Bug 1365858 - ipa-ca-install fails on replica when IPA Master is installed without CA
Summary: ipa-ca-install fails on replica when IPA Master is installed without CA
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa   
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
Docs Contact: Aneta Šteflová Petrová
URL:
Whiteboard:
Keywords: ZStream
Duplicates: 1403368
Depends On:
Blocks: 1366991 1358752 1410760
 
Reported: 2016-08-10 11:17 UTC by Abhijeet Kasurde
Modified: 2017-08-01 09:39 UTC
CC: 10 users

Fixed In Version: ipa-4.4.0-14.el7.5
Doc Type: Known Issue
Doc Text:
Using *ipa-ca-install* on an IdM replica fails when the Directory Server is not configured with LDAPS

Installing a certificate authority (CA) using the *ipa-ca-install* utility on an Identity Management (IdM) replica fails when the Directory Server on the replica is not configured with LDAPS (TLS on port 636). The attempt fails with this error:

  [2/30]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpsDHYbO' returned non-zero exit status 1
...

Installing the CA on the replica in this situation is not possible. As a workaround, choose one of these options:

* Install the CA on the master server instead.
* Enable LDAPS on the replica manually before running *ipa-ca-install*.

To manually enable LDAPS on the replica:

1. Export the server certificate from the `/etc/httpd/alias` NSS database:

   $ pk12util -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt -o temp.p12 -n 'ca1/replica'

   Replace `ca1/replica` with the nickname of your certificate.

2. Remove the trust chain from the certificate, because it was already imported:

   a. Extract the private key:

      $ openssl pkcs12 -in temp.p12 -nocerts -nodes -out temp.key

   b. Extract the server certificate:

      $ openssl pkcs12 -in temp.p12 -nokeys -clcerts -out temp.pem

   c. Create a PKCS#12 file without the CA certificate:

      $ openssl pkcs12 -export -in temp.pem -inkey temp.key -out repl.p12 -name 'ca1/replica'

   Replace `ca1/replica` with the nickname of your certificate.

3. Import the created certificate into the Directory Server's NSS database:

   $ pk12util -d /etc/dirsrv/slapd-EXAMPLE-COM -K '' -i repl.p12

4. Remove the temporary certificate files (`temp.key` holds the unencrypted private key, so do not leave it behind):

   $ rm -f temp.p12 temp.key temp.pem repl.p12

5. Create a file, `/tmp/enable_ssl.ldif`, with the following contents:

   dn: cn=encryption,cn=config
   changetype: modify
   replace: nsSSL3
   nsSSL3: off
   -
   replace: nsSSLClientAuth
   nsSSLClientAuth: allowed
   -
   replace: nsSSL3Ciphers
   nsSSL3Ciphers: default

   dn: cn=config
   changetype: modify
   replace: nsslapd-security
   nsslapd-security: on

6. Modify the LDAP configuration to enable SSL:

   $ ldapmodify -H "ldap://localhost" -D "cn=directory manager" -f /tmp/enable_ssl.ldif -w dm_password

   Replace `dm_password` with your Directory Manager password.

7. Create a file, `/tmp/add_rsa.ldif`, with the following contents:

   dn: cn=RSA,cn=encryption,cn=config
   changetype: add
   objectclass: top
   objectclass: nsEncryptionModule
   cn: RSA
   nsSSLPersonalitySSL: ca1/replica
   nsSSLToken: internal (software)
   nsSSLActivation: on

   Replace `ca1/replica` with the nickname of your certificate.

8. Add the entry to LDAP:

   $ ldapadd -H "ldap://localhost" -D "cn=directory manager" -f /tmp/add_rsa.ldif -w dm_password

   Replace `dm_password` with your Directory Manager password.

9. Remove the temporary files:

   $ rm -f /tmp/enable_ssl.ldif /tmp/add_rsa.ldif

10. Restart the Directory Server:

   # systemctl restart dirsrv@EXAMPLE-COM.service

After following these steps, LDAPS is enabled, and you can successfully run *ipa-ca-install* on the replica.
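The ten workaround steps above, collected into one script. This is an added example written for this page, not IPA project code and not part of the Doc Text. The certificate nickname `ca1/replica`, the instance name `EXAMPLE-COM`, the script name `enable_replica_ldaps.sh`, the root-only password file named by `DM_PWFILE` and the CA bundle path `/etc/ipa/ca.crt` are assumptions to adjust for your deployment. Three things differ from the literal Doc Text commands on purpose: the Directory Manager password is passed with `-y pwfile` instead of `-w` so it does not show up in the process list, the import is skipped when the nickname is already in the Directory Server NSS database so the script can be re-run, and a final `ldapsearch` over `ldaps://` confirms the 636 listener actually came up before you go back to *ipa-ca-install*. The pk12util/openssl steps still prompt for the transient PKCS#12 passwords, as the Doc Text commands do.

```sh
#!/bin/sh
# Added example (not IPA project code): enable LDAPS on a CA-less IdM replica's
# Directory Server by reusing the server certificate already installed for httpd,
# following the workaround steps in the Doc Text.
# Assumptions (hypothetical, adjust for your deployment): certificate nickname
# ca1/replica, instance EXAMPLE-COM, Directory Manager password stored in the
# root-only file named by DM_PWFILE, external CA chain in /etc/ipa/ca.crt.
# Run only as root on the replica:  sh enable_replica_ldaps.sh --apply

NICK="${NICK:-ca1/replica}"            # nickname of the server cert in the httpd NSS DB
INSTANCE="${INSTANCE:-EXAMPLE-COM}"    # dirsrv instance: /etc/dirsrv/slapd-$INSTANCE
DM_PWFILE="${DM_PWFILE:-/root/dm_password}"
CA_BUNDLE="${CA_BUNDLE:-/etc/ipa/ca.crt}"
HTTPD_DB=/etc/httpd/alias
DS_DB="/etc/dirsrv/slapd-$INSTANCE"

# Step 5 LDIF: disable SSLv3, allow (not require) client certs, default cipher
# list, then switch security on in cn=config.
build_enable_ssl_ldif() {
    cat <<'EOF'
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: default

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
EOF
}

# Step 7 LDIF: the RSA encryption module that binds DS to the imported nickname.
build_add_rsa_ldif() {
    cat <<EOF
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: $1
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
}

# Steps 1-4: export cert+key from the httpd NSS DB, drop the CA chain (the DS
# NSS DB already trusts it), re-bundle, import into the DS NSS DB.
copy_server_cert() {
    tmp="$(mktemp -d)"
    chmod 700 "$tmp"                   # temp.key is an unencrypted private key
    trap 'rm -rf "$tmp"' EXIT          # step 4: temp files go away on any exit
    pk12util -d "$HTTPD_DB" -k "$HTTPD_DB/pwdfile.txt" -o "$tmp/temp.p12" -n "$NICK"
    openssl pkcs12 -in "$tmp/temp.p12" -nocerts -nodes -out "$tmp/temp.key"
    openssl pkcs12 -in "$tmp/temp.p12" -nokeys -clcerts -out "$tmp/temp.pem"
    openssl pkcs12 -export -in "$tmp/temp.pem" -inkey "$tmp/temp.key" \
        -out "$tmp/repl.p12" -name "$NICK"
    pk12util -d "$DS_DB" -K '' -i "$tmp/repl.p12"
}

main() {
    set -e
    [ -r "$DM_PWFILE" ] || { echo "missing $DM_PWFILE (Directory Manager password)" >&2; exit 1; }
    # re-runnable: skip the import if the nickname is already in the DS NSS DB
    if certutil -L -d "$DS_DB" -n "$NICK" >/dev/null 2>&1; then
        echo "'$NICK' already in $DS_DB, skipping import"
    else
        copy_server_cert
    fi
    # steps 6 and 8; -y keeps the DM password out of the process list, unlike -w
    build_enable_ssl_ldif | ldapmodify -H ldap://localhost -D 'cn=directory manager' -y "$DM_PWFILE"
    build_add_rsa_ldif "$NICK" | ldapadd -H ldap://localhost -D 'cn=directory manager' -y "$DM_PWFILE"
    # step 10
    systemctl restart "dirsrv@$INSTANCE.service"
    # check: the 636 listener must be up and present a chain the CA bundle verifies,
    # otherwise ipa-ca-install will fail in pkispawn exactly as before
    LDAPTLS_CACERT="$CA_BUNDLE" ldapsearch -H "ldaps://$(hostname -f)" -x -s base -b '' namingContexts
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Without `--apply` the script only defines its functions, so it can be sourced to inspect the generated LDIF before touching a live replica. If the final `ldapsearch` fails with a certificate verification error, the chain in `CA_BUNDLE` does not match the issuer of the httpd certificate you exported; fix that before re-running *ipa-ca-install*.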
Story Points: ---
Clone Of:
Clones: 1410760
Environment:
Last Closed: 2017-08-01 09:39:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
console.log (9.85 KB, text/plain), 2016-08-10 11:19 UTC, Abhijeet Kasurde
ipareplica1-pki-ca-spawn.20160810073829.log (30.11 KB, text/plain), 2016-08-10 11:19 UTC, Abhijeet Kasurde
ipareplica1-ipareplica-conncheck.log (10.80 KB, text/plain), 2016-08-10 11:20 UTC, Abhijeet Kasurde
ipareplica1-ipaclient-install.log (82.31 KB, text/plain), 2016-08-10 11:20 UTC, Abhijeet Kasurde
ipareplica1-ipareplica-ca-install.log (18.34 KB, text/plain), 2016-08-10 11:21 UTC, Abhijeet Kasurde
ipareplica1-ipareplica-install.log (3.97 MB, text/plain), 2016-08-10 11:22 UTC, Abhijeet Kasurde
ipamaster1-ipaserver-install.log (2.64 MB, text/plain), 2016-08-10 11:23 UTC, Abhijeet Kasurde
ipamaster1-ipaclient-install.log (65.30 KB, text/plain), 2016-08-10 11:24 UTC, Abhijeet Kasurde


External Trackers
Red Hat Product Errata RHBA-2017:2304 (priority: normal, status: SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2017-08-01 12:41:35 UTC
Red Hat Bugzilla 1358752 (no priority, status or summary recorded; never updated)

Internal Trackers: 1358752

Description Abhijeet Kasurde 2016-08-10 11:17:31 UTC
Description of problem:
Similar to BZ 1358752, when ipa-ca-install is triggered on a replica server that is connected to an IPA master with no CA, ipa-ca-install fails with a pkispawn error.

CA installation on the replica should warn the user about the non-existence of a CA on the IPA master server rather than proceeding with the installation.

[root@ipareplica731301687 ~]# ipa server-role-find
-----------------------
12 server roles matched
-----------------------
  Server name: ipamaster731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: DNS server
  Role status: enabled

  Server name: ipareplica731301687.testrelm.test
  Role name: DNS server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: NTP server
  Role status: enabled

  Server name: ipareplica731301687.testrelm.test
  Role name: NTP server
  Role status: enabled

  Server name: ipamaster731301687.testrelm.test
  Role name: AD trust agent
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: AD trust agent
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: KRA server
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: KRA server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: AD trust controller
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: AD trust controller
  Role status: absent
-----------------------------
Number of entries returned 12
-----------------------------
[root@ipareplica731301687 ~]# ipa-ca-install
Directory Manager (existing master) password:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/30]: creating certificate server user
  [2/30]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpsDHYbO' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-5.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install ipa-server without CA
2. Install ipa replica without CA
3. Trigger IPA CA installation on IPA Replica

Actual results:
ipa-ca-install fails with pkispawn error.

Expected results:
ipa-ca-install should warn the user about the non-existence of a CA on the IPA master server.

Comment 1 Abhijeet Kasurde 2016-08-10 11:19 UTC
Created attachment 1189572 [details]
console.log

Comment 2 Abhijeet Kasurde 2016-08-10 11:19 UTC
Created attachment 1189573 [details]
ipareplica1-pki-ca-spawn.20160810073829.log

Comment 3 Abhijeet Kasurde 2016-08-10 11:20 UTC
Created attachment 1189574 [details]
ipareplica1-ipareplica-conncheck.log

Comment 4 Abhijeet Kasurde 2016-08-10 11:20 UTC
Created attachment 1189576 [details]
ipareplica1-ipaclient-install.log

Comment 5 Abhijeet Kasurde 2016-08-10 11:21 UTC
Created attachment 1189577 [details]
ipareplica1-ipareplica-ca-install.log

Comment 6 Abhijeet Kasurde 2016-08-10 11:22 UTC
Created attachment 1189578 [details]
ipareplica1-ipareplica-install.log

Comment 7 Abhijeet Kasurde 2016-08-10 11:23 UTC
Created attachment 1189579 [details]
ipamaster1-ipaserver-install.log

Comment 8 Abhijeet Kasurde 2016-08-10 11:24 UTC
Created attachment 1189580 [details]
ipamaster1-ipaclient-install.log

Comment 10 Petr Vobornik 2016-08-17 16:53:16 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6226

Comment 12 Petr Vobornik 2016-08-25 16:41:15 UTC
Bug 1358752 might cause failure later if this is fixed.

Comment 15 Jan Cholasta 2016-08-30 06:14:54 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/89de60c5d8ba64d619101a7498b8c4469b6e50ae

Comment 16 Martin Bašti 2016-09-02 07:44:27 UTC
Fix above caused different issues

Reverted:

master:
https://fedorahosted.org/freeipa/changeset/dd02741896844a6e14d60f267d9b1cb27b039241/

Comment 18 Petr Vobornik 2016-09-19 16:47:47 UTC
The patch for this bug was reverted because of bug 1377413

Comment 19 Jan Cholasta 2016-09-20 12:33:03 UTC
Actually the patch was reverted because it caused the installer to crash, unless you hit https://fedorahosted.org/freeipa/ticket/4639 .

Because of bug 1377413 the *new* patch for this bug causes the installer to crash and thus cannot be merged upstream.

Comment 23 Martin Bašti 2017-01-05 09:22:53 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6f7d982fe2e2d2f042e85710b8d8d59167e5796f

Please wait for ipa-4-4 patch

Comment 24 Martin Bašti 2017-01-05 14:10:32 UTC
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/cdb6ffb779b7e1e563494eb3234b2441ba74d692

Comment 26 Petr Vobornik 2017-01-05 15:59:56 UTC
Removing blocking bug 1377413, code path of new fix doesn't trigger the issue.

Comment 28 Petr Vobornik 2017-01-13 17:23:41 UTC
*** Bug 1403368 has been marked as a duplicate of this bug. ***

Comment 30 Michal Reznik 2017-05-17 13:20:21 UTC
Verified on:

ipa-server-4.5.0-9.el7.x86_64
pki-ca-10.4.1-3.el7.noarch

1. Install IPA server 

[root@master ~]# ipa-server-install --ip-address F$(ip addr|grep "global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U --dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin XXX --http-pin XXX --no-pkinit

2. Install CA-less replica 

[root@replica ~]# ipa-client-install -U --domain testrelm.test --realm TESTRELM.TEST -p admin -w XXX --server master.testrelm.test

[root@replica ~]# ipa-replica-install -U --dirsrv-cert-file=./replica.p12 --http-cert-file=./replica.p12 --dirsrv-pin XXX --http-pin XXX -P admin -w XXX --no-pkinit

3. Promote IPA replica from CA-less to CA-full

[root@replica ~]# ipa-ca-install
Directory Manager (existing master) password:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: exporting Dogtag certificate store pin
  [3/29]: stopping certificate server instance to update CS.cfg
  [4/29]: backing up CS.cfg
  [5/29]: disabling nonces
  [6/29]: set up CRL publishing
  [7/29]: enable PKIX certificate path discovery and validation
  [8/29]: starting certificate server instance
  [9/29]: configure certmonger for renewals
  [10/29]: requesting RA certificate from CA
  [11/29]: setting up signing cert profile
  [12/29]: setting audit signing renewal to 2 years
  [13/29]: restarting certificate server
  [14/29]: publishing the CA certificate
  [15/29]: adding RA agent as a trusted user
  [16/29]: authorizing RA to modify profiles
  [17/29]: authorizing RA to manage lightweight CAs
  [18/29]: Ensure lightweight CAs container exists
  [19/29]: configure certificate renewals
  [20/29]: configure Server-Cert certificate renewal
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records

[root@master ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@replica ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

Comment 31 errata-xmlrpc 2017-08-01 09:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

