Bug 1663112

Summary: ipa-getcert crashes in ipa-submit
Product: [Fedora] Fedora
Reporter: Martin Pitt <mpitt>
Component: certmonger
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: mharmsen, nalin, rcritten
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-01-04 06:48:37 UTC
Type: Bug

Description Martin Pitt 2019-01-03 08:25:49 UTC
Description of problem: Retrieving an IPA certificate stopped working and now causes a crash in ipa-submit.

Version-Release number of selected component (if applicable):

certmonger-0.79.6-3.fc29.i686
freeipa-client-4.7.2-1.fc29.i686

How reproducible: Always


Steps to Reproduce:
1. Join an existing FreeIPA domain
2. Create a new service name:
   ipa service-add --ok-as-delegate=true --force HTTP/$(hostname -f)@COCKPIT.LAN
3. Try to get a certificate for it:
   ipa-getcert request -f /run/cockpit/ipa.crt -k /run/cockpit/ipa.key -K HTTP/$(hostname -f) -w -v

Actual results:

ipa-getcert fails:

New signing request "20190103081316" added.
State NEWLY_ADDED_READING_KEYINFO, stuck: no.
State SUBMITTING, stuck: no.
State NEED_GUIDANCE, stuck: yes.

Status:

# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20190103081316':
	status: NEED_GUIDANCE
	stuck: yes
	key pair storage: type=FILE,location='/run/cockpit/ipa.key'
	certificate: type=FILE,location='/run/cockpit/ipa.crt'
	CA: IPA
	issuer: 
	subject: 
	expires: unknown
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Journal:

audit: type=1400 audit(1546503632.923:4273): avc:  denied  { execute } for  pid=12626 comm="certmonger" path=2F72756E2F636572746D6F6E6765722F6666696F6477476D50202864656C6574656429 dev="tmpfs" ino=133042 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:certmonger_var_run_t:s0 tclass=file permissive=1
AVC avc:  denied  { execute } for  pid=12626 comm="certmonger" path=2F72756E2F636572746D6F6E6765722F6666696F6477476D50202864656C6574656429 dev="tmpfs" ino=133042 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:certmonger_var_run_t:s0 tclass=file permissive=1
SYSCALL arch=40000003 syscall=192 success=yes exit=-1208791040 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2479 pid=12626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
audit: type=1300 audit(1546503632.923:4273): arch=40000003 syscall=192 success=yes exit=-1208791040 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2479 pid=12626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
PROCTITLE proctitle=2F7573722F7362696E2F636572746D6F6E676572002D53002D70002F7661722F72756E2F636572746D6F6E6765722E706964002D6E
audit: type=1327 audit(1546503632.923:4273): proctitle=2F7573722F7362696E2F636572746D6F6E676572002D53002D70002F7661722F72756E2F636572746D6F6E6765722E706964002D6E
ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:certmonger_t:s0 pid=12627 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" sig=6 res=1
audit: type=1701 audit(1546503633.013:4274): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:certmonger_t:s0 pid=12627 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" sig=6 res=1
Started Process Core Dump (PID 12629/UID 0).
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@5-12629-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: type=1130 audit(1546503633.041:4275): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@5-12629-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Process 12627 (ipa-submit) of user 0 dumped core.

Stack trace of thread 12627:
#0  0x00000000b7f59d21 __kernel_vsyscall (linux-gate.so.1)
#1  0x00000000b7901b46 raise (libc.so.6)
#2  0x00000000b78eb374 abort (libc.so.6)
#3  0x00000000b78eb27b __assert_fail_base.cold.0 (libc.so.6)
#4  0x00000000b78f98df __assert_fail (libc.so.6)
#5  0x00000000b7de92ea n/a (libkrb5.so.3)
#6  0x00000000b7de9dab n/a (libkrb5.so.3)
#7  0x00000000b7df3237 n/a (libkrb5.so.3)
#8  0x00000000b7deac1a krb5_cccol_have_content (libkrb5.so.3)
#9  0x00000000b742eee3 n/a (libgssapi_krb5.so.2)
#10 0x00000000b742f201 n/a (libgssapi_krb5.so.2)
#11 0x00000000b74327ea n/a (libgssapi_krb5.so.2)
#12 0x00000000b7437f91 n/a (libgssapi_krb5.so.2)
#13 0x00000000b7438970 n/a (libgssapi_krb5.so.2)
#14 0x00000000b7421576 gss_init_sec_context (libgssapi_krb5.so.2)
#15 0x00000000b7449dbe n/a (libgssapi_krb5.so.2)
#16 0x00000000b744a45d n/a (libgssapi_krb5.so.2)
#17 0x00000000b7421576 gss_init_sec_context (libgssapi_krb5.so.2)
#18 0x00000000b7882d6e n/a (libcurl.so.4)
#19 0x00000000b7896993 n/a (libcurl.so.4)
#20 0x00000000b786e506 n/a (libcurl.so.4)
#21 0x00000000b7848193 n/a (libcurl.so.4)
#22 0x00000000b784c5bb n/a (libcurl.so.4)
#23 0x00000000b7860476 n/a (libcurl.so.4)
#24 0x00000000b786ad70 n/a (libcurl.so.4)
#25 0x00000000b786bff9 curl_multi_perform (libcurl.so.4)
#26 0x00000000b7f3ee5d curlMulti_perform (libxmlrpc_client.so.3)
#27 0x00000000b7f3c9f3 finishCurlMulti (libxmlrpc_client.so.3)
#28 0x00000000b7f3d186 call (libxmlrpc_client.so.3)
#29 0x00000000b7f3a0b1 xmlrpc_client_call2 (libxmlrpc_client.so.3)
#30 0x000000000040f622 n/a (ipa-submit)
#31 0x000000000040c1a1 n/a (ipa-submit)
#32 0x000000000040b360 n/a (ipa-submit)
#33 0x00000000b78ecc09 __libc_start_main (libc.so.6)
#34 0x000000000040bc70 n/a (ipa-submit)

SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@5-12629-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: type=1131 audit(1546503633.364:4276): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@5-12629-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'


Expected results: Certificate creation succeeds


Additional info: There are tons of SELinux denials in that process, tracked by e.g. bug 1624930. But this is a new issue -- before doing this, I explicitly disabled SELinux with "setenforce 0", which can be seen by the "permissive=1" parts in the journal.
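
Added example, not part of the original report: the audit records in the journal above hex-encode the `path=` and `proctitle=` values, so this sketch decodes them and correlates the AVC denial (including its `permissive` flag) with the ANOM_ABEND crash record. The names `parse_record`, `summarize` and `HEX_FIELDS` are this example's own; the three records are copied from the journal excerpt.

```python
import re
import signal

# Records copied from the journal excerpt in this report.
AVC = ('AVC avc:  denied  { execute } for  pid=12626 comm="certmonger" '
       'path=2F72756E2F636572746D6F6E6765722F6666696F6477476D50202864656C6574656429 '
       'dev="tmpfs" ino=133042 scontext=system_u:system_r:certmonger_t:s0 '
       'tcontext=system_u:object_r:certmonger_var_run_t:s0 tclass=file permissive=1')
PROCTITLE = ('PROCTITLE proctitle='
             '2F7573722F7362696E2F636572746D6F6E676572002D53002D70002F7661722F72756E2F636572746D6F6E6765722E706964002D6E')
ABEND = ('ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 '
         'subj=system_u:system_r:certmonger_t:s0 pid=12627 comm="ipa-submit" '
         'exe="/usr/libexec/certmonger/ipa-submit" sig=6 res=1')

# String fields audit may hex-encode; numeric ones (ino=, pid=) are never decoded.
HEX_FIELDS = {"path", "proctitle", "comm", "exe", "name", "cwd"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into fields, decoding hex-encoded strings."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1]
        elif key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
            # proctitle is a NUL-separated argv; render it as a command line.
            raw = bytes.fromhex(raw).decode("utf-8", "replace").replace("\0", " ")
        fields[key] = raw
    perms = re.search(r'\{ ([^}]*) \}', line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def summarize(avc_line, proctitle_line, abend_line):
    """Correlate the denial, the daemon command line and the crash record."""
    avc, title, abend = map(parse_record, (avc_line, proctitle_line, abend_line))
    return {
        "denied": avc["perms"],
        "path": avc["path"],
        "enforced": avc["permissive"] == "0",  # permissive=1: logged only
        "daemon": title["proctitle"],
        "crashed": abend["exe"],
        "signal": signal.Signals(int(abend["sig"])).name,
    }


if __name__ == "__main__":
    print(summarize(AVC, PROCTITLE, ABEND))
```

The decoded signal name matches the `abort` frame in the stack trace, and `enforced` comes out false for this record, which is the "permissive=1" observation made in the description.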

Comment 1 Martin Pitt 2019-01-03 08:30:47 UTC
FTR, this is not specific to i686, this regression happens on x86_64 as well (https://github.com/cockpit-project/cockpit/pull/10894). I just happened to investigate it on i686.

Comment 2 Rob Crittenden 2019-01-03 13:05:18 UTC
I suspect this is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1622760

Please try the updated krb5 rpms in https://bodhi.fedoraproject.org/updates/FEDORA-2018-dc944aaa79

Comment 3 Martin Pitt 2019-01-04 06:48:37 UTC
Confirmed, with that krb5 version it works again. Thanks!

*** This bug has been marked as a duplicate of bug 1622760 ***