Bug 1567910

Summary: IPA install with external-CA is failing when FIPS mode enabled.
Product: Red Hat Enterprise Linux 7
Reporter: Mohammad Rizwan <myusuf>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: high
Docs Contact:
Priority: high
Version: 7.5
CC: edewata, ftweedal, ksiddiqu, mharmsen, msauton, myusuf, ndehadra, pvoborni, rcritten, slaznick, tscherf
Target Milestone: rc
Keywords: Regression, TestCaseProvided, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1572548
Environment:
Last Closed: 2018-10-30 11:07:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1572548

Description Mohammad Rizwan 2018-04-16 12:20:12 UTC
Description of problem:
IPA server install failing with external-ca when FIPS mode enabled in 7.5.1. It was passing in 7.5.

Version-Release number of selected component (if applicable):
ipa-server-4.5.4-10.el7_5.1.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install ipa with --external-ca option
2. sign the csr using external-ca
3. Proceed to install ipa-server with external-cert signed in step2

Actual results:
ipa install fail due to:
exception: RuntimeError: CA configuration failed.

Expected results:
ipa install success

Additional info:

Comment 6 Standa Laznicka 2018-04-17 12:05:53 UTC
Endi, Fraser,

In the pkispawn log I am seeing the following:

"""
2018-04-16 06:41:38 pkispawn    : INFO     ....... validating signing certificate
2018-04-16 06:41:39 pkispawn    : DEBUG    ....... Error Type: CalledProcessError
2018-04-16 06:41:39 pkispawn    : DEBUG    ....... Error Message: Command '['pki-server', 'subsystem-cert-validate', '-i', 'pki-tomcat', 'ca', 'signing']' returned non-zero exit status 1
2018-04-16 06:41:39 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 533, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1060, in spawn
    self.validate_system_certs(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 798, in validate_system_certs
    self.validate_system_cert(deployer, nssdb, subsystem, 'signing')
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 793, in validate_system_cert
    subsystem.validate_system_cert(tag)
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 211, in validate_system_cert
    stderr=subprocess.STDOUT)
  File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
"""

It seems that the validation of the signing cert failed for some reason pkispawn keeps for himself. Did PKI in FIPS RHEL 7.5.1 add some harder requirements for these use cases?

Comment 7 Endi Sukma Dewata 2018-04-17 16:21:10 UTC
Mohammad, could you run this command and provide the output? Thanks.

 $ pki-server subsystem-cert-validate -i pki-tomcat -v ca signing

Comment 8 Mohammad Rizwan 2018-04-18 06:23:23 UTC
[root@master ~]# pki-server subsystem-cert-validate -i pki-tomcat -v ca signing
{'certusage': 'SSLCA', 'nickname': 'caSigningCert cert-pki-ca', 'request': '...', 'not_before': 1523875293000.0, 'token': 'Internal Key Storage Token', 'not_after': 1531737693000.0, 'serial_number': 2906561457, 'issuer': u'CN=Test_CA', 'data': '...', 'id': 'signing', 'subject': u'CN=Certificate Authority,O=TESTRELM.TEST'}
  Cert ID: signing
  Nickname: caSigningCert cert-pki-ca
  Usage: SSLCA
  Token: Internal Key Storage Token
Command: pki -d /var/lib/pki/pki-tomcat/alias --token Internal Key Storage Token -C /tmp/tmpfvldwj client-cert-validate Internal Key Storage Token:caSigningCert cert-pki-ca --certusage SSLCA
  Status: ERROR: ObjectNotFoundException: Certificate not found: Internal Key Storage Token:caSigningCert cert-pki-ca

-----------------
Validation failed
-----------------

Comment 11 Endi Sukma Dewata 2018-04-23 19:09:03 UTC
I'm not aware of specific FIPS requirements imposed by PKI, but I'm not the expert in that area. Usually such requirements are imposed by NSS.

Comment 13 Endi Sukma Dewata 2018-04-24 01:59:50 UTC
Apparently it's caused by token name normalization problem in PKI.
I opened this upstream ticket: https://pagure.io/dogtagpki/issue/2997
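Added illustration of the token-name normalization problem named in comment 13, written for this page and not taken from the Dogtag PKI fix: it models the NSS convention that certificates on the internal software token are addressed by bare nickname, while certificates on an external token are addressed as "token:nickname", and rebuilds the failing command line from comment 8 both ways. The function names and the `normalize` switch are this example's own.

```python
# Illustrative only (not the pki-server code): shows why prefixing the
# internal token name produced "Certificate not found:
# Internal Key Storage Token:caSigningCert cert-pki-ca" in comment 8.
# NSS addresses certs on its internal (software) token by bare nickname;
# only certs on an external token are addressed as "<token>:<nickname>".

# Spellings of the internal token seen in NSS/PKI tooling (comment 8 uses
# the long form); compared case-insensitively.
INTERNAL_TOKEN_NAMES = {'internal', 'internal key storage token'}


def normalize_token(token):
    """Return None for the internal token, else the token name unchanged."""
    if token is None:
        return None
    if token.strip().lower() in INTERNAL_TOKEN_NAMES:
        return None
    return token


def full_nickname(token, nickname, normalize=True):
    """Build the cert reference passed to pki client-cert-validate.

    normalize=False reproduces the buggy reference seen in comment 8.
    """
    tok = normalize_token(token) if normalize else token
    return nickname if not tok else '%s:%s' % (tok, nickname)


def validate_cmd(nssdb_dir, token, nickname, certusage, normalize=True):
    """Assemble the argv for the validation step, with or without the fix."""
    cmd = ['pki', '-d', nssdb_dir]
    tok = normalize_token(token) if normalize else token
    if tok:
        # --token is only meaningful for an external token.
        cmd += ['--token', tok]
    cmd += ['client-cert-validate', full_nickname(token, nickname, normalize),
            '--certusage', certusage]
    return cmd


if __name__ == '__main__':
    # Values taken from the command shown in comment 8.
    args = ('/var/lib/pki/pki-tomcat/alias', 'Internal Key Storage Token',
            'caSigningCert cert-pki-ca', 'SSLCA')
    print('buggy :', ' '.join(validate_cmd(*args, normalize=False)))
    print('fixed :', ' '.join(validate_cmd(*args)))
```

Running it prints the comment 8 command line first (token-prefixed nickname that NSS cannot find) and then the normalized form that refers to the internal-token certificate by nickname alone.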

Comment 14 Matthew Harmsen 2018-04-25 00:17:38 UTC
Per RHEL 7.5.z/7.6/8.0 Triage: 10.5.z

Comment 19 Endi Sukma Dewata 2018-04-26 18:45:02 UTC
The fix can be verified with the procedure provided in the original bug description, either with IPA or without IPA.

Comment 22 Nikhil Dehadrai 2018-07-20 11:32:26 UTC
IPA-server Version: ipa-server-4.6.4-2.el7.x86_64

Verified the bug on the basis of following points:
1. Verified that IPA-server installation for EXTERNAL-CA is Successful in FIPS mode.
2. Verified that IPA-server installation is successful in FIPS mode.
3. Verified that IPA-Server installation for EXTERNAL-CA is successful in non-FIPS mode.

Thus on the basis of above observation, marking the status of bug to 'VERIFIED'.

Comment 25 errata-xmlrpc 2018-10-30 11:07:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195