Description of problem:
Currently, when a machine is added to a FreeIPA/IdM domain and FreeIPA's certificate is not among the trust anchors of the system, the administrator has to add it (or the CA that signed IdM's CA) to the trust anchors manually. This task can be automated for the administrator thanks to Shared System Certificates:
1. export the FreeIPA CA (or some CA in its chain) to a pem file
2. move/copy the pem file to /etc/pki/ca-trust/source/anchors/
3. call 'update-ca-trust'

In future releases of p11-kit, the procedure will be simplified by merging steps 2+3 into a single command:
trust anchor /path/to/exported_cert.pem

Version-Release number of selected component (if applicable):
ipa-client-3.3.3-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. add host to ipa domain using ipa-client-install
2. look if IdM's CA cert (or its root CA certificate) is installed
3.

Actual results:
CA anchor must be manually added (or be in store prior to ipa-client-install time)

Expected results:
CA anchor is added as part of ipa-client-install

Additional info:
This upstream ticket seems to deal with the same issue: https://fedorahosted.org/freeipa/ticket/3504
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3504
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/4a0e91449e2b65304ae8d660d1a480200b1a13d3
If this gets backported to RHEL 7, could we also get it for F19 and F20? I just ran into this today (writing a blog post about it ATM), it'd be nice for people not to have to work out / find out about the workaround.
This commit is part of FreeIPA 4.0+ builds, as such it is only officially built for F21 and older. For older Fedoras (and EPEL-7 in future), we are maintaining a COPR repo: http://copr.fedoraproject.org/coprs/mkosek/freeipa/

If this is not sufficient and the bug is blocking you, I would be open to backporting the patch to older FreeIPA 3.3.x releases. Please file an official Fedora bug request in that case.
Should I see /etc/pki/ca-trust/source/anchors/ipa-ca.crt? I do not see this file at the end of ipa-client-install.

Version ::
ipa-client-4.1.0-16.el7.x86_64

This was installing client for master with self signed ca cert.

[root@rhel7-2 ~]# ipa-client-install
Discovery was successful!
Hostname: rhel7-2.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin:
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=EXAMPLE.COM
    Issuer: CN=Certificate Authority,O=EXAMPLE.COM
    Valid From: Tue Jan 27 19:19:00 2015 UTC
    Valid Until: Sat Jan 27 19:19:00 2035 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://rhel7-1.example.com/ipa/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (rhel7-2.example.com) not found in DNS
DNS server record set to: rhel7-2.example.com -> 192.168.122.72
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.

[root@rhel7-2 ~]# certutil -L -d /etc/pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C

[root@rhel7-2 ~]# ls -l /etc/pki/ca-trust/source/anchors/
total 0

From the logs, I see:

2015-01-27T19:24:01Z DEBUG Adding CA certificates to the IPA NSS database.
2015-01-27T19:24:01Z DEBUG Starting external process
2015-01-27T19:24:01Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'EXAMPLE.COM IPA CA' '-t' 'CT,C,C'
2015-01-27T19:24:01Z DEBUG Process finished, return code=0
2015-01-27T19:24:01Z DEBUG stdout=
2015-01-27T19:24:01Z DEBUG stderr=
2015-01-27T19:24:01Z DEBUG Starting external process
2015-01-27T19:24:01Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-27T19:24:02Z DEBUG Process finished, return code=0
2015-01-27T19:24:02Z DEBUG stdout=
2015-01-27T19:24:02Z DEBUG stderr=
2015-01-27T19:24:02Z INFO Systemwide CA database updated.
2015-01-27T19:24:02Z DEBUG Attempting to add CA certificates to the default NSS database.
2015-01-27T19:24:02Z DEBUG Starting external process
2015-01-27T19:24:02Z DEBUG args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' 'EXAMPLE.COM IPA CA' '-t' 'CT,C,C'
2015-01-27T19:24:02Z DEBUG Process finished, return code=0
2015-01-27T19:24:02Z DEBUG stdout=
2015-01-27T19:24:02Z DEBUG stderr=
2015-01-27T19:24:02Z INFO Added CA certificates to the default NSS database.

Is this expected behavior?
Verified.

Ok. Jan Cholasta pointed me to check /etc/pki/ca-trust-source/ipa.p11-kit.

Version ::
ipa-client-4.1.0-16.el7.x86_64

Results ::
So, between successful log entries in comment #7 and seeing this file in place, this is verified.

[root@rhel7-2 ~]# ls -ld /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 3566 Jan 27 13:24 /etc/pki/ca-trust/source/ipa.p11-kit
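The verification above hinged on knowing which source file to look for (anchors/ was empty, ipa.p11-kit was present). As an added example, not part of the bug report or of FreeIPA, the check below confirms the outcome instead: it compares the SHA-256 of each certificate in the client's CA file against the bundle that update-ca-trust generates. The default paths /etc/ipa/ca.crt and /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem and the function names are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example: is the IPA CA in the consolidated system trust bundle,
# whichever source file (anchors/*.pem or ipa.p11-kit) it came from?
# Both paths are assumed defaults; override them through the environment.
IPA_CA=${IPA_CA:-/etc/ipa/ca.crt}
BUNDLE=${BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}

# Print the SHA-256 of the DER bytes of every certificate in PEM file $1.
pem_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1" | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d" " -f1
    done
}

# Return 0 if every certificate in $1 is present in bundle $2,
# 1 if at least one is missing, 2 if $1 holds no certificate at all.
ca_is_trusted() {
    wanted=$(pem_fingerprints "$1")
    [ -n "$wanted" ] || return 2
    have=$(pem_fingerprints "$2")
    for fp in $wanted; do
        printf '%s\n' "$have" | grep -qxF "$fp" || return 1
    done
    return 0
}

# Only runs the check when both files exist, so the script is harmless
# on a host that is not an IPA client.
if [ -r "$IPA_CA" ] && [ -r "$BUNDLE" ]; then
    if ca_is_trusted "$IPA_CA" "$BUNDLE"; then
        echo "OK: every certificate in $IPA_CA is in $BUNDLE"
    else
        echo "MISSING: $IPA_CA is not fully present in $BUNDLE"
    fi
else
    echo "skipped: $IPA_CA or $BUNDLE not readable on this host"
fi
```

A MISSING result on an enrolled client means the manual steps from the description (copy the CA to the anchors directory, run update-ca-trust) are still needed.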
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html