Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1780782
Description of problem:
The ipa-cert-fix tool fails with the error "Unable to find CSR for sslserver cert" when the Dogtag CA SSL CSR is missing from /etc/pki/pki-tomcat/ca/CS.cfg.

Actual results:
[Debug output from ipa-cert-fix when the error is triggered]
INFO: Fixing the following system certs: ['sslserver', 'subsystem', 'ca_ocsp_signing', 'ca_audit_signing']
INFO: Renewing the following additional certs: ['7', '268369922']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert

Expected results:
The ipa-cert-fix tool completes successfully.

Additional info:
The error can be bypassed if the related certmonger tracking file is stored in /var/lib/certmonger/requests AND contains a copy of the PKCS#10 request, which can be converted into a single line string and added to CS.cfg (ca.sslserver.certreq=MIIDQTCCAik...).
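The workaround in "Additional info" (take the PKCS#10 request certmonger tracks, flatten it to one base64 line, and set `ca.sslserver.certreq=` in CS.cfg) as an added, stand-alone example. This is not FreeIPA's ipa-cert-fix code and not the fix from the linked pull request. It assumes a certmonger request file is `key=value` text in which multi-line values continue on lines indented by one space, and that CS.cfg is one `key=value` per line; the sample request file and CS.cfg fragment are constructed, and the CSR in them is a fake base64 blob, not a real request.

```python
"""Copy the CSR tracked by certmonger into Dogtag's CS.cfg as one line.

Added example, not ipa-cert-fix itself. Format assumptions (labelled):
  - certmonger request files: 'key=value' lines; a multi-line value
    continues on following lines that start with a single space.
  - CS.cfg: one 'key=value' per line.
"""
import base64
import re

PEM_BEGIN = re.compile(r"^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$")
PEM_END = re.compile(r"^-----END (NEW )?CERTIFICATE REQUEST-----$")


def parse_certmonger_request(text):
    """Parse a tracking file into a dict, re-joining continuation lines."""
    entries = {}
    key = None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            entries[key] += "\n" + line[1:]      # continuation of previous value
        elif "=" in line:
            key, _, value = line.partition("=")
            entries[key] = value
    return entries


def pem_to_single_line(pem):
    """Strip PEM armor and line breaks; return the base64 body, validated."""
    body, inside = [], False
    for line in pem.splitlines():
        line = line.strip()
        if PEM_BEGIN.match(line):
            inside = True
        elif PEM_END.match(line):
            break
        elif inside and line:
            body.append(line)
    if not body:
        raise ValueError("no PEM certificate request found in csr= value")
    single = "".join(body)
    base64.b64decode(single, validate=True)   # refuse anything that is not clean base64
    return single


def set_config_value(cfg_text, key, value):
    """Return cfg_text with key=value replaced in place, or appended if absent."""
    lines = cfg_text.splitlines()
    prefix = key + "="
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            lines[i] = prefix + value
            break
    else:
        lines.append(prefix + value)
    return "\n".join(lines) + "\n"


def restore_certreq(request_text, cfg_text, subsystem="ca", nickname="sslserver"):
    """Write the tracked CSR into <subsystem>.<nickname>.certreq of CS.cfg."""
    tracking = parse_certmonger_request(request_text)
    if "csr" not in tracking:
        raise ValueError("tracking file carries no csr= entry")
    csr = pem_to_single_line(tracking["csr"])
    return set_config_value(cfg_text, f"{subsystem}.{nickname}.certreq", csr)


# Constructed sample data (not a real CSR): a base64 blob wrapped PEM-style
# at 64 columns, embedded in a fake tracking file using the assumed format.
FAKE_CSR_B64 = base64.b64encode(
    b"constructed sample, not a real PKCS#10 request" * 3).decode()
FAKE_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + "\n".join(FAKE_CSR_B64[i:i + 64] for i in range(0, len(FAKE_CSR_B64), 64))
            + "\n-----END CERTIFICATE REQUEST-----")
SAMPLE_REQUEST_FILE = (
    "id=20191208000000\n"
    "cert_nickname=Server-Cert cert-pki-ca\n"
    "csr=" + FAKE_PEM.replace("\n", "\n ") + "\n"
    "ca_name=dogtag-ipa-ca-renew-agent\n"
)
SAMPLE_CS_CFG = (
    "ca.sslserver.nickname=Server-Cert cert-pki-ca\n"
    "ca.sslserver.tokenname=internal\n"
    "ca.subsystem.certreq=placeholder\n"
)

if __name__ == "__main__":
    print(restore_certreq(SAMPLE_REQUEST_FILE, SAMPLE_CS_CFG))
```

On a real server the two inputs would be read from the matching file under /var/lib/certmonger/requests and from /etc/pki/pki-tomcat/ca/CS.cfg while pki-tomcat is stopped; the base64 validation step is what prevents a stray or truncated value from being written into CS.cfg, which would leave the instance in the same failing state.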
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1780782
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5338
master:
ipa-4-9:
ipa-4-8:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to ipa-cert-fix tool now handles situations when a CSR is missing from Dogtag's CA/KRA CS.cfg configuration files. Configuration file is updated with a CSR tracked by Certmonger.