1321092 – Installers fail when there are multiple versions of the same certificate

Bug 1321092 - Installers fail when there are multiple versions of the same certificate

Summary: Installers fail when there are multiple versions of the same certificate

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Kaleem
Docs Contact:
URL:
Whiteboard:
Keywords:	ZStream
Depends On:
Blocks:	1324060
TreeView+	depends on / blocked

Reported:	2016-03-24 16:08 UTC by Petr Vobornik
Modified:	2016-11-04 05:52 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:
Clones:	1324060 (view as bug list)
Environment:	(edit)
Last Closed:	2016-11-04 05:52:51 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2404	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-03-24 16:08:43 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5720

If there are multiple versions of the same certificate (e.g. before and after renewal) coming from the same or different sources (CA certificates installed in IPA, user-provided certificates, etc.), some installers may fail with NSS error. This has been observed for `ipa-replica-prepare` ([https://www.redhat.com/archives/freeipa-users/2015-April/msg00189.html link]), but other installers are affected as well:
{{{
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
    self.ask_for_options()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
    options.http_cert_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
    host_name=self.replica_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
    nss_cert = x509.load_certificate(cert, x509.DER)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
    return nss.Certificate(buffer(data))

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
}}}

This happens because we sometimes use `certutil -L -n -r` to get a DER-encoded certificate from a NSS database, and when there are multiple versions of that certificate, `certutil` returns the corresponding DER blobs concatenated, which other components are then unable to parse.

Comment 2 Mike McCune 2016-03-28 22:43:24 UTC

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 8 Abhijeet Kasurde 2016-08-04 11:59:29 UTC

Verified using IPA version ::
ipa-server-4.4.0-4.el7.x86_64

Verified using automation.

Comment 10 errata-xmlrpc 2016-11-04 05:52:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.