1031111 – ipa-client: add root CA to trust anchors if not already available

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1031111 - ipa-client: add root CA to trust anchors if not already available

Summary: ipa-client: add root CA to trust anchors if not already available

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-11-15 16:06 UTC by David Jaša
Modified:	2015-03-05 10:10 UTC (History)
CC List:	4 users (show)
Fixed In Version:	ipa-4.0.3-1.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-05 10:10:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0442	0	normal	SHIPPED_LIVE	Moderate: ipa security, bug fix, and enhancement update	2015-03-05 14:50:39 UTC

Description David Jaša 2013-11-15 16:06:34 UTC

Description of problem:
currently, when machine is added to FreeIPA/IdM domain and FreeIPAs certificate is not among trust anchors of the system, administrator has to add it (or the CA that signed IdM's CA) to the trust anchors manually. This task can be automated for administrator thanks to Shared System Certificates:
1. export freeipa CA (or some CA in its chain) to pem file
2. move/copy the pem file to /etc/pki/ca-trust/source/anchors/
3. call 'update-ca-trust'
In future releases of p11-kit, the procedure will be simplified by merging steps 2+3 to a single command: trust anchor /path/to/exported_cert.pem

Version-Release number of selected component (if applicable):
ipa-client-3.3.3-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. add host to ipa domain using ipa-client-install
2. look if IdM's CA cert (or it's root CA certificate) is installed
3.

Actual results:
CA anchor must be manually added (or be in store prior to ipa-client-install time)

Expected results:
CA anchor is added as part of ipa-client-install

Additional info:
This upstream ticket seems to deal with the same issue: https://fedorahosted.org/freeipa/ticket/3504

Comment 1 Martin Kosek 2013-11-17 21:05:30 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3504

Comment 2 Petr Viktorin (pviktori) 2013-11-20 12:17:23 UTC

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/4a0e91449e2b65304ae8d660d1a480200b1a13d3

Comment 4 Adam Williamson 2014-09-06 20:58:01 UTC

If this gets backported to RHEL 7, could we also get it for F19 and F20? I just ran into this today (writing a blog post about it ATM), it'd be nice for people not to have to work out / find out about the workaround.

Comment 5 Martin Kosek 2014-09-11 10:09:14 UTC

This commit is part of FreeIPA 4.0+ builds, as such it is only officially built for F21 and older. For older Fedoras (and EPEL-7 in future), we are maintaining a COPR repo:

http://copr.fedoraproject.org/coprs/mkosek/freeipa/

If this is not sufficient and the bug is blocking you, I would be open to backport the patch to older FreeIPA 3.3.x releases. Please file official Fedora bug request in that case.

Comment 7 Scott Poore 2015-01-27 19:47:00 UTC

Should I see /etc/pki/ca-trust/source/anchors/ipa-ca.crt?

I do not see this file at the end of ipa-client-install.

Version ::

ipa-client-4.1.0-16.el7.x86_64

This was installing client for master with self signed ca cert.

[root@rhel7-2 ~]# ipa-client-install
Discovery was successful!
Hostname: rhel7-2.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Tue Jan 27 19:19:00 2015 UTC
    Valid Until: Sat Jan 27 19:19:00 2035 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://rhel7-1.example.com/ipa/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (rhel7-2.example.com) not found in DNS
DNS server record set to: rhel7-2.example.com -> 192.168.122.72
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
[root@rhel7-2 ~]# certutil -L -d /etc/pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C

[root@rhel7-2 ~]# ls -l /etc/pki/ca-trust/source/anchors/
total 0

From the logs, I see:

2015-01-27T19:24:01Z DEBUG Adding CA certificates to the IPA NSS database.
2015-01-27T19:24:01Z DEBUG Starting external process
2015-01-27T19:24:01Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'EXAMPLE.COM IPA CA' '-t' 'CT,C,C'
2015-01-27T19:24:01Z DEBUG Process finished, return code=0
2015-01-27T19:24:01Z DEBUG stdout=
2015-01-27T19:24:01Z DEBUG stderr=
2015-01-27T19:24:01Z DEBUG Starting external process
2015-01-27T19:24:01Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-27T19:24:02Z DEBUG Process finished, return code=0
2015-01-27T19:24:02Z DEBUG stdout=
2015-01-27T19:24:02Z DEBUG stderr=
2015-01-27T19:24:02Z INFO Systemwide CA database updated.
2015-01-27T19:24:02Z DEBUG Attempting to add CA certificates to the default NSS database.
2015-01-27T19:24:02Z DEBUG Starting external process
2015-01-27T19:24:02Z DEBUG args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' 'EXAMPLE.COM IPA CA' '-t' 'CT,C,C'
2015-01-27T19:24:02Z DEBUG Process finished, return code=0
2015-01-27T19:24:02Z DEBUG stdout=
2015-01-27T19:24:02Z DEBUG stderr=
2015-01-27T19:24:02Z INFO Added CA certificates to the default NSS database.

Is this expected behavior?

Comment 8 Scott Poore 2015-01-28 16:44:16 UTC

Verified.

Ok.  Jan Cholasta pointed me to check /etc/pki/ca-trust-source/ipa.p11-kit.



Version ::

ipa-client-4.1.0-16.el7.x86_64

Results ::

So, between successful log entries in comment #7 and seeing this file in place, this is verified.

[root@rhel7-2 ~]# ls -ld /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 3566 Jan 27 13:24 /etc/pki/ca-trust/source/ipa.p11-kit

Comment 10 errata-xmlrpc 2015-03-05 10:10:01 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.