Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1455054
Description of problem:
ipa-ca-install command installs CA on replica even if cert file is not specified with --external-cert-file option. If executed command with non-existing file, invalid file etc., it doesn't throw any error.

Version-Release number of selected component (if applicable):
[root@bkr-hv01-guest30 ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.5.0-13.el7.x86_64
ipa-client-4.5.0-13.el7.x86_64
389-ds-base-1.3.6.1-14.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install replica on the system (ipa-replica-install -P admin -w Secret123)
2. Install CA with following scenario:
   a) ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=
   b) ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.crt   # no file as abc.crt
   c) ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.crt   # abc.crt blank file

Actual results:
[root@hp-bl420cgen8-01 pki]# ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@hp-bl420cgen8-01 pki]# cat abc.crt
-----BEGIN CERTIFICATE-----
sdnmsdkfbsdifbsdbasdsdSDDDasdmnd
-----END CERTIFICATE-----

[root@cisco-e160dp-01 ~]# ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.txt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@cisco-e160dp-01 ~]# cat abc.txt
afdjskfjhsfkhsfkjsfADDAaasd
sdkfjsfkjshfklsjhfsljdfhsdf
sdlfdlkjfdsalkjfhldsahflahf
lkjfsalfhdalfkhfdhlajfadfjd
[root@cisco-e160dp-01 ~]#

[root@hp-bl420cgen8-01 pki]# ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@hp-bl420cgen8-01 pki]#
[root@hp-bl420cgen8-01 pki]# cat abc.crt   # blank file
[root@hp-bl420cgen8-01 pki]#

[root@bkr-hv03-guest22 ~]# ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.crt   # no file as abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@bkr-hv03-guest22 ~]# ll
total 60
-rw-------. 1 root    root    20278 May 23 06:31 anaconda-ks.cfg
-rw-r--r--. 1 pkiuser pkiuser 10362 May 23 09:10 cacert.p12
-rw-r--r--. 1 root    root        4 May 23 06:30 NETBOOT_METHOD.TXT
-rw-------. 1 root    root    19724 May 23 06:31 original-ks.cfg
-rw-r--r--. 1 root    root        8 May 23 06:30 RECIPE.TXT
without a .crt file

[root@bkr-hv03-guest19 ~]# ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@bkr-hv03-guest19 ~]#

Expected results:
It should throw std error like "Invalid certificate file" or "No certificate file is specified" etc.

Additional info:
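The validation the report asks for, as an added example that is not FreeIPA's own code: checks ipa-ca-install could run on the --external-cert-file value before it starts configuring pki-tomcatd, each returning a short reason for the report's cases (empty option, missing file, blank file, junk with and without PEM markers). The DER length check is an assumed minimal sanity check, not a replacement for a real X.509 parser, and the sample contents are constructed from the report.

```python
# Added example, not FreeIPA's own code: up-front checks for the
# --external-cert-file value, returning "ok" or a short reason to exit on.
import base64
import os
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_sequence_ok(der):
    # Sanity check only (assumed here): an X.509 cert is one DER SEQUENCE, tag
    # 0x30, whose length field covers the whole blob; a real parser must follow.
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        hdr, body = 2, der[1]
    else:
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + body == len(der)


def check_cert_bytes(data):
    """Classify file contents: 'ok', 'empty', 'no-pem', 'bad-base64' or 'bad-der'."""
    if not data.strip():
        return "empty"                       # the blank abc.crt case
    m = PEM_RE.search(data)
    if m is None:
        return "no-pem"                      # abc.txt: no BEGIN/END block
    try:
        der = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return "bad-base64"
    return "ok" if der_sequence_ok(der) else "bad-der"   # junk inside markers


def check_cert_file(path):
    """Classify the option value first, then the file it names."""
    if not path:
        return "unset"                       # --external-cert-file=
    if not os.path.isfile(path):
        return "missing"                     # no such file as abc.crt
    with open(path, "rb") as f:
        return check_cert_bytes(f.read())


# Inputs constructed from the report, plus a well-formed DER SEQUENCE
# (30 03 02 01 01, not a real certificate) that the sanity check accepts.
JUNK_PEM = b"-----BEGIN CERTIFICATE-----\nsdnmsdkfbsdifbsdbasdsdSDDDasdmnd\n-----END CERTIFICATE-----\n"
NO_MARKERS = b"afdjskfjhsfkhsfkjsfADDAaasd\nsdkfjsfkjshfklsjhfsljdfhsdf\n"
DER_SEQ = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
```

Wiring these checks in before the "Run connection check to master" step would turn every run shown above into an immediate error exit instead of a completed CA install.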
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455054
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7 - Issue tagged with: bug
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone