Bug 1318903
| Field | Value |
|---|---|
| Summary | ipa server install failing when SUBCA signs the cert |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Geetika Kapoor <gkapoor> |
| Component | ipa |
| Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Kaleem <ksiddiqu> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 7.2 |
| CC | akasurde, gkapoor, jcholast, pvoborni, rcritten |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.4.0-1.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2016-11-04 05:52:20 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Honza, could you investigate?

Geetika, the error says "CA certificate chain in cert, chain is incomplete". Are you sure that the provided certs are indeed correct and contain the required chain?

Geetika, could you please attach /var/log/ipaserver-install.log? The output you provided does not contain enough information to debug the issue.

I have used a subCA certificate and the component used here as CA is "dogtag" (RHCS). Since it is a subCA it has more than 1 certificate in the CA certificate chain.
Here is the log stack:
```
2016-03-16T09:08:12Z DEBUG stderr=
2016-03-16T09:08:12Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 308, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 278, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 287, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 501, in _configure
    validator.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 420, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 417, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 263, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 603, in install_check
    ca.install_check(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 61, in install_check
    options.external_cert_files, options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1028, in load_external_cert
    (", ".join(files)))
2016-03-16T09:08:12Z DEBUG The ipa-server-install command failed, exception: ScriptError: CA certificate chain in cert, chain is incomplete
2016-03-16T09:08:12Z ERROR CA certificate chain in cert, chain is incomplete
```
This is the same snippet as in the bug description. I'm going to need the full log, otherwise I can only assume that the error message is right and you are not providing the full CA certificate chain. External CA install with more than 1 CA certificate in the chain works fine for me.

Sure, I'll provide it today. Thanks.

Created attachment 1143275 [details]: Ipa.log

Ipa server logs are attached.

This is apparently not the correct log, it fails with a different error:

```
2016-04-04T09:28:58Z DEBUG The ipa-server-install command failed, exception: ScriptError: Failed to load /root/file4
2016-04-04T09:28:58Z ERROR Failed to load /root/file4
```

Yeah, I have pasted a different server cert. I'll correct that. Thanks. I'll share the logs with the correct certificate.

Created attachment 1143311 [details]: correct_ipa.log
The CA certificate with subject name "O=os1.phx2.redhat.com Security Domain, CN=CA Signing Certificate" is missing, hence the ipa-server-install error message. Could you please attach the "cert" and "chain" files used in --external-cert-file as well?

Signed Cert:

chain of ca:

OK, since you are apparently missing one of the required certificates ("O=os1.phx2.redhat.com Security Domain, CN=CA Signing Certificate"), the error message is correct.
I'm leaving the bug open, because I think the error message should be improved to include the subject name of the missing certificate for easier troubleshooting.
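As an added example (not FreeIPA's own code), this walks the issuer chain the way the installer's check does, but reports the subject name of the missing CA certificate as proposed above. The certificate names are constructed from the subjects quoted in this bug (the IPA CA subject is an assumption), and `load_pem_pairs` assumes the `cryptography` package is installed:

```python
"""Added example (not FreeIPA's own code): walk an external CA chain the way
ipa-server-install's chain check does, naming the certificate that is missing
instead of only reporting "chain is incomplete"."""


class ChainError(Exception):
    """Raised when the chain cannot be followed up to a self-signed root."""


def find_missing_issuer(certs):
    """certs: list of (subject, issuer) strings; the IPA CA cert comes first,
    the rest (the chain files) may be in any order.

    Returns None when the chain is complete (ends at a self-signed cert),
    otherwise the subject name of the certificate that is missing."""
    by_subject = dict(certs)
    subject, issuer = certs[0]
    seen = {subject}
    while subject != issuer:            # self-signed => root reached
        if issuer not in by_subject:
            return issuer               # nobody supplied this CA cert
        if issuer in seen:
            raise ChainError("issuer loop at %s" % issuer)
        seen.add(issuer)
        subject, issuer = issuer, by_subject[issuer]
    return None


def check_external_chain(certs):
    """Same decision as the installer, but with an actionable message."""
    missing = find_missing_issuer(certs)
    if missing is not None:
        raise ChainError("CA certificate chain is incomplete: certificate "
                         "with subject '%s' is missing" % missing)
    return True


def load_pem_pairs(paths):
    """Turn real PEM files (one or more certs each) into (subject, issuer)
    pairs.  'cryptography' is imported lazily so the check above runs
    without it."""
    from cryptography import x509
    pairs = []
    for path in paths:
        with open(path, "rb") as f:
            for cert in x509.load_pem_x509_certificates(f.read()):
                pairs.append((cert.subject.rfc4514_string(),
                              cert.issuer.rfc4514_string()))
    return pairs


# Constructed sample modelled on the subjects quoted in this bug; the IPA CA
# subject is assumed.  Only the first two files were supplied originally.
IPA_CA = ("O=IDM.LAB.ENG.RDU2.REDHAT.COM,CN=Certificate Authority",
          "O=example.org,CN=CA SubordinateSigning")
SUB_CA = ("O=example.org,CN=CA SubordinateSigning",
          "O=os1.phx2.redhat.com Security Domain,CN=CA Signing Certificate")
ROOT_CA = ("O=os1.phx2.redhat.com Security Domain,CN=CA Signing Certificate",
           "O=os1.phx2.redhat.com Security Domain,CN=CA Signing Certificate")
```

With `[IPA_CA, SUB_CA]` the check names the root CA as missing; adding `ROOT_CA` in any position makes the chain complete.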
Here in "chain of ca certificates" it has two certificates (CA and subCA) which are generated from dogtag. So the chain is not missing.

In 'chain', I see only a cert with subject:

Subject: O=example.org, CN=CA SubordinateSigning

It was issued by:

Issuer: O=os1.phx2.redhat.com Security Domain, CN=CA Signing Certificate

But the "O=os1.phx2.redhat.com Security Domain, CN=CA Signing Certificate" certificate is not present in the 'chain' nor the 'cert' file.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5792

This issue was occurring because once certificate chain was missing. Now I have added both the certificate chain, but now when I check the logs it has:

```
2016-04-11T06:02:25Z DEBUG stderr=
2016-04-11T06:02:25Z DEBUG Starting external process
2016-04-11T06:02:25Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-IDM-LAB-ENG-RDU2-REDHAT-COM/' '-L' '-n' 'IDM.LAB.ENG.RDU2.REDHAT.COM IPA CA' '-a'
2016-04-11T06:02:25Z DEBUG Process finished, return code=255
2016-04-11T06:02:25Z DEBUG stdout=
2016-04-11T06:02:25Z DEBUG stderr=certutil: Could not find cert: IDM.LAB.ENG.RDU2.REDHAT.COM IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
```

But the strange thing is there is nothing that we are doing if we get this stderr. Is this okay? We are proceeding and doing further installation.

I have the setup scenario with me. I can share details. I am attaching ipa logs. Along with that I am also attaching the certificates used.

/usr/sbin/ipa-server-install --external-cert-file=cert --external-cert-file=chain2 --external-cert-file=chain1

Created attachment 1145837 [details]: certificates.txt

Created attachment 1145838 [details]: ipa_11april.log
In this case when I try to do an uninstall using ipa-server-install --uninstall -vv, it passed but it gives a traceback also. I am attaching the traceback as well as the full logs for the uninstall.
```
<snip>
ipa         : DEBUG    stderr=Removed symlink /etc/systemd/system/multi-user.target.wants/ipa.service.
ipa         : DEBUG    Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa         : DEBUG    Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception
    super(Continuous, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 417, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall
    for nothing in self._uninstaller(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1646, in main
    uninstall(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 263, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1148, in uninstall
    sys.exit(rv)
SystemExit: 0
ipa.ipapython.install.cli.uninstall_tool(Server): INFO     The ipa-server-install command was successful
```
Created attachment 1147147 [details]: uninstall_log_april11_install

(In reply to Geetika Kapoor from comment #18)

> This issue was occurring because once certificate chain was missing.Now i
> have added both the certificate chain but now when i check logs it has:
>
> 2016-04-11T06:02:25Z DEBUG stderr=
> 2016-04-11T06:02:25Z DEBUG Starting external process
> 2016-04-11T06:02:25Z DEBUG args='/usr/bin/certutil' '-d'
> '/etc/dirsrv/slapd-IDM-LAB-ENG-RDU2-REDHAT-COM/' '-L' '-n'
> 'IDM.LAB.ENG.RDU2.REDHAT.COM IPA CA' '-a'
> 2016-04-11T06:02:25Z DEBUG Process finished, return code=255
> 2016-04-11T06:02:25Z DEBUG stdout=
> 2016-04-11T06:02:25Z DEBUG stderr=certutil: Could not find cert:
> IDM.LAB.ENG.RDU2.REDHAT.COM IPA CA
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
>
> But strange thing is there is nothing that we are doing if we get this
> stderr.
> Is this okay? we are proceeding and doing further installation.

We are creating a dirsrv NSS database and adding the cert there. The traceback in uninstallation is expected.

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/517964f746e004801e5e73d61f3f5e16102b7299

Verified using IPA version :: ipa-server-4.4.0-12.el7.x86_64

Please find the attachment for verification logs. Marking BZ as verified.

Created attachment 1202861 [details]: console.log

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html
Description of problem:

Ipa doesn't work with subCA signed certificates while doing external signing. ipa server install failing when SUBCA signs the cert. When external CA is tested with IPA and we have a CA certificate chain (for example, as with a subCA), in that case it fails.

Version-Release number of selected component (if applicable): RHEL 7.2

How reproducible: always

Steps to Reproduce:

1. Configure ipa-server-install --external-ca. Use the CSR request and generate a signed cert. ==> Works as expected
2. /usr/sbin/ipa-server-install --external-cert-file=/root/file3 --external-cert-file=/root/file2 -vv

Actual results: When we provide a chain of certificates which has 2-3 certificates, as it is a subCA, then it doesn't work as expected.

Expected results: It should be able to detect the certificate chain.

Additional info:

```
2016-03-16T09:08:12Z DEBUG stderr=
2016-03-16T09:08:12Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 308, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 278, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 287, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 501, in _configure
    validator.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 420, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 417, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 263, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 603, in install_check
    ca.install_check(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 61, in install_check
    options.external_cert_files, options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1028, in load_external_cert
    (", ".join(files)))
2016-03-16T09:08:12Z DEBUG The ipa-server-install command failed, exception: ScriptError: CA certificate chain in cert, chain is incomplete
2016-03-16T09:08:12Z ERROR CA certificate chain in cert, chain is incomplete
```