This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/5720

If there are multiple versions of the same certificate (e.g. before and after renewal) coming from the same or different sources (CA certificates installed in IPA, user-provided certificates, etc.), some installers may fail with an NSS error. This has been observed for `ipa-replica-prepare` ([https://www.redhat.com/archives/freeipa-users/2015-April/msg00189.html link]), but other installers are affected as well:

{{{
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
    self.ask_for_options()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
    options.http_cert_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
    host_name=self.replica_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
    nss_cert = x509.load_certificate(cert, x509.DER)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
    return nss.Certificate(buffer(data))

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
}}}

This happens because we sometimes use `certutil -L -n -r` to get a DER-encoded certificate from an NSS database, and when there are multiple versions of that certificate, `certutil` returns the corresponding DER blobs concatenated, which other components are then unable to parse.
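The concatenation described above can be detected and undone by walking the outer DER SEQUENCE headers. The following is an added example, not FreeIPA's code or the fix shipped for this bug; the function names are hypothetical and the sample blobs are constructed stand-ins, not real certificates.

```python
def der_length(data, offset):
    """Return (header_len, content_len) of the DER SEQUENCE at offset."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header at offset %d" % offset)
    if data[offset] != 0x30:  # a certificate is an outer SEQUENCE
        raise ValueError("expected SEQUENCE tag 0x30 at offset %d" % offset)
    first = data[offset + 1]
    if first < 0x80:          # short form: the length fits in one byte
        return 2, first
    num = first & 0x7F        # long form: next `num` bytes hold the length
    if num == 0 or num > 4:   # 0x80 (indefinite length) is not valid DER
        raise ValueError("unsupported DER length encoding")
    end = offset + 2 + num
    if end > len(data):
        raise ValueError("truncated DER length at offset %d" % offset)
    return 2 + num, int.from_bytes(data[offset + 2:end], "big")


def split_der_blobs(data):
    """Split back-to-back DER SEQUENCEs into a list of single blobs."""
    blobs, offset = [], 0
    while offset < len(data):
        header, content = der_length(data, offset)
        end = offset + header + content
        if end > len(data):
            raise ValueError("blob at offset %d runs past end of input" % offset)
        blobs.append(data[offset:end])
        offset = end
    return blobs


def fake_sequence(payload):
    """Wrap payload in a DER SEQUENCE (constructed test data only)."""
    n = len(payload)
    if n < 0x80:
        return bytes([0x30, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([0x30, 0x80 | size]) + n.to_bytes(size, "big") + payload


# Constructed stand-ins for the "before renewal" and "after renewal" blobs.
OLD = fake_sequence(b"\x02\x01\x01\x04\x03old")
NEW = fake_sequence(b"\x04\x82\x01\x2c" + b"N" * 300)

if __name__ == "__main__":
    parts = split_der_blobs(OLD + NEW)
    print("%d blobs, sizes %s" % (len(parts), [len(p) for p in parts]))
```

A caller that expects exactly one certificate can treat a result with more than one element as the duplicate-nickname condition and handle each blob separately instead of passing the whole buffer to the parser.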
This bug was accidentally moved from POST to MODIFIED via an error in automation. Please see mmccune with any questions.
Verified using IPA version :: ipa-server-4.4.0-4.el7.x86_64 Verified using automation.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html