#7589 cacert renew fails on replica
Closed: fixed 5 years ago Opened 5 years ago by ksiddiqu.

Issue

cacert renewal using 'ipa-cacert-manage renew' fails on a replica (with CA). The same used to work in earlier builds. Issue found in PR CI tests.

Steps to Reproduce

  1. Install Master
  2. Install Replica with CA
  3. run ipa-cacert-manage renew on Replica

Actual behavior

cacert renewal fails on Replica

Expected behavior

cacert renewal should pass on Replica.

Version/Release/Distribution

[root@dhcp207-43 ~]# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.6.90test-0.fc28.x86_64
freeipa-client-4.6.90test-0.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.10-2.fc28.x86_64
pki-ca-10.6.1-3.fc28.noarch
krb5-server-1.16.1-7.fc28.x86_64
[root@dhcp207-43 ~]#

Additional info:

Please find the attached log files, which contain debug info of cacert renew along with logs from the PKI system.


Issue reproducible with 4.6.90.pre2-3.fc28.
The journal for certmonger shows the following errors:

/dogtag-ipa-ca-renew-agent-submit[72766]: Forwarding request to dogtag-ipa-renew-agent
/dogtag-ipa-ca-renew-agent-submit[72766]: dogtag-ipa-renew-agent returned 5
/dogtag-ipa-ca-renew-agent-submit[72777]: Forwarding request to dogtag-ipa-renew-agent
/dogtag-ipa-ca-renew-agent-submit[72777]: dogtag-ipa-renew-agent returned 5
/dogtag-ipa-ca-renew-agent-submit[72792]: Forwarding request to dogtag-ipa-renew-agent
/dogtag-ipa-ca-renew-agent-submit[72792]: dogtag-ipa-renew-agent returned 0
/stop_pkicad[72802]: Stopping pki_tomcatd
/stop_pkicad[72802]: Stopped pki_tomcatd
/renew_ca_cert[72847]: Failed to backup CS.cfg: [Errno 1] Operation not permitted: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp'
/renew_ca_cert[72847]: Updating entry cn=157bb523-0fff-4cef-9b18-afa05ec64d96,ou=authorities,ou=ca,o=ipaca
/renew_ca_cert[72847]: Not updating CS.cfg
/renew_ca_cert[72847]: Traceback (most recent call last):
        File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 224, in <module>
                main()
        File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 218, in main
                _main()
        File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 183, in _main
                for ca_nick in db.find_root_cert(nickname)[-2:-1]:
        File "/usr/lib/python3.6/site-packages/ipaserver/install/certs.py", line 538, in find_root_cert
                root_nicknames = self.nssdb.get_trust_chain(nickname)
        File "/usr/lib/python3.6/site-packages/ipapython/certdb.py", line 511, in get_trust_chain
                result = self.run_certutil(["-O", "-n", nickname], capture_output=True)
        File "/usr/lib/python3.6/site-packages/ipapython/certdb.py", line 302, in run_certutil
                return ipautil.run(new_args, stdin, cwd=self.secdir, **kwargs)
        File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 572, in run
                p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-O', '-n', 'caSigningCert cert-pki-ca', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt'] returned non-zero exit status 255: 'certutil: Could not find: caSigningCert cert-pki-ca\n: PR_FILE_NOT_FOUND_ERROR: File not found\n')

Metadata Update from @ftweedal:
- Issue assigned to ftweedal

5 years ago

On the replica, the trust flags are not properly set after ipa-replica-install --setup-ca:

# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
ocspSigningCert cert-pki-ca                                  ,,   
auditSigningCert cert-pki-ca                                 ,,P  
subsystemCert cert-pki-ca                                    ,,   
Server-Cert cert-pki-ca                                      u,u,u

During ipa-cacert-manage renew, the post-save command /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" misbehaves. This script cleans the list of external CAs before adding the current CA. In order to find the external CAs, it walks through the list of certs in the NSS db /etc/pki/pki-tomcat/alias that do not have a private key (i.e. the ones without the u flag). As some certs are missing the u flag, they are wrongly considered External CAs; for instance caSigningCert cert-pki-ca is removed.
In a later step, the script obtains the CA certs from LDAP and adds them into the NSS db. The problem is that the IPA CA is added with a nickname built from its entry DN => the IPA CA is now named 'DOMAIN-COM IPA CA' instead of 'caSigningCert cert-pki-ca'.
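The misclassification described above can be made visible by cross-checking the two certutil listings. The script below is an added example, not code from the FreeIPA project or this ticket: it parses constructed copies of the `certutil -L` and `certutil -K` output quoted in the thread, reports nicknames that own a private key but show no `u` flag, and contrasts the flag-based "external CA" heuristic the comment describes with one that consults the key listing instead. The `TOKEN_PREFIX` handling and the regular expressions are this example's own assumptions about the listing format.

```python
"""Cross-check certutil trust flags against the private-key listing.

Added example, not code from the FreeIPA ticket or project. It parses the
text of `certutil -L` and `certutil -K` (constructed copies of the listings
quoted in the ticket) and reports certificates that own a private key but
show no 'u' flag, then contrasts the flag-based external-CA heuristic with
one that consults the key listing.
"""
import re

# certutil -K prefixes nicknames on the internal token with the token name
TOKEN_PREFIX = "NSS Certificate DB:"

# Constructed sample: `certutil -L` as quoted for the replica in the ticket.
CERTUTIL_L_REPLICA = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,P
subsystemCert cert-pki-ca                                    ,,
Server-Cert cert-pki-ca                                      u,u,u
"""

# Constructed sample: `certutil -L` as quoted for the master in the ticket.
CERTUTIL_L_MASTER = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
"""

# Constructed sample: `certutil -K` as quoted for the replica (the master
# lists the same five nicknames; only the Server-Cert key ID differs).
CERTUTIL_K_REPLICA = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      f2631bd6d3c8c2639fa1a461fe228a931f3eb47a   caSigningCert cert-pki-ca
< 1> rsa      b689e2b40a87df441e287d269d8d730193154786   ocspSigningCert cert-pki-ca
< 2> rsa      1bd48ff2b47b598063a260b697e59fc8b297bc56   auditSigningCert cert-pki-ca
< 3> rsa      4e06e46980a3ff4d9258c6026d4307714c617a11   subsystemCert cert-pki-ca
< 4> rsa      71a9945b4b5bd6c9daedb32520f5572aaf1e8c44   NSS Certificate DB:Server-Cert cert-pki-ca
"""

# nickname, two or more spaces, then three comma-separated flag groups (assumed layout)
TRUST_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")
# "< 0> rsa      <key id hex>   <nickname>" (assumed layout)
KEY_RE = re.compile(r"^<\s*\d+>\s+\S+\s+(?P<keyid>[0-9a-f]+)\s+(?P<nick>\S.*?)\s*$")


def parse_trust(listing):
    """Map nickname -> (ssl, smime, jar) trust strings from `certutil -L` text."""
    return {m.group("nick"): tuple(m.group("flags").split(","))
            for m in map(TRUST_RE.match, listing.splitlines()) if m}


def parse_keys(listing):
    """Map nickname -> key ID from `certutil -K` text, dropping the token prefix."""
    keys = {}
    for m in map(KEY_RE.match, listing.splitlines()):
        if m:
            nick = m.group("nick")
            if nick.startswith(TOKEN_PREFIX):
                nick = nick[len(TOKEN_PREFIX):]
            keys[nick] = m.group("keyid")
    return keys


def has_user_flag(flags):
    """True if any of the three trust groups carries the dynamic 'u' flag."""
    return any("u" in group for group in flags)


def certs_missing_u_flag(trust, keys):
    """Nicknames with a private key in the token but no 'u' flag: empty on a
    healthy DB, four entries on the replica from the ticket."""
    return sorted(n for n in keys if n in trust and not has_user_flag(trust[n]))


def external_cas_by_flag(trust):
    """The heuristic the ticket describes: no 'u' flag means 'external CA'.
    On the replica this wrongly includes caSigningCert cert-pki-ca."""
    return sorted(n for n, flags in trust.items() if not has_user_flag(flags))


def external_cas_by_key(trust, keys):
    """Hardened variant: a cert is external only if the token holds no key for it."""
    return sorted(n for n in trust if n not in keys)


if __name__ == "__main__":
    keys = parse_keys(CERTUTIL_K_REPLICA)
    for host, listing in (("master", CERTUTIL_L_MASTER), ("replica", CERTUTIL_L_REPLICA)):
        trust = parse_trust(listing)
        print(f"{host}: keyed certs without u flag: {certs_missing_u_flag(trust, keys)}")
        print(f"{host}: external CAs by flag:       {external_cas_by_flag(trust)}")
        print(f"{host}: external CAs by key:        {external_cas_by_key(trust, keys)}")
```

Run against real hosts by replacing the constructed constants with the output of `certutil -L -d <dir>` and `certutil -K -d <dir> -f <pwdfile>`; a non-empty `certs_missing_u_flag` result on a replica is the signature of the state this ticket describes.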

Metadata Update from @frenaud:
- Assignee reset

5 years ago

Metadata Update from @frenaud:
- Issue assigned to ftweedal

5 years ago

Metadata Update from @cheimes:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.7

5 years ago

The u flag is a dynamic flag. From man certutil:

Note that the output of the -L option may include "u" flag, which means that there is a private key associated with the certificate. It is a dynamic flag and you cannot set it with certutil.

The master's and replica's alias DBs both contain the same set of cert-pki-ca certs and private keys. Despite having private keys associated with the public certs, certutil doesn't show the u flag on the replica.

PKI alias DB on master

# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/alias/pwdfile.txt -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/alias/pwdfile.txt -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      2660269f34b27aacfd1f265302ca6b33736cd13a   NSS Certificate DB:Server-Cert cert-pki-ca
< 1> rsa      f2631bd6d3c8c2639fa1a461fe228a931f3eb47a   caSigningCert cert-pki-ca
< 2> rsa      b689e2b40a87df441e287d269d8d730193154786   ocspSigningCert cert-pki-ca
< 3> rsa      4e06e46980a3ff4d9258c6026d4307714c617a11   subsystemCert cert-pki-ca
< 4> rsa      1bd48ff2b47b598063a260b697e59fc8b297bc56   auditSigningCert cert-pki-ca

PKI alias DB on replica

# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/alias/pwdfile.txt -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
ocspSigningCert cert-pki-ca                                  ,,   
auditSigningCert cert-pki-ca                                 ,,P  
subsystemCert cert-pki-ca                                    ,,   
Server-Cert cert-pki-ca                                      u,u,u
# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/alias/pwdfile.txt -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      f2631bd6d3c8c2639fa1a461fe228a931f3eb47a   caSigningCert cert-pki-ca
< 1> rsa      b689e2b40a87df441e287d269d8d730193154786   ocspSigningCert cert-pki-ca
< 2> rsa      1bd48ff2b47b598063a260b697e59fc8b297bc56   auditSigningCert cert-pki-ca
< 3> rsa      4e06e46980a3ff4d9258c6026d4307714c617a11   subsystemCert cert-pki-ca
< 4> rsa      71a9945b4b5bd6c9daedb32520f5572aaf1e8c44   NSS Certificate DB:Server-Cert cert-pki-ca

The master has 4 more entries in its sqlite db than the replica. Since we are missing 4 u flags, I assume that the missing entries are related to the missing u flags.

cert9.db on master

select count(*) from nssPublic;
count(*)
13

cert9.db on replica

select count(*) from nssPublic;
count(*)
9
# cp -R /etc/pki/pki-tomcat/alias .
# cd alias/
# certutil -d . -f pwdfile.txt -F -n "ocspSigningCert cert-pki-ca"
# certutil -d . -f pwdfile.txt -F -n "subsystemCert cert-pki-ca"
# certutil -d . -f pwdfile.txt -F -n "auditSigningCert cert-pki-ca"
# certutil -d . -f pwdfile.txt -F -n "Server-Cert cert-pki-ca"
# sqlite3 cert9.db 
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> .mode quote

master

sqlite> select * from nssPublic;
528660607,X'00000002',X'01',X'00',X'a5005a',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'00000000',X'a5005a',X'f2631bd6d3c8c2639fa1a461fe228a931f3eb47a',NULL,X'01',NULL,X'01',NULL,NULL,NULL,X'01',X'01',X'00',X'a5005a',X'a5005a',X'dd9efdc3dd31e32930b793dba16e871258b09c3de17eb3846cf20add29879099255f2b65c047fbacbfff749c41538155a846f5c74f14968e20030d40aafe3bf59adecf968efbf66bb63a555e260d99049275c83c2ef07244f3fc56f1a3e429c8aa22dbeb129dc2321a89ee5de0ae670a7128e7c3e20ea03e5df0d24d5cb1fb73f46467d1ba1e01c7b92e90e9f5523a946f622cbf75a463f0e1165c211cf55d7b364706e9a9ce024dad3b5fb02537fa424f52f75dd469ab59bf8ac07eb4360e9047f98478424660aa9116b586ff48cc2a223f0b038114edf1554bd1ba47556ff0aad3f98bf78745844495dba7898b0f7f7ab892b8929f387dfad85cadeaefe733',NULL,X'010001',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'00',X'01',NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
528660614,X'00000001',X'01',X'00',X'63615369676e696e674365727420636572742d706b692d6361',NULL,X'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',NULL,X'00000000',X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'020101',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'f2631bd6d3c8c2639fa1a461fe228a931f3eb47a',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
528660615,X'ce534353',X'01',X'00',X'a5005a',NULL,NULL,NULL,NULL,X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'020101',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'ce534352',X'ce534352',X'ce534352',X'ce534352',NULL,NULL,NULL,NULL,X'00',X'4106f312a5c29f1c9da0bcb7beb3b77224e2d811',X'3ef46a80a5e921a6947d25d3618e9994',NULL,NULL,NULL,NULL
sqlite> .q
# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C

replica

sqlite> select * from nssPublic;
128010708,X'00000001',X'01',X'00',X'63615369676e696e674365727420636572742d706b692d6361',NULL,X'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',NULL,X'00000000',X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'020101',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'f2631bd6d3c8c2639fa1a461fe228a931f3eb47a',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
128010709,X'ce534353',X'01',X'00',X'a5005a',NULL,NULL,NULL,NULL,X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'020101',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'ce534352',X'ce534352',X'ce534352',X'ce534352',NULL,NULL,NULL,NULL,X'00',X'4106f312a5c29f1c9da0bcb7beb3b77224e2d811',X'3ef46a80a5e921a6947d25d3618e9994',NULL,NULL,NULL,NULL
sqlite> .q
# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu

The entry with CKA_CLASS (a0) value CKO_PUBLIC_KEY (00000002) is missing from the replica DB. After I copied the value from the master DB to the replica DB, the u flag appears:

sqlite> INSERT INTO "nssPublic" VALUES(528660607,X'00000002',X'01',X'00',X'a5005a',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'00000000',X'a5005a',X'f2631bd6d3c8c2639fa1a461fe228a931f3eb47a',NULL,X'01',NULL,X'01',NULL,NULL,NULL,X'01',X'01',X'00',X'a5005a',X'a5005a',X'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',NULL,X'010001',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'00',X'01',NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
sqlite> .q
# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu

This issue may be caused by / related to
https://bugzilla.redhat.com/show_bug.cgi?id=1596130
(certutil -A does not associate certificate with private key)

Another JSS commit addresses a similar issue for LWCA key replication:
https://github.com/dogtagpki/jss/pull/15

JSS 4.4.5 will fix the issue for new ipa-replica-install installations as well as migrations from 4.6.4 and earlier. The fix will not repair replicas that have been installed with 4.6.90.pre1 and 4.6.90.pre2, though.

master:

  • 6896c90 Extend Sub CA replication test
  • a7627a7 Require JSS 4.4.5 with replication fixes
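Since the fix does not repair replicas installed with the pre-releases, a direct check of cert9.db for the missing CKO_PUBLIC_KEY objects is useful. The script below is an added example, not FreeIPA or NSS code. It assumes the column layout of the NSS sqlite backend (table nssPublic with one column per PKCS#11 attribute, named "a" plus the attribute type in hex: a0 = CKA_CLASS, a3 = CKA_LABEL, a102 = CKA_ID); confirm that with `.schema nssPublic` on a real database before relying on it. The in-memory sample table carries only those columns and mirrors the replica state from the thread: certificate objects present, public-key objects missing for every keyed nickname except Server-Cert. The `KEYED_NICKNAMES` set stands in for the `certutil -K` listing, so imported trust anchors that legitimately have no key are not reported.

```python
"""Find certificate objects in cert9.db that lack a matching public-key object.

Added example, not FreeIPA or NSS code. Assumes the NSS sqlite backend
schema (table nssPublic, columns a0 = CKA_CLASS, a3 = CKA_LABEL,
a102 = CKA_ID); verify with `.schema nssPublic` before use. The sample DB
built here is constructed and carries only those columns.
"""
import sqlite3

CKO_CERTIFICATE = b"\x00\x00\x00\x01"
CKO_PUBLIC_KEY = b"\x00\x00\x00\x02"
# Marker NSS stores for a zero-length attribute (the X'a5005a' visible in the
# ticket's row dumps); the public-key objects there carry it as their label.
EMPTY_ATTR = b"\xa5\x00\x5a"

# Nicknames certutil -K reported as owning private keys (from the ticket);
# only these are expected to have a public-key object.
KEYED_NICKNAMES = {
    "caSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca", "subsystemCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
}

# CKA_ID values copied from the key IDs in the ticket's certutil -K output.
SAMPLE_IDS = {
    "caSigningCert cert-pki-ca": "f2631bd6d3c8c2639fa1a461fe228a931f3eb47a",
    "ocspSigningCert cert-pki-ca": "b689e2b40a87df441e287d269d8d730193154786",
    "auditSigningCert cert-pki-ca": "1bd48ff2b47b598063a260b697e59fc8b297bc56",
    "subsystemCert cert-pki-ca": "4e06e46980a3ff4d9258c6026d4307714c617a11",
    "Server-Cert cert-pki-ca": "71a9945b4b5bd6c9daedb32520f5572aaf1e8c44",
}


def certs_without_public_key(conn, keyed_nicknames):
    """Labels among keyed_nicknames whose CKO_CERTIFICATE object has no
    CKO_PUBLIC_KEY object with the same CKA_ID. NSS cannot link such a cert
    to its private key, so certutil -L shows no 'u' flag for it."""
    rows = conn.execute(
        "SELECT c.a3 FROM nssPublic c "
        "WHERE c.a0 = ? AND c.a102 IS NOT NULL AND NOT EXISTS ("
        "  SELECT 1 FROM nssPublic p WHERE p.a0 = ? AND p.a102 = c.a102)",
        (CKO_CERTIFICATE, CKO_PUBLIC_KEY),
    )
    labels = {bytes(r[0]).decode("utf-8", "replace") for r in rows}
    return sorted(labels & set(keyed_nicknames))


def open_readonly(path):
    """Open a cert9.db without taking a write lock on the live NSS database."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db(with_public_keys):
    """Constructed in-memory stand-in for cert9.db (master-like when
    with_public_keys is True, replica-like when False)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nssPublic "
                 "(id INTEGER PRIMARY KEY, a0 BLOB, a3 BLOB, a102 BLOB)")
    insert = "INSERT INTO nssPublic (a0, a3, a102) VALUES (?, ?, ?)"
    for nick, hexid in SAMPLE_IDS.items():
        cka_id = bytes.fromhex(hexid)
        conn.execute(insert, (CKO_CERTIFICATE, nick.encode(), cka_id))
        # On the broken replica only Server-Cert kept its public-key object.
        if with_public_keys or nick == "Server-Cert cert-pki-ca":
            conn.execute(insert, (CKO_PUBLIC_KEY, EMPTY_ATTR, cka_id))
    # An imported trust anchor: certificate only, no key, so no public-key
    # object is expected and it must not be reported. Constructed CKA_ID.
    conn.execute(insert, (CKO_CERTIFICATE, b"External Root CA",
                          bytes.fromhex("00" * 20)))
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python3 check_cert9.py /path/to/cert9.db "nick1" "nick2" ...
        # where the nicknames are those listed by certutil -K.
        conn = open_readonly(sys.argv[1])
        keyed = set(sys.argv[2:]) or KEYED_NICKNAMES
    else:
        conn = build_sample_db(with_public_keys=False)
        keyed = KEYED_NICKNAMES
    print("keyed certs without a public-key object:",
          certs_without_public_key(conn, keyed))
```

The query deliberately joins on CKA_ID rather than on the label, because the public-key object carries no nickname (its label is the empty-attribute marker in the ticket's dump); the CKA_ID, the same 20-byte key ID that `certutil -K` prints, is what ties certificate, public key and private key together.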

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
