#6985 ipa-ca-install command installs CA on replica even if cert file is not specified with --external-cert-file option
Opened 3 years ago by pvoborni. Modified 2 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1455054

Description of problem:
ipa-ca-install command installs CA on replica even if cert file is not
specified with --external-cert-file option. If the command is executed with a
non-existing file, an invalid file etc., it doesn't throw any error.

Version-Release number of selected component (if applicable):

[root@bkr-hv01-guest30 ~]# rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.5.0-13.el7.x86_64
ipa-client-4.5.0-13.el7.x86_64
389-ds-base-1.3.6.1-14.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install replica on the system (ipa-replica-install -P admin -w Secret123)

2. Install CA with following scenario:

   a) ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=

   b) ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.crt   # no file named abc.crt exists

   c) ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.crt   # abc.crt is a blank file

Actual results:

[root@hp-bl420cgen8-01 pki]# ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records


[root@hp-bl420cgen8-01 pki]# cat abc.crt
-----BEGIN CERTIFICATE-----
sdnmsdkfbsdifbsdbasdsdSDDDasdmnd
-----END CERTIFICATE-----


[root@cisco-e160dp-01 ~]# ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.txt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records

[root@cisco-e160dp-01 ~]# cat abc.txt
afdjskfjhsfkhsfkjsfADDAaasd
sdkfjsfkjshfklsjhfsljdfhsdf
sdlfdlkjfdsalkjfhldsahflahf
lkjfsalfhdalfkhfdhlajfadfjd
[root@cisco-e160dp-01 ~]#

[root@hp-bl420cgen8-01 pki]# ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.crt
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@hp-bl420cgen8-01 pki]#
[root@hp-bl420cgen8-01 pki]# cat abc.crt #blank file
[root@hp-bl420cgen8-01 pki]#

[root@bkr-hv03-guest22 ~]# ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=abc.crt   # no file named abc.crt exists
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@bkr-hv03-guest22 ~]# ll
total 60
-rw-------. 1 root    root    20278 May 23 06:31 anaconda-ks.cfg
-rw-r--r--. 1 pkiuser pkiuser 10362 May 23 09:10 cacert.p12
-rw-r--r--. 1 root    root        4 May 23 06:30 NETBOOT_METHOD.TXT
-rw-------. 1 root    root    19724 May 23 06:31 original-ks.cfg
-rw-r--r--. 1 root    root        8 May 23 06:30 RECIPE.TXT

without a .crt file

[root@bkr-hv03-guest19 ~]# ipa-ca-install -U -P admin -p Secret123 -w Secret123 --external-cert-file=
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
  [5/25]: exporting Dogtag certificate store pin
  [6/25]: stopping certificate server instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: destroying installation admin user
  [12/25]: starting certificate server instance
  [13/25]: setting up signing cert profile
  [14/25]: setting audit signing renewal to 2 years
  [15/25]: restarting certificate server
  [16/25]: authorizing RA to modify profiles
  [17/25]: authorizing RA to manage lightweight CAs
  [18/25]: Ensure lightweight CAs container exists
  [19/25]: configure certificate renewals
  [20/25]: configure Server-Cert certificate renewal
  [21/25]: Configure HTTP to proxy connections
  [22/25]: restarting certificate server
  [23/25]: updating IPA configuration
  [24/25]: enabling CA instance
  [25/25]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@bkr-hv03-guest19 ~]#



Expected results:
It should throw a standard error such as "Invalid certificate file" or "No certificate file
is specified", etc.
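An added example (not FreeIPA's own code) of the validation the expected results call for: the installer should refuse an empty, missing, blank or non-certificate --external-cert-file argument before it starts configuring the replica, which is what lets cases a), b) and c) above run to completion. It checks PEM framing and the DER outer-SEQUENCE length with the standard library only; the file names and error messages are constructed, and a real installer would parse the full X.509 structure (FreeIPA uses python-cryptography for that) rather than stop at this structural check.

```python
import os
import ssl
import tempfile

PEM = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n"

def der_outer_length(der):
    """Total length the outer DER SEQUENCE claims, or None if there is none."""
    if len(der) < 2 or der[0] != 0x30:        # 0x30 is the SEQUENCE tag
        return None
    if der[1] < 0x80:                          # short-form length byte
        return 2 + der[1]
    n = der[1] & 0x7F                          # long form: n more length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_cert_pem(text):
    """(ok, reason) for the text of a claimed PEM certificate."""
    try:
        der = ssl.PEM_cert_to_DER_cert(text.strip())  # raises on bad framing
    except ValueError as e:                            # binascii.Error is one
        return False, "not a PEM certificate: %s" % e
    if der_outer_length(der) != len(der):
        return False, "PEM body is not a DER-encoded certificate"
    return True, "ok"

def validate_external_cert_file(path):
    """Checks the installer should run before it touches the replica."""
    if not path:
        return False, "No certificate file is specified"
    if not os.path.isfile(path):
        return False, "Certificate file %s does not exist" % path
    with open(path, encoding="ascii", errors="replace") as f:
        text = f.read()
    if not text.strip():
        return False, "Certificate file %s is empty" % path
    return check_cert_pem(text)

def demo():  # replay the ticket's cases on constructed files -> {case: reason}
    cases = {"junk.crt": PEM.format("sdnmsdkfbsdifbsdbasdsdSDDDasdmnd"),  # body from the ticket
             "blank.crt": "", "ok.crt": PEM.format("MAMCAQE=")}  # MAMCAQE= is DER 30 03 02 01 01, a minimal SEQUENCE
    results = {"empty-arg": validate_external_cert_file("")[1]}
    with tempfile.TemporaryDirectory() as d:
        for name, body in cases.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
            results[name] = validate_external_cert_file(os.path.join(d, name))[1]
        results["missing"] = validate_external_cert_file(os.path.join(d, "abc.crt"))[1]
    return results
```

The "ok.crt" case is only a structurally valid DER SEQUENCE, not a real certificate; it shows what this check accepts, so a full X.509 parse still belongs after it.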

Additional info:

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455054

3 years ago


Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7
- Issue tagged with: bug

3 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
