Bug 1444896 - ipa-server-install with external-ca fails in FIPS mode
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Priority: medium
Severity: unspecified
Assigned To: IPA Maintainers
QA Contact: Abhijeet Kasurde
Reported: 2017-04-24 09:58 EDT by Abhijeet Kasurde
Modified: 2017-08-01 05:50 EDT
Fixed In Version: ipa-4.5.0-10.el7
Last Closed: 2017-08-01 05:50:15 EDT
Type: Bug


Attachments
external_ca.sh (1.02 KB, application/x-shellscript) - 2017-04-24 09:58 EDT, Abhijeet Kasurde
nssdb.tar.gz (5.74 KB, application/x-gzip) - 2017-04-25 07:58 EDT, Abhijeet Kasurde
ipa-server-install.log (1.03 MB, text/plain) - 2017-05-03 04:37 EDT, Abhijeet Kasurde
verification_console.log (14.21 KB, text/plain) - 2017-05-04 05:41 EDT, Abhijeet Kasurde

External Trackers
Red Hat Product Errata RHBA-2017:2304 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2017-08-01 08:41:35 EDT
Description Abhijeet Kasurde 2017-04-24 09:58:17 EDT
Created attachment 1273618: external_ca.sh

Description of problem:
IPA server installation fails with following error:

ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    CA certificate CN=PRIMARY,O=TESTRELM.TEST in /root/nssdb/chain.crt is not valid: (SEC_ERROR_BAD_SIGNATURE) Peer's certificate has an invalid signature.
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


Version-Release number of selected component (if applicable):
# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.5.0-7.el7.x86_64
ipa-client-4.5.0-7.el7.x86_64
389-ds-base-1.3.6.1-9.el7.x86_64
pki-ca-10.4.1-2.el7.noarch
krb5-server-1.15.1-7.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run attached script

Actual results:
Installation fails with above error

Expected results:
Same script works fine in non-FIPS mode. Installation in non-FIPS mode with external-ca is successful.
Comment 3 Stanislav Laznicka 2017-04-25 04:14:57 EDT
Seems to me like a bug in the script you shared here; perhaps the CA cert creation and signing is missing some undocumented arguments for FIPS mode. It could also be a bug in NSS, since verification of such created certificate signatures does not fail in a non-FIPS environment.

Either way, changing the component from "ipa" to "nss".
Comment 4 Kai Engert (:kaie) (inactive account) 2017-04-25 07:37:33 EDT
Please attach the involved certificates, so we can have a look, without reproducing your environment.
Comment 5 Abhijeet Kasurde 2017-04-25 07:54:51 EDT
Please find the attachment for certificates created in temp directory by given script.
Comment 6 Abhijeet Kasurde 2017-04-25 07:58 EDT
Created attachment 1273884: nssdb.tar.gz
Comment 7 Kai Engert (:kaie) (inactive account) 2017-04-25 08:29:32 EDT
On first look, I don't see an issue with this certificate. 2048 bit RSA key, signature uses sha256, has basic-constraints extension.

I assume you are running on a system that has FIPS enabled system-wide, correct?

Please clarify: Is this a regression with a new package version, or are you trying this for the first time? (If a regression, please mention the package versions that are working.)
Comment 8 Abhijeet Kasurde 2017-04-25 08:42:31 EDT
(In reply to Kai Engert (:kaie) from comment #7)
> On first look, I don't see an issue with this certificate. 2048 bit RSA key,
> signature uses sha256, has basic-constraints extension.
> 
> I assume you are running on a system that has FIPS enabled system-wide,
> correct?
> 
Yes. Machine is FIPS enabled. 

# cat /proc/sys/crypto/fips_enabled
1

> Please clarify: Is this a regression with new a package version, or, are you
> trying this for the first time? (If regression, please mention the package
> versions that are working.)

I am trying this for the first time. Are there any specific flags or options required to create certificates using certutil in FIPS mode?
Comment 9 Stanislav Laznicka 2017-04-25 08:46:33 EDT
@kai: We're doing this for the first time, it's a part of a RHEL 7.4 feature: https://bugzilla.redhat.com/show_bug.cgi?id=1125174
Comment 10 Kai Engert (:kaie) (inactive account) 2017-04-25 09:09:02 EDT
If you want to speed up analysis, can you find out the exact failing command, including parameters, that is being executed as part of the script?
Comment 11 Stanislav Laznicka 2017-04-25 09:41:54 EDT
The failure happens in the following code:
"""
intended_usage = nss.certificateUsageSSLCA
try:
    approved_usage = cert.verify_now(certdb, True, intended_usage)
"""
where cert is nss.Certificate representing the CA cert that's signing the sub-CA cert.

This is of course python-nss code, but given that that probably won't change between FIPS and non-FIPS, it's more probable that the failure happens in the actual NSS library.
Comment 14 Kai Engert (:kaie) (inactive account) 2017-04-25 10:42:34 EDT
You don't login. You must ensure that you provide the database password and that PK11_Authenticate() succeeds.
Comment 15 Stanislav Laznicka 2017-04-26 02:31:43 EDT
Although I am changing the component back to IPA, you should fix this too since the way you handle errors will open cases against you over and over again and that's just a waste of both sides' time.
Comment 16 Stanislav Laznicka 2017-04-26 02:33:54 EDT
Upstream ticket:
https://pagure.io/freeipa/issue/6897
Comment 17 Martin Bašti 2017-04-28 08:12:01 EDT
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/651d132b701b773b2bbeb41496d6c5ddbf6d19b3
Comment 19 Abhijeet Kasurde 2017-05-03 04:35:39 EDT
Failed to verify the BZ as the following error occurred while installing the IPA server with externally signed certificates:


  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    must be str, unicode, tuple, Name, RDN or DN, got <type 'NoneType'> instead
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


# rpm -qa ipa-server ipa-client 389-ds-base pki-ca krb5-server
pki-ca-10.4.1-2.el7.noarch
389-ds-base-1.3.6.1-9.el7.x86_64
ipa-client-4.5.0-9.el7.x86_64
ipa-server-4.5.0-9.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
# cat /proc/sys/crypto/fips_enabled
1

See attachment for ipa-server-install.log
Comment 20 Abhijeet Kasurde 2017-05-03 04:37 EDT
Created attachment 1275848: ipa-server-install.log
Comment 21 Stanislav Laznicka 2017-05-03 04:41:44 EDT
This was caused by PKINIT fixes applied over fixes in this BZ, adding our tracker.
Comment 24 Abhijeet Kasurde 2017-05-04 05:40:17 EDT
Verified using IPA version: ipa-server-4.5.0-10.el7.x86_64

Marking BZ as verified. See attachment for console.log.
Comment 25 Abhijeet Kasurde 2017-05-04 05:41 EDT
Created attachment 1276208: verification_console.log
Comment 26 errata-xmlrpc 2017-08-01 05:50:15 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304