Bug 818844

Summary: MozNSS CA cert dir does not work together with PEM CA cert file
Product: Red Hat Enterprise Linux 6
Reporter: Martin Kosek <mkosek>
Component: openldap
Assignee: Jan Vcelak <jvcelak>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 6.3
CC: dspurek, jgalipea, jsynacek, jvcelak, mkosek, omoris, rmeggins, sgallagh, syeghiay, tsmetana
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openldap-2.4.23-26.el6
Doc Type: Bug Fix
Doc Text:
- TLS_CACERTDIR set to Mozilla NSS certificate database, TLS_CACERT set to PEM bundle with CA certificates, connecting to remote LDAP server with TLS enabled
- certificates from PEM bundle were not loaded, validation of remote certificate failed if the signing CA certificate was present only in PEM CA bundle specified by TLS_CACERT
- patch applied to allow loading of CA certificates from PEM bundle file, if Mozilla NSS certificate database is set up as well
- in the described situation, CA certificates from both Mozilla NSS certificate database and PEM bundle are available, so the validation would proceed as expected
Story Points: ---
Clone Of: 818723
: 819536
Environment:
Last Closed: 2012-06-20 07:32:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 818723
Bug Blocks: 819536

Description Martin Kosek 2012-05-04 07:36:31 UTC
+++ This bug was initially created as a clone of Bug #818723 +++

Description of problem:

Install latest RHEL 6.3 distro with openldap-clients-2.4.23-25.el6.

Install ipa-server, uninstall ipa-server and re-install ipa-server.

Server install will fail on installing and configuring the ipa client.

openldap-clients now uses NSS cert db

# ls /etc/openldap/certs/
cert8.db  key3.db  password  secmod.db


If you move these files and try again, the client install is successful.

<snip>

Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server dhcp-186-52.testrelm.com --realm TESTRELM.COM --hostname dhcp-186-52.testrelm.com' returned non-zero exit status 1

</snip>

Client install log ::

{{{

2012-05-03T19:34:59Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-05-03T19:34:59Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2012-05-03T19:34:59Z DEBUG [ipadnssearchkrb]
2012-05-03T19:34:59Z DEBUG [ipacheckldap]
2012-05-03T19:34:59Z DEBUG args=/usr/bin/wget -O /tmp/tmpBXaaZ0/ca.crt -T 15 -t 2 http://dhcp-186-52.testrelm.com/ipa/config/ca.crt
2012-05-03T19:34:59Z DEBUG stdout=
2012-05-03T19:34:59Z DEBUG stderr=--2012-05-03 15:34:59--  http://dhcp-186-52.testrelm.com/ipa/config/ca.crt
Resolving dhcp-186-52.testrelm.com... 10.16.186.52
Connecting to dhcp-186-52.testrelm.com|10.16.186.52|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1325 (1.3K) [application/x-x509-ca-cert]
Saving to: “/tmp/tmpBXaaZ0/ca.crt”

     0K .                                                     100%  158M=0s

2012-05-03 15:34:59 (158 MB/s) - “/tmp/tmpBXaaZ0/ca.crt” saved [1325/1325]


2012-05-03T19:34:59Z DEBUG Init ldap with: ldap://dhcp-186-52.testrelm.com:389
2012-05-03T19:34:59Z ERROR LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
2012-05-03T19:34:59Z DEBUG will use domain: testrelm.com

2012-05-03T19:34:59Z DEBUG will use server: dhcp-186-52.testrelm.com

}}}


Version-Release number of selected component (if applicable):
ipa-client-2.2.0-12.el6.i686
ipa-server-2.2.0-12.el6.i686
openldap-clients-2.4.23-25.el6.i686

How reproducible:


Steps to Reproduce:
1. install latest 6.3 distro
2. install ipa-server
3. uninstall ipa-server
4. install ipa-server

Actual results:
re-install of ipa-server fails on install and config of the ipa-client

Expected results:
successful installation

Additional info:

--- Additional comment from jvcelak on 2012-05-03 17:21:07 EDT ---

We set TLS_CACERTDIR to /etc/openldap/certs in ldap.conf with default openldap installation. This change was introduced as a fix for bug #742023. This might be the cause.

--- Additional comment from mkosek on 2012-05-04 03:35:41 EDT ---

Together with Jan Vcelak I investigated this issue in ipa-client-install. The issue only occurs when the new openldap nss db is set in the TLS_CACERTDIR configuration option. When it's commented out in /etc/openldap/ldap.conf or

ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "")

is added to the LDAP connection initialization in ipa-client-install, the installation works OK. The second change can be used as a workaround until the issue in openldap is fixed.

Comment 1 Jan Vcelak 2012-05-04 08:03:18 UTC
When TLS_CACERTDIR is set and valid, TLS_CACERT setting is skipped.
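
The rule stated in this comment, worked through as an added example that is not part of the bug report, of openldap or of IPA: a small Python audit that parses an ldap.conf, models which CA sources the MozNSS-backed client consults before and after the fix (TLS_CACERT skipped whenever TLS_CACERTDIR is set and valid; both loaded once fixed), and shows what the `ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "")` workaround from the description changes. The sample configuration and the PEM bundle path are constructed; the check for whether a directory is a valid NSS database is a heuristic (cert8.db or cert9.db present) and can be replaced by an injected predicate when auditing a configuration copied from another host.

```python
"""Audit an OpenLDAP client configuration for the TLS_CACERTDIR/TLS_CACERT
combination described in this bug (RHEL 6 openldap built against MozNSS).

Model, taken from comment 1: when TLS_CACERTDIR names a valid NSS
certificate database, the unfixed client (openldap-2.4.23-25.el6) never loads
the PEM bundle named by TLS_CACERT; the fixed client (2.4.23-26.el6) loads both.
"""
import os
import re

# Constructed sample of /etc/openldap/ldap.conf on an affected RHEL 6.3 host.
# /etc/openldap/certs is the NSS db from the report; the PEM path is made up.
SAMPLE_LDAP_CONF = """\
# OpenLDAP client configuration (constructed sample)
TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/cacerts/ipa-ca.pem
URI ldap://ldap.example.test
"""

# One "KEY value" directive per line; lines starting with '#' are comments.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z_]+)\s+(.+?)\s*$")


def parse_ldap_conf(text):
    """Return {UPPERCASE_KEY: value}; OpenLDAP directive names are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            conf[m.group(1).upper()] = m.group(2)
    return conf


def looks_like_nss_db(path):
    """Default validity heuristic: an NSS cert db directory holds cert8.db
    (dbm format, as in the report) or cert9.db (sqlite format)."""
    return os.path.isdir(path) and any(
        os.path.exists(os.path.join(path, f)) for f in ("cert8.db", "cert9.db"))


def ca_sources_consulted(conf, fixed, dir_is_nss_db=looks_like_nss_db):
    """List the (kind, path) CA sources the client actually loads.

    fixed=False models openldap-2.4.23-25.el6, fixed=True models -26.el6.
    dir_is_nss_db decides whether TLS_CACERTDIR counts as "valid".
    """
    cacertdir = conf.get("TLS_CACERTDIR", "").strip()
    cacert = conf.get("TLS_CACERT", "").strip()
    dir_valid = bool(cacertdir) and dir_is_nss_db(cacertdir)
    sources = []
    if dir_valid:
        sources.append(("nssdb", cacertdir))
    # Unfixed client: the PEM bundle is loaded only when no valid NSS db shadows it.
    if cacert and (fixed or not dir_valid):
        sources.append(("pem", cacert))
    return sources


def pem_bundle_ignored(conf, fixed, dir_is_nss_db=looks_like_nss_db):
    """True when TLS_CACERT names a bundle this client would never load, so a
    CA present only in that bundle cannot validate the server certificate."""
    cacert = conf.get("TLS_CACERT", "").strip()
    kinds = {kind for kind, _ in ca_sources_consulted(conf, fixed, dir_is_nss_db)}
    return bool(cacert) and "pem" not in kinds


def apply_workaround(conf):
    """Config-level equivalent of ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "")
    from the description: clear TLS_CACERTDIR so the PEM bundle is used."""
    patched = dict(conf)
    patched["TLS_CACERTDIR"] = ""
    return patched


def audit(text, fixed=False, dir_is_nss_db=looks_like_nss_db):
    """Parse ldap.conf text and return (pem_bundle_ignored, consulted_sources)."""
    conf = parse_ldap_conf(text)
    return (pem_bundle_ignored(conf, fixed, dir_is_nss_db),
            ca_sources_consulted(conf, fixed, dir_is_nss_db))


if __name__ == "__main__":
    path = "/etc/openldap/ldap.conf"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_LDAP_CONF
    for fixed in (False, True):
        ignored, sources = audit(text, fixed)
        label = "fixed (-26.el6)" if fixed else "unfixed (-25.el6)"
        print("%s: PEM bundle ignored=%s, sources=%s" % (label, ignored, sources))
```

Note on the workaround: clearing TLS_CACERTDIR does not add the PEM bundle to the NSS database, it swaps one source for the other, so after the workaround only the CAs in the bundle are trusted. That is acceptable for ipa-client-install, which has just downloaded the IPA CA into that bundle, but on a host that also relies on CAs stored in the NSS database the proper fix is the updated openldap package.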

Comment 14 Jan Vcelak 2012-05-07 18:21:57 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
- TLS_CACERTDIR set to Mozilla NSS certificate database, TLS_CACERT set to PEM bundle with CA certificates, connecting to remote LDAP server with TLS enabled
- certificates from PEM bundle were not loaded, validation of remote certificate failed if the signing CA certificate was present only in PEM CA bundle specified by TLS_CACERT
- patch applied to allow loading of CA certificates from PEM bundle file, if Mozilla NSS certificate database is set up as well
- in the described situation, CA certificates from both Mozilla NSS certificate database and PEM bundle are available, so the validation would proceed as expected

Comment 16 errata-xmlrpc 2012-06-20 07:32:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0899.html