Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1512322 - [RFE] Unable to re-key external CA
Summary: [RFE] Unable to re-key external CA
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-12 19:13 UTC by Petr Vobornik
Modified: 2018-11-02 01:54 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3237961 None None None 2017-11-21 09:40:40 UTC

Description Petr Vobornik 2017-11-12 19:13:32 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/7232

> When using an externally-signed IPA CA and wishing to change the
> external root chaining. If you install a new external CA
> cert which has the same subject name, but a different public key. A
> new IPA CA CSR has been generated and has been signed by the new external CA.
> However, when you attempt to change the chaining ('ipa-cacert-manage
> renew --external-cert-file=<new IPA CA cert> --external-cert-file=<new root
> CA cert>'), an error is returned indicating a problem with subject key
> comparison -->

```
ipa: DEBUG: stderr=ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x540d368>
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_57069456
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 117, in run
    rc = self.renew()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 165, in renew
    return self.renew_external_step_2(ca, cert)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 282, in renew_external_step_2
    EMPTY_TRUST_FLAGS)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 367, in put_ca_cert_nss
    config_ipa, config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 233, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 182, in update_ca_cert
    raise ValueError("subject public key info mismatch")

ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The
ipa-cacert-manage command failed, exception: ValueError: subject public key info mismatch
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: subject public key info mismatch                      
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The ipa-cacert-manage command failed.
```

> In certstore.py, the public key of the new cert is compared to same of the
> current cert stored in 389 -->

```
def update_ca_cert(ldap, base_dn, dercert, trusted=None, ext_key_usage=None,
                   config_ipa=False, config_compat=False):
    """
    Update existing entry for a CA certificate in the certificate store.
    """
    subject, issuer_serial, public_key = _parse_cert(dercert)

    filter = ldap.make_filter({'ipaCertSubject': subject})
    result, _truncated = ldap.find_entries(
        base_dn=DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
                   base_dn),
        filter=filter,
        attrs_list=['cn', 'ipaCertSubject', 'ipaCertIssuerSerial',
                    'ipaPublicKey', 'ipaKeyTrust', 'ipaKeyExtUsage',
                    'ipaConfigString', 'cACertificate;binary'])
    entry = result[0]
    dn = entry.dn

    for old_cert in entry['cACertificate;binary']:
        # Check if we are adding a new cert
        if old_cert == dercert:
            break
    else:
        # We are adding a new cert, validate it
        if entry.single_value['ipaCertSubject'].lower() != subject.lower():
            raise ValueError("subject name mismatch")
        if entry.single_value['ipaPublicKey'] != public_key:
            raise ValueError("subject public key info mismatch")
        entry['ipaCertIssuerSerial'].append(issuer_serial)
        entry['cACertificate;binary'].append(dercert)
```

Comment 2 Petr Vobornik 2017-11-12 19:13:47 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7232

Comment 5 Florence Blanc-Renaud 2018-10-17 16:35:05 UTC
Fraser, could you clarify the use case? re-keying the external CA does not look like a common task.

Also I am moving this BZ to a RFE.


Note You need to log in before you can comment on or make changes to this bug.