#8618 ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1780782

Description of problem:

The ipa-cert-fix tool fails with the error "Unable to find CSR for sslserver
cert" when the Dogtag CA SSL CSR is missing from /etc/pki/pki-tomcat/ca/CS.cfg.


Actual results:

[Debug output from ipa-cert-fix when the error is triggered]

INFO: Fixing the following system certs: ['sslserver', 'subsystem',
'ca_ocsp_signing', 'ca_audit_signing']
INFO: Renewing the following additional certs: ['7', '268369922']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert

Expected results:
The ipa-cert-fix tool completes successfully.

Additional info:
The error can be bypassed if the related certmonger tracking file is stored in
/var/lib/certmonger/requests AND contains a copy of the PKCS#10 request, which
can be converted into a single-line string and added to CS.cfg
(ca.sslserver.certreq=MIIDQTCCAik...).
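
The workaround above, as an added example (not code from the ticket or from FreeIPA): a script that pulls the PEM CSR out of a certmonger tracking file, collapses it to the single-line base64 form CS.cfg expects, checks that it decodes to DER, and adds or replaces the ca.sslserver.certreq line. The sample tracking file, the CS.cfg fragment and the continuation-line layout (multi-line values continued on lines beginning with a space) are constructed assumptions, not data from the ticket.

```python
import base64
import re
import textwrap

# Constructed DER-looking blob: a real CSR is a DER SEQUENCE, so it starts
# with 0x30. This is NOT a valid CSR, only sample data for the example.
_FAKE_DER = b"\x30\x82\x01\x2c" + bytes(300)
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode()
_FAKE_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
             + "\n".join(textwrap.wrap(_FAKE_B64, 64))
             + "\n-----END CERTIFICATE REQUEST-----")

# Constructed certmonger tracking file. Continuation lines starting with a
# single space for multi-line values is an assumption about the format.
SAMPLE_TRACKING = ("id=20191209120000\nca_name=dogtag-ipa-ca-renew-agent\n"
                   "key_nickname=Server-Cert cert-pki-ca\n"
                   "csr=" + _FAKE_PEM.replace("\n", "\n ")
                   + "\ntemplate_subject=CN=ipa.example.test\n")

# Constructed CS.cfg fragment with the certreq line missing (the bug's trigger).
SAMPLE_CS_CFG = ("ca.sslserver.nickname=Server-Cert cert-pki-ca\n"
                 "ca.sslserver.tokenname=internal\n")

def tracking_field(text, name):
    """Return a (possibly multi-line) field from a certmonger request file."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(name + "="):
            value = [line[len(name) + 1:]]
            for cont in lines[i + 1:]:
                if not cont.startswith(" "):
                    break
                value.append(cont[1:])
            return "\n".join(value)
    return None

def pem_to_single_line(pem):
    """Strip PEM armour and whitespace; reject a body that is not base64 DER."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    body = "".join(body.split())
    der = base64.b64decode(body, validate=True)  # raises on bad base64
    if not der.startswith(b"\x30"):
        raise ValueError("decoded request is not a DER SEQUENCE")
    return body

def has_certreq(cs_cfg, key="ca.sslserver.certreq"):
    """The condition ipa-cert-fix tripped over: is a certreq line present?"""
    return re.search(rf"^{re.escape(key)}=\S", cs_cfg, re.M) is not None

def set_certreq(cs_cfg, single_line, key="ca.sslserver.certreq"):
    """Replace an existing certreq line or append one; safe to run twice."""
    new_line = f"{key}={single_line}"
    if re.search(rf"^{re.escape(key)}=", cs_cfg, re.M):
        return re.sub(rf"^{re.escape(key)}=.*$", lambda _m: new_line,
                      cs_cfg, flags=re.M)
    return cs_cfg.rstrip("\n") + "\n" + new_line + "\n"
```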

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1780782

3 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

3 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5338

3 years ago

master:

  • b8ece64 ipatests: add a test for ipa-cert-fix
  • 1a988ba ipa-cert-fix: do not fail when CSR is missing from CS.cfg
  • 98711e8 ipatests: add test_ipa_cert_fix to the nightly definitions

ipa-4-9:

  • f36e518 ipatests: add a test for ipa-cert-fix
  • eb711f7 ipa-cert-fix: do not fail when CSR is missing from CS.cfg
  • 7f2be8a ipatests: add test_ipa_cert_fix to the nightly definitions

ipa-4-8:

  • c9e0aa3 ipatests: add a test for ipa-cert-fix
  • 8f53cc3 ipa-cert-fix: do not fail when CSR is missing from CS.cfg
  • c1207c3 ipatests: add test_ipa_cert_fix to the nightly definitions

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @abbra:
- Custom field changelog adjusted to ipa-cert-fix tool now handles situations when a CSR is missing from Dogtag's CA/KRA CS.cfg configuration files. Configuration file is updated with a CSR tracked by Certmonger.

3 years ago
