Red Hat Bugzilla – Bug 1360813
ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions
Last modified: 2017-08-01 05:39:54 EDT
Description of problem:
The tool ipa-server-certinstall can be used to install 3rd party certificates for the IPA embedded httpd and ldap service. The usage is outlined on this page (I already filed BZ #1360217 to get a proper description into our IdM guide): https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Here it says:
"""
The certificate in mysite.crt must be signed by a CA known by the service you are loading the certificate into. Or you must include the certificate chain associated with the new certificate.
"""

I recently encountered two issues when a PKCS#12 file is imported which has a new CA certificate chain included, which is not already known to IPA:

1) The certificates from the PKCS#12 file are imported into the NSS DB of the service for which the certificate is for (httpd and/or ldap) and the trust flag is properly set for the new service certificate, but trust flags for the CA certificates which are also part of the PKCS#12 file are not set at all. A manual change using certutil was required.

2) While the CA certificates from the PKCS#12 file are imported into the NSS DB of the http and/or ldap service, they are not imported into the tomcat-pki NSS DB. As a result, tomcat fails to start when the ldap certificate has been replaced and when it's signed by a CA which is not known to IPA. I would expect that ipa-server-certinstall also updates this NSS DB. A manual import of the CA certificates fixed the issue.

I found an old ticket which talks about the same issue and which has been closed as FIXED, but I can still see the issues I outlined above in the latest RHEL-7.2 ipa package: https://fedorahosted.org/freeipa/ticket/3862

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.17

How reproducible:
Create a new CSR for IPA httpd and have it signed by a CA which is not known to IPA. Create a PKCS#12 file with the new certificate/key and add the full CA certificate chain to the PKCS#12 file. Then import the file using ipa-server-certinstall.
The second issue, at least on RHEL 7.3/Fedora, is caused by: bug 1366915 / bug 1349024
Not sure if the root cause is the same for 7.2.

In IPA 4.4 ipa-server-certinstall received the following fixes:
- https://fedorahosted.org/freeipa/ticket/4785
- https://fedorahosted.org/freeipa/ticket/4786
The first part may be handled by first running `ipa-cacert-manage install` utility. This bz should be used for extending `ipa-server-certinstall` to do just that.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6263
> The first part may be handled by first running `ipa-cacert-manage install`
> utility.

The documentation [1] suggests that the tool ipa-server-certinstall takes care of importing CA certificates which are unknown to IPA as long as you provide the full certificate chain in a PKCS#12 file.

[1] https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
"""The certificate in mysite.crt must be signed by a CA known by the service you are loading the certificate into. Or you must include the certificate chain associated with the new certificate."""

> The second issue, at least on RHEL 7.3/Fedora is caused by: bug 1366915 / bug
> 1349024 Not sure if the root cause is the same for 7.2.

This is even a different problem where the SELinux policy prevents the renewal of the CA subsystem certs. The issue I reported in 2) is about the CA certificate (from the PKCS#12 file) import into the Tomcat NSS DB. I do not see how any of the patches you mentioned will fix this issue.
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/0c4a91348a57ee941db94b31f59952eb1fcd4565
Hi Thorsten, thanks for providing the procedure. I updated the upstream wiki with your instructions.
Verified on:
ipa-server-4.5.0-9.el7.x86_64
pki-ca-10.4.1-3.el7.noarch

1. Install ipa-server

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U

2. Try ipa-server-certinstall without known CA

[root@master ~]# ipa-server-certinstall -d -w server.p12
Directory Manager password:
Enter private key unlock password:
Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.

3. Install CA certificate

[root@master ~]# ipa-cacert-manage -p XXX -n ca1 -t C,, install ca1.pem
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@master ~]# kinit admin
Password for admin@TESTRELM.TEST:
[root@master ~]#
[root@master ~]# ipa-certupdate
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json'
Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

4. Install the certificates

[root@master ~]# ipa-server-certinstall -d -w server.p12
Directory Manager password:
Enter private key unlock password:
The ipa-server-certinstall command was successful

5. Restart the services

[root@master ~]# systemctl restart httpd.service
[root@master ~]# systemctl restart dirsrv@TESTRELM-TEST.service
[root@master ~]#

6. Check trust attributes

[root@master ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,
ca1/server                                                   u,u,u
TESTRELM.TEST IPA CA                                         CT,C,C

[root@master ~]# certutil -L -d /etc/dirsrv/slapd-TESTRELM-TEST/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,
ca1/server                                                   u,u,u
TESTRELM.TEST IPA CA                                         CT,C,C

[root@master ~]# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
ca1                                                          C,,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu

[root@master ~]# certutil -L -d /etc/ipa/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,
TESTRELM.TEST IPA CA                                         CT,C,C
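An added example, not part of the bug report, of FreeIPA or of the verifier's session: a Python check that parses `certutil -L` output and flags, per NSS DB, a CA nickname that is either absent or imported without an SSL trust flag of `C` or `T`, which are the two failure modes described in the report. The DB paths and nicknames follow the verification steps above; the listings are constructed, not captured, and the `ca1` CA is deliberately untrusted in one DB and missing from another.

```python
import re

# certutil -L prints a two-line header, a blank line, then one line per
# certificate: "<nickname>  <SSL>,<S/MIME>,<JAR/XPI>"; nicknames may contain spaces.
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

def parse_certutil_listing(text):
    """Map nickname -> SSL trust flags (first field) from `certutil -L -d <db>` output."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line.strip())
        if m:  # header, separator and blank lines do not match
            certs[m.group("nick")] = m.group("trust").split(",")[0]
    return certs

def audit_ca_trust(listings, ca_nicknames):
    """Return {db: {nickname: 'missing' | 'untrusted'}} for every CA nickname that is
    absent from a DB or present without an SSL trust flag of C or T (e.g. ',,')."""
    problems = {}
    for db, text in listings.items():
        certs = parse_certutil_listing(text)
        for nick in ca_nicknames:
            if nick not in certs:
                problems.setdefault(db, {})[nick] = "missing"
            elif not set(certs[nick]) & {"C", "T"}:
                problems.setdefault(db, {})[nick] = "untrusted"
    return problems

# Constructed listings modelled on step 6 above: httpd is correct, the dirsrv DB shows
# issue 1 (CA imported with empty trust flags), pki-tomcat shows issue 2 (CA absent).
HEADER = ("Certificate Nickname                 Trust Attributes\n"
          "                                     SSL,S/MIME,JAR/XPI\n\n")
SAMPLE_LISTINGS = {
    "/etc/httpd/alias": HEADER + "ca1                                  C,,\n"
                                 "ca1/server                           u,u,u\n"
                                 "TESTRELM.TEST IPA CA                 CT,C,C\n",
    "/etc/dirsrv/slapd-TESTRELM-TEST": HEADER + "ca1                                  ,,\n"
                                                "ca1/server                           u,u,u\n"
                                                "TESTRELM.TEST IPA CA                 CT,C,C\n",
    "/etc/pki/pki-tomcat/alias": HEADER + "subsystemCert cert-pki-ca            u,u,u\n"
                                          "Server-Cert cert-pki-ca              u,u,u\n"
                                          "caSigningCert cert-pki-ca            CTu,Cu,Cu\n",
}

if __name__ == "__main__":
    for db, issues in audit_ca_trust(SAMPLE_LISTINGS, ["ca1"]).items():
        for nick, why in issues.items():
            print(f"{db}: {nick} {why}")
```

On a live server the same functions can be fed the output of `certutil -L -d <db>` for each of the four DBs listed in step 6.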
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304