1282977 – IPA installation fails with external PKI CA

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1282977 - IPA installation fails with external PKI CA

Summary: IPA installation fails with external PKI CA

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	6.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Endi Sukma Dewata
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-11-17 23:32 UTC by Endi Sukma Dewata
Modified:	2016-05-11 00:32 UTC (History)
CC List:	7 users (show)
Fixed In Version:	pki-core-9.0.3-46.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1282892
Environment:
Last Closed:	2016-05-11 00:32:45 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
pki-core-9.0.3-bz1282977.patch (37.09 KB, patch) 2016-01-15 21:58 UTC, Endi Sukma Dewata	no flags	Details \| Diff
pki-core-9.0.3-bz1282977-1.patch (15.74 KB, patch) 2016-01-19 22:37 UTC, Endi Sukma Dewata	no flags	Details \| Diff
pki-core-9.0.3-bz1282977-2.patch (21.67 KB, patch) 2016-01-19 22:38 UTC, Endi Sukma Dewata	no flags	Details \| Diff
pki server setup for verification (29.50 KB, text/plain) 2016-01-25 17:10 UTC, Scott Poore	no flags	Details
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:0909	0	normal	SHIPPED_LIVE	pki-core bug fix update	2016-05-10 22:51:49 UTC

Description Endi Sukma Dewata 2015-11-17 23:32:08 UTC

+++ This bug was initially created as a clone of Bug #1282892 +++

Description of problem:
On RHEL 6.7 when installing PKI with external CA certificate pkisilent will generate system certificates that are signed with a wrong key. This is causing IPA installation to fail.

How reproducible:
Consistently.

Steps to Reproduce:
1. Prepare an external CA.
2. Install IPA with external CA on RHEL 6.7: ipa-server-install -U -a Secret123 -p Secret123 -r EXAMPLE --external-ca
3. Sign the /root/ipa.csr using the external CA.
4. Continue IPA installation: ipa-server-install -p Secret123 --external_cert_file=/root/ipa.crt --external_ca_file=/root/external-ca.crt

Actual results:
IPA installation fails.

Expected results:
IPA installation should complete successfully.

IPA installation error messages from /var/log/ipaserver-install.log:

2015-11-17T22:45:25Z DEBUG args=/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-hSIl_m -r /ca/agent/ca/profileReview?requestId=6 server.example.com:9443
2015-11-17T22:45:25Z DEBUG stdout=Subject: CN=server.example.com,O=EXAMPLE
Issuer : CN=Certificate Authority,O=EXAMPLE

2015-11-17T22:45:25Z DEBUG stderr=GET /ca/agent/ca/profileReview?requestId=6 HTTP/1.0^M
^M
port: 9443
addr='server.example.com'
family='10'
Called mygetclientauthdata - nickname = ipa-ca-agent
   mygetclientauthdata - cert = f60c60
   mygetclientauthdata - privkey = f9d650
exit after PR_Write bigBuf with error -12195:

2015-11-17T22:45:25Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 973, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 969, in __issue_ra_cert
    (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))

  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 316, in run
    raise CalledProcessError(p.returncode, args)

2015-11-17T22:45:25Z INFO The ipa-server-install command failed, exception: CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-hSIl_m -r /ca/agent/ca/profileReview?requestId=6 server.example.com:9443' returned non-zero exit status 4

The certificate chain seems to be broken:

$ certutil -L -d /var/lib/pki-ca/alias/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
CA Signing Certificate - EXAMPLE                             CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

$ certutil -O -d /var/lib/pki-ca/alias/ -n "caSigningCert cert-pki-ca"
"CA Signing Certificate - EXAMPLE" [CN=CA Signing Certificate,O=EXAMPLE]

  "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=EXAMPLE.TEST]

$ certutil -O -d /var/lib/pki-ca/alias/ -n "ocspSigningCert cert-pki-ca"
"ocspSigningCert cert-pki-ca" [CN=OCSP Subsystem,O=EXAMPLE.TEST]

Installed packages:

pki-selinux-9.0.3-43.el6.noarch
pki-java-tools-9.0.3-43.el6.noarch
pki-util-9.0.3-43.el6.noarch
pki-native-tools-9.0.3-43.el6.x86_64
pki-common-9.0.3-43.el6.noarch
pki-ca-9.0.3-43.el6.noarch
pki-setup-9.0.3-43.el6.noarch
pki-symkey-9.0.3-43.el6.x86_64
pki-silent-9.0.3-43.el6.noarch
ipa-client-3.0.0-47.el6.x86_64
ipa-server-3.0.0-47.el6.x86_64
ipa-python-3.0.0-47.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-47.el6.x86_64
ipa-server-selinux-3.0.0-47.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch

