1321652 – ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1321652 - ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes

Summary: ipa-server-install fails when using external certificates that encapsulate RD...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Michal Reznik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-03-28 19:01 UTC by Marco Rhodes
Modified:	2020-09-10 09:34 UTC (History)
CC List:	4 users (show)
Fixed In Version:	ipa-4.5.0-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 09:37:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Bug 1321652 logs (3.54 KB, text/plain) 2017-06-02 11:55 UTC, Michal Reznik	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2304	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2017-08-01 12:41:35 UTC

Description Marco Rhodes 2016-03-28 19:01:25 UTC

Description of problem:
A CA-less IPA server installation will fail when using external certificates with UTF8 field values that encapsulate RDN components in double quotes, like this -> 

Subject: C=US, ST=CA, O="EXAMPLE DOT COM", CN=ipa1.example.com

When Apache is configured during installation, this subject is used as the value to the 'NSSNickname' directive in /etc/httpd/conf.d/nss.conf and is written to the file as below -> 

NSSNickname "CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US"

The installer code will encapsulate a value that contains spaces in double quotes as required by mod_nss. The issue here is that the value itself also includes double quotes; this causes Apache to throw an error when it is restarted, and the overall IPA installation fails at this point -> 

[IPA installer log]

2016-03-24T02:41:09Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
2016-03-24T02:41:09Z ERROR Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1

[Apache error log]

[Thu Mar 24 10:00:12.309299 2016] [:error] [pid 21470] Certificate not found: 'CN=ipa1.example.com,O="EXAMPLE DOT COM",ST=CA,C=US'


However, Apache starts up just fine when the value is surrounded by single quotes instead in nss.conf. I confirmed this on ipa-server-4.2.0-15.el7_2.6.x86_64. 

The workaround is a slight modification to the installer script /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py ->

 1. Create a back-up of /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py

 2. Edit installutils.py and look for the following code at line 390 ->

    389  if quotes:
    390      newfile.append('%s%s"%s"\n' % (directive,separator, value))

    [Change line 390 to]:

             newfile.append('%s%s\'%s\'\n' % (directive,separator, value))


This will encapsulate the Subject value with single quotes instead of double-quotes. This change allowed my installation to complete when tested and was also verified by a CU -> 

# diff -u /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py 
--- /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig	2016-03-23 16:44:52.627394610 -0700
+++ /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py	2016-03-24 13:20:34.058402844 -0700
@@ -387,7 +387,7 @@
             valueset = True
             if value is not None:
                 if quotes:
-                    newfile.append('%s%s"%s"\n' % (directive, separator, value))
+                    newfile.append('%s%s\'%s\'\n' % (directive, separator, value))
                 else:
                     newfile.append('%s%s%s\n' % (directive, separator, value))
         else:


With the change, 'NSSNickname' in nss.conf now looks like this post-install -> 

# grep NSSNickname /etc/httpd/conf.d/nss.conf 
NSSNickname 'CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US'

Comment 2 Petr Vobornik 2016-04-13 14:16:53 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5809

Comment 4 Martin Babinsky 2016-10-03 11:43:52 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/4d994bee60560438178ad9f0215f611ca60e32c3
https://fedorahosted.org/freeipa/changeset/ee96384c3ed5d93c8042e05461253e0c2ed5f721
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/a6833222ff797ac615a2a41d4845a32d286e1001
https://fedorahosted.org/freeipa/changeset/aed346a3592beb0be95e7d449b34285252bd449c

Comment 6 Michal Reznik 2017-06-02 11:54:35 UTC

Verified on:
ipa-server-4.5.0-9.el7.x86_64

Please see logs attached.

Comment 7 Michal Reznik 2017-06-02 11:55:57 UTC

Created attachment 1284415 [details]
Bug 1321652 logs

Comment 8 errata-xmlrpc 2017-08-01 09:37:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.