Red Hat Bugzilla – Bug 1427897
different behavior regarding system wide certs in master and replica.
Last modified: 2017-08-01 05:44:33 EDT
Description of problem:
In master, the rights of the file /etc/pki/ca-trust/source/ipa.p11-kit are not impacting the httpd service. In replica, if access rights are not enough (for instance, different from 644), we can see these errors in the httpd logs:

[Tue Feb 28 14:01:31.517307 2017] [:error] [pid 13487] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
[Tue Feb 28 14:01:31.517333 2017] [:error] [pid 13487] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied

And, for instance, the ipa command line will not work, of course.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-14.el7_3.4.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Change access rights of the mentioned file.
2. Restart httpd.
3. Try to use the ipa command line.
I can confirm that this is impacting us also. chmod 644 fixes it, but I'm not sure those are the appropriate permissions for that file....
Upstream ticket: https://pagure.io/freeipa/issue/6132
Ticket 6132 fixed upstream f037bfa48356a5fb28eebdb76f9dbd5cb461c2d2 httpinstance: disable system trust module in /etc/httpd/alias
*** Bug 1448697 has been marked as a duplicate of this bug. ***
Verified on:
ipa-server-4.5.0-9.el7.x86_64
mod_nss-1.0.14-8.el7.x86_64

[root@master ~]# getenforce
Enforcing
[root@replica1 ~]# getenforce
Enforcing

1. Install ipa-server

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U
<snip>
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@master ~]#

2. Check rights of ipa.p11-kit

[root@master ~]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 3541 May 29 10:36 /etc/pki/ca-trust/source/ipa.p11-kit

3. Change rights to 600

[root@master ~]# chmod 600 /etc/pki/ca-trust/source/ipa.p11-kit
[root@master ~]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-------. 1 root root 3541 May 29 10:36 /etc/pki/ca-trust/source/ipa.p11-kit

4. Restart httpd

[root@master ~]# systemctl restart httpd
[root@master ~]#

5. Check if system trust is disabled

[root@master ~]# modutil -dbdir /etc/httpd/alias -list "Root Certs"
-----------------------------------------------------------
Name: Root Certs
Library file: /etc/httpd/alias/libnssckbi.so
Manufacturer: PKCS#11 Kit
Description: PKCS#11 Kit Trust Module
PKCS #11 Version 2.40
Library Version: 0.23
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: /etc/pki/ca-trust/source
  Slot Mechanism Flags: None
  Manufacturer: PKCS#11 Kit
  Type: Software
  Version Number: 0.23
  Firmware Version: 0.0
  Status: DISABLED (user disabled)
  Token Name: System Trust
  Token Manufacturer: PKCS#11 Kit
  Token Model: p11-kit-trust
  Token Serial Number: 1
  Token Version: 0.23
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Public (no login required)
  User Pin: NOT Initialized

  Slot: /usr/share/pki/ca-trust-source
  Slot Mechanism Flags: None
  Manufacturer: PKCS#11 Kit
  Type: Software
  Version Number: 0.23
  Firmware Version: 0.0
  Status: DISABLED (user disabled)
  Token Name: Default Trust
  Token Manufacturer: PKCS#11 Kit
  Token Model: p11-kit-trust
  Token Serial Number: 1
  Token Version: 0.23
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Public (no login required)
  User Pin: NOT Initialized
-----------------------------------------------------------

6. The same on replica

[root@replica1 ~]# ipa-replica-install -U -P admin -w XXX --server master.testrelm.test -n testrelm.test
<snip>
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
[root@replica1 ~]#

[root@replica1 tmp]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 3541 May 29 11:06 /etc/pki/ca-trust/source/ipa.p11-kit
[root@replica1 tmp]# chmod 600 /etc/pki/ca-trust/source/ipa.p11-kit
[root@replica1 tmp]#
[root@replica1 tmp]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-------. 1 root root 3541 May 29 11:06 /etc/pki/ca-trust/source/ipa.p11-kit
[root@replica1 tmp]#
[root@replica1 tmp]# systemctl restart httpd
[root@replica1 tmp]#
[root@replica1 tmp]# modutil -dbdir /etc/httpd/alias -list "Root Certs"
-----------------------------------------------------------
Name: Root Certs
Library file: /etc/httpd/alias/libnssckbi.so
Manufacturer: PKCS#11 Kit
Description: PKCS#11 Kit Trust Module
PKCS #11 Version 2.40
Library Version: 0.23
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: /etc/pki/ca-trust/source
  Slot Mechanism Flags: None
  Manufacturer: PKCS#11 Kit
  Type: Software
  Version Number: 0.23
  Firmware Version: 0.0
  Status: DISABLED (user disabled)
  Token Name: System Trust
  Token Manufacturer: PKCS#11 Kit
  Token Model: p11-kit-trust
  Token Serial Number: 1
  Token Version: 0.23
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Public (no login required)
  User Pin: NOT Initialized

  Slot: /usr/share/pki/ca-trust-source
  Slot Mechanism Flags: None
  Manufacturer: PKCS#11 Kit
  Type: Software
  Version Number: 0.23
  Firmware Version: 0.0
  Status: DISABLED (user disabled)
  Token Name: Default Trust
  Token Manufacturer: PKCS#11 Kit
  Token Model: p11-kit-trust
  Token Serial Number: 1
  Token Version: 0.23
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Public (no login required)
  User Pin: NOT Initialized
-----------------------------------------------------------
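The verification above checks two things by eye: that every slot of the "Root Certs" module in /etc/httpd/alias reports DISABLED, and that ipa.p11-kit is back at mode 644. The script below is an added example, not part of this bug report or of FreeIPA, that automates both checks; the modutil text it parses is a constructed sample shaped like the output in the comment above, and the file-mode check assumes GNU stat.

```shell
#!/bin/sh
# Added example, not from the bug report or FreeIPA: verify the fix from the
# upstream commit (system trust module disabled in /etc/httpd/alias) by
# parsing the output of `modutil -dbdir /etc/httpd/alias -list "Root Certs"`.
# The modutil text below is a constructed sample shaped like the verification
# comment, trimmed to the lines the check needs.
SAMPLE_DISABLED='Name: Root Certs
  Library file: /etc/httpd/alias/libnssckbi.so
  Slot: /etc/pki/ca-trust/source
  Status: DISABLED (user disabled)
  Token Name: System Trust
  Slot: /usr/share/pki/ca-trust-source
  Status: DISABLED (user disabled)
  Token Name: Default Trust'

# Same shape, but one slot still enabled: the state in which httpd would map
# ipa.p11-kit itself and fail with "Permission denied" on a 600 file.
SAMPLE_ENABLED='Name: Root Certs
  Slot: /etc/pki/ca-trust/source
  Status: Enabled
  Slot: /usr/share/pki/ca-trust-source
  Status: DISABLED (user disabled)'

# Succeed (exit 0) only if at least one slot is listed and every slot's
# Status line says DISABLED. $1 is the modutil output text.
root_certs_disabled() {
    total=$(printf '%s\n' "$1" | awk '/^[[:space:]]*Status:/ {n++} END {print n+0}')
    disabled=$(printf '%s\n' "$1" |
        awk '/^[[:space:]]*Status:[[:space:]]*DISABLED/ {n++} END {print n+0}')
    [ "$total" -gt 0 ] && [ "$total" -eq "$disabled" ]
}

# Succeed only if the file has exactly the expected octal mode ($2, e.g. 644).
# Assumes GNU stat (-c %a), as shipped on RHEL 7.
file_mode_is() {
    [ "$(stat -c %a "$1")" = "$2" ]
}

# Live check on an installed server: module disabled AND ipa.p11-kit left at
# 644, so both httpd (via mod_nss) and the ipa CLI keep working.
check_live() {
    out=$(modutil -dbdir /etc/httpd/alias -list "Root Certs" 2>/dev/null) || return 1
    root_certs_disabled "$out" && file_mode_is /etc/pki/ca-trust/source/ipa.p11-kit 644
}

# Stand-alone demonstration against the constructed samples.
if root_certs_disabled "$SAMPLE_DISABLED"; then echo "fixed layout: system trust disabled"; fi
if root_certs_disabled "$SAMPLE_ENABLED"; then :; else echo "pre-fix layout: a slot is still enabled"; fi
```

Run check_live as root on a fixed master or replica; a non-zero exit means either the module is still enabled in /etc/httpd/alias or the file mode has drifted from 644.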
*** Bug 1458453 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304