Steps to reproduce:
# ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.TEST -U
# echo Secret123 | kinit admin
# ipa host-add host.example.test --ip-address <IP>
# ipa host-add-managedby host.example.test --host $( hostname -f )
# ipa-getcert request -k /etc/ssl/certs/host.example.test.key -f /etc/ssl/certs/host.example.test.cert -N host.example.test -K host/host.example.test
# kinit -kt /etc/krb5.keytab
# ipa host-show host.example.test
...
Serial Number: 12
...
# ipa cert-revoke 12
Current result:
ipa: ERROR: Insufficient access: not allowed to perform operation: retrieve certificate
Expected result:
Revoked: True
I believe the problem lies in ipalib/plugins/cert.py:class cert_show:def execute

    ...
    try:
        self.check_access()
    except errors.ACIError as acierr:
        self.debug("Not granted by ACI to retrieve certificate, looking at principal")
        bind_principal = getattr(context, 'principal')
        if not bind_principal.startswith('host/'):
            raise acierr
        hostname = get_host_from_principal(bind_principal)
    ...
    if hostname:
        # If we have a hostname we want to verify that the subject
        # of the certificate matches it, otherwise raise an error
        if hostname != cert.subject.common_name: #pylint: disable=E1101
            raise acierr
    ...
The error has the format of the error from self.check_access(), which is expected, but then there is an exception for hosts, so it should pass.
It would be good to print bind_principal to the debug log before the first raise acierr, and then the same for hostname and cert.subject.common_name before the second raise.
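The following is an added stand-alone model of the access fallback quoted above, with the two debug lines the report asks for; it is not FreeIPA's code and not part of the original ticket. ACIError, Cert, get_host_from_principal, check_access, cert_show_allowed and decide are simplified stand-ins for the real ipalib objects (assumptions), and the principal/CN inputs are constructed to mirror the reproduction steps.

```python
import logging
from dataclasses import dataclass

# Added example: a stand-alone model of the access fallback in cert_show.execute
# with the debug lines the report asks for. This is not FreeIPA's code; ACIError,
# Cert, get_host_from_principal and check_access are simplified stand-ins
# (assumptions) for the real ipalib objects.

log = logging.getLogger("cert_show_model")

ACI_MESSAGE = ("Insufficient access: not allowed to perform operation: "
               "retrieve certificate")


class ACIError(Exception):
    """Stand-in for ipalib.errors.ACIError."""


@dataclass
class Cert:
    """Only the field the check looks at (cert.subject.common_name)."""
    common_name: str


def get_host_from_principal(principal: str) -> str:
    """'host/fqdn@REALM' -> 'fqdn'. Assumed to behave like IPA's helper of that name."""
    _service, _, rest = principal.partition("/")
    hostname, _, _realm = rest.partition("@")
    return hostname


def check_access(aci_allowed: bool) -> None:
    """Stand-in for self.check_access(): raise unless an ACI grants the read."""
    if not aci_allowed:
        raise ACIError(ACI_MESSAGE)


def cert_show_allowed(bind_principal: str, cert: Cert, aci_allowed: bool = False) -> bool:
    """Mirror the quoted logic: ACI check first, then the host-principal exception."""
    try:
        check_access(aci_allowed)
        return True
    except ACIError as acierr:
        log.debug("Not granted by ACI to retrieve certificate, looking at principal")
        # First suggested debug line: show which principal the bind actually used.
        log.debug("bind_principal=%r", bind_principal)
        if not bind_principal.startswith("host/"):
            raise acierr
        hostname = get_host_from_principal(bind_principal)
        if hostname:
            # Second suggested debug line: the two strings that must be equal.
            # The comparison in cert.py is an exact string compare, so any
            # difference in case or a trailing dot surfaces here as the ACI error.
            log.debug("hostname=%r cert.subject.common_name=%r",
                      hostname, cert.common_name)
            if hostname != cert.common_name:
                raise acierr
        return True


def decide(bind_principal: str, common_name: str, aci_allowed: bool = False) -> str:
    """Convenience wrapper returning 'allowed' or the error text."""
    try:
        cert_show_allowed(bind_principal, Cert(common_name), aci_allowed)
        return "allowed"
    except ACIError as err:
        return str(err)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    # Constructed inputs mirroring the report: a host keytab bind and a cert
    # whose subject CN is the same FQDN, then two mismatching cases.
    print(decide("host/host.example.test@EXAMPLE.TEST", "host.example.test"))
    print(decide("host/host.example.test@EXAMPLE.TEST", "Host.Example.Test"))
    print(decide("admin@EXAMPLE.TEST", "host.example.test"))
```

Running it with DEBUG logging shows the principal and the two compared strings next to each outcome, which is exactly what the report wants in order to tell a non-host bind apart from a host bind whose hostname does not match the certificate's CN.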
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1334795
Metadata Update from @dkupka: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Unable to reproduce this. I can't find a specific commit but this works correctly now.
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)