#4624 Certmonger CAs have wrong path to ipa-submit executable
Closed: Fixed. Opened 9 years ago by mkosek.

Reproduction:

# rm /var/lib/certmonger/cas/*
# rpm -q certmonger
certmonger-0.75.14-1.fc20.x86_64
# ipa-server-install
...
# ipa-getcert list -i 20141008074055
Number of certificates and requests being tracked: 9.
Request ID '20141008074055':
    status: NEED_TO_SUBMIT
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
    CA: IPA
    issuer: 
    subject: 
    expires: unknown
    pre-save command: 
    post-save command: 
    track: yes
    auto-renew: yes

The request is then stuck in this case.

# service certmonger status
Redirecting to /bin/systemctl status  certmonger.service
certmonger.service - Certificate monitoring and PKI enrollment
   Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled)
   Active: active (running) since Wed 2014-10-08 03:34:57 EDT; 13min ago
 Main PID: 26409 (certmonger)
   CGroup: /system.slice/certmonger.service
           └─26409 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n

Oct 08 03:43:26 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:43:26 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:43:56 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:43:56 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:44:26 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:44:26 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:44:56 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:44:56 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:45:26 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:45:26 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:45:56 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:45:56 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:46:26 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:46:26 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:46:56 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:46:56 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:47:26 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:47:26 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:47:56 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:47:56 [26409] Error while starting helper "/": Permission denied.

The problem is in the CAs file:

# grep -C 1 IPA /var/lib/certmonger/cas/*
/var/lib/certmonger/cas/20140915070833-1:id=IPA
/var/lib/certmonger/cas/20140915070833-1:ca_aka=IPA (certmonger 0.75.14)
/var/lib/certmonger/cas/20140915070833-1-ca_is_default=0
--
/var/lib/certmonger/cas/20140915070833-1-ca_external_helper=/
/var/lib/certmonger/cas/20140915070833-1:ca_root_certs=MKOSEK-FEDORA20.TEST IPA CA
/var/lib/certmonger/cas/20140915070833-1- -----BEGIN CERTIFICATE-----

There should be /usr/libexec/certmonger/ipa-submit, not /.


I noticed this happened also when IPA was uninstalled, but there was a leftover tracking request:

# ipactl status
IPA is not configured (see man pages of ipa-server-install for help)
# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20141008074055':
    status: CA_REJECTED
    ca-error: Server at https://ipa.mkosek-fedora20.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=test/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test'.).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
    CA: IPA
    issuer: 
    subject: 
    expires: unknown
    pre-save command: 
    post-save command: 
    track: yes
    auto-renew: yes
# rm /var/lib/certmonger/cas/20141009135423*
# service certmonger restart
Redirecting to /bin/systemctl restart  certmonger.service
# cat /var/lib/certmonger/cas/20141009135423-1 
id=IPA
ca_aka=IPA (certmonger 0.75.14)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/
ca_root_certs=MKOSEK-FEDORA20.TEST IPA CA
 -----BEGIN CERTIFICATE-----
 MIIFODCCBCCgAwIBAgITYwAAAB+zrTZCQPlMagAAAAAAHzANBgkqhkiG9w0BAQUF
 ADBPMRQwEgYKCZImiZPyLGQBGRYEVEVTVDEYMBYGCgmSJomT8ixkARkWCE1LQUQy
 MDEyMR0wGwYDVQQDExRNS0FEMjAxMi1NS0RDMjAxMi1DQTAeFw0xNDEwMDkwOTI2
 NDZaFw0xNjEwMDkwOTM2NDZaMD8xHTAbBgNVBAoMFE1LT1NFSy1GRURPUkEyMC5U
 RVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3
 DQEBAQUAA4IBDwAwggEKAoIBAQC9lxPDWWu46AI80S7t9Vrxcs8Iqm1h5isDXH6G
 AAxy/TDeKnMHbEAEmkziMUwSOxdksTxoQit+t3nQZs6wyl/bmDsw10Hv4J8LmPlY
 XgIR+K+k89MScfpPxy03IZYm0zfyveuR9dyaRazmOp8o4SmYY2dyhoOkSV5/85mY
 5GkAyGlrXaLv0wFiBkyeciH/O90SoedkQZL1SSv5DwojSAtp7aJFItL9etOGra0k
 nfujL2LBuaNCBX98aLCs1FZD7KdeOC4EqaTG7awyD12WZygsK6vQQczyQ78j0ySD
 VUmrBJipR61Di+iqeB1HRdDFtL2N1JmNOHgrhOoPxn/NGtZtAgMBAAGjggIbMIIC
 FzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAZBgkrBgEEAYI3FAIE
 DB4KAFMAdQBiAEMAQTAdBgNVHQ4EFgQUPk1c3uosTP7msw4KiYTjZoKWcH0wHwYD
 VR0jBBgwFoAUz6skEUxcRNjbmFap1h73T88T6LkwgdEGA1UdHwSByTCBxjCBw6CB
 wKCBvYaBumxkYXA6Ly8vQ049TUtBRDIwMTItTUtEQzIwMTItQ0EsQ049TUtEQzIw
 MTIsQ049Q0RQLENOPVB1YmxpYyBLZXkgU2VydmljZXMsQ049U2VydmljZXMsQ049
 Q29uZmlndXJhdGlvbixEQz1NS0FEMjAxMixEQz1URVNUP2NlcnRpZmljYXRlUmV2
 b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2lu
 dDCBxAYIKwYBBQUHAQEEgbcwgbQwgbEGCCsGAQUFBzAChoGkbGRhcDovLy9DTj1N
 S0FEMjAxMi1NS0RDMjAxMi1DQSxDTj1BSUEsQ049UHVibGljIEtleSBTZXJ2aWNl
 cyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPU1LQUQyMDEyLERDPVRF
 U1Q/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
 dXRob3JpdHkwDQYJKoZIhvcNAQEFBQADggEBAEEGfyPFLNRf/MIQ9wuzBpi4Ob3g
 B5A/9stjdg29ak6noEEz+aEcoTmq7OV0V2MIQrX7QuyJfFL9AHJJxY9o1CLy3YUO
 kPuNpuBPt7TCkMbDq3LS0i0LUKDJy7XuViViDpiCKV1uwi21YS8o5Qstd6XpDO0b
 aLGa1ZPaxfkp5WWSQ5BvXJNausFRgPhlOseqFT76LO3LHaRemaU3xnErncB99JOY
 cloNOqSEm98drgSt3bfV2t9v76aaUDH2/ajl99K6VQRw2rM14RJQjj7avZVhT4H5
 ZI4Dw09zxS3ip4FCfICcQ716S5EYldnmhFXA2sHYI4x3o6opm7pCoBo1A9k=
 -----END CERTIFICATE-----
ca_required_enroll_attributes=template-principal,template-subject

There is apparently some interaction between existing requests and CAS/ca_external_helper being broken. Nalin, is this the right certmonger behavior and IPA should adapt or is a fix needed?

No, that's not supposed to happen. It looks like remove_principal_from_cas() is expecting the CA's "external-helper" property to be an array, when it's merely a string. The string find() method returns -1 on error (it looks like the function expected a boolean), so the function unconditionally and mistakenly replaces the property's value with just its first character.

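As an added illustration, not code from FreeIPA or certmonger, of the two points above: the key=value layout of the /var/lib/certmonger/cas/* file dumped in the report, and the str.find()-treated-as-boolean mistake Nalin describes. The parser, the sample CA file (with a truncated placeholder certificate), the check function, and the assumption that extra arguments may follow the helper path are all constructed for this example; the real remove_principal_from_cas() is not reproduced here.

```python
"""Illustration for this ticket: parse a certmonger CA file and show why a
str.find() truthiness check turns "/usr/libexec/certmonger/ipa-submit" into "/".
Hypothetical reconstruction, not FreeIPA's or certmonger's own code."""
import shlex

IPA_SUBMIT = "/usr/libexec/certmonger/ipa-submit"

# Constructed sample modelled on the cas file shown in the report; the
# certificate body is a truncated placeholder, not the real certificate.
SAMPLE_CAS_FILE = """\
id=IPA
ca_aka=IPA (certmonger 0.75.14)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/
ca_root_certs=MKOSEK-FEDORA20.TEST IPA CA
 -----BEGIN CERTIFICATE-----
 MIIFODCCBCCgAwIBAgITYwAAAB (truncated sample)
 -----END CERTIFICATE-----
ca_required_enroll_attributes=template-principal,template-subject
"""


def parse_cas_file(text):
    """Parse the key=value CA file.  A line starting with a space continues
    the previous key's value; that is how the root certificate is stored."""
    entries = {}
    last_key = None
    for line in text.splitlines():
        if line.startswith(" ") and last_key is not None:
            entries[last_key] += "\n" + line[1:]
        elif "=" in line:
            key, _, value = line.partition("=")
            entries[key] = value
            last_key = key
    return entries


def buggy_strip_principal(helper):
    """The pattern Nalin describes: the property is a string, but the code
    treats it as an array and str.find() as a boolean.  find() returns an
    index, or -1 when absent; both are truthy except index 0, so the branch
    runs for almost any input and helper[0] is the first character ("/")."""
    if helper.find("ipa-submit"):
        return helper[0]
    return helper


def strip_principal(helper):
    """Corrected form: test membership with `in`, tokenise the command line
    and keep only the executable.  That arguments may follow the helper path
    is an assumption made for this illustration."""
    if "ipa-submit" not in helper:
        return helper
    argv = shlex.split(helper)
    return argv[0] if argv else helper


def check_external_helper(entries):
    """Return None when the IPA CA entry points at the expected helper, else a
    short diagnosis matching the 'Error while starting helper "/"' symptom."""
    if entries.get("id") != "IPA":
        return None
    helper = entries.get("ca_external_helper", "")
    if helper == IPA_SUBMIT:
        return None
    if helper == "/":
        return ("ca_external_helper is '/' (first character of a path): "
                "expected " + IPA_SUBMIT)
    return "ca_external_helper is %r: expected %s" % (helper, IPA_SUBMIT)


if __name__ == "__main__":
    cas = parse_cas_file(SAMPLE_CAS_FILE)
    print(check_external_helper(cas))
    print(buggy_strip_principal(IPA_SUBMIT + " extra-arg"))
    print(strip_principal(IPA_SUBMIT + " extra-arg"))
```

Running check_external_helper() over every file under /var/lib/certmonger/cas/ after an install or uninstall is a quick way to catch the broken helper path before certmonger starts logging the "Permission denied" lines shown above.
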
Good catch! Thanks Nalin. David/Honza, you know what to do :-)

master:

  • 3f9d1a7 Fix typo causing certmonger is provided with wrong path to ipa-submit.

ipa-4-1:

  • f046480 Fix typo causing certmonger is provided with wrong path to ipa-submit.

ipa-4-0:

  • 40f9678 Fix typo causing certmonger is provided with wrong path to ipa-submit.

Metadata Update from @mkosek:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.0.4

7 years ago
