
Bug 1360813

Summary: ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions
Product: Red Hat Enterprise Linux 7
Reporter: Thorsten Scherf <tscherf>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Michal Reznik <mreznik>
Severity: medium
Docs Contact:
Priority: high
Version: 7.2
CC: apetrova, frenaud, ipa-maint, ipa-qe, jcholast, jreznik, nsoman, pvoborni, rcritten, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ipa-4.4.0-13.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1389348 (view as bug list)
Environment:
Last Closed: 2017-08-01 09:39:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1389348

Description Thorsten Scherf 2016-07-27 14:26:28 UTC
Description of problem:

The tool ipa-server-certinstall can be used to install 3rd party certificates for the IPA embedded httpd and ldap service. 

The usage is outlined on this page (I already filed BZ #1360217 to get a proper description into our IdM guide):

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Here it says:

"""
The certificate in mysite.crt must be signed by a CA known by the service you are loading the certificate into. Or you must include the certificate chain associated with the new certificate. 
"""

I recently encountered two issues when a PKCS#12 file is imported which has a new CA certificate chain included, which is not already known to IPA:

1) The certificates from the PKCS#12 file are imported into the NSS DB of the service the certificate is for (httpd and/or ldap), and the trust flag is properly set for the new service certificate, but trust flags for the CA certificates which are also part of the PKCS#12 file are not set at all. A manual change using certutil was required.

2) While the CA certificates from the PKCS#12 file are imported into the NSS DB of the http and/or ldap service, they are not imported into the tomcat-pki NSS DB. As a result, tomcat fails to start when the ldap certificate has been replaced and when it's signed by a CA which is not known to IPA. I would expect that ipa-server-certinstall also updates this NSS DB. A manual import of the CA certificates fixed the issue.

I found an old ticket which talks about the same issue and which has been closed as FIXED, but I can still see the issues I outlined above in latest RHEL-7.2 ipa package:
 
https://fedorahosted.org/freeipa/ticket/3862


Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.17

How reproducible:
Create a new CSR for IPA httpd and have it signed by a CA which is not known to IPA. Create a PKCS#12 file with the new certificate/key and add the full CA certificate chain to the PKCS#12 file. Then import the file using ipa-server-certinstall.

Comment 1 Petr Vobornik 2016-08-26 08:51:34 UTC
The second issue, at least on RHEL 7.3/Fedora, is caused by: bug 1366915 / bug 1349024. Not sure if the root cause is the same for 7.2.

In IPA 4.4, ipa-server-certinstall received the following fixes:
- https://fedorahosted.org/freeipa/ticket/4785
- https://fedorahosted.org/freeipa/ticket/4786

Comment 2 Petr Vobornik 2016-08-26 11:25:10 UTC
The first part may be handled by first running `ipa-cacert-manage install` utility.

This bz should be used for extending `ipa-server-certinstall` to do just that.

Comment 4 Petr Vobornik 2016-08-26 11:34:16 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6263

Comment 5 Thorsten Scherf 2016-08-26 11:38:29 UTC
> The first part may be handled by first running `ipa-cacert-manage install` utility.

The documentation [1] suggests that the tool ipa-server-certinstall takes care about importing CA certificates which are unknown to IPA as long as you provide the full certificate chain in a PKCS#12 file.

[1] https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

"""The certificate in mysite.crt must be signed by a CA known by the service you are loading the certificate into. Or you must include the certificate chain associated with the new certificate."""

> The second issue, at least on RHEL 7.3/Fedora is caused by: bug 1366915 / bug 1349024. Not sure if the root cause is the same for 7.2.

This is even a different problem where the SELinux policy prevents the renewal of the CA subsystem certs. The issue I reported in 2) is about the CA certificate (from the PKCS#12 file) import into the Tomcat NSS DB. I do not see how any of the patches you mentioned will fix this issue.

Comment 11 Jan Cholasta 2016-09-19 05:56:01 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/0c4a91348a57ee941db94b31f59952eb1fcd4565

Comment 18 Florence Blanc-Renaud 2016-11-16 07:30:22 UTC
Hi Thorsten,
thanks for providing the procedure. I updated the upstream wiki with your instructions.

Comment 22 Michal Reznik 2017-05-17 14:04:24 UTC
Verified on:

ipa-server-4.5.0-9.el7.x86_64
pki-ca-10.4.1-3.el7.noarch


1. Install ipa-server

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U

2. Try ipa-server-certinstall without known CA

[root@master ~]# ipa-server-certinstall -d -w server.p12
Directory Manager password: 

Enter private key unlock password: 

Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.

3. Install CA certificate

[root@master ~]# ipa-cacert-manage -p XXX -n ca1 -t C,, install ca1.pem
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

[root@master ~]# kinit admin
Password for admin: 
[root@master ~]#

[root@master ~]# ipa-certupdate
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json'
Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful


4. Install the certificates

[root@master ~]# ipa-server-certinstall -d -w server.p12
Directory Manager password: 

Enter private key unlock password: 

The ipa-server-certinstall command was successful


5. Restart the services

[root@master ~]# systemctl restart httpd.service
[root@master ~]# systemctl restart dirsrv
[root@master ~]# 


6. Check trust attributes

[root@master ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,
ca1/server                                                   u,u,u
TESTRELM.TEST IPA CA                                         CT,C,C

[root@master ~]# certutil -L -d /etc/dirsrv/slapd-TESTRELM-TEST/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,
ca1/server                                                   u,u,u
TESTRELM.TEST IPA CA                                         CT,C,C

[root@master ~]# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
ca1                                                          C,,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu

[root@master ~]# certutil -L -d /etc/ipa/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,  
TESTRELM.TEST IPA CA                                         CT,C,C

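An added check for step 6 of the verification above (example code, not part of the bug report or of FreeIPA's own tooling): it parses `certutil -L` listings of the IPA NSS databases and reports each DB where a third-party CA is either missing or present without the "C" (trusted CA for SSL) flag, which are exactly the two failure modes the description reports. The listings are constructed samples in the Comment 22 format; on a live system you would feed it the real output of `certutil -L -d <db>`.

```python
import re
from typing import Dict, List

# Constructed sample of `certutil -L -d <nssdb>` output for three IPA NSS DBs
# (modelled on Comment 22, not captured from a system): httpd is correct, dirsrv
# has ca1 without the "C" flag (issue 1), pki-tomcat is missing ca1 (issue 2).
SAMPLE_LISTINGS = {
    "/etc/httpd/alias": """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
ca1                                                          C,,
ca1/server                                                   u,u,u
TESTRELM.TEST IPA CA                                         CT,C,C
""",
    "/etc/dirsrv/slapd-TESTRELM-TEST": """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
ca1                                                          ,,
TESTRELM.TEST IPA CA                                         CT,C,C
""",
    "/etc/pki/pki-tomcat/alias": """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
""",
}
# A data line is: nickname, two or more spaces, then the three comma-separated
# trust slots (SSL, S/MIME, JAR/XPI). The two header lines never match this.
LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map certificate nickname -> trust attribute string such as 'CT,C,C'."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs

def check_ca_trust(listings: Dict[str, str], ca_nick: str) -> List[str]:
    """One finding per NSS DB where ca_nick is absent or lacks 'C' in the SSL slot."""
    findings = []
    for db, text in listings.items():
        trust = parse_certutil_listing(text).get(ca_nick)
        if trust is None:
            findings.append(f"{db}: '{ca_nick}' is not present")
        elif "C" not in trust.split(",")[0]:
            findings.append(f"{db}: '{ca_nick}' has SSL trust '{trust}', expected C")
    return findings
```

An empty list from `check_ca_trust` means every database already trusts the CA the way the fixed ipa-server-certinstall leaves it.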
Comment 23 errata-xmlrpc 2017-08-01 09:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304