Bug 1560961

Summary: Can't log in to the director UI with Firefox [rhel-7.5.z]
Product: Red Hat Enterprise Linux 7
Reporter: Oneata Mircea Teodor <toneata>
Component: certmonger
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 7.4
CC: apannu, beth.white, dtrainor, hrybacki, jjoyce, josorior, jrist, jschluet, ksiddiqu, lmanasko, nalin, ndehadra, pvoborni, rcritten, salmy, slinaber, tvignaud, ukalifon
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: certmonger-0.78.4-3.el7.1
Doc Type: Bug Fix
Doc Text:
Previously, the automatically generated local certificate authority (CA) used improper DER encoding for the CA Basic Constraints boolean. As a consequence, the certificate was in some cases rejected as invalid. With this update, the local CA uses a properly DER-encoded boolean and the described problem no longer occurs.
Story Points: ---
Clone Of: 1551635
Environment:
Last Closed: 2018-05-14 16:10:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1551635
Bug Blocks: 1559121

Description Oneata Mircea Teodor 2018-03-27 11:17:15 UTC
This bug has been copied from bug #1551635 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 5 Nikhil Dehadrai 2018-04-11 08:13:11 UTC
Hi Rob, 

Could you suggest the steps in verifying this bug?

Thanks

Comment 6 Rob Crittenden 2018-04-11 12:19:09 UTC
Steps are in the parent bug, https://bugzilla.redhat.com/show_bug.cgi?id=1551635

Comment 9 Nikhil Dehadrai 2018-04-17 04:48:52 UTC
Certmonger version: certmonger-0.78.4-3.el7_5.1.x86_64

Verified the bug on the basis of following observations:
1. Set up a RHEL 7.5.update1 system.
2. Check the certmonger package version (in my case certmonger-0.78.4-3.el7_5.1.x86_64).
3. Pull the CA certificate out of the PKCS#12 file with:

# ls -l /var/lib/certmonger/local/creds (check that the file exists)

# openssl pkcs12 -in /var/lib/certmonger/local/creds -out /tmp/ca.pem -nokeys -nodes -passin pass:''

4. Edit the file /tmp/ca.pem created in the above step to drop the prefix before -----BEGIN CERTIFICATE----- to avoid an offset error, then parse it:

# openssl asn1parse -in /tmp/ca.pem -inform pem

5. Noticed the hex dump below:
  
  543:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  548:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  551:d=5  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF

6. To confirm that it works with Firefox, generate a certificate using certmonger:

# getcert request -c local -f /etc/pki/tls/certs/local.crt -k /etc/pki/tls/private/local.key -U id-kp-clientAuth -U id-kp-serverAuth -u digitalSignature -u nonRepudiation -u keyEncipherment -u dataEncipherment

7. Install httpd and mod_ssl (yum -y install httpd mod_ssl).

Configure mod_ssl to use this certificate:

# vi /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/local.crt
SSLCertificateKeyFile /etc/pki/tls/private/local.key

Add the CA to the global trust:

# cp /tmp/ca.pem /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
# update-ca-trust 

8. Restart httpd: systemctl restart httpd

9. Launch Firefox (in my case Firefox version 57.0) and hit the host on port 443.

URL : https://<IP_addr>

In my case, it returned the Apache page upon accepting the certificate.

Thus, on the basis of the above observations and comment #8, marking the status of the bug as "VERIFIED".

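Added example (this script is not from the bug report or from certmonger): the asn1parse check from comment 9 done programmatically, with only the Python standard library. It walks the DER of a certificate to the BasicConstraints extension (OID 2.5.29.19), reads the cA BOOLEAN and reports whether its encoding is the one DER allows, the single byte 0xFF, which asn1parse prints as 255 in the hex dump above. The sample extension bytes, the 0x01 used as the non-DER form (an illustration of a BER-only encoding, not a claim about what certmonger emitted) and the wrap_extensions() helper are constructed for the example. The script also accepts a PEM or DER certificate file as its only argument and skips the bag-attribute prefix that openssl pkcs12 writes, so the manual edit in step 4 is not needed.

```python
"""Check that the BasicConstraints cA flag in an X.509 certificate is DER-encoded.

DER (X.690 11.1) allows exactly one encoding for BOOLEAN TRUE, the single
byte 0xFF, and forbids encoding a value equal to its DEFAULT (so cA FALSE
must be omitted).  A lenient BER decoder accepts any non-zero byte as TRUE;
a strict DER decoder such as NSS (used by Firefox) rejects anything else.
"""
import base64
import re
import sys

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19, id-ce-basicConstraints


def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, contents, position after it).

    Single-byte tags only, which covers everything in an X.509 certificate."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    contents = buf[pos:pos + length]
    if len(contents) != length:
        raise ValueError("truncated TLV")
    return tag, contents, pos + length


def iter_tlvs(buf):
    """Yield (tag, contents) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, contents, pos = read_tlv(buf, pos)
        yield tag, contents


def find_extension(buf, oid):
    """Depth-first search for Extension ::= SEQUENCE { extnID, critical OPTIONAL, extnValue }
    whose extnID equals oid; return the extnValue OCTET STRING contents, or None."""
    for tag, contents in iter_tlvs(buf):
        if tag == 0x30:  # SEQUENCE
            fields = list(iter_tlvs(contents))
            if (len(fields) >= 2 and fields[0][0] == 0x06 and fields[0][1] == oid
                    and fields[-1][0] == 0x04):
                return fields[-1][1]
        if tag & 0x20:  # constructed (SEQUENCE, SET, [3] EXPLICIT ...): descend
            found = find_extension(contents, oid)
            if found is not None:
                return found
    return None


def check_basic_constraints(cert_der):
    """Return (ca, der_ok, raw) for the certificate's BasicConstraints.

    ca     -- the cA flag as a lenient (BER) decoder would read it
    der_ok -- True only if the flag is encoded as DER requires
    raw    -- the BOOLEAN contents bytes, for the report"""
    ext = find_extension(cert_der, BASIC_CONSTRAINTS_OID)
    if ext is None:
        return None, True, b""          # no extension: nothing to check
    tag, bc, _ = read_tlv(ext)
    if tag != 0x30:
        raise ValueError("BasicConstraints extnValue is not a SEQUENCE")
    fields = list(iter_tlvs(bc))
    if not fields or fields[0][0] != 0x01:
        return False, True, b""         # cA omitted => DEFAULT FALSE, the only DER form
    raw = fields[0][1]
    ca = any(raw)                       # BER: any non-zero byte means TRUE
    der_ok = raw == b"\xff"             # DER: a present cA must be exactly 0xFF
    return ca, der_ok, raw


def pem_to_der(text):
    """Decode the first CERTIFICATE block, ignoring any text (such as the PKCS#12
    bag attributes that openssl pkcs12 prints) before -----BEGIN CERTIFICATE-----."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


# Constructed sample data (not real certmonger output): one Extension
#   SEQUENCE { OID 2.5.29.19, critical TRUE, OCTET STRING { SEQUENCE { BOOLEAN cA } } }
# wrapped as SEQUENCE { [3] { SEQUENCE OF Extension } } to mimic the position of
# tbsCertificate.extensions and exercise the search.
GOOD_EXT = bytes.fromhex("300f" "0603551d13" "0101ff" "0405" "30030101ff")  # cA = 0xFF (DER)
BAD_EXT = bytes.fromhex("300f" "0603551d13" "0101ff" "0405" "3003010101")   # cA = 0x01 (BER only)


def wrap_extensions(ext):
    exts = b"\x30" + bytes([len(ext)]) + ext
    ctx = b"\xa3" + bytes([len(exts)]) + exts
    return b"\x30" + bytes([len(ctx)]) + ctx


if __name__ == "__main__":
    if len(sys.argv) == 2:
        data = open(sys.argv[1], "rb").read()
        der = pem_to_der(data.decode()) if b"-----BEGIN" in data else data
    else:
        der = wrap_extensions(BAD_EXT)
    ca, der_ok, raw = check_basic_constraints(der)
    print(f"cA={ca} der_ok={der_ok} raw={raw.hex()}")
    sys.exit(0 if der_ok else 1)
```

The exit status is 0 only when the encoding is DER-valid, so the script can sit in a verification run. The check deliberately looks at the raw contents byte rather than the decoded value: a lenient BER decoder reports the flag as TRUE either way, which is exactly why the defect was invisible to some clients and fatal in Firefox.
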
Comment 12 errata-xmlrpc 2018-05-14 16:10:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1381