Bug 1455945 - Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable
Summary: Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Abhijeet Kasurde
URL:
Whiteboard:
Depends On:
Blocks:

Reported: 2017-05-26 13:52 UTC by Petr Vobornik
Modified: 2017-08-01 09:51 UTC (History)
CC List: 6 users

Fixed In Version: ipa-4.5.0-15.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:51:24 UTC
Target Upstream Version:
Embargoed:

Attachments
console.log (10.44 KB, text/plain), 2017-06-07 12:11 UTC, Abhijeet Kasurde

Links
System: Red Hat Product Errata
ID: RHBA-2017:2304
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-05-26 13:52:40 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6981

FreeIPA 4.5.1 enables OCSP checks in the mod_nss configuration upon install/upgrade in order to improve security in authentication via client certificates (e.g. smart cards).

While this works well when FreeIPA servers manage the DNS infrastructure, it breaks down in the case that DNS is not managed in IPA and ipa-ca records are not added to the DNS servers. This leads to an unresolvable OCSP endpoint (ipa-ca.$DOMAIN) that breaks authentication using client certificates, since the certificate validity checks fail during the handshake:

```console
[pid 21751] Bad remote server certificate: -8071
[Thu May 25 02:44:27.608751 2017] [:error] [pid 21751] SSL Library Error: -8071 The OCSP server experienced an internal error
[Thu May 25 02:44:27.608882 2017] [:error] [pid 21751] Re-negotiation handshake failed: Not accepted by client!
```

Since the RA agent authenticates via client certificate when issuing server certs, all operations requesting server certificates (including replica install, see below) fail:

```console
in progress, 2 seconds elapsed
Update in progress, 3 seconds elapsed
Update in progress, 4 seconds elapsed
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Update succeeded
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: 
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [28/40]: adding sasl mappings to the directory
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [29/40]: updating schema
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [30/40]: setting Auto Member configuration
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [31/40]: enabling S4U2Proxy delegation
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [32/40]: initializing group membership
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [33/40]: adding master entry
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [34/40]: initializing domain level
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [35/40]: configuring Posix uid/gid generation
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [36/40]: adding replication acis
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [37/40]: activating sidgen plugin
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [38/40]: activating extdom plugin
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [39/40]: tuning directory server
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [40/40]: configuring directory to start on boot
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring directory server (dirsrv).
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring Kerberos KDC (krb5kdc)
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/5]: configuring KDC
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [2/5]: adding the password extension to the directory
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [3/5]: creating anonymous principal
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [4/5]: starting the KDC
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [5/5]: configuring KDC to start on boot
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring Kerberos KDC (krb5kdc).
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring kadmin
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/2]: starting kadmin 
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [2/2]: configuring kadmin to start on boot
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring kadmin.
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring directory server (dirsrv)
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/3]: configuring TLS for DS instance
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Run /usr/sbin/ipa-server-install --uninstall to clean up.
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: 
ipa: ERROR: Exit code: 1
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <ERROR>: Exit code: 1
```

We need to ensure that OCSP is enabled in an environment that supports the setup, ideally with a manual intervention after making sure ipa-ca records are resolvable.
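The failure chain in the report is a missing precondition: OCSP checking is switched on in mod_nss before anything verifies that the responder name ipa-ca.$DOMAIN actually resolves, so the RA agent's own client-certificate handshake is the first thing to break. The following preflight check is an added example written for this page, not FreeIPA's installer code. It assumes mod_nss's `NSSOCSP on|off` directive in nss.conf, and the resolver is injectable so the sample runs offline with constructed stand-ins for "DNS has an ipa-ca record" and "DNS does not".

```python
"""Preflight check before enabling OCSP in mod_nss.

Added example for this bug report, not FreeIPA code. It mirrors the condition
the report describes: ipa-ca.$DOMAIN must resolve before NSSOCSP is turned on,
otherwise every client-certificate handshake (including the RA agent's) fails
with "The OCSP server experienced an internal error" and issuance breaks.
"""
import re
import socket

OCSP_HOST_PREFIX = "ipa-ca"  # responder hostname used by IPA (from the report)

# Matches an existing mod_nss NSSOCSP directive (assumed directive name),
# capturing its indentation so an in-place rewrite keeps the file layout.
_NSSOCSP_RE = re.compile(r"^([ \t]*)NSSOCSP[ \t]+(on|off)[ \t]*$",
                         re.IGNORECASE | re.MULTILINE)


def ocsp_endpoint_resolvable(domain, resolver=socket.getaddrinfo):
    """Return True if ipa-ca.<domain> resolves to at least one address.

    `resolver` defaults to the real system resolver; callers (and tests) can
    inject a stand-in so the decision logic runs without network access.
    """
    host = "%s.%s" % (OCSP_HOST_PREFIX, domain.rstrip("."))
    try:
        return len(resolver(host, 443)) > 0
    except (socket.gaierror, OSError):
        return False


def set_ocsp_directive(nss_conf, enabled):
    """Return nss.conf text with NSSOCSP set to `on` or `off`.

    Rewrites an existing directive in place (keeping indentation) or appends
    one when the configuration has none.
    """
    value = "on" if enabled else "off"
    if _NSSOCSP_RE.search(nss_conf):
        return _NSSOCSP_RE.sub(lambda m: "%sNSSOCSP %s" % (m.group(1), value),
                               nss_conf)
    sep = "" if (not nss_conf or nss_conf.endswith("\n")) else "\n"
    return nss_conf + sep + "NSSOCSP %s\n" % value


def configure_ocsp(domain, nss_conf, resolver=socket.getaddrinfo):
    """Enable OCSP only when the responder name resolves; otherwise keep it off.

    Returns (new_conf_text, enabled) so the installer can log why OCSP stayed
    disabled instead of silently shipping a configuration that breaks issuance.
    """
    resolvable = ocsp_endpoint_resolvable(domain, resolver)
    return set_ocsp_directive(nss_conf, resolvable), resolvable


# Constructed sample: a minimal nss.conf fragment with OCSP currently enabled.
SAMPLE_NSS_CONF = (
    "<VirtualHost _default_:443>\n"
    "    NSSEngine on\n"
    "    NSSOCSP on\n"
    "    NSSVerifyClient optional\n"
    "</VirtualHost>\n"
)


def _fake_resolver_unresolvable(host, port):
    """Constructed stand-in: DNS without an ipa-ca record (NXDOMAIN)."""
    raise socket.gaierror(-2, "Name or service not known")


def _fake_resolver_ok(host, port):
    """Constructed stand-in: DNS managed by IPA, one address for ipa-ca."""
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port))]


if __name__ == "__main__":
    conf, on = configure_ocsp("example.test", SAMPLE_NSS_CONF,
                              _fake_resolver_unresolvable)
    print("OCSP enabled: %s" % on)
    print(conf)
```

Run against the real resolver (the default), the same function gives an installer the "manual intervention" gate the report asks for: it only flips NSSOCSP on when the ipa-ca name answers, and reports the decision so an administrator who adds the records later knows to re-run the step.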

Comment 2 Petr Vobornik 2017-05-26 13:52:59 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6981

Comment 7 Abhijeet Kasurde 2017-06-07 12:10:31 UTC
Verified using IPA version :: ipa-server-4.5.0-15.el7.x86_64

Marking BZ as verified. See attachment for console.log.

Comment 8 Abhijeet Kasurde 2017-06-07 12:11:23 UTC
Created attachment 1285777 [details]
console.log

Comment 9 errata-xmlrpc 2017-08-01 09:51:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
