cacert renewal using 'ipa-cacert-manage renew' fails on replica (with CA). Same used to work in earlier builds. Issue found in PR CI tests.
ipa-cacert-manage renew
cacert renewal fails on Replica
cacert renewal should pass on Replica.
```
[root@dhcp207-43 ~]# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.6.90test-0.fc28.x86_64
freeipa-client-4.6.90test-0.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.10-2.fc28.x86_64
pki-ca-10.6.1-3.fc28.noarch
krb5-server-1.16.1-7.fc28.x86_64
[root@dhcp207-43 ~]#
```
Please find the attached log files, which contain debug info of the cacert renew along with logs from the PKI system.
Issue reproducible with the 4.6.90.pre2-3.fc28. The journal for certmonger shows the following errors:
```
/dogtag-ipa-ca-renew-agent-submit[72766]: Forwarding request to dogtag-ipa-renew-agent
/dogtag-ipa-ca-renew-agent-submit[72766]: dogtag-ipa-renew-agent returned 5
/dogtag-ipa-ca-renew-agent-submit[72777]: Forwarding request to dogtag-ipa-renew-agent
/dogtag-ipa-ca-renew-agent-submit[72777]: dogtag-ipa-renew-agent returned 5
/dogtag-ipa-ca-renew-agent-submit[72792]: Forwarding request to dogtag-ipa-renew-agent
/dogtag-ipa-ca-renew-agent-submit[72792]: dogtag-ipa-renew-agent returned 0
/stop_pkicad[72802]: Stopping pki_tomcatd
/stop_pkicad[72802]: Stopped pki_tomcatd
/renew_ca_cert[72847]: Failed to backup CS.cfg: [Errno 1] Operation not permitted: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp'
/renew_ca_cert[72847]: Updating entry cn=157bb523-0fff-4cef-9b18-afa05ec64d96,ou=authorities,ou=ca,o=ipaca
/renew_ca_cert[72847]: Not updating CS.cfg
/renew_ca_cert[72847]: Traceback (most recent call last):
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 224, in <module>
    main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 218, in main
    _main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 183, in _main
    for ca_nick in db.find_root_cert(nickname)[-2:-1]:
  File "/usr/lib/python3.6/site-packages/ipaserver/install/certs.py", line 538, in find_root_cert
    root_nicknames = self.nssdb.get_trust_chain(nickname)
  File "/usr/lib/python3.6/site-packages/ipapython/certdb.py", line 511, in get_trust_chain
    result = self.run_certutil(["-O", "-n", nickname], capture_output=True)
  File "/usr/lib/python3.6/site-packages/ipapython/certdb.py", line 302, in run_certutil
    return ipautil.run(new_args, stdin, cwd=self.secdir, **kwargs)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 572, in run
    p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-O', '-n', 'caSigningCert cert-pki-ca', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt'] returned non-zero exit status 255: 'certutil: Could not find: caSigningCert cert-pki-ca\n: PR_FILE_NOT_FOUND_ERROR: File not found\n')
```
Metadata Update from @ftweedal: - Issue assigned to ftweedal
On the replica, the trust flags are not properly set after ipa-replica-install --setup-ca:
```
# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,P
subsystemCert cert-pki-ca                                    ,,
Server-Cert cert-pki-ca                                      u,u,u
```
During ipa-cacert-manage renew, the post-save command `/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"` misbehaves. This script is cleaning the list of external CAs before adding the current CA. In order to find the external CAs, it walks through the list of certs in the NSS db /etc/pki/pki-tomcat/alias that do not have a private key (i.e. the ones without the u flag). As some certs are missing the u flag, they are wrongly considered as external CAs; for instance, caSigningCert cert-pki-ca is removed. In a later step, the script obtains the CA certs from LDAP and adds them into the NSS db. The problem is that the IPA CA is added with a nickname built from its entry DN => the IPA CA is now named 'DOMAIN-COM IPA CA' instead of 'caSigningCert cert-pki-ca'.
Metadata Update from @frenaud: - Assignee reset
Metadata Update from @frenaud: - Issue assigned to ftweedal
Metadata Update from @cheimes: - Issue priority set to: critical - Issue set to the milestone: FreeIPA 4.7
The u flag is a dynamic flag. From man certutil:
Note that the output of the -L option may include "u" flag, which means that there is a private key associated with the certificate. It is a dynamic flag and you cannot set it with certutil.
Master's and replica's alias DBs both contain the same set of cert-pki-ca certs and private keys. Despite having private keys assigned to public certs, certutil doesn't show the u flag on the replica.

Master:

```
# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/alias/pwdfile.txt -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u

# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/alias/pwdfile.txt -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      2660269f34b27aacfd1f265302ca6b33736cd13a   NSS Certificate DB:Server-Cert cert-pki-ca
< 1> rsa      f2631bd6d3c8c2639fa1a461fe228a931f3eb47a   caSigningCert cert-pki-ca
< 2> rsa      b689e2b40a87df441e287d269d8d730193154786   ocspSigningCert cert-pki-ca
< 3> rsa      4e06e46980a3ff4d9258c6026d4307714c617a11   subsystemCert cert-pki-ca
< 4> rsa      1bd48ff2b47b598063a260b697e59fc8b297bc56   auditSigningCert cert-pki-ca
```

Replica:

```
# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/alias/pwdfile.txt -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,P
subsystemCert cert-pki-ca                                    ,,
Server-Cert cert-pki-ca                                      u,u,u

# certutil -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/alias/pwdfile.txt -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      f2631bd6d3c8c2639fa1a461fe228a931f3eb47a   caSigningCert cert-pki-ca
< 1> rsa      b689e2b40a87df441e287d269d8d730193154786   ocspSigningCert cert-pki-ca
< 2> rsa      1bd48ff2b47b598063a260b697e59fc8b297bc56   auditSigningCert cert-pki-ca
< 3> rsa      4e06e46980a3ff4d9258c6026d4307714c617a11   subsystemCert cert-pki-ca
< 4> rsa      71a9945b4b5bd6c9daedb32520f5572aaf1e8c44   NSS Certificate DB:Server-Cert cert-pki-ca
```
The master has 4 more entries in its SQLite DB than the replica. Since we are missing 4 u flags, I assume that the missing entries are related to the missing u flags.

Master:

```
select count(*) from nssPublic;
count(*)
13
```

Replica:

```
select count(*) from nssPublic;
count(*)
9
```
```
# cp -R /etc/pki/pki-tomcat/alias .
# cd alias/
# certutil -d . -f pwdfile.txt -F -n "ocspSigningCert cert-pki-ca"
# certutil -d . -f pwdfile.txt -F -n "subsystemCert cert-pki-ca"
# certutil -d . -f pwdfile.txt -F -n "auditSigningCert cert-pki-ca"
# certutil -d . -f pwdfile.txt -F -n "Server-Cert cert-pki-ca"
# sqlite3 cert9.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> .mode quote
```
sqlite> select * from nssPublic; 528660607,X'00000002',X'01',X'00',X'a5005a',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'00000000',X'a5005a',X'f2631bd6d3c8c2639fa1a461fe228a931f3eb47a',NULL,X'01',NULL,X'01',NULL,NULL,NULL,X'01',X'01',X'00',X'a5005a',X'a5005a',X'dd9efdc3dd31e32930b793dba16e871258b09c3de17eb3846cf20add29879099255f2b65c047fbacbfff749c41538155a846f5c74f14968e20030d40aafe3bf59adecf968efbf66bb63a555e260d99049275c83c2ef07244f3fc56f1a3e429c8aa22dbeb129dc2321a89ee5de0ae670a7128e7c3e20ea03e5df0d24d5cb1fb73f46467d1ba1e01c7b92e90e9f5523a946f622cbf75a463f0e1165c211cf55d7b364706e9a9ce024dad3b5fb02537fa424f52f75dd469ab59bf8ac07eb4360e9047f98478424660aa9116b586ff48cc2a223f0b038114edf1554bd1ba47556ff0aad3f98bf78745844495dba7898b0f7f7ab892b8929f387dfad85cadeaefe733',NULL,X'010001',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'00',X'01',NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL 
528660614,X'00000001',X'01',X'00',X'63615369676e696e674365727420636572742d706b692d6361',NULL,X'308203e8308202d0a003020102020101300d06092a864886f70d01010b0500305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479301e170d3138303632313136323631305a170d3338303632313136323631305a305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100dd9efdc3dd31e32930b793dba16e871258b09c3de17eb3846cf20add29879099255f2b65c047fbacbfff749c41538155a846f5c74f14968e20030d40aafe3bf59adecf968efbf66bb63a555e260d99049275c83c2ef07244f3fc56f1a3e429c8aa22dbeb129dc2321a89ee5de0ae670a7128e7c3e20ea03e5df0d24d5cb1fb73f46467d1ba1e01c7b92e90e9f5523a946f622cbf75a463f0e1165c211cf55d7b364706e9a9ce024dad3b5fb02537fa424f52f75dd469ab59bf8ac07eb4360e9047f98478424660aa9116b586ff48cc2a223f0b038114edf1554bd1ba47556ff0aad3f98bf78745844495dba7898b0f7f7ab892b8929f387dfad85cadeaefe7330203010001a381c23081bf301f0603551d23041830168014295dbe7f1b3beaf4e45db3d7ff10e3ac84c2d92b300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201c6301d0603551d0e04160414295dbe7f1b3beaf4e45db3d7ff10e3ac84c2d92b305c06082b060105050701010450304e304c06082b060105050730018640687474703a2f2f6970612d63612e646f6d2d3137312d3231382e6162632e69646d2e6c61622e656e672e6272712e7265646861742e636f6d2f63612f6f637370300d06092a864886f70d01010b050003820101007ef6e5e3d8f4a221e155c7e18a12c18ff732e4437d2dbf0639ecbaf33e0fe179008e0979232a8cbbea926b0350fb605e0307af754ea1e9dcb3b4f6267f364cd0b585681ea12d966d00eea73f0ad83de5a9957392409a973cd646502f22d2caa26d7b5c7a89574141a9547e387585a7bc3ee148fe5df3fc440b370b2b2886cc910fe3cd252f6f05b6d146c24f7c442966d14f4ae3030d21f2fe88970c448d2f0847c5e28f28c363e45c5e6acb0c1e2ffd7e967b41799d7d842647bb887638eaad9cdd74442a53693cce1e6962f
599749a0b8d813649878265d541726e2304753a20239e499d5d00cc653d9dd72fbc8f90d896721199f604cba0f3f581875e700a',NULL,X'00000000',X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'020101',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'f2631bd6d3c8c2639fa1a461fe228a931f3eb47a',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL 528660615,X'ce534353',X'01',X'00',X'a5005a',NULL,NULL,NULL,NULL,X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'020101',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'ce534352',X'ce534352',X'ce534352',X'ce534352',NULL,NULL,NULL,NULL,X'00',X'4106f312a5c29f1c9da0bcb7beb3b77224e2d811',X'3ef46a80a5e921a6947d25d3618e9994',NULL,NULL,NULL,NULL sqlite> .q # certutil -d . 
-L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CT,C,C
sqlite> select * from nssPublic; 128010708,X'00000001',X'01',X'00',X'63615369676e696e674365727420636572742d706b692d6361',NULL,X'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',NULL,X'00000000',X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'020101',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'f2631bd6d3c8c2639fa1a461fe228a931f3eb47a',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL 
128010709,X'ce534353',X'01',X'00',X'a5005a',NULL,NULL,NULL,NULL,X'305531333031060355040a0c2a444f4d2d3137312d3231382e4142432e49444d2e4c41422e454e472e4252512e5245444841542e434f4d311e301c06035504030c15436572746966696361746520417574686f72697479',X'020101',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'ce534352',X'ce534352',X'ce534352',X'ce534352',NULL,NULL,NULL,NULL,X'00',X'4106f312a5c29f1c9da0bcb7beb3b77224e2d811',X'3ef46a80a5e921a6947d25d3618e9994',NULL,NULL,NULL,NULL sqlite> .q # certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu
The entry with CKA_CLASS (a0) value CKO_PUBLIC_KEY (00000002) is missing from the replica DB. After I copied the value from the master DB to the replica DB, the u flag appears:
sqlite> INSERT INTO "nssPublic" VALUES(528660607,X'00000002',X'01',X'00',X'a5005a',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'00000000',X'a5005a',X'f2631bd6d3c8c2639fa1a461fe228a931f3eb47a',NULL,X'01',NULL,X'01',NULL,NULL,NULL,X'01',X'01',X'00',X'a5005a',X'a5005a',X'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',NULL,X'010001',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'00',X'01',NULL,NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL); sqlite> .q # certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu
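The two observations in this ticket (frenaud's note that renew_ca_cert treats every cert without the u flag as an external CA, and cheimes's master/replica comparison of certutil -L against certutil -K) can be turned into a pre-renewal check. The script below is an added illustration and is not code from FreeIPA, NSS or Dogtag: it parses the certutil -L and -K output formats shown above (the sample listings are constructed from the posted master and replica output; the function names and the heuristic are the example's own, modelled on the behaviour described for renew_ca_cert) and reports certs that do have a private key but no u flag, which is exactly the condition that makes the "no u flag means external CA" heuristic discard caSigningCert cert-pki-ca.

```python
"""Cross-check `certutil -L` trust flags against `certutil -K` private keys.

Added example for this ticket; not code from FreeIPA, NSS or Dogtag. It
assumes only the certutil -L / -K output formats shown in the ticket.
"""
import re
from typing import Dict, Set

# Token-name prefix that `certutil -K` prepends to some nicknames.
TOKEN_PREFIX = "NSS Certificate DB:"

# `certutil -L` row: "<nickname>   <ssl>,<email>,<objsign>"; fields may be empty.
_LIST_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")
# `certutil -K` row: "< 0> rsa <key id>   [token:]<nickname>"
_KEY_RE = re.compile(
    r"^<\s*\d+>\s+(?P<type>\w+)\s+(?P<id>[0-9a-fA-F]+)\s+(?P<nick>.+?)\s*$")

# Constructed samples, modelled on the master/replica listings in this ticket.
MASTER_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
"""
MASTER_KEYS = """\
< 0> rsa      2660269f34b27aacfd1f265302ca6b33736cd13a   NSS Certificate DB:Server-Cert cert-pki-ca
< 1> rsa      f2631bd6d3c8c2639fa1a461fe228a931f3eb47a   caSigningCert cert-pki-ca
< 2> rsa      b689e2b40a87df441e287d269d8d730193154786   ocspSigningCert cert-pki-ca
< 3> rsa      4e06e46980a3ff4d9258c6026d4307714c617a11   subsystemCert cert-pki-ca
< 4> rsa      1bd48ff2b47b598063a260b697e59fc8b297bc56   auditSigningCert cert-pki-ca
"""
REPLICA_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,P
subsystemCert cert-pki-ca                                    ,,
Server-Cert cert-pki-ca                                      u,u,u
"""
REPLICA_KEYS = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      f2631bd6d3c8c2639fa1a461fe228a931f3eb47a   caSigningCert cert-pki-ca
< 1> rsa      b689e2b40a87df441e287d269d8d730193154786   ocspSigningCert cert-pki-ca
< 2> rsa      1bd48ff2b47b598063a260b697e59fc8b297bc56   auditSigningCert cert-pki-ca
< 3> rsa      4e06e46980a3ff4d9258c6026d4307714c617a11   subsystemCert cert-pki-ca
< 4> rsa      71a9945b4b5bd6c9daedb32520f5572aaf1e8c44   NSS Certificate DB:Server-Cert cert-pki-ca
"""


def parse_certutil_list(output: str) -> Dict[str, str]:
    """Map nickname -> trust attribute string (e.g. "CTu,Cu,Cu") from -L output."""
    certs = {}
    for line in output.splitlines():
        m = _LIST_RE.match(line.rstrip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def parse_certutil_keys(output: str) -> Dict[str, str]:
    """Map nickname -> private key id from -K output, dropping the token prefix."""
    keys = {}
    for line in output.splitlines():
        m = _KEY_RE.match(line.rstrip())
        if not m:
            continue
        nick = m.group("nick")
        if nick.startswith(TOKEN_PREFIX):
            nick = nick[len(TOKEN_PREFIX):]
        keys[nick] = m.group("id")
    return keys


def has_user_flag(trust: str) -> bool:
    """True if any of the three trust fields carries the dynamic 'u' flag."""
    return any("u" in field for field in trust.split(","))


def external_ca_candidates(certs: Dict[str, str]) -> Set[str]:
    """Certs that a 'no u flag means external CA' heuristic would treat as external."""
    return {nick for nick, trust in certs.items() if not has_user_flag(trust)}


def keys_without_user_flag(certs: Dict[str, str], keys: Dict[str, str]) -> Set[str]:
    """Certs with a private key per -K but no 'u' flag per -L: the broken association."""
    return {nick for nick in keys if nick in certs and not has_user_flag(certs[nick])}


if __name__ == "__main__":
    for name, lst, keys in (("master", MASTER_LIST, MASTER_KEYS),
                            ("replica", REPLICA_LIST, REPLICA_KEYS)):
        certs = parse_certutil_list(lst)
        broken = keys_without_user_flag(certs, parse_certutil_keys(keys))
        print(f"{name}: treated as external CA: {sorted(external_ca_candidates(certs)) or 'none'}")
        print(f"{name}: key present but no u flag: {sorted(broken) or 'none'}")
```

On the constructed replica sample the check flags all four cert-pki-ca certs whose public-key object is missing, including the CA signing cert; on the master sample it flags nothing. Running the same comparison against a live alias directory before invoking ipa-cacert-manage renew would surface the inconsistency before the post-save script acts on it.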
This issue may be caused by / related to https://bugzilla.redhat.com/show_bug.cgi?id=1596130 (certutil -A does not associate certificate with private key)
https://github.com/dogtagpki/jss/pull/13 should resolve this issue (I hope).
Another JSS commit addresses a similar issue for LWCA key replication: https://github.com/dogtagpki/jss/pull/15
JSS 4.4.5 will fix the issue for new ipa-replica-install installations as well as migrations from 4.6.4 and earlier. The fix will not repair replicas that have been installed with 4.6.90.pre1 and 4.6.90.pre2, though.
master:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)