In certprofile-import if the config file contains two profileId directives with different values, the profile can be imported under an incorrect ID.
e.g. if profile config contains:

```
profileId=test1
profileId=test2
```
And you import the profile into FreeIPA as test1, i.e. ipa certprofile-import test1 ..., then the profile will be imported into Dogtag as test2. The actual certprofile-import operation fails:
```
# ipa certprofile-import test1 --file test1.cfg --store 1 --desc test1
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500.
```
And no IPA entry for the profile has been created (either as test1 or test2):
```
# ipa certprofile-show test1
ipa: ERROR: test1: Certificate Profile not found
# ipa certprofile-show test2
ipa: ERROR: test2: Certificate Profile not found
```
But the profile HAS been imported into Dogtag, as test2:

```
# ldapsearch -D cn=directory\ manager -w secret123 -b 'ou=certificateProfiles,ou=ca,o=ipaca' 1.1 |grep test
# test2, certificateProfiles, ca, ipaca
dn: cn=test2,ou=certificateProfiles,ou=ca,o=ipaca
```
A subsequent attempt to issue a cert using profile test1 fails:
```
# ipa cert-request --principal alice --profile test1 alice.csr
ipa: ERROR: Request failed with status 400: Non-2xx response from CA REST API: 400.
Profile test1 Not Found
```
This operation against Dogtag should probably not even have been attempted, since no IPA object for the profile was created.
Similarly, attempting to issue using test2 also fails, because that profile has not been enabled yet:
```
# ipa cert-request --principal alice --profile test2 alice.csr
ipa: ERROR: Request failed with status 400: Non-2xx response from CA REST API: 400.
Profile test2 not enabled
```
And again, it should probably not have even been attempted.
The presence of two profileId directives in the profile configuration should be detected by FreeIPA, and the configuration rejected.
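One way to perform that check before anything is sent to Dogtag, as an added example that is not FreeIPA's own code nor the fix in the linked PR: parse the raw key=value profile config, and reject it unless it carries exactly one profileId that matches the ID given on the command line. The sample configs below are constructed for illustration; the function and class names are assumptions.

```python
class ProfileConfigError(ValueError):
    """Raised when a raw Dogtag profile configuration is rejected."""


def parse_raw_profile(config_text):
    """Parse a raw Dogtag profile config (key=value lines) into a list of
    (key, value) pairs. Duplicates are preserved so they can be detected;
    blank lines and '#' comments are skipped."""
    pairs = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if "=" not in stripped:
            raise ProfileConfigError(
                "line %d: expected key=value, got %r" % (lineno, stripped))
        key, value = stripped.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def validate_profile_id(requested_id, config_text):
    """Reject the config unless it has exactly one profileId equal to the
    ID the caller asked to import under. Returns that ID on success."""
    ids = [v for k, v in parse_raw_profile(config_text) if k == "profileId"]
    if not ids:
        raise ProfileConfigError("profileId directive missing")
    if len(ids) > 1:
        raise ProfileConfigError(
            "multiple profileId directives: %s" % ", ".join(ids))
    if ids[0] != requested_id:
        raise ProfileConfigError(
            "profileId %r does not match requested profile ID %r"
            % (ids[0], requested_id))
    return ids[0]


# Constructed sample configs (not the ticket's test1.cfg).
GOOD_CFG = "profileId=test1\nclassId=caEnrollImpl\nvisible=true\n"
DUP_CFG = "profileId=test1\nclassId=caEnrollImpl\nprofileId=test2\n"
MISMATCH_CFG = "profileId=test2\nclassId=caEnrollImpl\n"


def check_all():
    """Run the three constructed cases as an import of 'test1'."""
    results = {}
    for name, cfg in (("good", GOOD_CFG), ("dup", DUP_CFG),
                      ("mismatch", MISMATCH_CFG)):
        try:
            results[name] = validate_profile_id("test1", cfg)
        except ProfileConfigError as e:
            results[name] = "rejected: " + str(e)
    return results
```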
PR: https://github.com/freeipa/freeipa/pull/1830
Metadata Update from @ftweedal:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1830
master:
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
ipa-4-6:
Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.6.4