Bug 1031111 - ipa-client: add root CA to trust anchors if not already available
ipa-client: add root CA to trust anchors if not already available
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.0
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Martin Kosek
Namita Soman
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-15 11:06 EST by David Jaša
Modified: 2015-03-05 05:10 EST (History)
4 users (show)

See Also:
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 05:10:01 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Jaša 2013-11-15 11:06:34 EST
Description of problem:
currently, when machine is added to FreeIPA/IdM domain and FreeIPAs certificate is not among trust anchors of the system, administrator has to add it (or the CA that signed IdM's CA) to the trust anchors manually. This task can be automated for administrator thanks to Shared System Certificates:
1. export freeipa CA (or some CA in its chain) to pem file
2. move/copy the pem file to /etc/pki/ca-trust/source/anchors/
3. call 'update-ca-trust'
In future releases of p11-kit, the procedure will be simplified by merging steps 2+3 to a single command: trust anchor /path/to/exported_cert.pem

Version-Release number of selected component (if applicable):
ipa-client-3.3.3-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. add host to ipa domain using ipa-client-install
2. look if IdM's CA cert (or it's root CA certificate) is installed
3.

Actual results:
CA anchor must be manually added (or be in store prior to ipa-client-install time)

Expected results:
CA anchor is added as part of ipa-client-install

Additional info:
This upstream ticket seems to deal with the same issue: https://fedorahosted.org/freeipa/ticket/3504
Comment 1 Martin Kosek 2013-11-17 16:05:30 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3504
Comment 2 Petr Viktorin 2013-11-20 07:17:23 EST
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/4a0e91449e2b65304ae8d660d1a480200b1a13d3
Comment 4 Adam Williamson 2014-09-06 16:58:01 EDT
If this gets backported to RHEL 7, could we also get it for F19 and F20? I just ran into this today (writing a blog post about it ATM), it'd be nice for people not to have to work out / find out about the workaround.
Comment 5 Martin Kosek 2014-09-11 06:09:14 EDT
This commit is part of FreeIPA 4.0+ builds, as such it is only officially built for F21 and older. For older Fedoras (and EPEL-7 in future), we are maintaining a COPR repo:

http://copr.fedoraproject.org/coprs/mkosek/freeipa/

If this is not sufficient and the bug is blocking you, I would be open to backport the patch to older FreeIPA 3.3.x releases. Please file official Fedora bug request in that case.
Comment 7 Scott Poore 2015-01-27 14:47:00 EST
Should I see /etc/pki/ca-trust/source/anchors/ipa-ca.crt?

I do not see this file at the end of ipa-client-install.

Version ::

ipa-client-4.1.0-16.el7.x86_64

This was installing client for master with self signed ca cert.

[root@rhel7-2 ~]# ipa-client-install
Discovery was successful!
Hostname: rhel7-2.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Tue Jan 27 19:19:00 2015 UTC
    Valid Until: Sat Jan 27 19:19:00 2035 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://rhel7-1.example.com/ipa/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (rhel7-2.example.com) not found in DNS
DNS server record set to: rhel7-2.example.com -> 192.168.122.72
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
[root@rhel7-2 ~]# certutil -L -d /etc/pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C

[root@rhel7-2 ~]# ls -l /etc/pki/ca-trust/source/anchors/
total 0

From the logs, I see:

2015-01-27T19:24:01Z DEBUG Adding CA certificates to the IPA NSS database.
2015-01-27T19:24:01Z DEBUG Starting external process
2015-01-27T19:24:01Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'EXAMPLE.COM IPA CA' '-t' 'CT,C,C'
2015-01-27T19:24:01Z DEBUG Process finished, return code=0
2015-01-27T19:24:01Z DEBUG stdout=
2015-01-27T19:24:01Z DEBUG stderr=
2015-01-27T19:24:01Z DEBUG Starting external process
2015-01-27T19:24:01Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-27T19:24:02Z DEBUG Process finished, return code=0
2015-01-27T19:24:02Z DEBUG stdout=
2015-01-27T19:24:02Z DEBUG stderr=
2015-01-27T19:24:02Z INFO Systemwide CA database updated.
2015-01-27T19:24:02Z DEBUG Attempting to add CA certificates to the default NSS database.
2015-01-27T19:24:02Z DEBUG Starting external process
2015-01-27T19:24:02Z DEBUG args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' 'EXAMPLE.COM IPA CA' '-t' 'CT,C,C'
2015-01-27T19:24:02Z DEBUG Process finished, return code=0
2015-01-27T19:24:02Z DEBUG stdout=
2015-01-27T19:24:02Z DEBUG stderr=
2015-01-27T19:24:02Z INFO Added CA certificates to the default NSS database.

Is this expected behavior?
Comment 8 Scott Poore 2015-01-28 11:44:16 EST
Verified.

Ok.  Jan Cholasta pointed me to check /etc/pki/ca-trust-source/ipa.p11-kit.



Version ::

ipa-client-4.1.0-16.el7.x86_64

Results ::

So, between successful log entries in comment #7 and seeing this file in place, this is verified.

[root@rhel7-2 ~]# ls -ld /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 3566 Jan 27 13:24 /etc/pki/ca-trust/source/ipa.p11-kit
Comment 10 errata-xmlrpc 2015-03-05 05:10:01 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.