#7329 update_ra_cert_store does not remove private key from NSSDB
Closed: fixed a year ago by abbra. Opened 2 years ago by cheimes.

Issue

update_ra_cert_store migrates the RA cert and key from /etc/httpd/alias to `/var/lib/ipa/ra-agent.pem` and `/var/lib/ipa/ra-agent.key`. It also removes the public cert from `/etc/httpd/alias` but it does not remove the private key. This leaves a dangling private key in the cert database.

Steps to Reproduce

  1. Upgrade an IPA server from 4.4 to 4.5
  2. Check /etc/httpd/alias for private ipaCert key

Actual behavior

$ sudo certutil -L -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -n ipaCert
certutil: Could not find cert: ipaCert
: PR_FILE_NOT_FOUND_ERROR: File not found
$ sudo certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -n ipaCert
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa  ipaCert

Expected behavior

/etc/httpd/alias should no longer contain ipaCert private key.

Version/Release/Distribution

all


Hello,

Looks like you are talking about the ipa session key to be removed after upgrade?

ls -ltr /etc/httpd/alias

lrwxrwxrwx 1 root root      24 Jan  4 10:26 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r----- 1 root apache 16384 Jan  4 10:26 secmod.db.orig
-rw-r----- 1 root apache 24576 Jan  4 10:26 key3.db.orig
-rw-r----- 1 root apache 65536 Jan  4 10:26 cert8.db.orig
-rw------- 1 root root    5274 Jan  4 10:26 install.log
-rw-rw---- 1 root apache    20 Jan  4 10:47 pwdfile.txt
-rw-rw---- 1 root apache 16384 Jan  4 10:47 secmod.db
-rw-------. 1 root root      32 Jan  5 01:39 ipasession.key <<<<<<<<<
-rw-rw---- 1 root apache 24576 Jan  4 11:02 key3.db
-rw-rw---- 1 root apache 65536 Jan  4 11:02 cert8.db

No, I'm not talking about the session key. That's a different issue. Please open a new issue for ipasession.key. Good catch!

certdb.delete_cert() runs the command certutil ... -D -n ipaCert, which removes only the public cert from NSSDB. The associated private key is not removed. To remove private key, certutil ... -F -n ipaCert is required, perhaps with -k option.
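A defender's check for exactly this dangling-key condition, added here as an example and not FreeIPA's own certdb.py code: a hypothetical helper that issues the `-D` and `-F` certutil commands discussed above and then parses `certutil -K` output to confirm no private key is still stored under the nickname. The sample listing is constructed; `-F -n` after `-D` is assumed to find the key by nickname as the ticket's `-K -n ipaCert` output suggests, and the 40-hex-digit key ID column only appears in newer NSS versions.

```python
import re
import subprocess
from typing import List, NamedTuple, Optional

class NssKey(NamedTuple):
    slot: int
    keytype: str
    keyid: Optional[str]   # 40-hex key ID; older NSS omits it, as in the ticket
    nickname: str

# certutil -K prints one line per private key, e.g. "< 0> rsa  ipaCert" (old
# NSS) or "< 1> rsa      <40 hex digits>   Server-Cert" (newer NSS).
_KEY_LINE = re.compile(r"^<\s*(?P<slot>\d+)>\s+(?P<type>\S+)\s+(?:(?P<keyid>[0-9a-fA-F]{40})\s+)?(?P<nick>.*?)\s*$")

def parse_key_listing(output: str) -> List[NssKey]:
    """Parse the text printed by `certutil -K -d <dbdir> -f <pwdfile>`."""
    keys = []
    for line in output.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            keys.append(NssKey(int(m["slot"]), m["type"], m["keyid"], m["nick"]))
    return keys

def dangling_keys(listing: str, nickname: str) -> List[NssKey]:
    """Private keys still stored under `nickname` (should be none after removal)."""
    return [k for k in parse_key_listing(listing) if k.nickname == nickname]

def removal_commands(dbdir: str, pwdfile: str, nickname: str) -> List[List[str]]:
    base = ["certutil", "-d", dbdir, "-f", pwdfile]
    return [base + ["-D", "-n", nickname],  # -D deletes only the certificate
            base + ["-F", "-n", nickname]]  # -F deletes the private key as well

def delete_cert_and_key(dbdir: str, pwdfile: str, nickname: str) -> None:
    """Hypothetical helper: remove cert + key, then fail loudly if a key is still listed."""
    for cmd in removal_commands(dbdir, pwdfile, nickname):
        subprocess.run(cmd, check=True)
    out = subprocess.run(["certutil", "-K", "-d", dbdir, "-f", pwdfile],
                         capture_output=True, text=True, check=True).stdout
    left = dangling_keys(out, nickname)
    if left:
        raise RuntimeError(f"private key for {nickname!r} still in {dbdir}: {left}")

# Constructed sample listing (not captured from a real server).
SAMPLE_LISTING = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa  ipaCert
< 1> rsa      0123456789abcdef0123456789abcdef01234567   Server-Cert
"""
```

Running `dangling_keys(SAMPLE_LISTING, "ipaCert")` reproduces the ticket's finding (one orphaned RSA key in slot 0); `delete_cert_and_key` needs a real NSS database and certutil on the path.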

Yah, I found it in ipapython/certdb.py:

    def delete_cert(self, nick):
        self.run_certutil(["-D", "-n", nick])

But is it necessary to "List the key ID of keys in the key database." with the -k option?

Going thru the options.

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.7

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.2 (was: FreeIPA 4.7.1)

2 years ago

FreeIPA 4.7.1 has been released, moving to FreeIPA 4.7.2 milestone

Metadata Update from @frenaud:
- Issue assigned to frenaud

a year ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3380

a year ago

master:

  • ef39e1b upgrade: remove ipaCert and key from /etc/httpd/alias

ipa-4-7:

  • 60cf6a6 upgrade: remove ipaCert and key from /etc/httpd/alias

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

ipa-4-8:

  • 0587718 upgrade: remove ipaCert and key from /etc/httpd/alias
