Bug 1341249 - Subsequent external CA installation fails

Summary: Subsequent external CA installation fails
Product: Red Hat Enterprise Linux 7
Reporter: Marc Muehlfeld <mmuehlfe>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: edewata, jcholast, mbasti, pvoborni, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.4.0-6.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-11-04 05:54:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1295338
Description
Marc Muehlfeld
2016-05-31 14:30:05 UTC
Additional info:

It looks like the CA subsystem is disabled, which is the reason why IPA cannot connect to the port:

May 31 12:14:08 vm-01.idm.example.com server[2546]: INFO: Starting ProtocolHandler ["http-bio-8443"]
May 31 12:14:08 vm-01.idm.example.com server[2546]: May 31, 2016 12:14:08 PM org.apache.coyote.AbstractProtocol start
May 31 12:14:08 vm-01.idm.example.com server[2546]: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
May 31 12:14:08 vm-01.idm.example.com server[2546]: PKIListener: org.apache.catalina.core.StandardServer[after_start]
May 31 12:14:08 vm-01.idm.example.com server[2546]: PKIListener: Subsystem CA is disabled.
May 31 12:14:08 vm-01.idm.example.com server[2546]: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
May 31 12:14:08 vm-01.idm.example.com server[2546]: PKIListener: To enable the subsystem:
May 31 12:14:08 vm-01.idm.example.com server[2546]: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
May 31 12:14:08 vm-01.idm.example.com server[2546]: May 31, 2016 12:14:08 PM org.apache.catalina.startup.Catalina start
May 31 12:14:08 vm-01.idm.example.com server[2546]: INFO: Server startup in 4956 ms

Marc, is it possible to get the content of the /var/log/pki/pki-tomcat/ca/selftests.log file?

Created attachment 1163495 [details]
selftests.log

PKI debug log shows that most of the PKI system certs are not valid. I'd be interested in the output of:

# getcert list

The debug log part:

[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=signing
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByTag(signing)
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(caSigningCert cert-pki-ca,SSLCA)
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: caSigningCert cert-pki-ca
[31/May/2016:16:14:04][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=ocsp_signing
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByTag(ocsp_signing)
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(ocspSigningCert cert-pki-ca,StatusResponder)
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: ocspSigningCert cert-pki-ca
[31/May/2016:16:14:04][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate verification
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=sslserver
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByTag(sslserver)
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(Server-Cert cert-pki-ca,SSLServer)
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[31/May/2016:16:14:04][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: Server-Cert cert-pki-ca
[31/May/2016:16:14:04][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification

Created attachment 1163508 [details]
certificates
# getcert list
Number of certificates and requests being tracked: 0.
I've attached the certificate and the CA certificate I used. It's a self-created CA with Easy-RSA, so it's not a problem to attach them here.
Maybe a dumb question. The vm-01.idm.example.com.crt from comment 6 was created and used on 2016-05-31 as the bug report, or later with a different run on 2016-06-01?

(In reply to Petr Vobornik from comment #7)
> Maybe a dumb question. The vm-01.idm.example.com.crt from comment 6 was
> created and used on 2016-05-31 as the bug report or later with different run
> on 2016-06-01?

I had to destroy the IdM installation on this VM in the meantime to do some other testing. That's why the certificates I attached later have a newer date. Sorry if this caused confusion.

According to jcholast the issue is that the provided cert is not a CA cert. It indicates a bug in validation - either in IPA or pkispawn.

Endi, is it something that PKI should already check (i.e. is there a regression)?

I believe PKI is validating all system certificates during startup as shown in comment #5, but I don't see code that validates the external CA certificate. I'm not sure whether NSS is validating the entire certificate chain implicitly. Please feel free to open a ticket if the chain is not being validated properly, and please also provide the instructions to reproduce the problem (i.e. how to generate the certificates using Easy-RSA). Thanks.

Marc, could you share the exact commands you use to generate the certs?

Per triage on Jul 20, IPA should also validate the flags. It needs to be investigated why it failed.

I was able to reproduce this and found a bug in IPA in the code which loads and validates the certificates. (But pkispawn should still validate them anyway, see bug 1224623.)

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6166

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/a42b456b91cb345e977c6f0febf5c30f15a954d3
ipa-4-3: https://fedorahosted.org/freeipa/changeset/44401d26c29e35d38bc94a7a87b9f2dd205e0643

Verified.
IPA Version:
============
[root@dhcp207-130 ~]# rpm -q ipa-server
ipa-server-4.4.0-10.el7.x86_64
[root@dhcp207-130 ~]#

Please find the attached file for the console output of the verification steps.

Created attachment 1199519 [details]
console output with verification steps
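The root cause named above is that the certificate handed to IPA as the "external CA" was an Easy-RSA server certificate, i.e. not a CA certificate, and neither IPA nor pkispawn rejected it before Dogtag was deployed with it. The following script is an added example (not IPA, Dogtag or Easy-RSA code) of the pre-flight check a practitioner can run on the file before passing it to the installer: it walks the certificate's DER, finds the basicConstraints (2.5.29.19) and keyUsage (2.5.29.15) extensions, and reports if cA is not TRUE or keyCertSign is not set. The DER walker is deliberately dependency-free; the `make_sample` inputs it is exercised with at the bottom are constructed certificate-shaped DER skeletons carrying only the extensions under test, not real certificates, and the function names are this example's own.

```python
"""Pre-flight check: is this really a CA certificate?

Added example for the IPA external-CA bug above; not project code.
Checks basicConstraints cA=TRUE and, if keyUsage is present, keyCertSign.
"""
import base64
import re
import sys

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _find_extension(buf, oid):
    """Descend into constructed nodes until an Extension SEQUENCE
    {extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING}
    with the wanted OID is found; return the extnValue bytes or None."""
    for tag, value in _iter_tlvs(buf):
        if tag & 0x20 == 0:                # primitive: nothing to descend into
            continue
        if tag == 0x30:
            parts = list(_iter_tlvs(value))
            if parts and parts[0][0] == 0x06 and parts[0][1] == oid:
                for t, v in parts[1:]:     # skip optional critical BOOLEAN
                    if t == 0x04:
                        return v
        found = _find_extension(value, oid)
        if found is not None:
            return found
    return None


def load_cert(data):
    """Accept PEM or DER bytes and return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def check_ca_cert(der):
    """Return a list of problems; an empty list means the cert may sign a CA."""
    problems = []
    bc = _find_extension(der, OID_BASIC_CONSTRAINTS)
    if bc is None:
        problems.append("no basicConstraints extension (not a CA cert)")
    else:
        _, seq, _ = _read_tlv(bc, 0)       # BasicConstraints ::= SEQUENCE {cA BOOLEAN DEFAULT FALSE, ...}
        fields = list(_iter_tlvs(seq))
        is_ca = bool(fields) and fields[0][0] == 0x01 and fields[0][1] != b"\x00"
        if not is_ca:
            problems.append("basicConstraints cA is FALSE (end-entity cert)")
    ku = _find_extension(der, OID_KEY_USAGE)
    if ku is not None:
        _, bits, _ = _read_tlv(ku, 0)      # BIT STRING: bits[0] = unused-bit count
        if len(bits) < 2 or not bits[1] & 0x04:   # keyCertSign is bit 5 -> 0x04
            problems.append("keyUsage present but keyCertSign not set")
    return problems


# --- constructed sample inputs (DER skeletons, not valid certificates) ---
def _tlv(tag, value):
    n = len(value)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value


def _extension(oid, value_der, critical=False):
    inner = _tlv(0x06, oid) + (_tlv(0x01, b"\xff") if critical else b"")
    return _tlv(0x30, inner + _tlv(0x04, value_der))


def make_sample(ca, key_cert_sign):
    """Certificate-shaped DER: SEQUENCE{ tbs SEQUENCE{ [3]{ Extensions } } }."""
    bc = _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")
    ku = _tlv(0x03, bytes([0x01, 0x06]) if key_cert_sign else bytes([0x05, 0xA0]))
    exts = _extension(OID_BASIC_CONSTRAINTS, bc, True) + _extension(OID_KEY_USAGE, ku, True)
    return _tlv(0x30, _tlv(0x30, _tlv(0xA3, _tlv(0x30, exts))))


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # real use: python check.py ca.crt
        der = load_cert(open(sys.argv[1], "rb").read())
    else:                                  # demo: an Easy-RSA style server cert
        der = make_sample(ca=False, key_cert_sign=False)
    for p in check_ca_cert(der) or ["OK: certificate can sign a CA"]:
        print(p)
```

Run it against the `.crt` you intend to pass to the installer; a server certificate like the one attached in this bug reports both the cA and keyCertSign problems, whereas an Easy-RSA `build-ca` output passes. The check is intentionally stricter than "does the chain verify": a chain can verify perfectly well against an end-entity cert as the trust anchor, which is exactly why startup self-tests later fail on the Dogtag system certificates.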
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html