Bug 1892216

Summary: openjdk z-stream broke freeipa installation
Product: Red Hat Enterprise Linux 8
Reporter: Michele Baldessari <michele>
Component: java-1.8.0-openjdk
Assignee: Andrew John Hughes <ahughes>
Status: CLOSED ERRATA
QA Contact: OpenJDK QA <java-qa>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 8.2
CC: abokovoy, abroy, ahughes, aph, arajendr, bbhavsar, cww, dchen, dciabrin, edewata, elicohen, fcami, ferryw, igarcia, jpazdziora, jvanek, ldelouw, lkuchlan, lmiccini, mbalao, mmillson, neugens, nweinber, orion, pmorey, rcritten, rom, sgehwolf, suwu, tmihinto, tscherf, xdong
Target Milestone: rc
Keywords: Regression, ZStream
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: java-1.8.0-openjdk-1.8.0.272.b10-6.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1893757 1893758 1904098 1960547
Environment:
Last Closed: 2021-05-18 15:31:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1895060
Bug Blocks: 1893757, 1893758, 1960547

Description Michele Baldessari 2020-10-28 08:25:59 UTC
Description of problem:
(Not sure this has already been reported, our searching failed us miserably. Apologies if we missed the existing BZ) 
 
Luca Miccini noticed that our CI started failing two days ago and he diagnosed the issue to be related to a jdk zstream.
 
Our starting point in terms of rpm versions is the following (this is RHEL-8.2):
[root@freeipa-0 ~]# rpm -qa |grep -e openjdk -e ipa -e pki 
redhat-logos-ipa-81.1-1.el8.noarch
python3-pki-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-tools-10.8.3-2.module+el8.2.0+6294+b7db4606.x86_64
ipa-client-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64
ipa-server-dns-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
java-1.8.0-openjdk-headless-1.8.0.272.b10-1.el8_2.x86_64
ipa-common-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
java-1.8.0-openjdk-devel-1.8.0.272.b10-1.el8_2.x86_64
python3-libipa_hbac-2.2.3-20.el8.x86_64
sssd-ipa-2.2.3-20.el8.x86_64
ipa-healthcheck-core-0.4-4.module+el8.2.0+5489+95477d9f.noarch
pki-base-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
krb5-pkinit-1.17-18.el8.x86_64
pki-symkey-10.8.3-2.module+el8.2.0+6294+b7db4606.x86_64
pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-base-java-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
pki-server-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
pki-kra-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
ipa-server-common-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
python3-ipaclient-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
python3-ipaserver-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
ipa-server-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64
ipa-client-common-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
java-1.8.0-openjdk-1.8.0.272.b10-1.el8_2.x86_64
libipa_hbac-2.2.3-20.el8.x86_64
python3-ipalib-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
pki-ca-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
 
[root@freeipa-0 tmp]# date && ./freeipa_setup.sh
Wed Oct 28 04:00:50 EDT 2020
 
This will fail with:
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmprm0e_2s6'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: Server unreachable due to SSL error: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:897)\n  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn\n    request_timeout=status_request_timeout,\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 911, in wait_for_startup\n    raise Exception(\'Server unreachable due to SSL error: %s\' % reason) from exc\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
 
This started failing with the new openjdk package. When downgrading it, everything works again.
java-1.8.0-openjdk-1:1.8.0.272.b10-1.el8_2.x86_64 -> Breaks FreeIPA install
java-1.8.0-openjdk-devel-1:1.8.0.265.b01-0.el8_2.x86_64 -> Works correctly with FreeIPA install
 
After downgrading the package with:
if rpm -q --queryformat '%{version}' java-1.8.0-openjdk |grep "1.8.0.272"; then dnf downgrade -y java-1.8.0-openjdk java-1.8.0-openjdk-headless; fi
 
The installation of freeipa proceeded normally (java-1.8.0-openjdk-1.8.0.265.b01-0.el8_2.x86_64 is what we downgraded to):
...
Client configuration complete.
The ipa-client-install command was successful
 
==============================================================================
Setup complete
...
 
Log files/sosreports can be found here:
http://file.rdu.redhat.com/~mbaldess/freeipa-jdk-bz/

Comment 1 Alexander Bokovoy 2020-10-28 08:35:06 UTC
The fix should really be in openjdk. We've seen this multiple times in Fedora as well.

Comment 4 Alexander Bokovoy 2020-10-29 06:41:18 UTC
*** Bug 1892515 has been marked as a duplicate of this bug. ***

Comment 5 Alexander Bokovoy 2020-10-29 07:40:57 UTC
*** Bug 1892555 has been marked as a duplicate of this bug. ***

Comment 30 ferryw 2020-11-03 11:28:41 UTC
Downgrading on CentOS8 doesn't work. It produces an error: lowest version already installed, cannot downgrade it

Is there some reason why this solution would work on RHEL, but not on CentOS?

Comment 45 Alexander Bokovoy 2020-11-06 08:54:20 UTC
(In reply to Andrew John Hughes from comment #43)
> > 
> > I don't quite understand. Is it a bug in OpenJDK or FreeIPA?
> > 
> 
> It's both :-)
> 
> The initial bug is in FreeIPA. It claims to implement the type
> RSAPrivateKey, but it only returns null for the only method of that type,
> getPrivateExponent(). 

Just to correct: there are two bugs: one in OpenJDK, one in JSS library used by Dogtag.

Neither requires changes in FreeIPA itself -- Dogtag is FreeIPA's dependency but FreeIPA itself doesn't use JSS.

Comment 46 Andrew John Hughes 2020-11-06 09:01:18 UTC
Right.

In testing, the client is requesting:

"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha224, ecdsa_sha1, rsa_sha224, rsa_pkcs1_sha1, dsa_sha224, dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512]

The first ones are inapplicable because an RSA key is being used ("sslserver private or public key is not of EC algorithm").

So it tries rsa_pss_pss_sha256.

With the JSS bug, this crashes.

If the JSS bug is fixed, the key is rejected by rsa_pss_pss_sha256 but OpenJDK does not try any of the others.

With the OpenJDK bug fixed, rsa_pkcs1_sha256 will be used.
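A simplified model of the scheme-selection behaviour described in comment 46, added here as an illustration; it is not OpenJDK's, JSS's or Dogtag's own code. The key class, the abridged scheme list and the rule "PSS schemes need an inspectable private key, PKCS#1 schemes do not" are assumptions made for the model.

```java
import java.math.BigInteger;
import java.security.interfaces.RSAPrivateKey;
import java.util.Arrays;
import java.util.List;

public class SchemeFallbackModel {
    // Assumed stand-in for the JSS key: it claims to be an RSAPrivateKey but
    // cannot hand out its private exponent (the behaviour quoted in comment 45).
    static final class OpaqueRsaKey implements RSAPrivateKey {
        public BigInteger getPrivateExponent() { return null; }
        public BigInteger getModulus() { return BigInteger.valueOf(3233); } // constructed toy value
        public String getAlgorithm() { return "RSA"; }
        public String getFormat() { return null; }
        public byte[] getEncoded() { return null; }
    }

    // Client-offered schemes, in the order quoted in comment 46 (abridged).
    static final List<String> OFFERED = Arrays.asList(
        "ecdsa_secp256r1_sha256", "ed25519", "rsa_pss_pss_sha256",
        "rsa_pss_rsae_sha256", "rsa_pkcs1_sha256", "rsa_pkcs1_sha1");

    // Model assumption: EC/EdDSA schemes never fit an RSA key; PSS schemes need
    // to inspect the private key; PKCS#1 schemes can sign through the provider.
    static boolean usable(String scheme, RSAPrivateKey key) {
        if (!scheme.startsWith("rsa_")) return false;
        if (scheme.startsWith("rsa_pss_")) return key.getPrivateExponent() != null;
        return true;
    }

    // Before the OpenJDK fix: the first scheme whose key type matches is the only
    // candidate; if it rejects the key, selection ends and the handshake fails.
    static String selectStopAtFirst(RSAPrivateKey key) {
        for (String s : OFFERED) {
            if (s.startsWith("rsa_")) return usable(s, key) ? s : null;
        }
        return null;
    }

    // After the fix: keep walking the client's list until a scheme accepts the key.
    static String selectWithFallback(RSAPrivateKey key) {
        for (String s : OFFERED) {
            if (usable(s, key)) return s;
        }
        return null;
    }

    public static void main(String[] args) {
        RSAPrivateKey key = new OpaqueRsaKey();
        System.out.println("without fallback: " + selectStopAtFirst(key));
        System.out.println("with fallback:    " + selectWithFallback(key));
    }
}
```

A null result from the first selector is the "key rejected, nothing else tried" outcome that surfaces to pkispawn as the SSL error in the description; the second selector reaches rsa_pkcs1_sha256 as comment 46 says the fixed OpenJDK does.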

Comment 51 Michele Baldessari 2020-11-08 10:38:01 UTC
*** Bug 1895677 has been marked as a duplicate of this bug. ***

Comment 60 errata-xmlrpc 2021-05-18 15:31:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (java-1.8.0-openjdk bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1795

Comment 61 Red Hat Bugzilla 2023-09-15 00:50:15 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days