at com.netscape.cms.servlet.request.CheckRequest.process(CheckRequest.java:266)
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:501)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
        at java.lang.Thread.run(Thread.java:679)

Expected results:
ipa cert-status should respond with good info.

Additional info:
ipa cert-status works fine on an ipa client and on an ipa replica created without the
--setup-ca option.
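To triage the /var/lib/pki-ca/logs/debug excerpt above without reading it line by line, here is an added Python example (not part of the report, of FreeIPA or of Dogtag) that groups the `[timestamp][thread]: message` lines by servlet thread and pulls out, per request, the URI, the request parameters, the client IP, whether the ACL check matched the anonymous user="anybody" entry, the audit subject and ACL resource, and the first "Error:" line. The sample log is a constructed, condensed subset of the excerpt quoted above.

```python
import re

# Constructed sample: a condensed subset of the /var/lib/pki-ca/logs/debug
# excerpt quoted in the report (same line format, shortened for the example).
SAMPLE_LOG = """\
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet:service() uri = //ca/ee/ca/checkRequest
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet::service() param name='xml' value='true'
[22/May/2012:10:59:57][TP-Processor2]: CMSServlet::service() param name='requestId' value='268370018'
[22/May/2012:10:59:57][TP-Processor2]: IP: 10.16.96.82
[22/May/2012:10:59:57][TP-Processor2]: checkACLS(): ACLEntry expressions= user="anybody"
[22/May/2012:10:59:57][TP-Processor2]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][aclResource=certServer.ee.requestStatus][Op=read] authorization success
[22/May/2012:10:59:57][TP-Processor2]: checkRequest: requestId 268370018
[22/May/2012:10:59:57][TP-Processor2]: Error: Record not found
Record not found
        at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:159)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
PARAM_RE = re.compile(r"param name='([^']*)' value='([^']*)'")
URI_RE = re.compile(r"uri = (\S+)")
AUDIT_RE = re.compile(r"\[AuditEvent=[A-Z_]+\].*?\[SubjectID=([^\]]*)\].*?\[aclResource=([^\]]*)\]")


def triage(log_text):
    """Group debug lines by servlet thread; return one summary dict per thread.
    Captures URI, request params, client IP, anonymous ACL match, audit
    subject/resource and the first 'Error:' line; stack-trace lines are skipped."""
    reqs = {}  # insertion-ordered: first thread seen comes first
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace continuation, no timestamp prefix
        r = reqs.setdefault(m.group("thread"), {
            "thread": m.group("thread"), "ts": m.group("ts"), "uri": None,
            "params": {}, "client_ip": None, "anonymous": False,
            "subject": None, "acl_resource": None, "error": None})
        msg = m.group("msg")
        if u := URI_RE.search(msg):
            r["uri"] = u.group(1)
        elif p := PARAM_RE.search(msg):
            r["params"][p.group(1)] = p.group(2)
        elif msg.startswith("IP: "):
            r["client_ip"] = msg[4:].strip()
        elif "ACLEntry" in msg and 'user="anybody"' in msg:
            r["anonymous"] = True
        elif a := AUDIT_RE.search(msg):
            r["subject"], r["acl_resource"] = a.group(1), a.group(2)
        elif msg.startswith("Error: ") and r["error"] is None:
            r["error"] = msg[len("Error: "):]
    return list(reqs.values())
```

Running `triage(SAMPLE_LOG)` on the sample yields one entry for TP-Processor2 whose requestId parameter is 268370018 and whose error is "Record not found", which is the lookup failure the report describes.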

This waits till we support manual approval for certs.

This error is not known to be happening with current versions of IdM/FreeIPA in the RHEL-7 product. Also note that it was reported against RHEL-6/Dogtag 10, while current IdM/FreeIPA uses Dogtag 10, where the bug is likely already fixed.

If you happen to reproduce this bug, please feel free to reopen it.

Metadata Update from @dpal (7 years ago):
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog