
Bug 1131710

Summary: RHEL7.1 ipa-server-install p11-kit errors
Product: Red Hat Enterprise Linux 7
Component: nss
Version: 7.1
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Reporter: Scott Poore <spoore>
Assignee: Elio Maldonado Batiz <emaldona>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: kengert, nkinder, rcritten, spoore
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-01-22 18:08:53 UTC
Attachments: ipa-server-install output

Description Scott Poore 2014-08-19 21:26:30 UTC
Description of problem:

When I run ipa-server-install, I see these error messages:

p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

Full ipa-server-install output and log will be added.  

When I check ipaserver-install.log, it appears that these messages are occurring after some of the certutil calls.

Version-Release number of selected component (if applicable):
ipa-server-3.3.3-28.el7.x86_64
nss-tools-3.15.4-7.el7_0.x86_64
p11-kit-0.20.4-1.el7.x86_64
ca-certificates-2013.1.95-71.el7.noarch

How reproducible:
always.


Steps to Reproduce:
1.  yum -y install ipa-server
2.  ipa-server-install


Actual results:
IPA seems to be installed, but I see the errors mentioned.  I'm not yet sure if this is affecting behavior afterwards.


Expected results:
No error messages seen during ipa-server-install.

Additional info:

Comment 2 Scott Poore 2014-08-19 21:33:05 UTC
Created attachment 928513
ipa-server-install output

Comment 4 Scott Poore 2014-08-19 21:57:39 UTC
I am also seeing the errors when I run ipa-replica-prepare on the IPA master:

Preparing replica for qe-blade-09.spoore08191228.test from ipaqavmd.spoore08191228.test
Creating SSL certificate for the Directory Server
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
Creating SSL certificate for the dogtag Directory Server
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-qe-blade-09.spoore08191228.test.gpg
Adding DNS records for qe-blade-09.spoore08191228.test
Using reverse zone IPREMOVED.in-addr.arpa.
The ipa-replica-prepare command was successful

Comment 5 Martin Kosek 2014-08-20 08:37:49 UTC
This error is produced by the updated certutil (nss-tools component):

# /usr/bin/certutil -d /etc/httpd/alias -L
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

Certificate Nickname                                         Trust Attributes
...

It looks benign (at least for IdM), but should be looked at. Moving to the right component.
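
The ipa-replica-prepare output in comment 4 interleaves the p11-kit messages with the tool's own progress lines. As an added example (not part of the original bug report), this shell function groups the load failures by the step printed before them; the sample log is constructed and its hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report): attribute p11-kit load failures
# to the tool step printed just before them.

# Constructed sample modelled on the comment 4 output; hostnames are placeholders.
sample_log() {
cat <<'EOF'
Preparing replica for replica.example.test from master.example.test
Creating SSL certificate for the Directory Server
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
Creating SSL certificate for the dogtag Directory Server
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
Saving dogtag Directory Server port
Exporting RA certificate
The ipa-replica-prepare command was successful
EOF
}

# Reads tool output on stdin; prints one line per (step, file) pair:
#   <load failures> TAB <file p11-kit could not load> TAB <preceding step>
p11kit_by_step() {
  awk '
    BEGIN { step = "(before first step)" }
    /^p11-kit: couldn.t load file into objects: / {
      f = $0
      sub(/^p11-kit: couldn.t load file into objects: /, "", f)
      key = step SUBSEP f
      if (!(key in n)) order[++k] = key
      n[key]++
      next
    }
    /^p11-kit: / { next }   # reason line; the path is on the load-failure line
    NF { step = $0 }         # any other non-empty line is the current step
    END {
      for (i = 1; i <= k; i++) {
        split(order[i], p, SUBSEP)
        printf "%d\t%s\t%s\n", n[order[i]], p[2], p[1]
      }
    }
  '
}

sample_log | p11kit_by_step
```

The function reads standard input, so a saved copy of the installer or replica-prepare output can be piped into it in place of the sample.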

Comment 9 Kai Engert (:kaie) (inactive account) 2016-01-22 17:56:27 UTC
I remember there was a time when we had an inconsistency between ca-certificates and the p11-kit software.

We probably have fixed this already by updating packages.

Please let us know if you still can reproduce, otherwise I'd assume it's fixed.

Comment 10 Nathan Kinder 2016-01-22 18:08:53 UTC
(In reply to Kai Engert (:kaie) from comment #9)
> Please let us know if you still can reproduce, otherwise I'd assume it's
> fixed.

I discussed this with Scott, and these errors are no longer occurring with the current RHEL 7.x packages.  Closing as CURRENTRELEASE.