Reproduction:
# rm /var/lib/certmonger/cas/*
# rpm -q certmonger
certmonger-0.75.14-1.fc20.x86_64
# ipa-server-install
...
# ipa-getcert list -i 20141008074055
Number of certificates and requests being tracked: 9.
Request ID '20141008074055':
	status: NEED_TO_SUBMIT
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
The request is then stuck in this case.
# service certmonger status
Redirecting to /bin/systemctl status certmonger.service
certmonger.service - Certificate monitoring and PKI enrollment
   Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled)
   Active: active (running) since Wed 2014-10-08 03:34:57 EDT; 13min ago
 Main PID: 26409 (certmonger)
   CGroup: /system.slice/certmonger.service
           └─26409 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n

Oct 08 03:43:26 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:43:26 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:43:56 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:43:56 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:44:26 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:44:26 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:44:56 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:44:56 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:45:26 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:45:26 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:45:56 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:45:56 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:46:26 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:46:26 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:46:56 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:46:56 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:47:26 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:47:26 [26409] Error while starting helper "/": Permission denied.
Oct 08 03:47:56 ipa.mkosek-fedora20.test certmonger[26409]: 2014-10-08 03:47:56 [26409] Error while starting helper "/": Permission denied.
The problem is in the CAS file:
# grep -C 1 IPA /var/lib/certmonger/cas/*
/var/lib/certmonger/cas/20140915070833-1:id=IPA
/var/lib/certmonger/cas/20140915070833-1:ca_aka=IPA (certmonger 0.75.14)
/var/lib/certmonger/cas/20140915070833-1-ca_is_default=0
--
/var/lib/certmonger/cas/20140915070833-1-ca_external_helper=/
/var/lib/certmonger/cas/20140915070833-1:ca_root_certs=MKOSEK-FEDORA20.TEST IPA CA
/var/lib/certmonger/cas/20140915070833-1------BEGIN CERTIFICATE-----
There should be /usr/libexec/certmonger/ipa-submit, not /.
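A small checker for the symptom described above, added here as an example and not part of FreeIPA or certmonger: it parses a CA definition file in the key=value shape shown by the grep output and flags a ca_external_helper that cannot be a program path (such as the bare "/"). The file content below is constructed from the values in this ticket, with the PEM body replaced by a placeholder; the existence check is injectable so it can be run offline.

```python
import os
import shlex

# Constructed sample of a certmonger CA file (values taken from this ticket,
# certificate body replaced by a placeholder); the helper has been clobbered to "/".
SAMPLE_BROKEN_CA = """\
id=IPA
ca_aka=IPA (certmonger 0.75.14)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/
ca_root_certs=MKOSEK-FEDORA20.TEST IPA CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERTIFICATE-BODY
-----END CERTIFICATE-----
ca_required_enroll_attributes=template-principal,template-subject
"""

# The same file with the helper path the ticket says should be there.
SAMPLE_GOOD_CA = SAMPLE_BROKEN_CA.replace(
    "ca_external_helper=/", "ca_external_helper=/usr/libexec/certmonger/ipa-submit")


def parse_ca_file(text):
    """Parse key=value lines of a CA file into a dict, skipping PEM blocks."""
    props = {}
    in_pem = False
    for line in text.splitlines():
        if line.startswith("-----BEGIN "):
            in_pem = True
            continue
        if line.startswith("-----END "):
            in_pem = False
            continue
        if in_pem or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _default_is_executable(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def check_external_helper(props, is_executable=_default_is_executable):
    """Return a list of findings for an EXTERNAL CA; an empty list means OK."""
    findings = []
    if props.get("ca_type") != "EXTERNAL":
        return findings
    helper = props.get("ca_external_helper", "")
    if not helper:
        findings.append("ca_external_helper is empty")
        return findings
    prog = shlex.split(helper)[0]  # the helper may carry arguments
    # "/" has an empty basename, so it is caught here together with relative paths.
    if not os.path.isabs(prog) or not os.path.basename(prog):
        findings.append("helper %r is not an absolute path to a program" % prog)
    elif not is_executable(prog):
        findings.append("helper %r is missing or not executable on this host" % prog)
    return findings


def scan_cas_dir(cas_dir="/var/lib/certmonger/cas"):
    """Check every CA file in the directory; returns {filename: findings}."""
    results = {}
    for name in sorted(os.listdir(cas_dir)):
        with open(os.path.join(cas_dir, name)) as f:
            findings = check_external_helper(parse_ca_file(f.read()))
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_BROKEN_CA), ("good", SAMPLE_GOOD_CA)):
        print(label, check_external_helper(parse_ca_file(text), lambda p: True))
```

Run scan_cas_dir() as root on the IPA server to list CA files whose helper would fail the same way the journal shows ("Error while starting helper "/""); a clean run returns an empty dict.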
I noticed this also happened when IPA was uninstalled but a tracking request was left behind:
# ipactl status
IPA is not configured (see man pages of ipa-server-install for help)
# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20141008074055':
	status: CA_REJECTED
	ca-error: Server at https://ipa.mkosek-fedora20.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=test/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test'.).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
# rm /var/lib/certmonger/cas/20141009135423*
# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
# cat /var/lib/certmonger/cas/20141009135423-1
id=IPA
ca_aka=IPA (certmonger 0.75.14)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/
ca_root_certs=MKOSEK-FEDORA20.TEST IPA CA
-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgITYwAAAB+zrTZCQPlMagAAAAAAHzANBgkqhkiG9w0BAQUF
ADBPMRQwEgYKCZImiZPyLGQBGRYEVEVTVDEYMBYGCgmSJomT8ixkARkWCE1LQUQy
MDEyMR0wGwYDVQQDExRNS0FEMjAxMi1NS0RDMjAxMi1DQTAeFw0xNDEwMDkwOTI2
NDZaFw0xNjEwMDkwOTM2NDZaMD8xHTAbBgNVBAoMFE1LT1NFSy1GRURPUkEyMC5U
RVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC9lxPDWWu46AI80S7t9Vrxcs8Iqm1h5isDXH6G
AAxy/TDeKnMHbEAEmkziMUwSOxdksTxoQit+t3nQZs6wyl/bmDsw10Hv4J8LmPlY
XgIR+K+k89MScfpPxy03IZYm0zfyveuR9dyaRazmOp8o4SmYY2dyhoOkSV5/85mY
5GkAyGlrXaLv0wFiBkyeciH/O90SoedkQZL1SSv5DwojSAtp7aJFItL9etOGra0k
nfujL2LBuaNCBX98aLCs1FZD7KdeOC4EqaTG7awyD12WZygsK6vQQczyQ78j0ySD
VUmrBJipR61Di+iqeB1HRdDFtL2N1JmNOHgrhOoPxn/NGtZtAgMBAAGjggIbMIIC
FzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAZBgkrBgEEAYI3FAIE
DB4KAFMAdQBiAEMAQTAdBgNVHQ4EFgQUPk1c3uosTP7msw4KiYTjZoKWcH0wHwYD
VR0jBBgwFoAUz6skEUxcRNjbmFap1h73T88T6LkwgdEGA1UdHwSByTCBxjCBw6CB
wKCBvYaBumxkYXA6Ly8vQ049TUtBRDIwMTItTUtEQzIwMTItQ0EsQ049TUtEQzIw
MTIsQ049Q0RQLENOPVB1YmxpYyBLZXkgU2VydmljZXMsQ049U2VydmljZXMsQ049
Q29uZmlndXJhdGlvbixEQz1NS0FEMjAxMixEQz1URVNUP2NlcnRpZmljYXRlUmV2
b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2lu
dDCBxAYIKwYBBQUHAQEEgbcwgbQwgbEGCCsGAQUFBzAChoGkbGRhcDovLy9DTj1N
S0FEMjAxMi1NS0RDMjAxMi1DQSxDTj1BSUEsQ049UHVibGljIEtleSBTZXJ2aWNl
cyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPU1LQUQyMDEyLERDPVRF
U1Q/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
dXRob3JpdHkwDQYJKoZIhvcNAQEFBQADggEBAEEGfyPFLNRf/MIQ9wuzBpi4Ob3g
B5A/9stjdg29ak6noEEz+aEcoTmq7OV0V2MIQrX7QuyJfFL9AHJJxY9o1CLy3YUO
kPuNpuBPt7TCkMbDq3LS0i0LUKDJy7XuViViDpiCKV1uwi21YS8o5Qstd6XpDO0b
aLGa1ZPaxfkp5WWSQ5BvXJNausFRgPhlOseqFT76LO3LHaRemaU3xnErncB99JOY
cloNOqSEm98drgSt3bfV2t9v76aaUDH2/ajl99K6VQRw2rM14RJQjj7avZVhT4H5
ZI4Dw09zxS3ip4FCfICcQ716S5EYldnmhFXA2sHYI4x3o6opm7pCoBo1A9k=
-----END CERTIFICATE-----
ca_required_enroll_attributes=template-principal,template-subject
There is apparently some interaction between existing requests and CAS/ca_external_helper being broken. Nalin, is this the right certmonger behavior and IPA should adapt or is a fix needed?
No, that's not supposed to happen. It looks like remove_principal_from_cas() is expecting the CA's "external-helper" property to be an array, when it's merely a string. The string find() method returns -1 on error (it looks like the function expected a boolean), so the function unconditionally and mistakenly replaces the property's value with just its first character.
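To make the failure mode described in the comment above concrete, here is an added example (not FreeIPA's remove_principal_from_cas() and not certmonger code) that models the CA properties as a plain dict. The intended behaviour assumed here, based on the function name and the comment, is to strip any trailing arguments (such as a principal) from the helper command line and keep only the program path; the buggy variant reproduces the two mistakes Nalin names, treating find()'s -1 as true and indexing the string with [0], while the corrected variant tests membership and splits the command line first.

```python
import shlex

# Path the ticket says the helper should be.
HELPER = "/usr/libexec/certmonger/ipa-submit"


def make_ca_props(helper):
    """Constructed stand-in for the CA's property dict; "external-helper"
    is a single string, as it is in certmonger, not an array."""
    return {"external-helper": helper}


def fix_helper_buggy(props):
    """Hypothetical reconstruction of the bug pattern (not the real function).

    str.find() returns the index of the substring or -1 when absent; both
    -1 and any index > 0 are truthy, so the condition fires for essentially
    every value. Indexing a string with [0] then yields its first character
    instead of the first list element, so the helper collapses to "/"."""
    helper = props["external-helper"]
    if helper.find(" "):  # -1 (no arguments) is truthy, so this is always taken
        props["external-helper"] = helper[0]
    return props


def fix_helper_correct(props):
    """Corrected variant: test membership explicitly and operate on the
    parsed argument vector, so a helper without arguments is left alone and
    a helper with arguments keeps exactly its program path."""
    helper = props["external-helper"]
    if " " in helper:  # equivalent to helper.find(" ") != -1
        props["external-helper"] = shlex.split(helper)[0]
    return props


def helper_was_clobbered(props):
    """True when the helper has degenerated to a single character."""
    return len(props["external-helper"]) == 1


if __name__ == "__main__":
    # Constructed inputs: a bare helper and one carrying a principal argument.
    for helper in (HELPER, HELPER + " -P host/ipa.example.test@EXAMPLE.TEST"):
        print("buggy  :", fix_helper_buggy(make_ca_props(helper)))
        print("correct:", fix_helper_correct(make_ca_props(helper)))
```

The buggy variant turns both inputs into "/", matching the ca_external_helper=/ seen in the CA file and the "Error while starting helper "/"" journal lines; the corrected variant leaves the bare path untouched and reduces the argument-carrying form to the path alone.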
Good catch! Thanks Nalin. David/Honza, you know what to do :-)
attachment freeipa-dkupka-0023-Fix-typo-causing-certmonger-is-provided-with-wrong-p.patch
attachment freeipa-dkupka-0023-ipa40-Fix-typo-causing-certmonger-is-provided-with-wrong-p.patch
master:
ipa-4-1:
ipa-4-0:
Metadata Update from @mkosek: - Issue assigned to dkupka - Issue set to the milestone: FreeIPA 4.0.4