Bug 1444896 - ipa-server-install with external-ca fails in FIPS mode
Summary: ipa-server-install with external-ca fails in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Abhijeet Kasurde
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-04-24 13:58 UTC by Abhijeet Kasurde
Modified: 2017-08-01 09:50 UTC (History)

Fixed In Version: ipa-4.5.0-10.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:50:15 UTC
Target Upstream Version:


Attachments
external_ca.sh (1.02 KB, application/x-shellscript), 2017-04-24 13:58 UTC, Abhijeet Kasurde
nssdb.tar.gz (5.74 KB, application/x-gzip), 2017-04-25 11:58 UTC, Abhijeet Kasurde
ipa-server-install.log (1.03 MB, text/plain), 2017-05-03 08:37 UTC, Abhijeet Kasurde
verification_console.log (14.21 KB, text/plain), 2017-05-04 09:41 UTC, Abhijeet Kasurde


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Abhijeet Kasurde 2017-04-24 13:58:17 UTC
Created attachment 1273618 [details]
external_ca.sh

Description of problem:
IPA server installation fails with the following error:

ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    CA certificate CN=PRIMARY,O=TESTRELM.TEST in /root/nssdb/chain.crt is not valid: (SEC_ERROR_BAD_SIGNATURE) Peer's certificate has an invalid signature.
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


Version-Release number of selected component (if applicable):
# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.5.0-7.el7.x86_64
ipa-client-4.5.0-7.el7.x86_64
389-ds-base-1.3.6.1-9.el7.x86_64
pki-ca-10.4.1-2.el7.noarch
krb5-server-1.15.1-7.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run attached script

Actual results:
Installation fails with above error

Expected results:
Same script works fine in non-FIPS mode. Installation in non-FIPS mode with external-ca is successful.

Comment 3 Standa Laznicka 2017-04-25 08:14:57 UTC
Seems to me like a bug in my script you shared here, perhaps the CA cert creation and signing is missing some undocumented arguments for FIPS mode. It could also be a bug in NSS since verification of such created certificate signatures does not fail in a non-FIPS environment.

Either way, changing the component from "ipa" to "nss".

Comment 4 Kai Engert (:kaie) (inactive account) 2017-04-25 11:37:33 UTC
Please attach the involved certificates, so we can have a look, without reproducing your environment.

Comment 5 Abhijeet Kasurde 2017-04-25 11:54:51 UTC
Please find the attachment for certificates created in temp directory by given script.

Comment 6 Abhijeet Kasurde 2017-04-25 11:58:08 UTC
Created attachment 1273884 [details]
nssdb.tar.gz

Comment 7 Kai Engert (:kaie) (inactive account) 2017-04-25 12:29:32 UTC
On first look, I don't see an issue with this certificate. 2048 bit RSA key, signature uses sha256, has basic-constraints extension.

I assume you are running on a system that has FIPS enabled system-wide, correct?

Please clarify: Is this a regression with a new package version, or are you trying this for the first time? (If regression, please mention the package versions that are working.)

Comment 8 Abhijeet Kasurde 2017-04-25 12:42:31 UTC
(In reply to Kai Engert (:kaie) from comment #7)
> On first look, I don't see an issue with this certificate. 2048 bit RSA key,
> signature uses sha256, has basic-constraints extension.
> 
> I assume you are running on a system that has FIPS enabled system-wide,
> correct?
> 
Yes. Machine is FIPS enabled. 

# cat /proc/sys/crypto/fips_enabled
1

> Please clarify: Is this a regression with new a package version, or, are you
> trying this for the first time? (If regression, please mention the package
> versions that are working.)

I am trying this for the first time. Are there any specific flags or options required to create a certificate using certutil in FIPS mode?

Comment 9 Standa Laznicka 2017-04-25 12:46:33 UTC
@kai: We're doing this for the first time, it's a part of a RHEL 7.4 feature: https://bugzilla.redhat.com/show_bug.cgi?id=1125174

Comment 10 Kai Engert (:kaie) (inactive account) 2017-04-25 13:09:02 UTC
If you want to speed up analysis, can you find out the exact failing command, including parameters, that is being executed as part of the script?

Comment 11 Standa Laznicka 2017-04-25 13:41:54 UTC
The failure happens in the following code:
"""
intended_usage = nss.certificateUsageSSLCA
try:
    approved_usage = cert.verify_now(certdb, True, intended_usage)
"""
where cert is nss.Certificate representing the CA cert that's signing the sub-CA cert.

This is of course python-nss code, but given that that probably won't change between FIPS and non-FIPS, it's more probable that the failure will happen in the actual nss library.

Comment 14 Kai Engert (:kaie) (inactive account) 2017-04-25 14:42:34 UTC
You don't login. You must ensure that you provide the database password and that PK11_Authenticate() succeeds.
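The check behind the previous two comments, as an added example that is not part of the bug report or of FreeIPA's code: verifying the external CA certificate in the NSS database with certutil after supplying the database password, so the FIPS-mode softoken is logged in before the signature is checked. The database directory and nickname follow the report; the password file path and the sysctl-path parameter are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the bug report or FreeIPA. Requires certutil (nss-tools).

# Report whether the kernel is in FIPS mode. The sysctl path is a parameter
# (an assumption of this example) so the check can be run against a constructed file.
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Verify that NICK in DBDIR is valid for the SSL CA usage (-u L) with its
# signature actually checked (-e). In FIPS mode the softoken refuses to operate
# before login, so the database password must be supplied (-f PWFILE); in the
# report the missing login surfaced as SEC_ERROR_BAD_SIGNATURE rather than as
# an authentication error, which is why it looked like a bad certificate.
verify_ca_cert() {
    dbdir="$1"; nick="$2"; pwfile="$3"
    command -v certutil >/dev/null 2>&1 || { echo "certutil (nss-tools) missing" >&2; return 2; }
    if fips_enabled && [ ! -r "$pwfile" ]; then
        echo "FIPS mode: NSS database password file required for verification" >&2
        return 3
    fi
    if [ -n "$pwfile" ]; then
        certutil -V -d "$dbdir" -n "$nick" -u L -e -f "$pwfile"
    else
        certutil -V -d "$dbdir" -n "$nick" -u L -e
    fi
}

# Usage with the values from the report (password file path is an assumption):
#   verify_ca_cert /root/nssdb PRIMARY /root/nssdb/pwdfile.txt
```

A non-zero exit from certutil prints the NSS error text, so a genuine signature problem and a missing login can be told apart by re-running with and without -f.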

Comment 15 Standa Laznicka 2017-04-26 06:31:43 UTC
Although I am changing the component back to IPA, you should fix this too since the way you handle errors will open cases against you over and over again and that's just a waste of both sides' time.

Comment 16 Standa Laznicka 2017-04-26 06:33:54 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6897

Comment 17 Martin Bašti 2017-04-28 12:12:01 UTC
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/651d132b701b773b2bbeb41496d6c5ddbf6d19b3

Comment 19 Abhijeet Kasurde 2017-05-03 08:35:39 UTC
Failed to verify the BZ, as the following error occurred while installing the IPA server with externally signed certificates:


  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    must be str, unicode, tuple, Name, RDN or DN, got <type 'NoneType'> instead
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


# rpm -qa ipa-server ipa-client 389-ds-base pki-ca krb5-server
pki-ca-10.4.1-2.el7.noarch
389-ds-base-1.3.6.1-9.el7.x86_64
ipa-client-4.5.0-9.el7.x86_64
ipa-server-4.5.0-9.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
# cat /proc/sys/crypto/fips_enabled
1

See attachment for ipa-server-install.log

Comment 20 Abhijeet Kasurde 2017-05-03 08:37:50 UTC
Created attachment 1275848 [details]
ipa-server-install.log

Comment 21 Standa Laznicka 2017-05-03 08:41:44 UTC
This was caused by PKINIT fixes applied over fixes in this BZ, adding our tracker.

Comment 24 Abhijeet Kasurde 2017-05-04 09:40:17 UTC
Verified using IPA version: ipa-server-4.5.0-10.el7.x86_64

Marking BZ as verified. See attachment for console.log.

Comment 25 Abhijeet Kasurde 2017-05-04 09:41:29 UTC
Created attachment 1276208 [details]
verification_console.log

Comment 26 errata-xmlrpc 2017-08-01 09:50:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