Comment 5 Endi Sukma Dewata 2016-01-15 21:58:14 UTC

Created attachment 1115299 [details]
pki-core-9.0.3-bz1282977.patch

The problem is actually caused by DN encoding mismatch (bug #1151147) between Dogtag 10 on Fedora and IPA on RHEL 6.

Comment 6 Christina Fu 2016-01-18 19:14:21 UTC

Comment on attachment 1115299 [details]
pki-core-9.0.3-bz1282977.patch

There are two fixes in this patch:
1. port of https://git.fedorahosted.org/cgit/pki.git/commit/?id=5bbd06e6e77729c63d65b77445f71f63ea0cdd1f
from https://bugzilla.redhat.com/show_bug.cgi?id=1151147
2. additional code that handles duplicated key generation

this first comment is for "1" above.  It seems like a straightforward port except in CertUtil.java where you added the same code change from non-selfsign under selfsign.
I don't think in selfsign case the encoding issue will ever occur.

Review for "2" will follow later.

Comment 7 Christina Fu 2016-01-19 01:55:59 UTC

Comment on attachment 1115299 [details]
pki-core-9.0.3-bz1282977.patch

Regarding my previous comment for issue 1, Endi explained that without the same code under "selfsign" it somehow doesn't work even though in logic selfsign really should not have such issue.  The patch provided for 1151147 worked without such addition though.  There might be differences between the two branches.
Since the additional code should not change the behavior for worse, I'm okay with this part of the patch.

Regarding issue 2.  It seems like the main fix is the line
"       if (hasChanged) {"
before keys are generated.
I'm not sure how hasChanged have to do with whether keys need to be generated or not. Would there be a case when hasChanged is false but keys need to be generated (e.g. maybe if defaults are not changed on that panel?)?
I'm asking Endi to test out an installation with the wizard just to be sure.

I prefer the fix for two issues (1. the port for DN encoding 2. the fix for duplicated keygen) to be in two complete separate patches.
At this point, ACK on fix for issue 1, while 2 pending test result

Comment 8 Endi Sukma Dewata 2016-01-19 22:37:44 UTC

Created attachment 1116404 [details]
pki-core-9.0.3-bz1282977-1.patch

Comment 9 Endi Sukma Dewata 2016-01-19 22:38:17 UTC

Created attachment 1116405 [details]
pki-core-9.0.3-bz1282977-2.patch

Comment 10 Endi Sukma Dewata 2016-01-19 23:03:43 UTC

As discussed over IRC, the "hasChanged" will be true when the key properties are changed in the SizePanel. This will happen in the following cases:
* When the panel is visited for the first time (either using pkisilent or manually), the panel will update the values of the key properties. Some of these properties such as preop.cert.signing.keytype are undefined initially so it will be considered as a change.
* If the user visits the panel again and enters different property values, it will also be considered as a change.
The key property change will trigger the key generation. So now under normal operations the key generation will happen only once, thus removing the duplicate keys.

My tests indicate that the keys are generated as expected with pkisilent and manual operation. The patch was ACKed by Christina and has been split into two separate files as requested.

Comment 12 Scott Poore 2016-01-25 17:09:12 UTC

Verified.

Version ::

pki-ca-9.0.3-46.el6.noarch
ipa-server-3.0.0-50.el6.x86_64


Results ::


################# PKI Server setup on RHEL7.2.z host #####################

See attachment pki_setup.txt for how I setup the server I'm signing the ipa csr with.

389-ds-base-1.3.4.0-21.el7_2.x86_64
pki-ca-10.2.5-6.el7.noarch

####################### First step for external-ca ##########################


[root@rhel6-1 ~]# ipa-server-install -U -a Secret123 -p Secret123 -r EXAMPLE --external-ca

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

The domain name has been determined based on the host name.


The IPA Master Server will be configured with:
Hostname:      rhel6-1.example.com
IP address:    192.168.122.61
Domain name:   example.com
Realm name:    EXAMPLE

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/4]: creating certificate server user
  [2/4]: creating pki-ca instance
  [3/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate

######################## Sign request and export PKI CA cert chain ###########

[root@rhel7-1 pki]# pki cert-request-profile-show caCACert --output testca1.xml
------------------------------------------
Enrollment Template for Profile "caCACert"
------------------------------------------
-----------------------------------------------------
Saved enrollment template for caCACert to testca1.xml
-----------------------------------------------------

[root@rhel7-1 pki]# vim testca1.xml 

# Paste the ipa.csr contents into the cert_request
# set cert_request_type to pkcs10

[root@rhel7-1 pki]# cat testca1.xml 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <ProfileID>caCACert</ProfileID>
    <Renewal>false</Renewal>
    <SerialNumber></SerialNumber>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>certReqInputImpl</ClassID>
        <Name>Certificate Request Input</Name>
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
            <Descriptor>
                <Syntax>cert_request_type</Syntax>
                <Description>Certificate Request Type</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="cert_request">
            <Value>
-----BEGIN CERTIFICATE REQUEST-----
MIICdzCCAV8CAQAwMjEQMA4GA1UEChMHRVhBTVBMRTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0
aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwf4eO9Bn8R1c2aFsInhNYaBt
g1oIOYPSVSNEP4Hv3ye19AlA+HJMbwY/zrJhzYyCqEBxtdtvKh6c/VMj7oB942Z9fHjTAYS4UE3P
U/FyK2tCjz/8jRWjfhuqkMVqTb+neMqcfXuBjk7MqdlbitjYD8Wtin+6UipdAjyeESFVJZSm7ZnV
OmV8UUuAyzdfKZ5Ny1vBlWIa1ax8g5PfAgwwmRzTipqyH5oposDJylg1nMecrWUEXU+2pNaBvn2X
u0xgkLFu7mjMykhlxkVGh3luOV74aS3Ei1RAOAqQv8AyI1cIawDAGEhF09dZOdei4pEvuJhm6iYm
WRfyU8QdrJiOQwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBADFWGoTLxQghqp3Hc5aQOfEIW+F4
3iC4xsRckcwEWo8or51HRE1M9+gf07d1Qk2cLY178ROBqC0BYE4NI0j37BnWzdcoxnTWAxN/oObH
ocqJjNK/DGEcgJx40jP0gOGKIlJoJVg9CPffAGT3eWBramUlfwDeDEo6irRYK84NiNVIJVxYdpJN
MHlYV1jfLRDgtNWxB2/PafHGvWP0mloUSchOS53JB5lrNVNDRteqGVjsfQTeQrap5kRYXHda73Un
2tUD2RWk3OFWENGqxpa4vgQt+i5RYUM3yJGLpbxdaOGWPAHToYIkhNzGR2u8TZEqMx15j0HXYRZv
HXNZRHlcfok=
-----END CERTIFICATE REQUEST-----
            </Value>
            <Descriptor>
                <Syntax>cert_request</Syntax>
                <Description>Certificate Request</Description>
            </Descriptor>
        </Attribute>
    </Input>
    <Input id="i2">
        <ClassID>submitterInfoInputImpl</ClassID>
        <Name>Requestor Information</Name>
        <Attribute name="requestor_name">
            <Value></Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Name</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="requestor_email">
            <Value></Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Email</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="requestor_phone">
            <Value></Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Phone</Description>
            </Descriptor>
        </Attribute>
    </Input>
</CertEnrollmentRequest>

[root@rhel7-1 pki]# pki -c Secret123 -d /root/.dogtag/pki-tomcat/ca/alias/ -n caadmin ca-cert-request-review 7 --action approve

WARNING: UNTRUSTED ISSUER encountered on 'CN=rhel7-1.example.com,O=EXTERNAL' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXTERNAL'
Import CA certificate (Y/n)? y

CA server URI [http://rhel7-1.example.com:8080/ca]: 
------------------------------
Approved certificate request 7
------------------------------
  Request ID: 7
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x6


[root@rhel7-1 pki]# pki ca-cert-show 0x6 --output ipa.crt
-----------------
Certificate "0x6"
-----------------
  Serial Number: 0x6
  Issuer: CN=CA Signing Certificate,O=EXTERNAL
  Subject: CN=Certificate Authority,O=EXAMPLE
  Status: VALID
  Not Before: Mon Jan 25 09:34:06 CST 2016
  Not After: Mon Apr 25 10:04:06 CDT 2016


