Bug 1462112 - ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Sudhir Menon
Keywords: Regression, TestBlocker
Depends On:
Blocks:
Reported: 2017-06-16 04:30 EDT by Sudhir Menon
Modified: 2017-08-01 05:51 EDT (History)
CC List: 10 users

See Also:
Fixed In Version: ipa-4.5.0-19.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 05:51:24 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
pki-ca-spawn (141.37 KB, text/plain) - 2017-06-16 05:12 EDT, Sudhir Menon
ipa-server-install log (3.85 MB, text/plain) - 2017-06-16 08:16 EDT, Sudhir Menon
ipa-client-install log (6.35 KB, text/plain) - 2017-06-16 08:17 EDT, Sudhir Menon
dirsrv journalctl logs (107.29 KB, text/x-vhdl) - 2017-06-16 08:18 EDT, Sudhir Menon
pki-ca logs (156.73 KB, text/plain) - 2017-06-16 08:19 EDT, Sudhir Menon
dirsrv error logs (76.23 KB, text/plain) - 2017-06-16 08:20 EDT, Sudhir Menon
Install Log (11.54 KB, text/plain) - 2017-06-22 06:53 EDT, Sudhir Menon


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 08:41:35 EDT

Description Sudhir Menon 2017-06-16 04:30:32 EDT
Description of problem: With FIPS mode enabled, the ipa-server-install command failed with "RuntimeError: CA configuration failed".

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-18.el7.x86_64
sssd-1.15.2-47.el7.x86_64
389-ds-base-1.3.6.1-16.el7.x86_64
pki-server-10.4.1-9.el7.noarch
pki-ca-10.4.1-9.el7.noarch
selinux-policy-3.13.1-162.el7.noarch
samba-4.6.2-6.el7.x86_64
custodia-0.3.1-3.el7.noarch

How reproducible: Always


Steps to Reproduce:
1. Set up FIPS on RHEL 7.4 using the steps below:

# cat /etc/sysconfig/prelink | grep PRELINKING   (must show PRELINKING=no)
# prelink -u -a
# yum install -y dracut-fips
# dracut -f
# df /boot
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/sda1        1038336 194432    843904  19% /boot

# blkid /dev/sda1
/dev/sda1: UUID="a7c8839b-ee02-4a56-a667-c271bcf3c15e" TYPE="xfs"
# vi /etc/default/grub

GRUB_CMDLINE_LINUX="fips=1 boot=UUID=a7c8839b-ee02-4a56-a667-c271bcf3c15e crashkernel=auto rd.lvm.lv=rhel_auto-hv-02-guest02/root rd.lvm.lv=rhel_auto-hv-02-guest02/swap console=ttyS0,115200"

# grub2-mkconfig -o /boot/grub2/grub.cfg
# reboot
# sysctl -a | grep fips_enabled
crypto.fips_enabled = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.ens3.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"

2. The IPA server is installed with multiple --ip-address options plus --no-pkinit and --setup-adtrust:

# ipa-server-install -p **** -a ***** --ip-address=<ip-address1> --ip-address=<ip-address2> -n TEST.QE -r TEST.QE --hostname=authohv02.testqe.test --setup-dns --setup-adtrust --no-pkinit --no-reverse --forwarder=<ip-address> --no-dnssec-validation --netbios-name=TEST -v -U

Actual results: IPA server install fails with the error below.

Installation failed: server failed to restart
2017-06-16T06:43:27Z DEBUG stderr=pkispawn    : ERROR    ....... server failed to restart
2017-06-16T06:43:27Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpIBBIdH' returned non-zero exit status 1
2017-06-16T06:43:27Z CRITICAL See the installation logs and the following files/directories for more information:
2017-06-16T06:43:27Z CRITICAL   /var/log/pki/pki-tomcat
2017-06-16T06:43:27Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-06-16T06:43:27Z DEBUG   [error] RuntimeError: CA configuration failed.
2017-06-16T06:43:27Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 578, in main
    master_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 250, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 802, in install
    ca.install_step_0(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 284, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 447, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2017-06-16T06:43:27Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2017-06-16T06:43:27Z ERROR CA configuration failed.

Expected results: IPA server install should work without any error.

Additional info: Attaching console logs.
Comment 3 Sudhir Menon 2017-06-16 05:12 EDT
Created attachment 1288286 [details]
pki-ca-spawn
Comment 4 Stanislav Laznicka 2017-06-16 05:28:40 EDT
Please provide journal log for pki-tomcatd@pki-tomcat.service. This seems more like a pki-base bug, btw.
Comment 6 Sudhir Menon 2017-06-16 08:16 EDT
Created attachment 1288349 [details]
ipa-server-install log
Comment 7 Sudhir Menon 2017-06-16 08:17 EDT
Created attachment 1288352 [details]
ipa-client-install log
Comment 8 Sudhir Menon 2017-06-16 08:18 EDT
Created attachment 1288353 [details]
dirsrv journalctl logs
Comment 9 Sudhir Menon 2017-06-16 08:19 EDT
Created attachment 1288354 [details]
pki-ca logs
Comment 10 Sudhir Menon 2017-06-16 08:20 EDT
Created attachment 1288355 [details]
dirsrv error logs
Comment 11 Stanislav Laznicka 2017-06-16 09:31:57 EDT
Since the original bug was not reproducible and the nature of it is actually different, I am moving this back to IPA.

The cause of this bug is the use of MD4 in some C code which handles trusts.
Comment 13 thierry bordaz 2017-06-19 08:59:10 EDT
Looking at https://bugzilla.redhat.com/attachment.cgi?id=1288353, it looks like ns-slapd aborts.
Do you know if a core was dumped?
Comment 14 Petr Vobornik 2017-06-20 04:22:19 EDT
Upstream ticket:
https://pagure.io/freeipa/issue/7026
Comment 20 Sudhir Menon 2017-06-22 06:41:46 EDT
Fix is seen. Verified on RHEL 7.4 using:

ipa-server-4.5.0-19.el7.x86_64
389-ds-base-1.3.6.1-16.el7.x86_64
pki-server-10.4.1-10.el7.noarch
pki-ca-10.4.1-10.el7.noarch
selinux-policy-3.13.1-162.el7.noarch
custodia-0.3.1-4.el7.noarch


Attaching the install log for reference.
Comment 21 Sudhir Menon 2017-06-22 06:53 EDT
Created attachment 1290647 [details]
Install Log
Comment 22 errata-xmlrpc 2017-08-01 05:51:24 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
