Bug 1419735

Summary: ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted)
Product: Red Hat Enterprise Linux 7 Reporter: Amy Farley <afarley>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Michal Reznik <mreznik>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.3CC: afarley, gparente, ipa-qe, jcholast, molasaga, nsoman, pparsons, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.4.0-14.el7.7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1429872 (view as bug list) Environment:
Last Closed: 2017-08-01 09:44:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1429872    

Comment 11 Petr Vobornik 2017-02-17 17:06:45 UTC 
Just public recap: we need to retest workflow:

1. install ipa-server as self-signed CA
2. issue CA cert signed by
   a) dogtag CA
   b) AD CA
3. use "Self-signed CA certificate → externally-signed CA certificate" method for both types (a and b) of CA cert.
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html

4. Run ipa-certupdate
5. Attempt to install replica

It fails in step "[3/5]: Importing RA Key" with: 


    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 97, in fetch_key
    params={'type': 'kem', 'value': request})
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)

2017-01-26T16:49:04Z DEBUG The ipa-replica-install command failed, exception: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
2017-01-26T16:49:04Z ERROR [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)


Workflow where first IPA server is installed with --external-ca right away works for CA cert issued by DogTag CA. We need to retest and fix issuing with AD CA - bug 1322963 or upstream #5799
Comment 12 Petr Vobornik 2017-02-17 17:09:47 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6686
Comment 26 Jan Cholasta 2017-02-27 07:49:21 UTC 
master:
https://fedorahosted.org/freeipa/changeset/16dac0252e52c8de07fd8a6a86ec0896074cbe9d
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/f784e33b1e2630aaa2e433da904cbb241d76e502
Comment 34 Michal Reznik 2017-05-18 09:20:36 UTC 
Verified on:

ipa-server-4.5.0-9.el7.x86_64

Steps as per BZ 1429872 comment #6.

1. Install CA-less ipa-server

root@master ~]# ipa-server-install --ip-address $(ip addr|grep "global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U --dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin XXX --http-pin XXX --no-pkinit

<snip>
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
 1. You must make sure these network ports are open:
  TCP Ports:
    * 80, 443: HTTP/HTTPS
    * 389, 636: LDAP/LDAPS
    * 88, 464: kerberos
    * 53: bind
  UDP Ports:
    * 88, 464: kerberos
    * 53: bind
    * 123: ntp

 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
    This ticket will allow you to use the IPA tools (e.g., ipa user-add)
    and the web user interface.

In order for Firefox autoconfiguration to work you will need to
use a SSL signing certificate. See the IPA documentation for more details.
[root@master ~]# 

2. Install CA-less replica

[root@replica1 ~]# ipa-client-install -U --domain testrelm.test --realm TESTRELM.TEST -p admin -w XXX --server master.testrelm.test
[root@replica1 ~]# ipa-replica-install -U --dirsrv-cert-file=./replica.p12 --http-cert-file=./replica.p12 --dirsrv-pin XXX --http-pin XXX -P admin -w XXX --no-pkinit

<snip>
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/20]: stopping httpd
  [2/20]: setting mod_nss port to 443
  [3/20]: setting mod_nss cipher suite
  [4/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/20]: setting mod_nss password file
  [6/20]: enabling mod_nss renegotiate
  [7/20]: adding URL rewriting rules
  [8/20]: configuring httpd
  [9/20]: setting up httpd keytab
  [10/20]: configuring Gssproxy
  [11/20]: setting up ssl
  [12/20]: importing CA certificates from LDAP
  [13/20]: publish CA cert
  [14/20]: clean up any existing httpd ccaches
  [15/20]: configuring SELinux for httpd
  [16/20]: create KDC proxy config
  [17/20]: enable KDC proxy
  [18/20]: starting httpd
  [19/20]: configuring httpd to start on boot
  [20/20]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning

3. Check ipactl status

[root@master ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@replica1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
Comment 35 errata-xmlrpc 2017-08-01 09:44:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304