Bug 1462112
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode! | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Sudhir Menon <sumenon> |
| Component | ipa | Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED ERRATA | QA Contact | Sudhir Menon <sumenon> |
| Severity | urgent | Docs Contact | |
| Priority | urgent | | |
| Version | 7.4 | CC | enewland, ksiddiqu, pvoborni, pvomacka, rcritten, sbose, slaznick, sumenon, tbordaz, tscherf |
| Target Milestone | rc | Keywords | Regression, TestBlocker |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | ipa-4.5.0-19.el7 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-08-01 09:51:24 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Created attachment 1288286
pki-ca-spawn

Please provide the journal log for pki-tomcatd. This seems more like a pki-base bug, btw.

Created attachment 1288349
ipa-server-install log

Created attachment 1288352
ipa-client-install log

Created attachment 1288353
dirsrv journalctl logs

Created attachment 1288354
pki-ca logs

Created attachment 1288355
dirsrv error logs

Since the original bug was not reproducible and the nature of it is actually different, I am moving this back to IPA. The cause of this bug is the use of MD4 in some C code which handles trusts.

Looking at https://bugzilla.redhat.com/attachment.cgi?id=1288353, it looks like ns-slapd aborts. Do you know if a core was dumped?

Upstream ticket: https://pagure.io/freeipa/issue/7026

Fixed upstream
master:
https://pagure.io/freeipa/c/f169481b558bd7ec9102e02e40eb38df7867a694
https://pagure.io/freeipa/c/1f0ca6aafd966e086692007a0df76e3c3276915f
ipa-4-5:
https://pagure.io/freeipa/c/b63b6790efc82c87398c39ba4f55330756b7b3cf
https://pagure.io/freeipa/c/79a5f3bf321f15e4c120d16b8988ed0cdb0ae64

Fix is seen. Verified on RHEL 7.4 using
ipa-server-4.5.0-19.el7.x86_64
389-ds-base-1.3.6.1-16.el7.x86_64
pki-server-10.4.1-10.el7.noarch
pki-ca-10.4.1-10.el7.noarch
selinux-policy-3.13.1-162.el7.noarch
custodia-0.3.1-4.el7.noarch

Attaching the install log for reference.

Created attachment 1290647
Install Log

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Description of problem:
With FIPS mode enabled, the ipa-server-install command failed with "RuntimeError: CA configuration failed".

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-18.el7.x86_64
sssd-1.15.2-47.el7.x86_64
389-ds-base-1.3.6.1-16.el7.x86_64
pki-server-10.4.1-9.el7.noarch
pki-ca-10.4.1-9.el7.noarch
selinux-policy-3.13.1-162.el7.noarch
samba-4.6.2-6.el7.x86_64
custodia-0.3.1-3.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set up FIPS on RHEL 7.4 using the steps below:

```
# cat /etc/sysconfig/prelink | grep PRELINKING
PRELINKING=no
# prelink -u -a
# yum install -y dracut-fips
# dracut -f
# df /boot
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/sda1        1038336 194432    843904  19% /boot
# blkid /dev/sda1
/dev/sda1: UUID="a7c8839b-ee02-4a56-a667-c271bcf3c15e" TYPE="xfs"
# vi /etc/default/grub
GRUB_CMDLINE_LINUX="fips=1 boot=UUID=a7c8839b-ee02-4a56-a667-c271bcf3c15e crashkernel=auto rd.lvm.lv=rhel_auto-hv-02-guest02/root rd.lvm.lv=rhel_auto-hv-02-guest02/swap console=ttyS0,115200"
# grub2-mkconfig -o /boot/grub2/grub.cfg
# reboot
# sysctl -a | grep fips_enabled
crypto.fips_enabled = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.ens3.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
```

2. Install the IPA server with multiple --ip-address options plus --no-pkinit and --setup-adtrust:

```
# ipa-server-install -p **** -a ***** --ip-address=<ip-address1> --ip-address=<ip-address2> -n TEST.QE -r TEST.QE --hostname=authohv02.testqe.test --setup-dns --setup-adtrust --no-pkinit --no-reverse --forwarder=<ip-address> --no-dnssec-validation --netbios-name=TEST -v -U
```

Actual results:
The IPA server install fails with the error below:

```
Installation failed: server failed to restart
2017-06-16T06:43:27Z DEBUG stderr=pkispawn    : ERROR    ....... server failed to restart
2017-06-16T06:43:27Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpIBBIdH' returned non-zero exit status 1
2017-06-16T06:43:27Z CRITICAL See the installation logs and the following files/directories for more information:
2017-06-16T06:43:27Z CRITICAL   /var/log/pki/pki-tomcat
2017-06-16T06:43:27Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-06-16T06:43:27Z DEBUG   [error] RuntimeError: CA configuration failed.
2017-06-16T06:43:27Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 578, in main
    master_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 250, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 802, in install
    ca.install_step_0(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 284, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 447, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2017-06-16T06:43:27Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2017-06-16T06:43:27Z ERROR CA configuration failed.
```

Expected results:
The IPA server install should work without any error.

Additional info:
Attaching console logs.
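As an added example (not part of this bug report or of FreeIPA), a preflight script that checks the FIPS setup from the reproduction steps above and whether the OpenSSL in use can still compute MD4, the digest the trust-handling C code needed; all file paths are parameters with the real locations as defaults, so the checks can also run against constructed files.

```bash
#!/bin/bash
# Added example, not from the bug report or FreeIPA: preflight checks for a
# FIPS host before running ipa-server-install --setup-adtrust.

# fips_enabled FILE: succeeds if the kernel reports FIPS mode on.
# FILE is normally /proc/sys/crypto/fips_enabled.
fips_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = 1 ]
}

# prelink_disabled FILE: succeeds if prelink is absent or PRELINKING=no is set.
# FILE is normally /etc/sysconfig/prelink.
prelink_disabled() {
    [ ! -e "$1" ] || grep -Eq '^[[:space:]]*PRELINKING=no' "$1"
}

# grub_has_fips FILE: succeeds if GRUB_CMDLINE_LINUX carries fips=1 and, because
# /boot is a separate partition in the steps above, a boot=UUID= entry too.
# FILE is normally /etc/default/grub.
grub_has_fips() {
    local line
    line=$(grep -E '^GRUB_CMDLINE_LINUX=' "$1") || return 1
    case "$line" in
        *fips=1*boot=UUID=*|*boot=UUID=*fips=1*) return 0 ;;
        *) return 1 ;;
    esac
}

# md4_available: succeeds if openssl can compute an MD4 digest. Under FIPS this
# fails, which is the same restriction the installer tripped over.
md4_available() {
    printf '' | openssl dgst -md4 >/dev/null 2>&1
}

# preflight: one PASS/FAIL line per check; nonzero exit if anything failed.
preflight() {
    local rc=0
    report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi; }
    report fips_enabled /proc/sys/crypto/fips_enabled
    report prelink_disabled /etc/sysconfig/prelink
    report grub_has_fips /etc/default/grub
    if md4_available; then
        echo "WARN MD4 still available: FIPS restrictions are not in effect"
    else
        echo "INFO MD4 forbidden: --setup-adtrust needs ipa-server >= 4.5.0-19.el7"
    fi
    return "$rc"
}

case "${1-}" in --check) preflight ;; esac
```

Run it as `./preflight.sh --check` on the host; the checks only run when that argument is given, so the functions can be sourced and exercised separately.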