Bug 1777611

Summary: sanity check the environment for proxy configuration so that proxy configuration does not cause installation to fail.
Product: Red Hat Enterprise Linux 8
Reporter: Glen Babiano <gbabiano>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: NEW
QA Contact: ipa-qe <ipa-qe>
Severity: medium
Priority: medium
Version: 8.1
CC: fcami, pasik, rcritten, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: All
Type: Bug

Description Glen Babiano 2019-11-28 00:32:20 UTC
Description of problem:
IHAC, who wants to raise an RFE to improve error messages to make it easier to pinpoint the issue for anyone who will be in the same situation in the future. Here's the customer's observation and recommendation:
-----
So, I went digging through the source code to see what IPA is trying to do - at that stage it wanted to establish an https connection towards the Master using the python-request module. It occurred to me that the system has an http & https proxy configured in /etc/environment. When I unset this proxy, installation of the replica was successful.

So, apparently, when the request module failed to connect to the master through http/https, it threw "SSL verification failed", which is misleading. The proxy replied with another CA certificate, so the error should say something like "Certificate mismatch" - the client already downloaded the IPA CA certificate to the trusted CA repository. Also, the proxy reply came from a different IP than the IPA master, so maybe some check for http/s traffic hijacking could also be good to implement.
-----

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 7.7
ipa-server-4.6.5-11

How reproducible:
Always

Actual results:
# ipa-replica-install --password 'random_password' --server idm.example.com --domain example.com --setup-dns --setup-ca --no-forwarder

ipapython.admintool: DEBUG    The ipa-replica-install command failed, exception: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR    [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Expected results:
ipa-replica-install should perform a sanity check of the environment for proxy configuration, or scrub the environment so that proxy configuration does not cause installation to fail.

Additional info:
Fraser Tweedale has the following suggestion on the idm-tech mailing list:

Please file the RFE, but I think rather than change the error message, it should be to either sanity check the environment for proxy configuration, or scrub the environment so that proxy configuration does not cause installation to fail.

I don't think there's much we can do about the error message - certificate mismatch is what is causing the SSL/TLS verification failure. Most of the time a TLS library does not distinguish these cases.

Comment 3 Christian Heimes 2020-01-09 13:39:15 UTC
There is an existing upstream ticket for the problem, https://pagure.io/freeipa/issue/5555
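
One way the environment sanity check and scrub requested in this report could look, as an added example (not FreeIPA code and not part of the bug thread). The function names and the simplified no_proxy matching are assumptions; idm.example.com is the server name used in the report, and the proxy host is constructed.

```python
import os
from urllib.parse import urlsplit

# Proxy variables python-requests consults for an https:// URL (either case).
HTTPS_PROXY_VARS = ("https_proxy", "all_proxy")
ALL_PROXY_VARS = {"http_proxy", "https_proxy", "ftp_proxy", "all_proxy"}


def _lookup(env, name):
    """Return the lower- or upper-case variant of a variable, or None."""
    return env.get(name) or env.get(name.upper()) or None


def _redact(url):
    """Reduce a proxy URL to host[:port] so credentials never reach the log."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = parts.hostname or "?"
    return f"{host}:{parts.port}" if parts.port else host


def bypassed(host, no_proxy):
    """Simplified no_proxy match (assumption): '*' or exact/suffix hostname."""
    host = host.lower().rstrip(".")
    for raw in (no_proxy or "").split(","):
        entry = raw.strip().lower().lstrip(".")
        if entry == "*" or (entry and (host == entry or host.endswith("." + entry))):
            return True
    return False


def check_proxy(host, env=None):
    """Return warnings if HTTPS traffic to `host` would be sent via a proxy."""
    env = os.environ if env is None else env
    if bypassed(host, _lookup(env, "no_proxy")):
        return []
    found = [(n, _lookup(env, n)) for n in HTTPS_PROXY_VARS]
    return [f"{n} is set: connections to {host} would go through {_redact(v)}"
            for n, v in found if v]


def scrub_proxy(env=None):
    """Return a copy of the environment without any proxy variables."""
    env = os.environ if env is None else env
    return {k: v for k, v in env.items() if k.lower() not in ALL_PROXY_VARS}


if __name__ == "__main__":
    # Constructed sample environment; the proxy host is made up.
    sample = {"HTTPS_PROXY": "http://user:secret@proxy.corp.example:3128",
              "PATH": "/usr/bin"}
    print(check_proxy("idm.example.com", sample))
    print(check_proxy("idm.example.com", scrub_proxy(sample)))
```

Running the check before the first HTTPS request lets the installer name the proxy variable as the likely cause instead of surfacing only CERTIFICATE_VERIFY_FAILED.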