[root@rhel7-1 pki]# scp ipa.crt root@rhel6-1:/root
The authenticity of host 'rhel6-1 (192.168.122.61)' can't be established.
RSA key fingerprint is a9:fa:80:65:98:ab:ee:5e:d0:67:95:13:0b:41:49:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel6-1,192.168.122.61' (RSA) to the list of known hosts.
root@rhel6-1's password: 
ipa.crt                                                              100% 1308     1.3KB/s   00:00    

###### Exporting PKI CA Cert chain ###########

[root@rhel7-1 pki]# certutil -L -d /root/.dogtag/pki-tomcat/ca/alias/ -n "External CA - EXTERNAL" -a > pki_ca_certs.asc

[root@rhel7-1 pki]# certutil -L -d /root/.dogtag/pki-tomcat/ca/alias/ -n "CA Signing Certificate - EXTERNAL" -a >> pki_ca_certs.asc

[root@rhel7-1 pki]# scp pki_ca_certs.asc root@rhel6-1:/root
root@rhel6-1's password: 
pki_ca_certs.asc                                                     100% 2228     2.2KB/s   00:00    


##################### Finish IPA install ################################

[root@rhel6-1 ~]# ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE --external_cert_file=/root/ipa.crt --external_ca_file=/root/pki_ca_certs.asc 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.


The IPA Master Server will be configured with:
Hostname:      rhel6-1.example.com
IP address:    192.168.122.61
Domain name:   example.com
Realm name:    EXAMPLE

Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
  [3/20]: disabling nonces
  [4/20]: creating CA agent PKCS#12 file in /root
  [5/20]: creating RA agent certificate database
  [6/20]: importing CA chain to RA certificate database
  [7/20]: fixing RA database permissions
  [8/20]: setting up signing cert profile
  [9/20]: set up CRL publishing
  [10/20]: set certificate subject base
  [11/20]: enabling Subject Key Identifier
  [12/20]: setting audit signing renewal to 2 years
  [13/20]: configuring certificate server to start on boot
  [14/20]: restarting certificate server
  [15/20]: requesting RA certificate from CA
  [16/20]: issuing RA agent certificate
  [17/20]: adding RA agent as a trusted user
  [18/20]: configure certificate renewals
  [19/20]: configure Server-Cert certificate renewal
  [20/20]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: restarting directory server
  [22/38]: adding default layout
  [23/38]: adding delegation layout
  [24/38]: adding replication acis
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: Upload CA cert to the directory
  [33/38]: initializing group membership
  [34/38]: adding master entry
  [35/38]: configuring Posix uid/gid generation
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: setting mod_nss port to 443
  [2/14]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.kXrM4p.db
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Comment 13 Scott Poore 2016-01-25 17:10:08 UTC

Created attachment 1118128 [details]
pki server setup for verification

Comment 14 Scott Poore 2016-01-25 20:45:09 UTC

Moving back to ON_QA as I found my verification in comment #12 isn't entirely valid here.

Comment 15 Scott Poore 2016-01-26 01:51:32 UTC

Verification with standalone root PKI server.

Version ::

On RHEL7 PKI server:
pki-ca-10.2.5-6.el7.noarch

On RHEL6 IPA server:
pki-ca-9.0.3-46.el6.noarch
ipa-server-3.0.0-50.el6.x86_64

Results ::


[root@rhel7-2 ~]# setup-ds.pl --silent\
>  General.FullMachineName=`hostname`\
>  General.SuiteSpotUserID=nobody\
>  General.SuiteSpotGroup=nobody\
>  slapd.ServerPort=389\
>  slapd.ServerIdentifier=pki-tomcat\
>  slapd.Suffix=dc=example,dc=com\
>  slapd.RootDN="cn=Directory Manager"\
>  slapd.RootDNPwd=Secret123
Your new DS instance 'pki-tomcat' was successfully created.
Exiting . . .
Log file is '/tmp/setupVAPd1X.log'


[root@rhel7-2 ~]# cat ca.cfg
[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=PKIDOMAIN
pki_token_password=Secret123


[root@rhel7-2 ~]# pkispawn -v -f ca.cfg -s CA
Log file: /var/log/pki/pki-ca-spawn.20160125193537.log
Loading deployment configuration from ca.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
...truncated...
    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      Administrator's certificate nickname:
            caadmin
      Administrator's certificate database:
            /root/.dogtag/pki-tomcat/ca/alias

