#5363 Certificate of managed-by host/service fails to resubmit
Closed: Fixed None Opened 3 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1269089

Description of problem:
When trying to resubmit (or letting certmonger resubmit before expiration)
the certificate of a host/service which is managed by the local host, it fails
with an ACI error.


Version-Release number of selected component (if applicable):
ipa-server-4.1.0


How reproducible:
Always


Steps to Reproduce:
1. ipa-server-install -r test.com -n novalocal -p passwd123 -a passwd123 --ip-address=172.30.41.25 --ssh-trust-dns --hostname testsrv.novalocal --setup-dns --no-host-dns --no-forwarders
2. kinit admin
3. ipa host-add testhost --force
4. ipa host-add-managedby testhost.novalocal --host=testsrv.novalocal
5. ipa-getcert request -k /etc/ssl/certs/testhost.novalocal.key -f /etc/ssl/certs/testhost.novalocal.cert -N testhost.novalocal -K host/testhost.novalocal
6. ipa-getcert list
   ...
   Request ID '20151005150737':
   ...
   status MONITORING ...
7. ipa-getcert resubmit -i 20151005150737
8. ipa-getcert list -i 20151005150737


Actual results:
Request ID '20151005150737':
        status: MONITORING
        ca-error: Server at https://testsrv.novalocal/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this command)

Expected results:
no ca-error

Additional info:
When I remove the userCertificate attribute from the mentioned host (works also when
kinited to the identity of host/testsrv.novalocal), the next ipa-getcert
resubmit works well.
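The failure mode in this ticket is easy to miss in monitoring because `ipa-getcert list` still reports `status: MONITORING` for the request; only the `ca-error:` line reveals that the renewal was refused. The following POSIX shell check, added here as an example and not part of the ticket or of FreeIPA/certmonger, parses `ipa-getcert list` output and reports every tracked request that carries a `ca-error`, regardless of status. The sample output embedded in `sample_list` is constructed to mirror the format shown in the ticket; the second request ID, the key/cert paths, the `subject:` and `principal name:` lines and the realm `TEST.COM` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the ticket or from FreeIPA): flag certmonger
# requests that report a ca-error even though their status is MONITORING.

# Constructed sample of `ipa-getcert list` output in the ticket's format.
# Everything beyond the first request (IDs, paths, subject, principal,
# realm) is an assumption for this example, not captured from a real host.
sample_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20151005150737':
        status: MONITORING
        ca-error: Server at https://testsrv.novalocal/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to perform this command)
        key pair storage: type=FILE,location='/etc/ssl/certs/testhost.novalocal.key'
        certificate: type=FILE,location='/etc/ssl/certs/testhost.novalocal.cert'
        subject: CN=testhost.novalocal,O=TEST.COM
        principal name: host/testhost.novalocal@TEST.COM
Request ID '20151005150900':
        status: MONITORING
        key pair storage: type=FILE,location='/etc/ssl/certs/testsrv.novalocal.key'
        certificate: type=FILE,location='/etc/ssl/certs/testsrv.novalocal.cert'
        subject: CN=testsrv.novalocal,O=TEST.COM
        principal name: host/testsrv.novalocal@TEST.COM
EOF
}

# Read `ipa-getcert list` output on stdin and print one line per request
# that has a ca-error: "<request id><TAB><ca-error text>".
# Indentation may be spaces (as in the ticket) or a tab (real certmonger).
failing_requests() {
    awk -v sq="'" '
        /^Request ID / {
            id = $3                 # e.g. '\''20151005150737'\'':
            gsub(sq, "", id)        # strip the quotes
            sub(/:$/, "", id)       # strip the trailing colon
        }
        /^[[:space:]]*ca-error:/ {
            sub(/^[[:space:]]*ca-error:[[:space:]]*/, "")
            print id "\t" $0
        }
    '
}

# Run the given command (e.g. `ipa-getcert list`), print any failing
# requests, and return 1 if there is at least one, 0 if all are clean.
check_certmonger() {
    failures=$("$@" | failing_requests)
    if [ -n "$failures" ]; then
        printf '%s\n' "$failures"
        return 1
    fi
    return 0
}

# Stand-alone demo against the constructed sample. On a real IPA host use:
#   check_certmonger ipa-getcert list
if ! check_certmonger sample_list; then
    echo "at least one tracked request reports a ca-error" >&2
fi
```

Run it from cron or a monitoring agent with `check_certmonger ipa-getcert list`; a non-zero return means a renewal was refused by the CA and the certificate will expire without intervention, which is exactly the situation a `status`-only check would not catch.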

I'm able to reproduce with 4.1.5 but not with 4.2.4 and later. Returning to triage to decide whether to move the ticket into 4.1.6 or close as FIXED in 4.2.

Closing according to the comment above.

Metadata Update from @pvoborni:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.2.4

2 years ago
