Bug 1427897
| Summary: | different behavior regarding system wide certs in master and replica. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | German Parente <gparente> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Michal Reznik <mreznik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | apeddire, dpinkert, ksiddiqu, michael, michael.ward, mreznik, pvoborni, rcritten |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.5.0-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 09:44:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
German Parente
2017-03-01 13:25:34 UTC
I can confirm that this is impacting us also. chmod 644 fixes it, but I'm not sure those are the appropriate permissions for that file....

Upstream ticket: https://pagure.io/freeipa/issue/6132

Ticket 6132 fixed upstream f037bfa48356a5fb28eebdb76f9dbd5cb461c2d2 httpinstance: disable system trust module in /etc/httpd/alias

*** Bug 1448697 has been marked as a duplicate of this bug. ***

Verified on:
ipa-server-4.5.0-9.el7.x86_64
mod_nss-1.0.14-8.el7.x86_64
[root@master ~]# getenforce
Enforcing
[root@replica1 ~]# getenforce
Enforcing
1. Install ipa-server
[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U
<snip>
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@master ~]#
2. Check rights of ipa.p11-kit
[root@master ~]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 3541 May 29 10:36 /etc/pki/ca-trust/source/ipa.p11-kit
3. Change rights to 600
[root@master ~]# chmod 600 /etc/pki/ca-trust/source/ipa.p11-kit
[root@master ~]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-------. 1 root root 3541 May 29 10:36 /etc/pki/ca-trust/source/ipa.p11-kit
4. Restart httpd
[root@master ~]# systemctl restart httpd
[root@master ~]#
5. Check if system trust is disabled
[root@master ~]# modutil -dbdir /etc/httpd/alias -list "Root Certs"
-----------------------------------------------------------
Name: Root Certs
Library file: /etc/httpd/alias/libnssckbi.so
Manufacturer: PKCS#11 Kit
Description: PKCS#11 Kit Trust Module
PKCS #11 Version 2.40
Library Version: 0.23
Cipher Enable Flags: None
Default Mechanism Flags: None
Slot: /etc/pki/ca-trust/source
Slot Mechanism Flags: None
Manufacturer: PKCS#11 Kit
Type: Software
Version Number: 0.23
Firmware Version: 0.0
Status: DISABLED (user disabled)
Token Name: System Trust
Token Manufacturer: PKCS#11 Kit
Token Model: p11-kit-trust
Token Serial Number: 1
Token Version: 0.23
Token Firmware Version: 0.0
Access: NOT Write Protected
Login Type: Public (no login required)
User Pin: NOT Initialized
Slot: /usr/share/pki/ca-trust-source
Slot Mechanism Flags: None
Manufacturer: PKCS#11 Kit
Type: Software
Version Number: 0.23
Firmware Version: 0.0
Status: DISABLED (user disabled)
Token Name: Default Trust
Token Manufacturer: PKCS#11 Kit
Token Model: p11-kit-trust
Token Serial Number: 1
Token Version: 0.23
Token Firmware Version: 0.0
Access: NOT Write Protected
Login Type: Public (no login required)
User Pin: NOT Initialized
-----------------------------------------------------------
6. The same on replica
[root@replica1 ~]# ipa-replica-install -U -P admin -w XXX --server master.testrelm.test -n testrelm.test
<snip>
[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/9]: stopping directory server
[2/9]: saving configuration
[3/9]: disabling listeners
[4/9]: enabling DS global lock
[5/9]: starting directory server
[6/9]: upgrading server
[7/9]: stopping directory server
[8/9]: restoring configuration
[9/9]: starting directory server
Done.
Restarting the KDC
[root@replica1 ~]#
[root@replica1 tmp]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 3541 May 29 11:06 /etc/pki/ca-trust/source/ipa.p11-kit
[root@replica1 tmp]# chmod 600 /etc/pki/ca-trust/source/ipa.p11-kit
[root@replica1 tmp]#
[root@replica1 tmp]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-------. 1 root root 3541 May 29 11:06 /etc/pki/ca-trust/source/ipa.p11-kit
[root@replica1 tmp]#
[root@replica1 tmp]# systemctl restart httpd
[root@replica1 tmp]#
[root@replica1 tmp]# modutil -dbdir /etc/httpd/alias -list "Root Certs"
-----------------------------------------------------------
Name: Root Certs
Library file: /etc/httpd/alias/libnssckbi.so
Manufacturer: PKCS#11 Kit
Description: PKCS#11 Kit Trust Module
PKCS #11 Version 2.40
Library Version: 0.23
Cipher Enable Flags: None
Default Mechanism Flags: None
Slot: /etc/pki/ca-trust/source
Slot Mechanism Flags: None
Manufacturer: PKCS#11 Kit
Type: Software
Version Number: 0.23
Firmware Version: 0.0
Status: DISABLED (user disabled)
Token Name: System Trust
Token Manufacturer: PKCS#11 Kit
Token Model: p11-kit-trust
Token Serial Number: 1
Token Version: 0.23
Token Firmware Version: 0.0
Access: NOT Write Protected
Login Type: Public (no login required)
User Pin: NOT Initialized
Slot: /usr/share/pki/ca-trust-source
Slot Mechanism Flags: None
Manufacturer: PKCS#11 Kit
Type: Software
Version Number: 0.23
Firmware Version: 0.0
Status: DISABLED (user disabled)
Token Name: Default Trust
Token Manufacturer: PKCS#11 Kit
Token Model: p11-kit-trust
Token Serial Number: 1
Token Version: 0.23
Token Firmware Version: 0.0
Access: NOT Write Protected
Login Type: Public (no login required)
User Pin: NOT Initialized
-----------------------------------------------------------
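As an added verification helper (not part of the bug report or of FreeIPA itself), the following script turns the manual checks above into something repeatable: it parses `modutil -list "Root Certs"` output and only passes when every p11-kit-trust slot is disabled, and it checks that ipa.p11-kit is owner-readable only. The function and variable names are the author's own choices; the embedded modutil excerpt is constructed from the listing above.

```shell
# Added helper, not from the bug report or FreeIPA. After the fix, httpd's
# NSS database (/etc/httpd/alias) has the p11-kit "Root Certs" module disabled,
# so httpd never reads /etc/pki/ca-trust/source/ipa.p11-kit and mode 600 is safe.

# Parse `modutil -dbdir <db> -list "Root Certs"` output on stdin.
# Prints "<token name>: <status>" per slot; returns 0 only if at least one
# slot was found and every slot reports "DISABLED (user disabled)".
parse_root_certs_status() {
    awk '
        /^[ \t]*Status:/ {
            status = $0; sub(/^[ \t]*Status:[ \t]*/, "", status)
        }
        /^[ \t]*Token Name:/ {
            name = $0; sub(/^[ \t]*Token Name:[ \t]*/, "", name)
            printf "%s: %s\n", name, status
            slots++
            if (status !~ /^DISABLED/) bad++
        }
        END { exit (slots == 0 || bad > 0) }
    '
}

# Live check against a real NSS database directory (needs modutil installed).
check_nss_db() {
    modutil -dbdir "$1" -list "Root Certs" | parse_root_certs_status
}

# True when the file is readable by its owner only (-rw-------), the mode
# applied to ipa.p11-kit in the verification steps.
is_owner_only() {
    case "$(ls -ld "$1")" in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed excerpt of post-fix modutil output (both p11-kit-trust slots
# disabled), embedded so the parser can be exercised offline.
SAMPLE_DISABLED='Name: Root Certs
Library file: /etc/httpd/alias/libnssckbi.so
  Slot: /etc/pki/ca-trust/source
  Status: DISABLED (user disabled)
  Token Name: System Trust
  Slot: /usr/share/pki/ca-trust-source
  Status: DISABLED (user disabled)
  Token Name: Default Trust'

# Constructed pre-fix variant: module still loaded, so httpd would read ipa.p11-kit.
SAMPLE_ENABLED=$(printf '%s\n' "$SAMPLE_DISABLED" | sed 's/DISABLED (user disabled)/Enabled/')
```

On a server, `check_nss_db /etc/httpd/alias && is_owner_only /etc/pki/ca-trust/source/ipa.p11-kit` reproduces steps 2 to 5 in one command.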
*** Bug 1458453 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304