Bug 1444896

Summary: ipa-server-install with external-ca fails in FIPS mode
Product: Red Hat Enterprise Linux 7 Reporter: Abhijeet Kasurde <akasurde>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Abhijeet Kasurde <akasurde>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.4CC: kengert, ksiddiqu, mbasti, nsoman, pvoborni, rcritten, slaznick, tkrizek, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-10.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:50:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
external_ca.sh
none
nssdb.tar.gz
none
ipa-server-install.log
none
verification_console.log none

Description Abhijeet Kasurde 2017-04-24 13:58:17 UTC 
Created attachment 1273618 [details]
external_ca.sh

Description of problem:
IPA server installation fails with following error:

ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    CA certificate CN=PRIMARY,O=TESTRELM.TEST in /root/nssdb/chain.crt is not valid: (SEC_ERROR_BAD_SIGNATURE) Peer's certificate has an invalid signature.
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


Version-Release number of selected component (if applicable):
# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.5.0-7.el7.x86_64
ipa-client-4.5.0-7.el7.x86_64
389-ds-base-1.3.6.1-9.el7.x86_64
pki-ca-10.4.1-2.el7.noarch
krb5-server-1.15.1-7.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run attached script

Actual results:
Installation fails with above error

Expected results:
Same script works fine in non-FIPS mode. Installation is non-FIPS mode with external-ca is successful.
Comment 3 Standa Laznicka 2017-04-25 08:14:57 UTC 
Seems to me like a bug in my script you shared here, perhaps the CA cert creation and signing is missing some undocumented arguments for FIPS mode. It could also be a bug in NSS since verification of such created certificate signatures does not fail in non-FIPS environent.

Either above mentioned way, changing the component from "ipa" to "nss".
Comment 4 Kai Engert (:kaie) (inactive account) 2017-04-25 11:37:33 UTC 
Please attach the involved certificates, so we can have a look, without reproducing your environment.
Comment 5 Abhijeet Kasurde 2017-04-25 11:54:51 UTC 
Please find the attachment for certificates created in temp directory by given script.
Comment 6 Abhijeet Kasurde 2017-04-25 11:58:08 UTC 
Created attachment 1273884 [details]
nssdb.tar.gz
Comment 7 Kai Engert (:kaie) (inactive account) 2017-04-25 12:29:32 UTC 
On first look, I don't see an issue with this certificate. 2048 bit RSA key, signature uses sha256, has basic-constraints extension.

I assume you are running on a system that has FIPS enabled system-wide, correct?

Please clarify: Is this a regression with new a package version, or, are you trying this for the first time? (If regression, please mention the package versions that are working.)
Comment 8 Abhijeet Kasurde 2017-04-25 12:42:31 UTC 
(In reply to Kai Engert (:kaie) from comment #7)
> On first look, I don't see an issue with this certificate. 2048 bit RSA key,
> signature uses sha256, has basic-constraints extension.
> 
> I assume you are running on a system that has FIPS enabled system-wide,
> correct?
> 
Yes. Machine is FIPS enabled. 

# cat /proc/sys/crypto/fips_enabled
1

> Please clarify: Is this a regression with new a package version, or, are you
> trying this for the first time? (If regression, please mention the package
> versions that are working.)

I am trying this for the first time. Is there any specific flags or options required to create certificate using certutil in FIPS mode ?
Comment 9 Standa Laznicka 2017-04-25 12:46:33 UTC 
@kai: We're doing this for the first time, it's a part of a RHEL 7.4 feature: https://bugzilla.redhat.com/show_bug.cgi?id=1125174
Comment 10 Kai Engert (:kaie) (inactive account) 2017-04-25 13:09:02 UTC 
If you want to speed up analysis, can you find out the exact failing command, including parameters, that is being executed as part of the script?
Comment 11 Standa Laznicka 2017-04-25 13:41:54 UTC 
The failure happens in the following code:
"""
intended_usage = nss.certificateUsageSSLCA
try:
    approved_usage = cert.verify_now(certdb, True, intended_usage)
"""
where cert is nss.Certificate representing the CA cert that's signing the sub-CA cert.

This is of course python-nss code but given that that won't probably change FIPS/non-FIPS, it's more probable that the failure will happen in the actual nss library.
Comment 14 Kai Engert (:kaie) (inactive account) 2017-04-25 14:42:34 UTC 
You don't login. You must ensure that you provide the database password and that PK11_Authenticate() succeeds.
Comment 15 Standa Laznicka 2017-04-26 06:31:43 UTC 
Although I am changing the component back to IPA, you should fix this too since the way you handle errors will open cases against you over and over again and that's just a waste of both sides' time.
Comment 16 Standa Laznicka 2017-04-26 06:33:54 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6897
Comment 17 Martin Bašti 2017-04-28 12:12:01 UTC 
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/651d132b701b773b2bbeb41496d6c5ddbf6d19b3
Comment 19 Abhijeet Kasurde 2017-05-03 08:35:39 UTC 
Failed to verify bz as following error occurred while installing IPA server with externally signed certificates 


  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    must be str, unicode, tuple, Name, RDN or DN, got <type 'NoneType'> instead
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


# rpm -qa ipa-server ipa-client 389-ds-base pki-ca krb5-server
pki-ca-10.4.1-2.el7.noarch
389-ds-base-1.3.6.1-9.el7.x86_64
ipa-client-4.5.0-9.el7.x86_64
ipa-server-4.5.0-9.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
# cat /proc/sys/crypto/fips_enabled
1

See attachment for ipa-server-install.log
Comment 20 Abhijeet Kasurde 2017-05-03 08:37:50 UTC 
Created attachment 1275848 [details]
ipa-server-install.log
Comment 21 Standa Laznicka 2017-05-03 08:41:44 UTC 
This was caused by PKINIT fixes applied over fixes in this BZ, adding our tracker.
Comment 22 Tomas Krizek 2017-05-03 14:31:21 UTC 
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/8107125e177ac9f378d149d7b0fa1d3774c9be3a
master:
https://pagure.io/freeipa/c/a24923066dd95a88ded329f1a558d46fbb9d8f81
Comment 24 Abhijeet Kasurde 2017-05-04 09:40:17 UTC 
Verified using IPA version:: ipa-server-4.5.0-10.el7.x86_64

Marking BZ as verified. See attachment for console.log.
Comment 25 Abhijeet Kasurde 2017-05-04 09:41:29 UTC 
Created attachment 1276208 [details]
verification_console.log
Comment 26 errata-xmlrpc 2017-08-01 09:50:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304