Bug 1427897 - different behavior regarding system wide certs in master and replica.
Summary: different behavior regarding system wide certs in master and replica.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
URL:
Whiteboard:
: 1448697 1458453 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-01 13:25 UTC by German Parente
Modified: 2017-08-01 09:44 UTC (History)
8 users (show)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:44:33 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description German Parente 2017-03-01 13:25:34 UTC
Description of problem:

in master, the rights of the file:

/etc/pki/ca-trust/source/ipa.p11-kit

are not impacting httpd service.

In replica, if access rights are not enough (for instance, different from 644), we can see these errors in httpd logs:


[Tue Feb 28 14:01:31.517307 2017] [:error] [pid 13487] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
[Tue Feb 28 14:01:31.517333 2017] [:error] [pid 13487] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied

And, for instance, ipa command line will not work, of course.

Version-Release number of selected component (if applicable): ipa-server-4.4.0-14.el7_3.4.x86_64



How reproducible: always.


Steps to Reproduce: 

change access rights of the mentioned file + restart httpd + try to use ipa command line.

Comment 3 Michael S. Moody 2017-03-09 04:56:53 UTC
I can confirm that this is impacting us also. chmod 644 fixes it, but I'm not sure those are the appropriate permissions for that file....

Comment 4 Petr Vobornik 2017-03-09 12:03:34 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6132

Comment 5 Petr Vobornik 2017-03-16 16:31:03 UTC
Ticket 6132 fixed upstream

f037bfa48356a5fb28eebdb76f9dbd5cb461c2d2 httpinstance: disable system trust module in /etc/httpd/alias

Comment 7 Petr Vobornik 2017-05-19 11:57:08 UTC
*** Bug 1448697 has been marked as a duplicate of this bug. ***

Comment 8 Michal Reznik 2017-05-29 15:27:15 UTC
Verified on:

ipa-server-4.5.0-9.el7.x86_64
mod_nss-1.0.14-8.el7.x86_64

[root@master ~]# getenforce
Enforcing

[root@replica1 ~]# getenforce
Enforcing

1. Install ipa-server

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U
<snip>
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
 1. You must make sure these network ports are open:
  TCP Ports:
    * 80, 443: HTTP/HTTPS
    * 389, 636: LDAP/LDAPS
    * 88, 464: kerberos
    * 53: bind
  UDP Ports:
    * 88, 464: kerberos
    * 53: bind
    * 123: ntp

 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
    This ticket will allow you to use the IPA tools (e.g., ipa user-add)
    and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@master ~]#

2. Check rights of ipa.p11-kit

[root@master ~]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 3541 May 29 10:36 /etc/pki/ca-trust/source/ipa.p11-kit

3. Change rights to 600

[root@master ~]# chmod 600 /etc/pki/ca-trust/source/ipa.p11-kit

[root@master ~]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-------. 1 root root 3541 May 29 10:36 /etc/pki/ca-trust/source/ipa.p11-kit

4. Restart httpd

[root@master ~]# systemctl restart httpd
[root@master ~]#

5. Check if system trust is disabled

[root@master ~]# modutil -dbdir /etc/httpd/alias -list "Root Certs"

-----------------------------------------------------------
Name: Root Certs
Library file: /etc/httpd/alias/libnssckbi.so
Manufacturer: PKCS#11 Kit                     
Description: PKCS#11 Kit Trust Module        
PKCS #11 Version 2.40
Library Version: 0.23
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: /etc/pki/ca-trust/source
  Slot Mechanism Flags: None
  Manufacturer: PKCS#11 Kit                     
  Type: Software
  Version Number: 0.23
  Firmware Version: 0.0
  Status: DISABLED (user disabled)
  Token Name: System Trust                    
  Token Manufacturer: PKCS#11 Kit                     
  Token Model: p11-kit-trust   
  Token Serial Number: 1               
  Token Version: 0.23
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Public (no login required)
  User Pin: NOT Initialized

  Slot: /usr/share/pki/ca-trust-source
  Slot Mechanism Flags: None
  Manufacturer: PKCS#11 Kit                     
  Type: Software
  Version Number: 0.23
  Firmware Version: 0.0
  Status: DISABLED (user disabled)
  Token Name: Default Trust                   
  Token Manufacturer: PKCS#11 Kit                     
  Token Model: p11-kit-trust   
  Token Serial Number: 1               
  Token Version: 0.23
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Public (no login required)
  User Pin: NOT Initialized

-----------------------------------------------------------

6. The same on replica

[root@replica1 ~]# ipa-replica-install -U -P admin -w XXX --server master.testrelm.test -n testrelm.test
<snip>
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
[root@replica1 ~]#
[root@replica1 tmp]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 3541 May 29 11:06 /etc/pki/ca-trust/source/ipa.p11-kit

[root@replica1 tmp]# chmod 600 /etc/pki/ca-trust/source/ipa.p11-kit
[root@replica1 tmp]#
[root@replica1 tmp]# ll /etc/pki/ca-trust/source/ipa.p11-kit
-rw-------. 1 root root 3541 May 29 11:06 /etc/pki/ca-trust/source/ipa.p11-kit
[root@replica1 tmp]#
[root@replica1 tmp]# systemctl restart httpd
[root@replica1 tmp]#
[root@replica1 tmp]# modutil -dbdir /etc/httpd/alias -list "Root Certs"

-----------------------------------------------------------
Name: Root Certs
Library file: /etc/httpd/alias/libnssckbi.so
Manufacturer: PKCS#11 Kit                     
Description: PKCS#11 Kit Trust Module        
PKCS #11 Version 2.40
Library Version: 0.23
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: /etc/pki/ca-trust/source
  Slot Mechanism Flags: None
  Manufacturer: PKCS#11 Kit                     
  Type: Software
  Version Number: 0.23
  Firmware Version: 0.0
  Status: DISABLED (user disabled)
  Token Name: System Trust                    
  Token Manufacturer: PKCS#11 Kit                     
  Token Model: p11-kit-trust   
  Token Serial Number: 1               
  Token Version: 0.23
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Public (no login required)
  User Pin: NOT Initialized

  Slot: /usr/share/pki/ca-trust-source
  Slot Mechanism Flags: None
  Manufacturer: PKCS#11 Kit                     
  Type: Software
  Version Number: 0.23
  Firmware Version: 0.0
  Status: DISABLED (user disabled)
  Token Name: Default Trust                   
  Token Manufacturer: PKCS#11 Kit                     
  Token Model: p11-kit-trust   
  Token Serial Number: 1               
  Token Version: 0.23
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Public (no login required)
  User Pin: NOT Initialized

-----------------------------------------------------------

Comment 9 Petr Vobornik 2017-07-28 15:38:24 UTC
*** Bug 1458453 has been marked as a duplicate of this bug. ***

Comment 10 errata-xmlrpc 2017-08-01 09:44:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.