Bug 1129730 - CA-less installation fails when the CA cert has an empty subject
Summary: CA-less installation fails when the CA cert has an empty subject
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
Reported: 2014-08-13 14:38 UTC by Martin Kosek
Modified: 2015-03-05 10:13 UTC (History)

Fixed In Version: ipa-4.1.0-0.1.alpha1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:13:17 UTC
Links:
Red Hat Product Errata RHSA-2015:0442 (priority: normal, status: SHIPPED_LIVE) - Moderate: ipa security, bug fix, and enhancement update - last updated 2015-03-05 14:50:39 UTC

Description Martin Kosek 2014-08-13 14:38:25 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4477

My testing CA has an empty subject. When used in a CA-less installation, IPA fails to add it to LDAP. Most likely a regression in #3259.

This should be either allowed, or rejected early with a better error message.

{{{
 ...
  [39/39]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Unexpected error - see /var/log/ipaserver-install.log for details:
InvalidSyntax: ipaCertSubject: value #0 invalid per syntax: Invalid syntax.
}}}

For debugging I added a log call with the entry being added, here's the output along with the exception:
{{{
2014-08-07T12:05:18Z DEBUG CA cert entry: LDAPEntry(ipapython.dn.DN('cn=CA 1,cn=certificates,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), {u'ipaKeyExtUsage': ['1.3.6.1.5.5.7.3.1'], u'cn': ['CA 1'], u'objectClass': ['ipaCertificate', 'pkiCA', 'ipaKeyPolicy'], u'ipaCertIssuerSerial': [';1'], u'ipaPublicKey': ['0\x81\x9f...\x02\x03\x01\x00\x01'], u'cACertificate;binary': ["0\x82\x01\xea0...\x8c\x89"], u'ipaKeyTrust': ['trusted'], u'ipaCertSubject': [''], u'ipaConfigString': ['compatCA']})
2014-08-07T12:05:18Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 640, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 1117, in main
    ds.enable_ssl()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 353, in enable_ssl
    self.start_creation(runtime=10)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 716, in __upload_ca_cert
    config_compat=self.master_fqdn is None)

  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 384, in put_ca_cert_nss
    config_ipa, config_compat)

  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 240, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)

  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 155, in add_ca_cert
    ldap.add_entry(entry)

  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1586, in add_entry
    self.conn.add_s(entry.dn, attrs.items())

  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)

  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1183, in error_handler
    raise errors.InvalidSyntax(attr=info)

2014-08-07T12:05:18Z DEBUG The ipa-server-install command failed, exception: InvalidSyntax: ipaCertSubject: value #0 invalid per syntax: Invalid syntax.
}}}
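
As an added illustration (not FreeIPA's own code) of the early rejection this report asks for, the stdlib-only Python below walks a PEM certificate's DER structure down to the subject Name and refuses an empty one with a message modelled on the verified build's output. The certificates it checks are constructed in-line and unsigned, so they only stand in for the root.pem passed with --ca-cert-file; the function and file names are assumptions.

```python
import ssl

def der(tag, payload):
    """Encode one DER TLV; payloads in this example are all under 256 bytes."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + payload

def read_tlv(buf, pos):
    """Decode the TLV at pos and return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                          # long form: low bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def name(cn):
    """X.501 Name with one CN, or the empty SEQUENCE the bug report describes."""
    attr = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, (cn or "").encode()))
    return der(0x30, b"" if cn is None else der(0x31, attr))

def make_cert(subject_cn):
    """Constructed, unsigned test certificate in PEM form (structure only, not a real CA)."""
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"140813000000Z") + der(0x17, b"240813000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))                  # placeholder key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name("Test Issuer") + validity + name(subject_cn) + spki)
    return ssl.DER_cert_to_PEM_cert(der(0x30, tbs + alg + der(0x03, b"\x00")))

def subject_of(pem):
    """Walk Certificate -> tbsCertificate and return the raw subject Name contents."""
    _, cert, _ = read_tlv(ssl.PEM_cert_to_DER_cert(pem), 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                       # optional [0] version present: skip serialNumber too
        _, _, pos = read_tlv(tbs, pos)
    for _ in range(3):                    # signature, issuer, validity
        _, _, pos = read_tlv(tbs, pos)
    tag, subject, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return subject

def check_ca_cert(pem, path):
    """Early check before any LDAP work: None if usable, else the error to report."""
    if not subject_of(pem):
        return "CA certificate in %s is not valid: has empty subject" % path
    return None
```

Running check_ca_cert on make_cert(None) yields the error string, while a certificate with a CN passes and would go on to the ipaCertSubject LDAP add.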

Comment 3 Kaleem 2015-01-22 07:07:02 UTC
Verified.

IPA Version:
============
[root@dhcp207-214 ~]# rpm -q ipa-server
ipa-server-4.1.0-15.el7.x86_64
[root@dhcp207-214 ~]# 


[root@dhcp207-214 nssdb]# ipa-server-install --http-cert-file /root/nssdb/server.p12 --http-pin xxxxxxxx --dirsrv-cert-file /root/nssdb/server.p12 --dirsrv-pin xxxxxxxx --ca-cert-file /root/nssdb/root.pem

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: yes

Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [dhcp207-214.testrelm.test]: 

Warning: skipping DNS resolution of host dhcp207-214.testrelm.test
The domain name has been determined based on the host name.

Please confirm the domain name [testrelm.test]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [TESTRELM.TEST]: 
CA certificate  in /root/nssdb/server.p12 is not valid: has empty subject
[root@dhcp207-214 nssdb]#

Comment 5 errata-xmlrpc 2015-03-05 10:13:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

