#7232 Unable to re-key external CA
Opened 2 years ago by ftweedal. Modified 7 months ago

When using an externally-signed IPA CA and wishing to change the
external root chaining. If you install a new external CA
cert which has the same subject name, but a different public key. A
new IPA CA CSR has been generated and has been signed by the new external CA.
However, when you attempt to change the chaining ('ipa-cacert-manage
renew --external-cert-file=<new ipa="" ca="" cert=""> --external-cert-file=<new root="" ca="" cert="">'), an error is returned indicating a problem with subject key
comparison -->

ipa: DEBUG: stderr=ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x540d368>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_57069456
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 117, in run
    rc = self.renew()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 165, in renew
    return self.renew_external_step_2(ca, cert)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 282, in renew_external_step_2
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 367, in put_ca_cert_nss
    config_ipa, config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 233, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 182, in update_ca_cert
    raise ValueError("subject public key info mismatch")

ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The
ipa-cacert-manage command failed, exception: ValueError: subject public key info mismatch
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: subject public key info mismatch                      
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The ipa-cacert-manage command failed.

In certstore.py, the public key of the new cert is compared to same of the
current cert stored in 389 -->

def update_ca_cert(ldap, base_dn, dercert, trusted=None, ext_key_usage=None,
                   config_ipa=False, config_compat=False):
    Update existing entry for a CA certificate in the certificate store.
    subject, issuer_serial, public_key = _parse_cert(dercert)

    filter = ldap.make_filter({'ipaCertSubject': subject})
    result, _truncated = ldap.find_entries(
        base_dn=DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
        attrs_list=['cn', 'ipaCertSubject', 'ipaCertIssuerSerial',
                    'ipaPublicKey', 'ipaKeyTrust', 'ipaKeyExtUsage',
                    'ipaConfigString', 'cACertificate;binary'])
    entry = result[0]
    dn = entry.dn

    for old_cert in entry['cACertificate;binary']:
        # Check if we are adding a new cert
        if old_cert == dercert:
        # We are adding a new cert, validate it
        if entry.single_value['ipaCertSubject'].lower() != subject.lower():
            raise ValueError("subject name mismatch")
        if entry.single_value['ipaPublicKey'] != public_key:
            raise ValueError("subject public key info mismatch")

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1512322

2 years ago

What would you suggest, not do the subject key comparison? The commit message for the code contains no reasoning for doing this.

@rcritten possibly. It would need to be comprehensively tested, to make sure that none of the other programs or libraries (e.g. NSS) experience issues in this scenario.

Some git archaeology will be needed to try to discern the original intent of this change but IIRC it was one of many included in a large patch set with no specific call-out.

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.6.4

2 years ago

Metadata Update from @pvoborni:
- Issue priority set to: important (was: normal)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

2 years ago

According to https://www.freeipa.org/page/V4/CA_certificate_renewal each entry underneath cn=certificates,cn=ipa,cn=etc,SUFFIX "represents a set of certificates using a single subject name and public key" but no further rationale is given. Given that ipaCertsubject "must be unique in the store", it looks like you can't re-key a CA.

(This ended up being rather tautological, but I can't delete the comment...) :)

Login to comment on this ticket.