Bug 1998016

Summary: RA key import failing during pki instance creation on RHEL9.0 replica from RHEL8.4 server
Product: Red Hat Enterprise Linux 9
Reporter: Kaleem <ksiddiqu>
Component: pki-core
Assignee: Jack Magne <jmagne>
Status: CLOSED ERRATA
QA Contact: PKI QE <bugzilla-pkiqe>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: aakkiang, abokovoy, amore, ckelley, dpunia, edewata, jmagne, mharmsen, pcech, rcritten, rhcs-maint, skhandel, ssidhaye, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: ckelley: needinfo-, pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-11.0.1-3.el9
Doc Type: If docs needed, set a value
Last Closed: 2022-05-17 12:41:22 UTC
Type: Bug
Bug Blocks: 2032806

Description Kaleem 2021-08-26 09:37:08 UTC
Description of problem:

RA key import failing during PKI instance creation.

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: creating certificate server db
  [2/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded

  [3/29]: creating ACIs for admin
  [4/29]: creating installation admin user
  [5/29]: configuring certificate server instance
  [6/29]: stopping certificate server instance to update CS.cfg
  [7/29]: backing up CS.cfg
  [8/29]: Add ipa-pki-wait-running
  [9/29]: secure AJP connector
  [10/29]: reindex attributes
  [11/29]: exporting Dogtag certificate store pin
  [12/29]: disabling nonces
  [13/29]: set up CRL publishing
  [14/29]: enable PKIX certificate path discovery and validation
  [15/29]: authorizing RA to modify profiles
  [16/29]: authorizing RA to manage lightweight CAs
  [17/29]: Ensure lightweight CAs container exists
  [18/29]: destroying installation admin user
  [19/29]: starting certificate server instance
  [20/29]: Finalize replication settings
  [21/29]: configure certmonger for renewals
  [22/29]: Importing RA key
Error storing key "keys/ra/ipaCert": CalledProcessError(Command ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-'] returned non-zero exit status 1: 'Traceback (most recent call last):\n  File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in <module>\n    main(ra_agent_parser())\n  File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 114, in main\n    common.main(parser, export_key, import_key)\n  File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py", line 73, in main\n    func(args, tmpdir, **kwargs)\n  File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 69, in import_key\n    ipautil.run(cmd, umask=0o027)\n  File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run\n    raise CalledProcessError(\nipapython.ipautil.CalledProcessError: CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\', \'/tmp/tmp04xw30vu/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\', \'/var/lib/ipa/ra-agent.pem\', \'-password\', \'file:/tmp/tmp04xw30vu/passwd\'] returned non-zero exit status 1: \'Error outputting keys and certificates\\n007CB411E27F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')\n')
  [error] FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

[Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


Version-Release number of selected component (if applicable):
[root@replica ~]# rpm -q ipa 389-ds-base pki-ca
package ipa is not installed
389-ds-base-2.0.8-1.el9.x86_64
pki-ca-11.0.0-0.4.alpha1.el9.noarch
[root@replica ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL8.4 IPA master
2. Install RHEL9.0 IPA replica against RHEL8.4 IPA server
3.

Actual results:
Replica install fails during pki instance creation

Expected results:
Replica install should be successful

Comment 2 François Cami 2021-08-26 12:30:11 UTC
Taking as I'm investigating this.

Comment 3 François Cami 2021-08-26 18:31:14 UTC
Reproduced.
This is similar to https://github.com/dogtagpki/pki/pull/3590.

Comment 19 Alexander Bokovoy 2021-12-15 09:56:47 UTC
So my thinking is that there are two parts here:

 - pki-core fix in bug 1998016 is required but not enough. It only fixes the first step -- when RA Agent file is generated, it is no longer encrypted with a legacy cipher

 - IPA needs to drop encryption of existing RA Agent file generated with older PKI version _before_ submitting it to replica via Custodia. This will be handled via bug 2032806.

For RHCS, I think, this is also valid, so some sort of a way to handle upgrade would be needed if RHCS supports in-place upgrade from RHEL 8 to RHEL 9.
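The "drop the legacy encryption before handing the file to the replica" step described above, as an added example that is not code from the bug report, IPA or pki-core: it reads `openssl pkcs12 -info -noout` output for a PKCS#12 file such as the RA agent export, flags PBES1 schemes that OpenSSL 3 on RHEL 9 either cannot load (RC2/RC4, the RC2-40-CBC failure in the trace) or loads but are weak (3DES), and rewrites such a file as PBES2/AES-256 by unpacking it with the legacy provider first. It assumes the `openssl` CLI is on PATH; the `-info` samples are constructed, not captured from a real server.

```python
import re
import subprocess
import tempfile
PBE_RISK = {
    # PBES1 with RC2/RC4: the cipher lives only in the legacy provider, so a load with
    # the default provider fails with "unsupported", exactly as in the trace above.
    "pbeWithSHA1And40BitRC2-CBC": "legacy", "pbeWithSHA1And128BitRC2-CBC": "legacy",
    "pbeWithSHA1And40BitRC4": "legacy", "pbeWithSHA1And128BitRC4": "legacy",
    # Loads with the default provider, but 3DES under a SHA-1 KDF is weak.
    "pbeWithSHA1And3-KeyTripleDES-CBC": "weak", "pbeWithSHA1And2-KeyTripleDES-CBC": "weak",
    "PBES2": "ok",  # PBKDF2 plus a modern cipher: what a RHEL 9 replica can consume
}
_PBE_LINE = re.compile(r"^(?:Shrouded Keybag|PKCS7 Encrypted data): ([^,]+)")

# Constructed `openssl pkcs12 -info -noout` output (legacy: RHEL 8 style; modern: PBES2).
LEGACY_SAMPLE = """PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 600000"""
MODERN_SAMPLE = """PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 600000, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 600000, PRF hmacWithSHA256"""

def pbe_algorithms(info_text):
    """PBE scheme of every encrypted bag, in the order openssl prints them."""
    matches = (_PBE_LINE.match(line.strip()) for line in info_text.splitlines())
    return [m.group(1).strip() for m in matches if m]

def classify(info_text):
    """Map each scheme found to 'legacy', 'weak', 'ok' or 'unknown'."""
    return {alg: PBE_RISK.get(alg, "unknown") for alg in pbe_algorithms(info_text)}

def needs_rewrite(info_text):
    """True when any bag would fail to load, or is weak, under OpenSSL 3 defaults."""
    return any(risk != "ok" for risk in classify(info_text).values())

def reencrypt_argv(src, dst, passfile, pem_tmp):
    """Two openssl runs: unpack via the legacy provider, re-export as PBES2/AES-256."""
    unpack = ["openssl", "pkcs12", "-in", src, "-passin", f"file:{passfile}",
              "-legacy", "-provider", "default", "-nodes", "-out", pem_tmp]
    export = ["openssl", "pkcs12", "-export", "-in", pem_tmp, "-out", dst,
              "-passout", f"file:{passfile}", "-certpbe", "AES-256-CBC",
              "-keypbe", "AES-256-CBC", "-macalg", "sha256", "-iter", "600000"]
    return [unpack, export]

def reencrypt(src, dst, passfile):
    """Rewrite src into dst; the unencrypted PEM only ever lives in a 0700 temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        pem_tmp = f"{tmp}/unpacked.pem"
        for argv in reencrypt_argv(src, dst, passfile, pem_tmp):
            subprocess.run(argv, check=True)
```

Run `openssl pkcs12 -info -noout -in <file> -passin file:<pw>` (with `-legacy -provider default` on RHEL 9 if it refuses), feed the output to `needs_rewrite`, and call `reencrypt` only when it returns True.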

Comment 24 Jack Magne 2022-02-08 00:51:38 UTC
I've followed this issue to the other IPA bug referenced, which seems to be resolved: bug 2032806.

The question is: is there more to be done from the pki side for this?

The following IRC trace was provided to me by edewata:


[Friday, February 4, 2022] [8:58:21 AM CST] <cheimes> ab / ckelley: I just finished running some tests. The ca-agent.p12 file uses a weak, problematic encryption algo.
[Friday, February 4, 2022] [8:58:36 AM CST] <cheimes> Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 600000
[Friday, February 4, 2022] [8:58:40 AM CST] Nick vvanhaft is now known as vvanhaft|afk.
[Friday, February 4, 2022] [8:58:59 AM CST] <cheimes> cacert.p12 is better: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA1
[Friday, February 4, 2022] [8:59:26 AM CST] <cheimes> Tested on RHEL 8.5 with pki-ca-10.11.2-2.module+el8.5.0+12735+8eb38ccc
[Friday, February 4, 2022] [9:00:15 AM CST] <ckelley> cheimes: yeah the stripping out of SHA-1 in pki-core/jss went in after the 9.0 branching so there is probably a lot of that sort of thing happening.
[Friday, February 4, 2022] [9:00:31 AM CST] <cheimes> http://pastebin.test.redhat.com/1027132
[Friday, February 4, 2022] [9:00:45 AM CST] <cheimes> 3DES is more of a problem


I was wondering whether it has been isolated which command pkispawn calls that triggers this issue, or whether it is some test program that is at fault. If so, it would be great to attempt to trace down what piece of code is allegedly using DES3 as reported here. Thanks.

Comment 32 errata-xmlrpc 2022-05-17 12:41:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: pki-core), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2376