Bug 1321652 - ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Michal Reznik
Reported: 2016-03-28 15:01 EDT by Marco Rhodes
Modified: 2017-08-01 05:37 EDT (History)
Fixed In Version: ipa-4.5.0-1.el7
Last Closed: 2017-08-01 05:37:23 EDT
Type: Bug
Attachments (Terms of Use)
Bug 1321652 logs (3.54 KB, text/plain)
2017-06-02 07:55 EDT, Michal Reznik
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 08:41:35 EDT

Description Marco Rhodes 2016-03-28 15:01:25 EDT
Description of problem:
A CA-less IPA server installation will fail when using external certificates with UTF8 field values that encapsulate RDN components in double quotes, like this -> 

Subject: C=US, ST=CA, O="EXAMPLE DOT COM", CN=ipa1.example.com

When Apache is configured during installation, this subject is used as the value to the 'NSSNickname' directive in /etc/httpd/conf.d/nss.conf and is written to the file as below -> 

NSSNickname "CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US"

The installer code will encapsulate a value that contains spaces in double quotes as required by mod_nss. The issue here is that the value itself also includes double quotes; this causes Apache to throw an error when it is restarted, and the overall IPA installation fails at this point -> 

[IPA installer log]

2016-03-24T02:41:09Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
2016-03-24T02:41:09Z ERROR Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1

[Apache error log]

[Thu Mar 24 10:00:12.309299 2016] [:error] [pid 21470] Certificate not found: 'CN=ipa1.example.com,O="EXAMPLE DOT COM",ST=CA,C=US'


However, Apache starts up just fine when the value is surrounded by single quotes instead in nss.conf. I confirmed this on ipa-server-4.2.0-15.el7_2.6.x86_64. 

The workaround is a slight modification to the installer script /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py ->

 1. Create a back-up of /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py

 2. Edit installutils.py and look for the following code at line 390 ->

    389  if quotes:
    390      newfile.append('%s%s"%s"\n' % (directive,separator, value))

    [Change line 390 to]:

             newfile.append('%s%s\'%s\'\n' % (directive,separator, value))


This will encapsulate the Subject value with single quotes instead of double-quotes. This change allowed my installation to complete when tested and was also verified by a CU -> 

# diff -u /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py 
--- /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig	2016-03-23 16:44:52.627394610 -0700
+++ /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py	2016-03-24 13:20:34.058402844 -0700
@@ -387,7 +387,7 @@
             valueset = True
             if value is not None:
                 if quotes:
-                    newfile.append('%s%s"%s"\n' % (directive, separator, value))
+                    newfile.append('%s%s\'%s\'\n' % (directive, separator, value))
                 else:
                     newfile.append('%s%s%s\n' % (directive, separator, value))
         else:
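Review bot: Swapping the hard-coded double quotes for hard-coded single quotes only moves the conflict: the value written into nss.conf still carries the embedded \"...\" sequences, and any nickname that happens to contain a single quote would fail on httpd restart exactly as this one did with double quotes. This branch is also taken for every directive written with quotes=True, not just NSSNickname, so all quoted values change shape. Consider selecting the quote character from what the value actually contains (or escaping the value for the target config syntax) instead of hard-coding either one, and add a regression test using the O="EXAMPLE DOT COM" subject from this report.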


With the change, 'NSSNickname' in nss.conf now looks like this post-install -> 

# grep NSSNickname /etc/httpd/conf.d/nss.conf 
NSSNickname 'CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US'
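The following is an added example, not FreeIPA's own code: it reproduces the pre-fix quoting branch on the nickname from this report, adds a hypothetical quote-selecting writer, and scans a constructed nss.conf excerpt for the line shape that broke the httpd restart. It assumes, as the reporter observed, that mod_nss accepts a single-quoted NSSNickname argument.

```python
import re

# Constructed from the report: the nickname as it is written into nss.conf,
# already carrying backslash-escaped double quotes.
NICKNAME = 'CN=ipa1.example.com,O=\\"EXAMPLE DOT COM\\",ST=CA,C=US'

# Constructed excerpt of an nss.conf for the scanner below.
SAMPLE_CONF = '''# constructed excerpt, not a real file
NSSNickname "Server-Cert"
NSSNickname "CN=ipa1.example.com,O=\\"EXAMPLE DOT COM\\",ST=CA,C=US"
NSSNickname 'CN=ipa1.example.com,O=\\"EXAMPLE DOT COM\\",ST=CA,C=US'
'''


def write_directive_original(directive, value, separator=' ', quotes=True):
    """Mirror of the pre-fix installutils branch: always wrap in double quotes."""
    if quotes:
        return '%s%s"%s"\n' % (directive, separator, value)
    return '%s%s%s\n' % (directive, separator, value)


def has_embedded_double_quote(value):
    """The shape that broke httpd restart here: a '"' inside a double-quoted value."""
    return '"' in value


def write_directive_safe(directive, value, separator=' '):
    """Hypothetical helper: pick the quote character that does not occur in the
    value instead of hard-coding one, and refuse values containing both.
    Assumption: mod_nss accepts single-quoted arguments, as the reporter observed."""
    if '"' not in value:
        quote = '"'
    elif "'" not in value:
        quote = "'"
    else:
        raise ValueError('cannot quote value containing both quote types: %r' % value)
    return '%s%s%s%s%s\n' % (directive, separator, quote, value, quote)


def find_risky_nickname_lines(conf_text):
    """Scan nss.conf text for NSSNickname lines whose double-quoted argument
    contains a further double quote, i.e. lines that would hit this bug."""
    risky = []
    for line in conf_text.splitlines():
        match = re.match(r'\s*NSSNickname\s+"(.*)"\s*$', line)
        if match and has_embedded_double_quote(match.group(1)):
            risky.append(line.strip())
    return risky
```

Running find_risky_nickname_lines over an existing /etc/httpd/conf.d/nss.conf is a quick way to confirm whether a failed restart on an affected version is this bug before patching anything.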
Comment 2 Petr Vobornik 2016-04-13 10:16:53 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5809
Comment 6 Michal Reznik 2017-06-02 07:54:35 EDT
Verified on:
ipa-server-4.5.0-9.el7.x86_64

Please see logs attached.
Comment 7 Michal Reznik 2017-06-02 07:55 EDT
Created attachment 1284415 [details]
Bug 1321652 logs
Comment 8 errata-xmlrpc 2017-08-01 05:37:23 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
