Bug 1455945 - Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Abhijeet Kasurde
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-26 13:52 UTC by Petr Vobornik
Modified: 2017-08-01 09:51 UTC

Fixed In Version: ipa-4.5.0-15.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:51:24 UTC
Target Upstream Version:


Attachments
console.log (10.44 KB, text/plain), 2017-06-07 12:11 UTC, Abhijeet Kasurde


Links
Red Hat Product Errata RHBA-2017:2304 (normal, SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-05-26 13:52:40 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6981

FreeIPA 4.5.1 enables OCSP checks in the mod_nss configuration upon install/upgrade in order to improve security in authentication via client certificates (e.g. smart cards).

While this works well when FreeIPA servers manage the DNS infrastructure, it breaks down in the case that DNS is not managed in IPA and ipa-ca records are not added to the DNS servers. This leads to an unresolvable OCSP endpoint (ipa-ca.$DOMAIN), which breaks authentication using client certificates since the certificate validity checks fail during the handshake:

```console
[pid 21751] Bad remote server certificate: -8071
 [Thu May 25 02:44:27.608751 2017] [:error] [pid 21751] SSL Library Error: -8071 The OCSP server experienced an      internal error
 [Thu May 25 02:44:27.608882 2017] [:error] [pid 21751] Re-negotiation handshake failed: Not accepted by client!
```

Since the RA agent authenticates via client certificate when issuing server certs, all operations requesting server certificates (including replica install, see below) fail:

```console
in progress, 2 seconds elapsed
Update in progress, 3 seconds elapsed
Update in progress, 4 seconds elapsed
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Update succeeded
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: 
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [28/40]: adding sasl mappings to the directory
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [29/40]: updating schema
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [30/40]: setting Auto Member configuration
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [31/40]: enabling S4U2Proxy delegation
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [32/40]: initializing group membership
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [33/40]: adding master entry
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [34/40]: initializing domain level
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [35/40]: configuring Posix uid/gid generation
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [36/40]: adding replication acis
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [37/40]: activating sidgen plugin
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [38/40]: activating extdom plugin
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [39/40]: tuning directory server
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [40/40]: configuring directory to start on boot
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring directory server (dirsrv).
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring Kerberos KDC (krb5kdc)
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/5]: configuring KDC
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [2/5]: adding the password extension to the directory
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [3/5]: creating anonymous principal
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [4/5]: starting the KDC
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [5/5]: configuring KDC to start on boot
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring Kerberos KDC (krb5kdc).
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring kadmin
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/2]: starting kadmin 
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [2/2]: configuring kadmin to start on boot
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring kadmin.
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring directory server (dirsrv)
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/3]: configuring TLS for DS instance
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Run /usr/sbin/ipa-server-install --uninstall to clean up.
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: 
ipa: ERROR: Exit code: 1
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <ERROR>: Exit code: 1
```

We need to ensure that OCSP is enabled in an environment that supports the setup, ideally with a manual intervention after making sure ipa-ca records are resolvable.
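
A pre-flight check for exactly this failure mode, added here as example code (not FreeIPA's own): it reads the effective `NSSOCSP` directive from a mod_nss config and verifies that the OCSP responder name ipa-ca.$DOMAIN resolves before the OCSP check is left enabled. The config path, the sample config text and the stand-in resolver are assumptions.

```python
"""Pre-flight check for the bug above: OCSP enabled in mod_nss while the
OCSP responder name (ipa-ca.$DOMAIN) does not resolve in DNS.
Example code, not FreeIPA's own; paths and sample text are assumptions."""
import re
import socket
from typing import Callable, Optional

NSS_CONF = "/etc/httpd/conf.d/nss.conf"  # hypothetical mod_nss config location

# mod_nss turns OCSP checking on with 'NSSOCSP on'; the last directive wins.
_OCSP_RE = re.compile(r"^[ \t]*NSSOCSP[ \t]+(on|off)\b", re.IGNORECASE | re.MULTILINE)


def ocsp_enabled(nss_conf_text: str) -> bool:
    """True when the effective (last) NSSOCSP directive is 'on'."""
    found = _OCSP_RE.findall(nss_conf_text)
    return bool(found) and found[-1].lower() == "on"


def ocsp_responder_name(domain: str) -> str:
    """The name mod_nss must resolve to reach the IPA OCSP responder."""
    return "ipa-ca." + domain.strip(".")


def resolve_or_none(name: str) -> Optional[str]:
    """Default resolver: an IPv4 address, or None when resolution fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def assess(nss_conf_text: str, domain: str,
           resolve: Callable[[str], Optional[str]] = resolve_or_none) -> str:
    """Classify the deployment: 'ocsp-off' (nothing to check), 'ok' (OCSP on
    and the responder resolves) or 'broken' (OCSP on but ipa-ca does not
    resolve, the state that produces the -8071 handshake failures above)."""
    if not ocsp_enabled(nss_conf_text):
        return "ocsp-off"
    return "ok" if resolve(ocsp_responder_name(domain)) else "broken"


if __name__ == "__main__":
    # Constructed sample config: OCSP turned on, as FreeIPA 4.5.1 does on upgrade.
    sample_conf = "NSSEngine on\nNSSOCSP on\n"
    # Stand-in for DNS servers to which no ipa-ca record was ever added.
    no_record = lambda name: None
    print(assess(sample_conf, "example.test", resolve=no_record))  # broken
```

Run with the real config text and resolver (`assess(open(NSS_CONF).read(), domain)`) before enabling OCSP, or as the "manual intervention" step the comment above asks for.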

Comment 2 Petr Vobornik 2017-05-26 13:52:59 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6981

Comment 7 Abhijeet Kasurde 2017-06-07 12:10:31 UTC
Verified using IPA version :: ipa-server-4.5.0-15.el7.x86_64

Marking BZ as verified. See attachment for console.log.

Comment 8 Abhijeet Kasurde 2017-06-07 12:11:23 UTC
Created attachment 1285777 [details]
console.log

Comment 9 errata-xmlrpc 2017-08-01 09:51:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

