Bug 2066308

Summary: ipa-healthcheck incorrectly complains about mismatching certificates.
Product: Red Hat Enterprise Linux 8
Reporter: Têko Mihinto <tmihinto>
Component: ipa-healthcheck
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: medium
Priority: medium
Version: 8.5
CC: fcami, frenaud, mpolovka, rjeffman, ssidhaye
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Fixed In Version: ipa-healthcheck-0.7-12.module+el8.7.0+14713+9764d4cb
Doc Type: If docs needed, set a value
Clone Of: ---
Clones: 2067213 (view as bug list)
Last Closed: 2022-11-08 09:35:50 UTC
Type: Bug
Regression: ---
Bug Depends On: ---
Bug Blocks: 2067213

Description Têko Mihinto 2022-03-21 13:14:12 UTC
Description of problem:
ipa-healthcheck is complaining about a mismatch between certificates in LDAP and the associated ones in NSS DB.

For instance:

# ipa-healthcheck --debug --verbose --failures-only
...
{
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPADogtagCertsMatchCheck",
    "result": "ERROR",
    "uuid": "9983f519-26c6-4098-a11c-d7ccbf906176",
    "when": "20220307071047Z",
    "duration": "68.469356",
    "kw": {
      "key": "ocspSigningCert cert-pki-ca",
      "nickname": "ocspSigningCert cert-pki-ca",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"
    }
...
#

Version-Release number of selected component (if applicable):

$ grep ipa-healthcheck <SOS_REPORT>/installed-rpms 
ipa-healthcheck-0.7-6.module+el8.5.0+11410+91a33fe4.noarch  Tue Dec  7 10:21:52 2021
ipa-healthcheck-core-0.7-6.module+el8.5.0+11410+91a33fe4.noarch Tue Dec  7 10:20:23 2021
$
$ cat <SOS_REPORT>/etc/redhat-release 
Red Hat Enterprise Linux release 8.5 (Ootpa)
$


How reproducible:
Always on the customer site.

Steps to Reproduce:
Run this ipa-healthcheck command:
# ipa-healthcheck --debug --verbose --failures-only

Actual results:
The tool reports that there is a mismatch between the certificates in LDAP and NSS DB. 

Expected results:
Provide more information (e.g. the LDAP DN of the certificate being compared) in debug or verbose mode.

Additional info:
1) There are 3 LDAP entries for the certificate "OCSP Subsystem" and one of them is matching the data in the NSS DB.
==> Does the tool compare all relevant certificates in LDAP with the one in the NSS DB?

2) There are almost 20K certificates under "ou=certificateRepository,ou=ca,o=ipaca".
==> Any time or size limit being applied?

Comment 2 Florence Blanc-Renaud 2022-03-22 08:34:54 UTC
The check IPADogtagCertsMatchCheck reads the certs from ou=certificateRepository,ou=ca,o=ipaca and checks whether the tree contains an LDAP entry satisfying the following two conditions:
- the 'userCertificate' attribute must contain the same value as the cert read from /etc/pki/pki-tomcat/alias (with nickname ocspSigningCert cert-pki-ca)
- the 'subjectName' attribute must contain CN=OCSP Subsystem,O=<realm>

I think this BZ is a real issue because ipa-healthcheck hardcodes the expected subject name, but IdM provides an option that allows customizing the subject base of its certificates (with ipa-server-install --subject-base=SUBJECT). The expected subject name should be:
CN=OCSP Subsystem,<subject-base>
instead of
CN=OCSP Subsystem,O=<realm>

The subject base can be found in the file /var/lib/ipa/sysupgrade/sysupgrade.state
# cat /var/lib/ipa/sysupgrade/sysupgrade.state
[certmap.conf]
subject_base = O=ALTNAME.TEST,C=OTHER
...

The following method can be used to find the subject base:
https://github.com/freeipa/freeipa/blob/67488d2342577cd226539c72d2a79362d9736b30/ipaserver/install/dsinstance.py#L1287

from ipaserver.install import dsinstance
subject_base = dsinstance.DsInstance().find_subject_base()


Relevant code to be fixed in ipa-healthcheck:
https://github.com/freeipa/freeipa-healthcheck/blob/b4af69d246a40f099c24d509fcf6e60a6d99c17e/src/ipahealthcheck/ipa/certs.py#L777
----- 8< -----
        expected_nicks_subjects = {
            'ocspSigningCert cert-pki-ca':
                'CN=OCSP Subsystem,O=%s' % api.env.realm,
            'subsystemCert cert-pki-ca':
                'CN=CA Subsystem,O=%s' % api.env.realm,
            'auditSigningCert cert-pki-ca':
                'CN=CA Audit,O=%s' % api.env.realm,
            'Server-Cert cert-pki-ca':
                'CN=%s,O=%s' % (api.env.host, api.env.realm),
        }

----- >8 -----
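Added illustration (editor's example, not ipa-healthcheck's code and not part of the comment above) of the corrected check: the expected subject is built from the installed subject base instead of a hardcoded O=<realm>, every certificateRepository entry with that subject is examined (renewals leave several), and the DN of the matching entry is returned so verbose output can show it. `Env` stands in for `api.env`; the entries and DER values are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

@dataclass
class Env:
    """Stand-in for ipa-healthcheck's api.env (only realm and host used)."""
    realm: str
    host: str

def expected_nicks_subjects(env: Env, subject_base: str) -> Dict[str, str]:
    """Subject each Dogtag nickname should carry, built from the installed
    subject base (what find_subject_base() returns) rather than O=<realm>."""
    return {
        'ocspSigningCert cert-pki-ca': 'CN=OCSP Subsystem,%s' % subject_base,
        'subsystemCert cert-pki-ca': 'CN=CA Subsystem,%s' % subject_base,
        'auditSigningCert cert-pki-ca': 'CN=CA Audit,%s' % subject_base,
        'Server-Cert cert-pki-ca': 'CN=%s,%s' % (env.host, subject_base),
    }

def find_matching_entry(nss_der: bytes, expected_subject: str,
                        entries: Iterable[dict]) -> Optional[str]:
    """DN of the first entry whose subjectName equals expected_subject and whose
    userCertificate holds the NSS DB cert; None if no entry matches both."""
    for entry in entries:
        if entry['subjectName'] != expected_subject:
            continue
        if nss_der in entry.get('userCertificate', []):
            return entry['dn']
    return None

# Constructed sample: a custom --subject-base install with three OCSP entries
# (two prior renewals plus the current cert), as in the report. Placeholder DER.
ENV = Env(realm='ALTNAME.TEST', host='ipa.altname.test')
SUBJECT_BASE = 'O=ALTNAME.TEST,C=OTHER'
CURRENT_OCSP_DER = b'placeholder-der-current'
REPO = 'ou=certificateRepository,ou=ca,o=ipaca'
ENTRIES = [
    {'dn': 'cn=12,%s' % REPO, 'subjectName': 'CN=OCSP Subsystem,%s' % SUBJECT_BASE,
     'userCertificate': [b'placeholder-der-old1']},
    {'dn': 'cn=58,%s' % REPO, 'subjectName': 'CN=OCSP Subsystem,%s' % SUBJECT_BASE,
     'userCertificate': [b'placeholder-der-old2']},
    {'dn': 'cn=97,%s' % REPO, 'subjectName': 'CN=OCSP Subsystem,%s' % SUBJECT_BASE,
     'userCertificate': [CURRENT_OCSP_DER]},
]

def check_ocsp(subject_base: str) -> Optional[str]:
    """Run the OCSP nickname check against a given subject base."""
    nick = 'ocspSigningCert cert-pki-ca'
    expected = expected_nicks_subjects(ENV, subject_base)[nick]
    return find_matching_entry(CURRENT_OCSP_DER, expected, ENTRIES)
```

Calling `check_ocsp('O=ALTNAME.TEST')` reproduces the false ERROR (no entry matches the hardcoded subject), while `check_ocsp(SUBJECT_BASE)` finds the current certificate.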

Comment 4 Rob Crittenden 2022-03-29 16:52:15 UTC
Fixed upstream: a720d10e2c0d901fbc923985f8b7db0ee601fc55

Comment 17 errata-xmlrpc 2022-11-08 09:35:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7540