Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1455945

Summary: Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Abhijeet Kasurde <akasurde>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: akasurde, ksiddiqu, mbabinsk, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-15.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:51:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
console.log none

Description Petr Vobornik 2017-05-26 13:52:40 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6981

FreeIPA 4.5.1 enables OCSP checks in mod_nss configuration upon install/upgrade in order to improve security in authentication via client certificates ( e.g. smart cards).

While this works well when FreeIPA servers manage DNS infrastructure, it breaks down in the case that DNS is not managed in IPA and ipa-ca records are not added to the DNS servers. This leads to unresolvable OCSP endpoint (ipa-ca.$DOMAIN) that breaks authentication using client certificates since the certificate validity checks fail during handshake:

```console
[pid 21751] Bad remote server certificate: -8071
 [Thu May 25 02:44:27.608751 2017] [:error] [pid 21751] SSL Library Error: -8071 The OCSP server experienced an      internal error
 [Thu May 25 02:44:27.608882 2017] [:error] [pid 21751] Re-negotiation handshake failed: Not accepted by client!
```

Since the RA agent authenticates via client certificate when issuing server certs, all operations requesting server certificates (including replica install, see below) fail:

```console
in progress, 2 seconds elapsed
Update in progress, 3 seconds elapsed
Update in progress, 4 seconds elapsed
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Update succeeded
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: 
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [28/40]: adding sasl mappings to the directory
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [29/40]: updating schema
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [30/40]: setting Auto Member configuration
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [31/40]: enabling S4U2Proxy delegation
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [32/40]: initializing group membership
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [33/40]: adding master entry
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [34/40]: initializing domain level
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [35/40]: configuring Posix uid/gid generation
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [36/40]: adding replication acis
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [37/40]: activating sidgen plugin
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [38/40]: activating extdom plugin
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [39/40]: tuning directory server
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [40/40]: configuring directory to start on boot
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring directory server (dirsrv).
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring Kerberos KDC (krb5kdc)
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/5]: configuring KDC
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [2/5]: adding the password extension to the directory
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [3/5]: creating anonymous principal
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [4/5]: starting the KDC
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [5/5]: configuring KDC to start on boot
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring Kerberos KDC (krb5kdc).
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring kadmin
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/2]: starting kadmin 
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [2/2]: configuring kadmin to start on boot
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring kadmin.
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring directory server (dirsrv)
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/3]: configuring TLS for DS instance
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Run /usr/sbin/ipa-server-install --uninstall to clean up.
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: 
ipa: ERROR: Exit code: 1
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <ERROR>: Exit code: 1
```

We need to ensure that OCSP is enabled in an environment that supports the setup, ideally with a manual intervention after making sure ipa-ca records are resolvable.

Comment 2 Petr Vobornik 2017-05-26 13:52:59 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6981

Comment 7 Abhijeet Kasurde 2017-06-07 12:10:31 UTC
Verified using IPA version :: ipa-server-4.5.0-15.el7.x86_64

Marking BZ as verified. See attachment for console.log.

Comment 8 Abhijeet Kasurde 2017-06-07 12:11:23 UTC
Created attachment 1285777 [details]
console.log

Comment 9 errata-xmlrpc 2017-08-01 09:51:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304