Bug 1321652
| Field | Value |
|---|---|
| Summary | ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes |
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.2 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | unspecified |
| Reporter | Marco Rhodes <mrhodes> |
| Assignee | IPA Maintainers <ipa-maint> |
| QA Contact | Michal Reznik <mreznik> |
| CC | ksiddiqu, mbabinsk, pvoborni, rcritten |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.5.0-1.el7 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Regression | --- |
| Last Closed | 2017-08-01 09:37:23 UTC |
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5809

Fixed upstream

master:
- https://fedorahosted.org/freeipa/changeset/4d994bee60560438178ad9f0215f611ca60e32c3
- https://fedorahosted.org/freeipa/changeset/ee96384c3ed5d93c8042e05461253e0c2ed5f721

ipa-4-4:
- https://fedorahosted.org/freeipa/changeset/a6833222ff797ac615a2a41d4845a32d286e1001
- https://fedorahosted.org/freeipa/changeset/aed346a3592beb0be95e7d449b34285252bd449c

Verified on: ipa-server-4.5.0-9.el7.x86_64

Please see logs attached.

Created attachment 1284415: Bug 1321652 logs

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Description of problem:

A CA-less IPA server installation will fail when using external certificates with UTF8 field values that encapsulate RDN components in double quotes, like this ->

```
Subject: C=US, ST=CA, O="EXAMPLE DOT COM", CN=ipa1.example.com
```

When Apache is configured during installation, this subject is used as the value to the 'NSSNickname' directive in /etc/httpd/conf.d/nss.conf and is written to the file as below ->

```
NSSNickname "CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US"
```

The installer code will encapsulate a value that contains spaces in double quotes as required by mod_nss. The issue here is that the value itself also includes double quotes; this causes Apache to throw an error when it is restarted, and the overall IPA installation fails at this point ->

[IPA installer log]

```
2016-03-24T02:41:09Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
2016-03-24T02:41:09Z ERROR Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
```

[Apache error log]

```
[Thu Mar 24 10:00:12.309299 2016] [:error] [pid 21470] Certificate not found: 'CN=ipa1.example.com,O="EXAMPLE DOT COM",ST=CA,C=US'
```

However, Apache starts up just fine when the value is surrounded by single quotes instead in nss.conf. I confirmed this on ipa-server-4.2.0-15.el7_2.6.x86_64.

The workaround is a slight modification to the installer script /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py ->

1. Create a back-up of /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py
2. Edit installutils.py and look for the following code at line 390 ->

```python
389             if quotes:
390                 newfile.append('%s%s"%s"\n' % (directive,separator, value))
```

[Change line 390 to]:

```python
                newfile.append('%s%s\'%s\'\n' % (directive,separator, value))
```

This will encapsulate the Subject value with single quotes instead of double-quotes.
This change allowed my installation to complete when tested and was also verified by a CU -> # diff -u /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py --- /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig 2016-03-23 16:44:52.627394610 -0700 +++ /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py 2016-03-24 13:20:34.058402844 -0700 @@ -387,7 +387,7 @@ valueset = True if value is not None: if quotes: - newfile.append('%s%s"%s"\n' % (directive, separator, value)) + newfile.append('%s%s\'%s\'\n' % (directive, separator, value)) else: newfile.append('%s%s%s\n' % (directive, separator, value)) else: With the change, 'NSSNickname' in nss.conf now looks like this post-install -> # grep NSSNickname /etc/httpd/conf.d/nss.conf NSSNickname 'CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US'
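Review bot: the hunk swaps one hard-coded quote character for another instead of escaping the value, so the helper (which is generic, taking any directive name) now emits single-quoted values for every caller that passes quotes=True, and it breaks again as soon as a value contains a single quote. The logs above show why the swap happens to work for this subject: the error reports a lookup for `O="EXAMPLE DOT COM"`, so inside a double-quoted word httpd has collapsed `\"` to `"` before the lookup, whereas the post-install grep shows the backslashes surviving inside single quotes. Suggest keeping the double quotes and escaping backslashes and embedded double quotes in `value` before substituting it into `'%s%s"%s"\n'`; if the single-quote form is kept, the commit message should say that the helper's output format changed for all directives.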
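An added example, written for this report and not part of FreeIPA's installer or of httpd, that makes the quoting problem concrete. `naive_render` reproduces the installer's original line from this report; `parse_directive_value` is a small model of how httpd reads a quoted configuration word back (it collapses `\"` or `\'` and `\\` inside the matching quotes, an assumption about httpd's parser that is consistent with the error log and the post-install grep above); `quote_directive_value` escapes a value so that it survives that parsing regardless of which quote character is used. All function names and the constructed `NICKNAME` value are mine.

```python
# Added example for this bug report; not FreeIPA or httpd code.

def parse_directive_value(word):
    """Model of how httpd reads one quoted configuration word.

    Assumption (consistent with the logs in this report): inside a word
    quoted with Q, the sequences \\Q and \\\\ collapse to Q and \\; every
    other backslash is kept literally.
    """
    if len(word) < 2 or word[0] not in ('"', "'") or word[-1] != word[0]:
        raise ValueError("not a quoted word: %r" % (word,))
    quote = word[0]
    body = word[1:-1]
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in (quote, "\\"):
            out.append(body[i + 1])   # escaped quote or backslash
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def quote_directive_value(value, quote='"'):
    """Wrap VALUE in QUOTE so that parse_directive_value returns VALUE unchanged."""
    if quote not in ('"', "'"):
        raise ValueError("quote must be ' or \"")
    escaped = value.replace("\\", "\\\\").replace(quote, "\\" + quote)
    return quote + escaped + quote


def naive_render(directive, separator, value):
    """The installer's original line as quoted in this report: no escaping."""
    return '%s%s"%s"\n' % (directive, separator, value)


def safe_render(directive, separator, value):
    """Same line, but the value is escaped before it is quoted."""
    return '%s%s%s\n' % (directive, separator, quote_directive_value(value))


def nickname_seen_by_httpd(line):
    """Take the quoted word after the directive name and parse it as httpd would."""
    _directive, _sep, word = line.rstrip("\n").partition(" ")
    return parse_directive_value(word)


# Constructed from this report: the RDN value's quotes are backslash-escaped
# in the nickname, which is exactly what the single-quoted workaround preserves.
NICKNAME = 'CN=ipa1.example.com,O=\\"EXAMPLE DOT COM\\",ST=CA,C=US'

if __name__ == "__main__":
    broken = naive_render("NSSNickname", " ", NICKNAME)
    fixed = safe_render("NSSNickname", " ", NICKNAME)
    print(broken, end="")
    print("httpd looks up: %r" % nickname_seen_by_httpd(broken))  # quotes unescaped: mismatch
    print(fixed, end="")
    print("httpd looks up: %r" % nickname_seen_by_httpd(fixed))   # identical to NICKNAME
```

Running the block prints the installer's original line and the nickname httpd would derive from it (the one in the error log, with the backslashes gone), then the escaped line and the nickname httpd would derive from that, which matches the stored value. The escaping approach works with either quote character, including for values that contain a single quote, which is the case the single-quote workaround does not cover.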