Bug 1324060
| Summary: | Installers fail when there are multiple versions of the same certificate | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Marcel Kolaja <mkolaja> | ||||
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> | ||||
| Severity: | urgent | Docs Contact: | |||||
| Priority: | urgent | ||||||
| Version: | 7.3 | CC: | akasurde, ekeck, ipa-maint, jcholast, mkolaja, pvoborni, rcritten | ||||
| Target Milestone: | rc | Keywords: | ZStream | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | ipa-4.2.0-15.el7_2.13 | Doc Type: | Bug Fix | ||||
| Doc Text: |
Server or replica installation sometimes failed when multiple versions of the same certificate, such as before and after renewal, were available to the installer. The installation no longer fails in this situation.
|
Story Points: | --- | ||||
| Clone Of: | 1321092 | Environment: | |||||
| Last Closed: | 2016-05-12 09:58:51 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1321092 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Marcel Kolaja
2016-04-05 12:35:49 UTC
Please provide the steps to verify this. 1. Create a new empty NSS database:
server# mkdir tmpdb
server# certutil -N -d tmpdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
2. Create a new CA certificate:
server# certutil -S -d tmpdb -n ca -s 'CN=Test CA' -t C,, -x -m 1 -2
Enter Password or Pin for "NSS Certificate DB":
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
y
3. Create a new server certificate for server.example.com and export it to server.p12:
server# certutil -S -d tmpdb -n server -s 'CN=server.example.com' -t ,, -c ca -m 2
Enter Password or Pin for "NSS Certificate DB":
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
server# pk12util -o server.p12 -n server -d tmpdb
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
4. Install CA-less IPA server using server.p12:
server# ipa-server-install --{dirsrv,http}-cert-file=server.p12
...
5. Renew the CA certificate:
server# certutil -S -d tmpdb -n ca -s 'CN=Test CA' -t C,, -k ca -x -m 3 -2
Enter Password or Pin for "NSS Certificate DB":
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
y
6. Create a new server certificate for replica.example.com and export it to replica.p12:
server# certutil -S -d tmpdb -n replica -s 'CN=replica.example.com' -t ,, -c ca -m 4
Enter Password or Pin for "NSS Certificate DB":
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
server# pk12util -o replica.p12 -n replica -d tmpdb
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
7. Prepare IPA replica using replica.p12:
server# ipa-replica-prepare replica.example.com --{dirsrv,http}-cert-file=replica.p12
...
This command must not fail with:
(SEC_ERROR_LIBRARY_FAILURE) security library failure.
Verified using IPA version :: ipa-server-4.2.0-15.el7_2.15.x86_64 Please see attachment for console.log and steps used for verification. Created attachment 1149051 [details]
console.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-1036.html |