Bug 1444432 - CA-less pkinit not installable with --pkinit-cert-file option
Summary: CA-less pkinit not installable with --pkinit-cert-file option
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
Depends On:
TreeView+ depends on / blocked
Reported: 2017-04-21 10:26 UTC by Petr Vobornik
Modified: 2017-08-01 09:48 UTC (History)
5 users (show)

Fixed In Version: ipa-4.5.0-14.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-01 09:48:56 UTC
Target Upstream Version:

Attachments (Terms of Use)
bz1444432 (9.19 KB, text/plain)
2017-06-07 12:29 UTC, Michal Reznik
no flags Details

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-04-21 10:26:19 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6869

When installing PKINIT cert in CA-less installation and using the `--pkinit-cert-file` option, the installation always fails.

The reason the installation fails is that we require full chain in the `.p12` file that's fed to the above option. The file gets correctly exported to a PEM bundle in '/var/kerberos/krb5kdc/kdc.crt' but it will contain multiple certificates. OpenSSL does not know how to deal with this, it assumes there's only one certificate in the PEM file. If the first certificate is a CA cert, that will cause the installation to crash as it will be unable to test anonymous pkinit.

Indeed, `kinit -n` gives:
[48537] 1492084647.997132: Preauth module pkinit (147) (info) returned: 0/Success
[48537] 1492084647.997365: PKINIT OpenSSL error: Failed to verify CMS message
[48537] 1492084647.997387: PKINIT OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[48537] 1492084647.997394: PKINIT OpenSSL error: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[48537] 1492084647.997403: PKINIT OpenSSL error: error:2E09809E:CMS routines:CMS_SignerInfo_verify:verification failure
[48537] 1492084647.997427: PKINIT client could not verify DH reply
[48537] 1492084647.997437: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: block type is not 01
kinit: Invalid signature while getting initial credentials

Comment 2 Petr Vobornik 2017-04-21 10:26:39 UTC
Upstream ticket:

Comment 6 Michal Reznik 2017-06-07 12:29:08 UTC
Verified on:


console logs attached...

Comment 7 Michal Reznik 2017-06-07 12:29:43 UTC
Created attachment 1285793 [details]

Comment 8 errata-xmlrpc 2017-08-01 09:48:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.