Bug 1360813
| Summary: | ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Thorsten Scherf <tscherf> | |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | |
| Status: | CLOSED ERRATA | QA Contact: | Michal Reznik <mreznik> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | high | |||
| Version: | 7.2 | CC: | apetrova, frenaud, ipa-maint, ipa-qe, jcholast, jreznik, nsoman, pvoborni, rcritten, tscherf | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.4.0-13.el7 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1389348 (view as bug list) | Environment: | ||
| Last Closed: | 2017-08-01 09:39:54 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1389348 | |||
|
Description
Thorsten Scherf
2016-07-27 14:26:28 UTC
The second issue, at least on RHEL 7.3/Fedora is caused by: bug 1366915 / bug 1349024 Not sure if the root cause is the same for 7.2. In IPA 4.4 ipa-server-certinstall received following fixes: - https://fedorahosted.org/freeipa/ticket/4785 - https://fedorahosted.org/freeipa/ticket/4786 The first part may be handled by first running `ipa-cacert-manage install` utility. This bz should be used for extending `ipa-server-certinstall` to do just that. Upstream ticket: https://fedorahosted.org/freeipa/ticket/6263 >The first part may be handled by first running `ipa-cacert-manage install` >utility. The documentation [1] suggests that the tool ipa-server-certinstall takes care abour importing CA certificates which are unknown to IPA as long as you provide the full certificate chain in a PKCS#12 file. [1] https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP """The certificate in mysite.crt must be signed by a CA known by the service you are loading the certificate into. Or you must include the certificate chain associated with the new certificate.""" >The second issue, at least on RHEL 7.3/Fedora is caused by: bug 1366915 / bug >1349024 Not sure if the root cause is the same for 7.2. This is even a different problem where the SELinux policy prevents the renewal of the CA subsystem certs. The issue I reported in 2) is about the CA certificate (from the PKCS#12 file) import into the Tomcat NSS DB. I do not see how any of the patches you mentioned, will fix this issue. Fixed upstream master: https://fedorahosted.org/freeipa/changeset/0c4a91348a57ee941db94b31f59952eb1fcd4565 Hi Thorsten, thanks for providing the procedure. I updated the upstream wiki with your instructions. Verified on: ipa-server-4.5.0-9.el7.x86_64 pki-ca-10.4.1-3.el7.noarch 1. Install ipa-server [root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U 2. Try ipa-server-certinstall without known CA [root@master ~]# ipa-server-certinstall -d -w server.p12 Directory Manager password: Enter private key unlock password: Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate. The ipa-server-certinstall command failed. 3. Install CA certificate [root@master ~]# ipa-cacert-manage -p XXX -n ca1 -t C,, install ca1.pem Installing CA certificate, please wait CA certificate successfully installed The ipa-cacert-manage command was successful [root@master ~]# kinit admin Password for admin: [root@master ~]# [root@master ~]# ipa-certupdate trying https://master.testrelm.test/ipa/json Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json' trying https://master.testrelm.test/ipa/json Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json' Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json' Systemwide CA database updated. Systemwide CA database updated. The ipa-certupdate command was successful 4. Install the certificates [root@master ~]# ipa-server-certinstall -d -w server.p12 Directory Manager password: Enter private key unlock password: The ipa-server-certinstall command was successful 5. Restart the services [root@master ~]# systemctl restart httpd.service [root@master ~]# systemctl restart dirsrv [root@master ~]# 6. Check trust attributes [root@master ~]# certutil -L -d /etc/httpd/alias/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ca1 C,, ca1/server u,u,u TESTRELM.TEST IPA CA CT,C,C [root@master ~]# certutil -L -d /etc/dirsrv/slapd-TESTRELM-TEST/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ca1 C,, ca1/server u,u,u TESTRELM.TEST IPA CA CT,C,C [root@master ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u ca1 C,, Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu caSigningCert cert-pki-ca CTu,Cu,Cu [root@master ~]# certutil -L -d /etc/ipa/nssdb/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ca1 C,, TESTRELM.TEST IPA CA CT,C,C Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304 |