      To check the status of the subsystem:
            systemctl status pki-tomcatd

      To restart the subsystem:
            systemctl restart pki-tomcatd

      The URL for the subsystem is:
            https://rhel7-2.example.com:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================



[root@rhel7-2 ~]# pki -c Secret123 client-init
------------------
Client initialized
------------------


[root@rhel7-2 ~]# pki -c Secret123 client-cert-import --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password Secret123


[root@rhel7-2 ~]# pki -d ~/.dogtag/pki-tomcat/ca/alias -C ~/.dogtag/pki-tomcat/ca/password.conf -n caadmin cert
WARNING: UNTRUSTED ISSUER encountered on 'CN=rhel7-2.example.com,O=PKIDOMAIN' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=PKIDOMAIN'
Import CA certificate (Y/n)? y
CA server URI [http://rhel7-2.example.com:8080/ca]: 
Commands:
 cert-find               Find certificates
 cert-show               Show certificate
 cert-revoke             Revoke certificate
 cert-hold               Place certificate on-hold
 cert-release-hold       Place certificate off-hold
 cert-request-find       Find certificate requests
 cert-request-show       Show certificate request
 cert-request-submit     Submit certificate request
 cert-request-review     Review certificate request
 cert-request-profile-find List Enrollment templates
 cert-request-profile-show Get Enrollment template


[root@rhel7-2 ~]# pki cert-request-profile-show caCACert --output testca1.xml
------------------------------------------
Enrollment Template for Profile "caCACert"
------------------------------------------
-----------------------------------------------------
Saved enrollment template for caCACert to testca1.xml
-----------------------------------------------------
[root@rhel7-2 ~]# vim testca1.xml 

[root@rhel7-2 ~]# cat testca1.xml 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <ProfileID>caCACert</ProfileID>
    <Renewal>false</Renewal>
    <SerialNumber></SerialNumber>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>certReqInputImpl</ClassID>
        <Name>Certificate Request Input</Name>
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
            <Descriptor>
                <Syntax>cert_request_type</Syntax>
                <Description>Certificate Request Type</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="cert_request">
            <Value>
-----BEGIN CERTIFICATE REQUEST-----
MIICeTCCAWECAQAwNDESMBAGA1UEChMJSVBBRE9NQUlOMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBB
dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC07a/HZi7zu5o8W9dKgsVT
KGzoB2znv63Y4GPHw+1sZZICCAYvD2sTJH1iMlFK5EucE4mVGtkXWD9h4ny0ac0GqzffJn8qy39Q
4/wnXoo8DYXNdNrCU2AUP0hMEz0yParJcvEnFOVzasFkB7HPW26d68xTwWLzzHad3AaYA3E6ZF5d
lbW9MTlkY1HR90i1JN1hY2qWCGnF1/1IQCX4Rn2SoTgjlnFzjP+MNsrvfI6GEgbCFM1qC2Hw8fMJ
5PUVnQhQnt9Q8RWwF6LAZE+xpVusXiVVE3kkqmi5JutFRhYW3B1jWMGb9E4ttgdnJ7iwxESi2GII
ZTJeuB0tDz7nr1sxAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEADiZvzgSmDpIPM9kQPPYE4V8B
TGCsSatCaNjJmMEq2ihoCWpBcbpcQbrW0cdLf0IRXO9fCTNOk2VoDacn2jU2q5IISioutTPUqUfP
4W2apVXCCABpLC2Xtffr4NoLYtb4GJYfj2jrQ5sEpbZribBZL11KxmzE9uXnCMcUYVInXULw0jVJ
NoPcWPmNkDqFSJ+Nw/UvbhBPS6NpM31tsoKQ6iTf12U1lq8F/mrVO2C7eiMlzEpI6D9w9jwYb6MM
s/QdUm/jfBxtikGixYNgfK+J6+KjmQLBNeAtpfUWFWQgagITCOfvRgaoqi/2xCTs8HWRcw9UqJwi
ccxCeEihzs1r4g==
-----END CERTIFICATE REQUEST-----
            </Value>
            <Descriptor>
                <Syntax>cert_request</Syntax>
                <Description>Certificate Request</Description>
            </Descriptor>
        </Attribute>
    </Input>
    <Input id="i2">
        <ClassID>submitterInfoInputImpl</ClassID>
        <Name>Requestor Information</Name>
        <Attribute name="requestor_name">
            <Value></Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Name</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="requestor_email">
            <Value></Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Email</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="requestor_phone">
            <Value></Value>
            <Descriptor>
                <Syntax>string</Syntax>
                <Description>Requestor Phone</Description>
            </Descriptor>
        </Attribute>
    </Input>
</CertEnrollmentRequest>
[root@rhel7-2 ~]# 



