Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1512952 - cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign
Summary: cert renewal is failing when ipa ca cert is renewed from self-signed > extern...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
Depends On: 1514041
TreeView+ depends on / blocked
Reported: 2017-11-14 13:53 UTC by Mohammad Rizwan
Modified: 2019-02-11 15:54 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)

Description Mohammad Rizwan 2017-11-14 13:53:12 UTC
Description of problem:
cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install ipa master with self-signed ca
2. Use ipa-cacert-update with --external-ca and sign given CSR with External CA
3. Again convert external CA to self-signed CA
4. forward the date to the grace period of RA agent cert.
5. check the certificate status i.e getcert list

Actual results:
ca-error: Error 7 connecting to http://master.testrelm.test:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.

Expected results:
certs should be renewed

Additional info:
Tried on 7.3 and found same behaviour.

Comment 2 Michal Reznik 2017-11-15 08:43:08 UTC
Was able to reproduce the issue too. Found this after "ipa-cacert-manage renew --self-signed" in the journal:

Nov 14 12:40:31 master.testrelm.test server[15039]: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Nov 14 12:40:32 master.testrelm.test server[14825]: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Nov 14 12:40:32 master.testrelm.test server[14825]: PKIListener: org.apache.catalina.core.StandardServer[stop]
Nov 14 12:40:32 master.testrelm.test server[14825]: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Nov 14 12:40:32 master.testrelm.test systemd[1]: Stopped PKI Tomcat Server pki-tomcat.
Nov 14 12:40:32 master.testrelm.test stop_pkicad[15029]: Stopped pki_tomcatd
Nov 14 12:40:35 master.testrelm.test renew_ca_cert[15077]: Updating entry cn=b7bf6750-22ab-42ae-bb5c-8b430cfd0f50,ou=authorities,ou=ca,o=ipaca
Nov 14 12:40:35 master.testrelm.test renew_ca_cert[15077]: Updating CS.cfg
Nov 14 12:40:35 master.testrelm.test renew_ca_cert[15077]: Traceback (most recent call last):
                                                                       File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 223, in <module>
                                                                       File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 217, in main
                                                                       File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 183, in _main
                                                                         ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
                                                                     KeyError: 'caSigningCert cert-pki-ca'
Nov 14 12:40:35 master.testrelm.test certmonger[15098]: Certificate named "caSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.

Comment 3 Florence Blanc-Renaud 2017-11-16 14:13:21 UTC
The issue seems linked to certutil behavior which has changed.

The script /usr/libexec/ipa/certmonger/renew_ca_cert is performing the following steps:
1- removes the CA certs from /etc/pki/pki-tomcat/alias
2- retrieves the CA certs from LDAP (below cn=certificates,cn=ipa,cn=etc,$BASEDN)
3- adds the certs obtained in 2 to /etc/pki/pki-tomcat/alias
4- modifies the trust flags of the external CA if 'caSigningCert cert-pki-ca' was externally signed.

The bug happens in the 4th step. The script is using certutil -O -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' to retrieve the cert chain of caSigningCert cert-pki-ca, and assumes that the external CA is the before-last cert (if it exists).

With nss-tools 3.28.4-1.2.el7_3, the output is the following:
# certutil -O -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

=> no before-last cert, code does not executed. This is expected as the cert is self-signed, meaning there is no ext CA to trust.

But with nss-tools 3.28.4-15.el7_4, the output is different:
# certutil -O -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
"CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]

  "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

    "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

Note that the cert is self-signed, so I would be expecting the output to contain only caSigningCert cert-pki-ca.
With this output, the code assumes 'caSigningCert cert-pki-ca' is the external CA and falls in the issue.

Comment 4 Florence Blanc-Renaud 2017-11-16 14:45:07 UTC
Opened against nss component.

Comment 5 Rob Crittenden 2018-02-13 18:44:55 UTC
Makes me wonder if existing certs should be removed before installing the new CA. That would resolve relying on behavior of the NSS tool and I don't think this would cause any chaining issues as the private key wouldn't change.

Note You need to log in before you can comment on or make changes to this bug.