#5881 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2
Closed: Fixed by ftweedal. Opened 2 years ago by ftweedal.

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1327092

Created attachment 1147087: Observations 7.2.2, 7.2.1 and 7.2GA

Description of problem:
URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.6.x86_64

How reproducible:
Intermittent

Steps to Reproduce:
1. Configure an IPA server on RHEL 7.2up2.
2. Create a temporary directory inside /tmp (mkdir /tmp/test).
3. cd /tmp/test
4. Execute the following bash script (make sure you update DOMAIN and MASTER for your setup; in my case DOMAIN is "testrelm.test" and MASTER is the IPA server hostname).
5. BASH script:

###########Script start ##############

#!/bin/bash
# Obtain an admin ticket; "Secret123" is the admin password of this test setup.
echo "Secret123" | kinit admin
# Adjust MASTER and DOMAIN to match your environment.
export MASTER=$(hostname)
export DOMAIN=testrelm.test

# Build the OpenSSL request config for the service certificate.
echo '[ req ]
default_bits = 2048' > "$MASTER-cert-req.conf"
echo 'distinguished_name = test_key_file
prompt = no
output_password = ..

[ test_key_file ]
C = US
ST = CA
L = SFO
O = RedHat Technology
OU = RedHat IT' >> "$MASTER-cert-req.conf"

echo "CN = $MASTER" >> "$MASTER-cert-req.conf"

csrfile="$MASTER-cert-req.csr"

# Generate the CSR and submit it to the IPA CA (default caIPAserviceCert profile).
openssl req -new -config "$MASTER-cert-req.conf" -out "$csrfile"
outfile="ipa-functionalservices-ldap-010-output"
ipa cert-request --add --principal="EXAMPLE/$MASTER" "$csrfile" > "$outfile"

# Extract the serial number from the cert-request output and fetch the issued cert.
export certnum=$(awk '/Serial number:/ {print $3}' "$outfile")
ipa cert-show "$certnum" --out="$MASTER.cert"

expecteduri="http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin"
expectedocsp="http://ipa-ca.$DOMAIN/ca/ocsp"

openssl x509 -text -in "$MASTER.cert"

# Each grep must print a line; empty output means the CRL DP or OCSP URI is missing or wrong.
openssl x509 -text -in "$MASTER.cert" | grep URI | grep -v OCSP | grep -F "$expecteduri"
openssl x509 -text -in "$MASTER.cert" | grep URI | grep OCSP | grep -F "$expectedocsp"

#### Script END ##########

Actual results:
1. URI details are missing and the OCSP-URI details are incorrectly displayed when the certificate is generated using IPA on RHEL 7.2up2.
2. On executing "openssl x509 -text -in $MASTER.cert", the following OCSP URI is found instead of the expected values held in the variables "expecteduri" and "expectedocsp":

OCSP - URI:http://apollo.testrelm.test:80/ca/ocsp

3. Refer to the attached console output log for 7.2.2, 7.2.1 and 7.2GA, produced with this script, for reference.

Expected results:
The URI and OCSP-URI details should be correctly displayed when certificate is generated using IPA on RHEL 7.2up2.

Additional info:
1. When the same steps are tested on 7.2 GA and 7.2up1, the issue is not observed and the URI and OCSP-URI details are correct.
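As an added illustration, not part of this report or of FreeIPA's code: a Python check that applies the same expecteduri/expectedocsp comparison to saved `openssl x509 -text` output, so already-issued certificates can be audited for the bad profile without re-running the reproducer. Both certificate excerpts below are constructed to mirror the broken and the expected output.

```python
# Constructed excerpt of `openssl x509 -text` output for a cert from the broken
# profile: no CRL Distribution Points, and the OCSP URI points at the CA host:80.
BROKEN_CERT_TEXT = """\
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://apollo.testrelm.test:80/ca/ocsp
"""

# Constructed excerpt for a cert issued by a correct caIPAserviceCert profile.
GOOD_CERT_TEXT = """\
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ipa-ca.testrelm.test/ca/ocsp
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin
"""


def extract_uris(cert_text):
    """Collect CRL Distribution Point URIs and AIA OCSP URIs from openssl text output."""
    uris = {"crl": [], "ocsp": []}
    section = ""
    for line in cert_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("X509v3 ", "Authority Information Access")):
            section = stripped  # an extension name starts a new block
        elif "URI:" in stripped:
            uri = stripped.split("URI:", 1)[1].strip()
            if section.startswith("X509v3 CRL Distribution Points"):
                uris["crl"].append(uri)
            elif section.startswith("Authority Information Access") and stripped.startswith("OCSP"):
                uris["ocsp"].append(uri)  # "CA Issuers - URI:" entries are skipped
    return uris


def check_ipa_cert_uris(cert_text, domain):
    """Compare against the expecteduri/expectedocsp values the report's script greps for."""
    expected_crl = f"http://ipa-ca.{domain}/ipa/crl/MasterCRL.bin"
    expected_ocsp = f"http://ipa-ca.{domain}/ca/ocsp"
    found = extract_uris(cert_text)
    findings = []
    if expected_crl not in found["crl"]:
        findings.append(f"CRL DP URI: expected {expected_crl}, got {found['crl'] or 'none'}")
    if expected_ocsp not in found["ocsp"]:
        findings.append(f"OCSP URI: expected {expected_ocsp}, got {found['ocsp'] or 'none'}")
    return findings
```

An empty findings list means the certificate carries the URIs a correctly configured IPA CA emits.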

Patch to prevent the issue is on the list.

Proposed approach for repairing broken installations:
https://www.redhat.com/archives/freeipa-devel/2016-May/msg00192.html

master:

  • 5dad496 Prevent replica install from overwriting cert profiles
  • 356f262 Detect and repair incorrect caIPAserviceCert config

ipa-4-2:

  • c72993b Prevent replica install from overwriting cert profiles
  • f116e51 Detect and repair incorrect caIPAserviceCert config

ipa-4-3:

  • fc292f5 Prevent replica install from overwriting cert profiles
  • e9672b1 Detect and repair incorrect caIPAserviceCert config

Test: only 4.3, 4.4

master:

  • 019f361 Test URIs in certificate.

ipa-4-3:

  • 2a207dd Test URIs in certificate.

Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.2.5
