Bug 1321652 - ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes
Summary: ipa-server-install fails when using external certificates that encapsulate RD...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-28 19:01 UTC by Marco Rhodes
Modified: 2019-10-10 11:41 UTC (History)
4 users (show)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:37:23 UTC
Target Upstream Version:


Attachments (Terms of Use)
Bug 1321652 logs (3.54 KB, text/plain)
2017-06-02 11:55 UTC, Michal Reznik
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Marco Rhodes 2016-03-28 19:01:25 UTC
Description of problem:
A CA-less IPA server installation will fail when using external certificates with UTF8 field values that encapsulate RDN components in double quotes, like this -> 

Subject: C=US, ST=CA, O="EXAMPLE DOT COM", CN=ipa1.example.com

When Apache is configured during installation, this subject is used as the value to the 'NSSNickname' directive in /etc/httpd/conf.d/nss.conf and is written to the file as below -> 

NSSNickname "CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US"

The installer code will encapsulate a value that contains spaces in double quotes as required by mod_nss. The issue here is that the value itself also includes double quotes; this causes Apache to throw an error when it is restarted, and the overall IPA installation fails at this point -> 

[IPA installer log]

2016-03-24T02:41:09Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
2016-03-24T02:41:09Z ERROR Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1

[Apache error log]

[Thu Mar 24 10:00:12.309299 2016] [:error] [pid 21470] Certificate not found: 'CN=ipa1.example.com,O="EXAMPLE DOT COM",ST=CA,C=US'


However, Apache starts up just fine when the value is surrounded by single quotes instead in nss.conf. I confirmed this on ipa-server-4.2.0-15.el7_2.6.x86_64. 

The workaround is a slight modification to the installer script /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py ->

 1. Create a back-up of /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py

 2. Edit installutils.py and look for the following code at line 390 ->

    389  if quotes:
    390      newfile.append('%s%s"%s"\n' % (directive,separator, value))

    [Change line 390 to]:

             newfile.append('%s%s\'%s\'\n' % (directive,separator, value))


This will encapsulate the Subject value with single quotes instead of double-quotes. This change allowed my installation to complete when tested and was also verified by a CU -> 

# diff -u /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py 
--- /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig	2016-03-23 16:44:52.627394610 -0700
+++ /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py	2016-03-24 13:20:34.058402844 -0700
@@ -387,7 +387,7 @@
             valueset = True
             if value is not None:
                 if quotes:
-                    newfile.append('%s%s"%s"\n' % (directive, separator, value))
+                    newfile.append('%s%s\'%s\'\n' % (directive, separator, value))
                 else:
                     newfile.append('%s%s%s\n' % (directive, separator, value))
         else:


With the change, 'NSSNickname' in nss.conf now looks like this post-install -> 

# grep NSSNickname /etc/httpd/conf.d/nss.conf 
NSSNickname 'CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US'

Comment 2 Petr Vobornik 2016-04-13 14:16:53 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5809

Comment 6 Michal Reznik 2017-06-02 11:54:35 UTC
Verified on:
ipa-server-4.5.0-9.el7.x86_64

Please see logs attached.

Comment 7 Michal Reznik 2017-06-02 11:55:57 UTC
Created attachment 1284415 [details]
Bug 1321652 logs

Comment 8 errata-xmlrpc 2017-08-01 09:37:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.