[root@rhel7-2 ~]# pki -c Secret123 -d /root/.dogtag/pki-tomcat/ca/alias/ -n caadmin ca-cert-request-submit testca1.xml 
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 7
  Type: enrollment
  Request Status: pending
  Operation Result: success
[root@rhel7-2 ~]# pki -c Secret123 -d /root/.dogtag/pki-tomcat/ca/alias/ -n caadmin ca-cert-request-review 7 --action approve
------------------------------
Approved certificate request 7
------------------------------
  Request ID: 7
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x7
[root@rhel7-2 ~]# pki ca-cert-show 0x7 --output ipa.crt
-----------------
Certificate "0x7"
-----------------
  Serial Number: 0x7
  Issuer: CN=CA Signing Certificate,O=PKIDOMAIN
  Subject: CN=Certificate Authority,O=IPADOMAIN
  Status: VALID
  Not Before: Mon Jan 25 19:38:07 CST 2016
  Not After: Fri Jan 25 19:36:06 CST 2036


[root@rhel7-2 ~]# certutil -d /root/.dogtag/pki-tomcat/ca/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caadmin                                                      u,u,u
CA Signing Certificate - PKIDOMAIN                           CT,c,


[root@rhel7-2 ~]# certutil -d /root/.dogtag/pki-tomcat/ca/alias/ -L -n "CA Signing Certificate - PKIDOMAIN"  -a > pki_ca_certs.asc


[root@rhel7-2 ~]# scp ipa.crt rhel6-2:/root
The authenticity of host 'rhel6-2 (192.168.122.62)' can't be established.
RSA key fingerprint is a9:fa:80:65:98:ab:ee:5e:d0:67:95:13:0b:41:49:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel6-2,192.168.122.62' (RSA) to the list of known hosts.
root@rhel6-2's password: 
ipa.crt                                                                 100% 1314     1.3KB/s   00:00    


[root@rhel7-2 ~]# scp pki_ca_certs.asc rhel6-2:/root
root@rhel6-2's password: 
Permission denied, please try again.
root@rhel6-2's password: 
pki_ca_certs.asc                                                        100% 1313     1.3KB/s   00:00    


[root@rhel6-2 ~]# ipa-server-install -a Secret123 -p Secret123 -r IPADOMAIN --external_cert_file=/root/ipa.crt --external_ca_file=/root/pki_ca_certs.asc

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.


The IPA Master Server will be configured with:
Hostname:      rhel6-2.example.com
IP address:    192.168.122.62
Domain name:   example.com
Realm name:    IPADOMAIN

Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
  [3/20]: disabling nonces
  [4/20]: creating CA agent PKCS#12 file in /root
  [5/20]: creating RA agent certificate database
  [6/20]: importing CA chain to RA certificate database
  [7/20]: fixing RA database permissions
  [8/20]: setting up signing cert profile
  [9/20]: set up CRL publishing
  [10/20]: set certificate subject base
  [11/20]: enabling Subject Key Identifier
  [12/20]: setting audit signing renewal to 2 years
  [13/20]: configuring certificate server to start on boot
  [14/20]: restarting certificate server
  [15/20]: requesting RA certificate from CA
  [16/20]: issuing RA agent certificate
  [17/20]: adding RA agent as a trusted user
  [18/20]: configure certificate renewals
  [19/20]: configure Server-Cert certificate renewal
  [20/20]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: restarting directory server
  [22/38]: adding default layout
  [23/38]: adding delegation layout
  [24/38]: adding replication acis
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: Upload CA cert to the directory
  [33/38]: initializing group membership
  [34/38]: adding master entry
  [35/38]: configuring Posix uid/gid generation
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: setting mod_nss port to 443
  [2/14]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.2FvhUp.db
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Comment 17 errata-xmlrpc 2016-05-11 00:32:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0909.html

Note You need to log in before you can comment on or make changes to this bug.