Bug 1360813 - ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions
Summary: ipa-server-certinstall does not update all certificate stores and doesn't set...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
URL:
Whiteboard:
Depends On:
Blocks: 1389348
TreeView+ depends on / blocked
 
Reported: 2016-07-27 14:26 UTC by Thorsten Scherf
Modified: 2019-11-14 08:48 UTC (History)
10 users (show)

Fixed In Version: ipa-4.4.0-13.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1389348 (view as bug list)
Environment:
Last Closed: 2017-08-01 09:39:54 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Thorsten Scherf 2016-07-27 14:26:28 UTC
Description of problem:

The tool ipa-server-certinstall can be used to install 3rd party certificates for the IPA embedded httpd and ldap service. 

The usage is outlined on this page (I already filed BZ #1360217 to get a proper description into our IdM guide):

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Here it says:

"""
The certificate in mysite.crt must be signed by a CA known by the service you are loading the certificate into. Or you must include the certificate chain associated with the new certificate. 
"""

I recently encountered two issues when a PKCS#12 file is imported which has a new CA certificate chain included, which is not already known to IPA:

1) The certificate from the PKCS#12 file are imported into the NSS DB of the service for which the certificate is for (httpd and/or ldap) and the trust flag is properly set for the new service certificate, but trust flags for the CA certificates which are also part of the PKCS#12 file are not set at all. A manual change using certutil was required.  

2) While the CA certificates from the PKCS#12 file are imported into the NSS DB of the http and/or ldap service, they are not imported into the tomcat-pki NSS DB. As a result, tomcat fails to start when the ldap certificate has been replaces and when it's signed by a CA which is not known to IPA. I would expect that ipa-server-certinstall also updates this NSS DB. A manual import of the CA certificates fixed the issue.

I found an old ticket which talks about the same issue and which has been closed as FIXED, but I can still see the issues I outlined above in latest RHEL-7.2 ipa package:
 
https://fedorahosted.org/freeipa/ticket/3862


Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.17

How reproducible:
Create a new CSR for IPA httpd and have it signed by a CA which is not known to IPA. Create a PKCS#12 file with the new certificate/key and add the full CA certificate chain to the PKCS#12 file. Then import the file using ipa-server-certinstall.

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Petr Vobornik 2016-08-26 08:51:34 UTC
The second issue, at least on RHEL 7.3/Fedora is caused by: bug 1366915 / bug 1349024 Not sure if the root cause is the same for 7.2.

In IPA 4.4  ipa-server-certinstall received following fixes:
- https://fedorahosted.org/freeipa/ticket/4785
- https://fedorahosted.org/freeipa/ticket/4786

Comment 2 Petr Vobornik 2016-08-26 11:25:10 UTC
The first part may be handled by first running `ipa-cacert-manage install` utility.

This bz should be used for extending `ipa-server-certinstall` to do just that.

Comment 4 Petr Vobornik 2016-08-26 11:34:16 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6263

Comment 5 Thorsten Scherf 2016-08-26 11:38:29 UTC
>The first part may be handled by first running `ipa-cacert-manage install` >utility.

The documentation [1] suggests that the tool ipa-server-certinstall takes care abour importing CA certificates which are unknown to IPA as long as you provide the full certificate chain in a PKCS#12 file.

[1] https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

"""The certificate in mysite.crt must be signed by a CA known by the service you are loading the certificate into. Or you must include the certificate chain associated with the new certificate."""

>The second issue, at least on RHEL 7.3/Fedora is caused by: bug 1366915 / bug >1349024 Not sure if the root cause is the same for 7.2.

This is even a different problem where the SELinux policy prevents the renewal of the CA subsystem certs. The issue I reported in 2) is about the CA certificate (from the PKCS#12 file) import into the Tomcat NSS DB. I do not see how any of the patches you mentioned, will fix this issue.

Comment 11 Jan Cholasta 2016-09-19 05:56:01 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/0c4a91348a57ee941db94b31f59952eb1fcd4565

Comment 18 Florence Blanc-Renaud 2016-11-16 07:30:22 UTC
Hi Thorsten,
thanks for providing the procedure. I updated the upstream wiki with your instructions.

Comment 22 Michal Reznik 2017-05-17 14:04:24 UTC
Verified on:

ipa-server-4.5.0-9.el7.x86_64
pki-ca-10.4.1-3.el7.noarch


1. Install ipa-server

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U

2. Try ipa-server-certinstall without known CA

[root@master ~]# ipa-server-certinstall -d -w server.p12
Directory Manager password: 

Enter private key unlock password: 

Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.

3. Install CA certificate

[root@master ~]# ipa-cacert-manage -p XXX -n ca1 -t C,, install ca1.pem
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

[root@master ~]# kinit admin
Password for admin@TESTRELM.TEST: 
[root@master ~]#

[root@master ~]# ipa-certupdate
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json'
Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful


4. Install the certificates

[root@master ~]# ipa-server-certinstall -d -w server.p12
Directory Manager password: 

Enter private key unlock password: 

The ipa-server-certinstall command was successful


5. Restart the services

[root@master ~]# systemctl restart httpd.service
[root@master ~]# systemctl restart dirsrv@TESTRELM-TEST.service
[root@master ~]# 


6. Check trust attributes

[root@master ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,  
ca1/server                                              u,u,u
TESTRELM.TEST IPA CA                      CT,C,C

[root@master ~]# certutil -L -d /etc/dirsrv/slapd-TESTRELM-TEST/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,  
ca1/server                                              u,u,u
TESTRELM.TEST IPA CA                      CT,C,C

[root@master ~]# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
ca1                                                                            C,,  
Server-Cert cert-pki-ca                                            u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                      CTu,Cu,Cu

[root@master ~]# certutil -L -d /etc/ipa/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,  
TESTRELM.TEST IPA CA                                         CT,C,C

Comment 23 errata-xmlrpc 2017-08-01 09:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.