RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1444432 - CA-less pkinit not installable with --pkinit-cert-file option
Summary: CA-less pkinit not installable with --pkinit-cert-file option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-21 10:26 UTC by Petr Vobornik
Modified: 2017-08-01 09:48 UTC (History)
5 users (show)

Fixed In Version: ipa-4.5.0-14.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:48:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
bz1444432 (9.19 KB, text/plain)
2017-06-07 12:29 UTC, Michal Reznik 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-04-21 10:26:19 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6869

When installing PKINIT cert in CA-less installation and using the `--pkinit-cert-file` option, the installation always fails.

The reason the installation fails is that we require full chain in the `.p12` file that's fed to the above option. The file gets correctly exported to a PEM bundle in '/var/kerberos/krb5kdc/kdc.crt' but it will contain multiple certificates. OpenSSL does not know how to deal with this, it assumes there's only one certificate in the PEM file. If the first certificate is a CA cert, that will cause the installation to crash as it will be unable to test anonymous pkinit.

Indeed, `kinit -n` gives:
```
...
[48537] 1492084647.997132: Preauth module pkinit (147) (info) returned: 0/Success
[48537] 1492084647.997365: PKINIT OpenSSL error: Failed to verify CMS message
[48537] 1492084647.997387: PKINIT OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[48537] 1492084647.997394: PKINIT OpenSSL error: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[48537] 1492084647.997403: PKINIT OpenSSL error: error:2E09809E:CMS routines:CMS_SignerInfo_verify:verification failure
[48537] 1492084647.997427: PKINIT client could not verify DH reply
[48537] 1492084647.997437: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: block type is not 01
kinit: Invalid signature while getting initial credentials
```
Comment 2 Petr Vobornik 2017-04-21 10:26:39 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6869
Comment 3 Martin Bašti 2017-05-19 10:32:49 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/235265a5f5436148dd8d7e63b7e3928689796560
https://pagure.io/freeipa/c/f0442a2d0ed54abe6567fce6d99fd31f7c6c7883
https://pagure.io/freeipa/c/52730c786f6bb11aa7992b11fa0f5c94c90f9eb8
https://pagure.io/freeipa/c/01a7416d305ddb11d5b83c99afbacf8ba854c148
https://pagure.io/freeipa/c/11b8a3434655932fa73f05d4bd864bed0194035c
https://pagure.io/freeipa/c/4d36cbf6ad412822b8fb029f517f9228e2c8d4ee
https://pagure.io/freeipa/c/f769045f0ae9c5fdc651e03c0c96af9cdec8f298
https://pagure.io/freeipa/c/b9fd123d61fa7adda090c05216906ba0cf4779a9
https://pagure.io/freeipa/c/0c5b2c42bf52dc75ecf9d95036ca8517670877d6
https://pagure.io/freeipa/c/cc572378a69a7e4d18b7297b7fa54e2fe8e33b2f
https://pagure.io/freeipa/c/3b5dbf7cdb4c03260057c8f7a2abd5c5712eca41
https://pagure.io/freeipa/c/b3855704f479eaf122139189b762b943b2dcc0fc
https://pagure.io/freeipa/c/9ea764ecf5c3118df0917d94c4940b4ee38b3a31
https://pagure.io/freeipa/c/96ca62f81d3505b050eb9b9d71d4fc4c18e1535e
Comment 4 Martin Bašti 2017-05-19 10:34:33 UTC 
ipa-4-5:
https://pagure.io/freeipa/c/6338dbe47313a70b93bbf53855db451145d24544
https://pagure.io/freeipa/c/749d504f4335c375cf86bf44814177f03be61b52
https://pagure.io/freeipa/c/e68812331526269f3b556c339f65077f649110d3
https://pagure.io/freeipa/c/16b295c5a8580accfbbab016f3cc4eef0a704163
https://pagure.io/freeipa/c/63c4cbd619f81f16e0c08d3786b69d348c9dcfd7
https://pagure.io/freeipa/c/523a82652e2f95704a07ac25cc829a0782b9e22a
https://pagure.io/freeipa/c/b83ebe0e3ff692de37f28834d09a423d04e6ad68
https://pagure.io/freeipa/c/5cf5395eb51ff5ec8164075a5ee573abe76bc15e
https://pagure.io/freeipa/c/e6497f099c09dfa60bd6ae98e4692e99b7381752
https://pagure.io/freeipa/c/bc8deb118dce93fc380793c75090d9108ce61541
https://pagure.io/freeipa/c/cbdf6693cc8707dda9c1db42fb05dc5b1d70b7af
https://pagure.io/freeipa/c/77ef29ef30086c714025d97328507bd51e3f0421
https://pagure.io/freeipa/c/6f900ec60a426a2b97823d4612949a953fa6d49b
https://pagure.io/freeipa/c/e27b3e139ffff16f6e238ef6f9ff7d2ed02492bc
Comment 6 Michal Reznik 2017-06-07 12:29:08 UTC 
Verified on:

ipa-server-4.5.0-14.el7.x86_64
selinux-policy-3.13.1-160.el7.noarch

console logs attached...
Comment 7 Michal Reznik 2017-06-07 12:29:43 UTC 
Created attachment 1285793 [details]
bz1444432
Comment 8 errata-xmlrpc 2017-08-01 09:48:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.