Bug 1491623

Summary: pk12util fails to import a pkcs#12 file that contains two certificates with identical nickname
Product: Red Hat Enterprise Linux 7
Reporter: German Parente <gparente>
Component: nss
Assignee: Daiki Ueno <dueno>
Status: CLOSED ERRATA
QA Contact: Hubert Kario <hkario>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.4
CC: dueno, ekeck, frenaud, gparente, hkario, kengert, pvoborni, rcritten, rrelyea, szidek, tmihinto, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: nss-3.34.0-0.1.beta1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 09:46:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description German Parente 2017-09-14 09:47:17 UTC
Description of problem:

We have several customers facing this issue.

Florence has easily reproduced this by doing ipa-cacert-manage renew. That generates a new CA cert, so there are two of them in the cert DB.

While this is not an issue in itself, ipa-replica-install fails with:


2017-09-10T17:41:14Z DEBUG args=/usr/bin/pk12util -d /tmp/tmp0FZbiN -k /tmp/tmp0FZbiN/pwdfile.txt -n caSigningCert cert-pki-ca -i /tmp/tmp0FZbiN/pk12file -w /tmp/tmp0FZbiN/pk12pwfile
2017-09-10T17:41:14Z DEBUG Process finished, return code=19
2017-09-10T17:41:14Z DEBUG stdout=
2017-09-10T17:41:14Z DEBUG stderr=pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.

2017-09-10T17:41:14Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1461, in install
    ca.install(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 205, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 246, in install_step_0
    replica_config.dirman_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 208, in get_ca_keys
    self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 185, in __get_keys
    '-w', pk12pwfile])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))

2017-09-10T17:41:14Z DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/bin/pk12util -d /tmp/tmp0FZbiN -k /tmp/tmp0FZbiN/pwdfile.txt -n caSigningCert cert-pki-ca -i /tmp/tmp0FZbiN/pk12file -w /tmp/tmp0FZbiN/pk12pwfile' returned non-zero exit status 19
2017-09-10T17:41:14Z ERROR Command '/usr/bin/pk12util -d /tmp/tmp0FZbiN -k /tmp/tmp0FZbiN/pwdfile.txt -n caSigningCert cert-pki-ca -i /tmp/tmp0FZbiN/pk12file -w /tmp/tmp0FZbiN/pk12pwfile' returned non-zero exit status 19
2017-09-10T17:41:14Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


Version-Release number of selected component (if applicable): 

ipa-server-4.5.0-21.el7_4.1.2.x86_64

How reproducible: always.

Steps to Reproduce: thanks Florence!!

1. ipa-cacert-manage renew / ipa-certupdate in master
2. ipa-replica-install

Comment 3 Florence Blanc-Renaud 2017-09-14 16:50:20 UTC
It seems that ipa-cacert-manage renew sometimes leaves the NSSDB with the prev cert and the new cert obtained from renewal (not systematically reproduced).
For instance:
$ sudo certutil -L -d /etc/pki/pki-tomcat/alias 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu


Here 'caSigningCert cert-pki-ca' appears twice and that will cause an issue during replica install, when custodia retrieves the keys for this cert.

Not sure yet if it is a bug in certmonger (should it remove the old cert before adding the new one?) or a NSS issue.

On the replica side, when custodia tries to retrieve the cert and key, it performs
pk12util -d /etc/pki/pki-tomcat/alias -o <pk12file> -n 'caSigningCert cert-pki-ca' -k /etc/pki/pki-tomcat/alias/pwdfile.txt -w <pk12pwfile>
on the master (i.e. take the cert from the PKI nssdb and produce a pk12 file), and the custodia client receives the content of the pk12file and performs
pk12util -d <nssdb> -k <nssdbpwdfile> -n 'caSigningCert cert-pki-ca' -i <pk12file> -w <pk12pwfile>
(i.e. extract the cert from the pk12 file and put it in a temporary NSSDB).
The issue can be reproduced manually with pk12util commands. What is strange is that running the client-side pk12util command twice succeeds.

$ sudo pk12util -d /tmp/nssdb/ -i /tmp/ca.p12 -n 'caSigningCert cert-pki-ca' 
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file: 
pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.
$ sudo pk12util -d /tmp/nssdb/ -i /tmp/ca.p12 -n 'caSigningCert cert-pki-ca' 
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL

So there may be an issue as well with pk12util.
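
A pre-flight check for the duplicate-nickname state shown in the certutil listing above, added here as an example; it is not part of the bug report nor of the NSS or FreeIPA code. It parses `certutil -L` output and reports every nickname that appears more than once, so an NSS DB in that state can be spotted (and cleaned up with certutil) before ipa-replica-install's custodia step runs pk12util against it. The two sample listings are constructed for the example, and the function names and the assumed listing layout (header lines, then one "<nickname>   <trust flags>" row per certificate, trust flags last) are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the NSS/IPA projects): report
# certificate nicknames that occur more than once in `certutil -L` output.
# Assumed layout: header lines, then one "<nickname>   <trust flags>" row per
# certificate, the trust flags being the last whitespace-separated field
# (for example "u,u,u" or "CTu,Cu,Cu").

# Read a certutil -L listing on stdin; print each duplicated nickname once,
# sorted. Prints nothing when every nickname is unique.
find_duplicate_nicknames() {
  awk '
    # Certificate rows end in a trust column made only of the NSS trust-flag
    # letters p, P, c, C, T, u, w in three comma-separated groups; the header
    # rows ("Trust Attributes", "SSL,S/MIME,JAR/XPI") do not match this.
    NF >= 2 && $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # strip the trailing trust column
      count[nick]++
    }
    END {
      for (n in count)
        if (count[n] > 1) print n
    }
  ' | sort
}

# Constructed sample listing shaped like the one in comment 3: the CA signing
# cert appears twice because a renewal left both copies in the DB.
sample_listing_with_duplicate() {
  cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
EOF
}

# Constructed healthy listing: the same DB without the second CA cert row.
sample_listing_clean() {
  sample_listing_with_duplicate | sed '$d'
}

# Wrappers that return the check result for the two constructed samples.
check_sample_with_duplicate() {
  sample_listing_with_duplicate | find_duplicate_nicknames
}
check_sample_clean() {
  sample_listing_clean | find_duplicate_nicknames
}

# Real-world use (needs certutil installed): inspect the CA's NSS DB before
# running ipa-replica-install, e.g. check_nssdb_dir /etc/pki/pki-tomcat/alias
# Returns 1 and lists the offending nicknames on stderr if any are duplicated.
check_nssdb_dir() {
  dups=$(certutil -L -d "$1" | find_duplicate_nicknames)
  if [ -n "$dups" ]; then
    printf 'duplicate nickname(s) in %s:\n%s\n' "$1" "$dups" >&2
    return 1
  fi
  return 0
}

# Stand-alone usage: ./check_nssdb.sh <nssdb directory>
if [ $# -gt 0 ]; then
  check_nssdb_dir "$1"
fi
```

On the listing from comment 3 the check prints "caSigningCert cert-pki-ca" and returns non-zero; on a DB where each nickname is unique it prints nothing and returns 0, which makes it usable as a guard in an automation step ahead of the replica install.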

Comment 26 errata-xmlrpc 2018-04-10 09:46:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679