Bug 829086

Summary: ipa-replica-install using pkcs12 files failed with TLS hostname does not match CN in peer certificate
Product: Red Hat Enterprise Linux 6
Reporter: Scott Poore <spoore>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: unspecified
Version: 6.3
CC: mkosek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-06-07 16:28:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Scott Poore 2012-06-05 22:27:28 UTC
Description of problem:

After uninstalling and re-installing an IPA replica using the pkcs12 options for the gpg file, I am seeing some errors:

:: [17:43:14] ::  EXECUTING: ipa-replica-install -U --setup-dns --no-forwarders -w XXXXXXXX -p XXXXXXXX /dev/shm/replica-info-qe-blade-11.testrelm.com.gpg
[root@qe-blade-11 shm]#                 rlRun "/bin/bash /dev/shm/replica-install.bash" 0 "Replica installation"
Run connection check to master
Check connection from replica to remote master 'storm.testrelm.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Execute check on remote master
Check connection from master to remote replica 'qe-blade-11.testrelm.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
creation of replica failed: {'info': 'TLS: hostname does not match CN in peer certificate', 'desc': "Can't contact LDAP server"}

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
:: [   FAIL   ] :: Replica installation (Expected 0, got 1)


Version-Release number of selected component (if applicable):

ipa-server-2.2.0-16.el6.x86_64
389-ds-base-1.2.10.2-15.el6.x86_64

How reproducible:
always or very close to it.

Steps to Reproduce:
1.  <setup rhel 6.3 IPA master>
2.  <create replica gpg file using pkcs#12 options>
3.  <download gpg file to replica>
4.  ipa-replica-install # as above
  
Actual results:

Fails with TLS hostname error.


Expected results:

properly installs the replica.

Additional info:

gpg file created like this:

rm -fr /var/lib/ipa/replica-info-*
certutil -L -d /etc/httpd/alias/ -n "Server-Cert" -a > /var/tmp/httpdcacert.asc
openssl x509 -text -in /var/tmp/httpdcacert.asc 
certutil -L -d /etc/dirsrv/slapd-PKI-IPA/ -n "Server-Cert" -a > /var/tmp/dirsrvcacert.asc
openssl x509 -text -in /var/tmp/dirsrvcacert.asc
http_nss_cert_db_pin=`cat /etc/httpd/alias/pwdfile.txt`
dirsrv_nss_cert_db_pin=`cat /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt`
/usr/bin/pk12util -o http_pkcs.p12 -d /etc/httpd/alias/ -n Server-Cert

....output1....
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file: 
Re-enter password: 
pk12util: PKCS12 EXPORT SUCCESSFUL
....end1....

ipa-replica-prepare -p XXXXXXXX --ip-address=10.16.76.42 qe-blade-11.testrelm.com --dirsrv_pkcs12=dirsrv_pkcs.p12 --dirsrv_pin=XXXXXXXX --http_pkcs12=http_pkcs.p12 --http_pin=XXXXXXXX

....output2....
Warning: Hostname (qe-blade-11.testrelm.com) not found in DNS
Preparing replica for qe-blade-11.testrelm.com from storm.testrelm.com
Copying SSL certificate for the Directory Server from dirsrv_pkcs.p12
Creating SSL certificate for the dogtag Directory Server
Copying SSL certificate for the Web Server from http_pkcs.p12
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-qe-blade-11.testrelm.com.gpg
Adding DNS records for qe-blade-11.testrelm.com
Using reverse zone 76.16.10.in-addr.arpa.
....end2....


On Replica from ipareplica-install.log:

2012-06-05T21:43:45Z DEBUG   [21/30]: setting up initial replication
2012-06-05T21:43:49Z DEBUG args=/sbin/service dirsrv restart TESTRELM-COM
2012-06-05T21:43:49Z DEBUG stdout=Shutting down dirsrv: 
    TESTRELM-COM...[  OK  ]
Starting dirsrv: 
    TESTRELM-COM...[  OK  ]

2012-06-05T21:43:49Z DEBUG stderr=
2012-06-05T21:43:49Z DEBUG {'info': 'TLS: hostname does not match CN in peer certificate', 'desc': "Can't contact LDAP server"}
  File "/usr/sbin/ipa-replica-install", line 496, in <module>
    main()

  File "/usr/sbin/ipa-replica-install", line 432, in main
    ds = install_replica_ds(config)

  File "/usr/sbin/ipa-replica-install", line 147, in install_replica_ds
    pkcs12_info)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 282, in create_replica
    self.start_creation("Configuring directory server", 60)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 257, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 292, in __setup_replica
    self.dm_password)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 124, in __init__
    self.conn.do_simple_bind(bindpw=dirman_passwd)

  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 378, in do_simple_bind
    self.__bind_with_wait(self.simple_bind_s, timeout, binddn, bindpw)

  File "/usr/lib/python2.6/site-packages/ipaserver/ipaldap.py", line 352, in __bind_with_wait
    raise e

Comment 2 Scott Poore 2012-06-06 03:17:11 UTC
Using gpg|tar, I extracted the working and broken files and compared them.

gpg -d replica-info-qe-blade-11.testrelm.com.gpg | tar xvf -

For one, the system/automatically generated ones did not have pins set?

[root@qe-blade-11 shm]# diff -r realm_info.works realm_info.bad
...
diff -r realm_info.works/dirsrv_pin.txt realm_info.bad/dirsrv_pin.txt
1c1
< 
---
> XXXXXXXX
diff -r realm_info.works/http_pin.txt realm_info.bad/http_pin.txt
1c1
< 
---
> XXXXXXXX
...

For another, some files are missing?


[root@qe-blade-11 shm]#  ls realm_info.works realm_info.bad
realm_info.bad:
ca.crt         dirsrv_pin.txt  dscert.p12    http_pin.txt      pwdfile.txt       realm_info
configure.jar  dogtagcert.p12  httpcert.p12  preferences.html  pwdfile.txt.orig

realm_info.works:
cacert.p12     dirsrv_pin.txt  httpcert.p12      pwdfile.txt       realm_info
ca.crt         dogtagcert.p12  http_pin.txt      pwdfile.txt.orig
configure.jar  dscert.p12      preferences.html  ra.p12

Comment 3 Rob Crittenden 2012-06-06 13:09:11 UTC
If I'm reading this correctly there are two problems.

1. You can't copy certificates from one machine and expect them to work on another. That is likely the source of the hostname not matching but I'd need to see the output to be sure. On a given machine the CN of the cert needs to match the hostname.

2. It appears that you created PKCS#12 files containing just a public cert but not a private key. What you want to do is create a temporary NSS database, generate a CSR and use ipa cert-request to generate a certificate. Then use pk12util to create the files from that temporary NSS database.

Note that in the real world #2 won't work because in order to install a replica the host cannot already exist. In order to create a certificate a service must exist, which requires a host.

So the sequence looks like this:

ipa host-add foo
ipa cert-request --add --principal=HTTP/foo <CSR>
<various PKCS#12 commands>
...
ipa-replica-install ...

[ fail, host foo exists, delete it]

ipa host-del foo

The certs you pre-created are now revoked.

This will work in a test environment though as we don't do CRL checking by default.
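
A pre-flight check for the two causes described in the comment above, as an added example that is not part of this bug report or of FreeIPA's own tooling: it opens a PKCS#12 file with openssl and confirms that it carries a private key and that the end-entity certificate's subject CN equals the intended replica hostname. The hostname replica.example.test, the pin 'secret' and the self-signed fixtures are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report). Before handing PKCS#12 files to
# ipa-replica-prepare, verify the two things that broke here: the bundle must
# contain a private key, and the cert CN must be the replica's hostname.

# check_replica_p12 FILE PIN HOSTNAME -> returns 0 only if both checks pass
check_replica_p12() {
    p12="$1"; pin="$2"; host="$3"
    # 1. a pk12util export of a cert copied from another host's DB has no key
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pin" -nocerts -nodes 2>/dev/null \
            | grep -q 'PRIVATE KEY'; then
        echo "FAIL: $p12 contains no private key" >&2
        return 1
    fi
    # 2. extract the end-entity cert and compare its subject CN to the hostname
    cn=$(openssl pkcs12 -in "$p12" -passin "pass:$pin" -clcerts -nokeys 2>/dev/null \
            | openssl x509 -noout -subject -nameopt RFC2253 \
            | grep -o 'CN=[^,]*' | head -n 1 | cut -d= -f2)
    if [ "$cn" != "$host" ]; then
        echo "FAIL: $p12 subject CN '$cn' does not match '$host'" >&2
        return 1
    fi
    echo "OK: $p12 has a private key and CN=$cn"
}

# make_fixtures DIR: constructed test material, a self-signed cert for a
# hypothetical replica plus one good and one cert-only PKCS#12 (pin 'secret')
make_fixtures() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=TESTRELM.COM/CN=replica.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/good.p12" -passout pass:secret
    # -nokeys reproduces the reporter's mistake: certificate only, no key
    openssl pkcs12 -export -in "$dir/cert.pem" -nokeys \
        -out "$dir/nokey.p12" -passout pass:secret
}

# demo: the good bundle passes, the key-less one and a wrong hostname fail
tmp=$(mktemp -d)
make_fixtures "$tmp"
check_replica_p12 "$tmp/good.p12"  secret replica.example.test
check_replica_p12 "$tmp/nokey.p12" secret replica.example.test || true
check_replica_p12 "$tmp/good.p12"  secret other.example.test   || true
```

PKCS#12 files exported by the NSS tools of this era use RC2/3DES; on OpenSSL 3 add `-legacy` to the reading `openssl pkcs12` commands if they fail to decode.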

Comment 5 Scott Poore 2012-06-07 16:28:50 UTC
Rob, thanks.  I was able to get this working per your suggestion with the following:

<snip>
mkdir /tmp/httpcert
cd /tmp/httpcert
echo "mytestnoisefile: asflasdfjl@#R%W@t4tlkihjhaldkhjetralkjakdlasdfsadgfag4lk<F4>^W@%lkj" > noise.txt
echo "$ADMINPW" > pwdfile.txt
certutil -d . -N -f pwdfile.txt
certutil -R -s "CN=$SLAVE,O=$RELM" -d . -a -z noise.txt -f pwdfile.txt > $SLAVE.csr
ipa cert-request $SLAVE.csr --add --principal=http/$SLAVE > ipa-cert-request.http.$SLAVE.tmp
wget http://$MASTER/ipa/config/ca.crt
certutil -A -d . -n 'IPA CA' -t CT,, -a < ca.crt
ipa service-show http/$SLAVE --out=$SLAVE.crt
certutil -A -n $SLAVE -d . -t u,u,u -a < $SLAVE.crt
certutil -L -d . -n $SLAVE -a > httpdcacert.asc
pk12util -o http_pkcs.p12 -d . -n $SLAVE -w pwdfile.txt -k pwdfile.txt

mkdir /tmp/ldapcert
cd /tmp/ldapcert
echo "mytestnoisefile: asflasdfjl@#R%W@t4tlkihjhaldkhjetralkjakdlasdfsadgfag4lk<F4>^W@%lkj" > noise.txt
echo "$ADMINPW" > pwdfile.txt
certutil -d . -N -f pwdfile.txt
certutil -R -s "CN=$SLAVE,O=$RELM" -d . -a -z noise.txt -f pwdfile.txt > $SLAVE.csr
ipa cert-request $SLAVE.csr --add --principal=ldap/$SLAVE > ipa-cert-request.ldap.$SLAVE.tmp
wget http://$MASTER/ipa/config/ca.crt
certutil -A -d . -n 'IPA CA' -t CT,, -a < ca.crt
ipa service-show ldap/$SLAVE --out=$SLAVE.crt
certutil -A -n $SLAVE -d . -t u,u,u -a < $SLAVE.crt
certutil -L -d . -n $SLAVE -a > dirsrvcacert.asc
pk12util -o dirsrv_pkcs.p12 -d . -n $SLAVE -w pwdfile.txt -k pwdfile.txt


ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $SLAVE --dirsrv_pkcs12=/tmp/ldapcert/dirsrv_pkcs.p12 --dirsrv_pin=$ADMINPW --http_pkcs12=/tmp/httpcert/http_pkcs.p12 --http_pin=$ADMINPW

ipa host-del $SLAVE
</snip>

I was also able to do it using the dscert.p12 and httpcert.p12 files from a normally created gpg file as you suggested.  

I'm going to close this as NOTABUG.  Thanks again.