Bug 1480976 - 389-DS: With SSL in Console enabled, cannot manage certificates
Status: NEW
Product: Fedora
Classification: Fedora
Component: 389-ds-console
Version: 26
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Assigned To: Rich Megginson
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-08-13 06:35 EDT by Richard Chan
Modified: 2017-08-14 05:12 EDT
Type: Bug


Attachments
Error message from Manage Certificates (196.17 KB, image/png) - 2017-08-13 06:35 EDT, Richard Chan
Failed when clicking Manage Certificates (2.46 KB, text/plain) - 2017-08-13 12:31 EDT, Richard Chan
Use SSL in Console off, can Manage Certificates (2.16 KB, text/plain) - 2017-08-13 12:33 EDT, Richard Chan

Description Richard Chan 2017-08-13 06:35:15 EDT
Created attachment 1312637: Error message from Manage Certificates

Description of problem:
When "Use SSL in Console" is enabled for Directory Server, clicking on Tasks->Manage Certificates shows:

Could not open file (null). File does not exist or filename is invalid. A filename that exists in the server security directory must be specified. Absolute or relative paths should not be specified.

Version-Release number of selected component (if applicable):
389-ds-base-libs-1.3.6.6-2.fc26.x86_64
389-ds-console-1.2.16-2.fc26.noarch
389-ds-1.2.2-9.fc26.noarch
389-admin-console-1.1.12-2.fc26.noarch
389-dsgw-1.1.11-11.fc26.x86_64
389-admin-1.1.46-1.fc26.1.x86_64
389-admin-console-doc-1.1.12-2.fc26.noarch
389-adminutil-1.1.23-2.fc26.x86_64
389-console-1.1.18-2.fc26.noarch
389-ds-base-1.3.6.6-2.fc26.x86_64
389-ds-console-doc-1.2.16-2.fc26.noarch


How reproducible:
Always


Steps to Reproduce:
1. Create a single Directory Server with setup-ds-admin.pl. No replication, only one user DIT
2. "Enable SSL for this Server" on Directory Server. Confirm that ldaps works. Confirm that Task->Manage Certificates works
3. Check "Use SSL in Console"
4. Try Tasks -> Manage Certificates. Fails with "An error has occurred"


Actual results:
Error dialog box

Expected results:
Manage Certificates dialog box

Additional info:
Comment 1 Richard Chan 2017-08-13 06:39:24 EDT
There are no error logs related to the file access.
Comment 2 Richard Chan 2017-08-13 12:31 EDT
Created attachment 1312758: Failed when clicking Manage Certificates

389-console log
Comment 3 Richard Chan 2017-08-13 12:33 EDT
Created attachment 1312761: Use SSL in Console off, can Manage Certificates
Comment 4 Richard Chan 2017-08-13 21:09:04 EDT
The POSTS (Use SSL in Console on/off) are identical:

sie=slapd-example&formop=TOKEN_INFO

With Use SSL in Console checked: the reply
Content-type: text/html

NMC_Status: 1
NMC_ErrType: 
NMC_ErrInfo: An error has occured.
NMC_ErrDetail: Could not open file (null).  File does not exist or filename is invalid.  A filename that exists in the server security directory must be specified.  Absolute or relative paths should not be specified.

With SSL in Console unchecked: the reply
<TOKENINFO>
	<NSS Generic Crypto Services>
		<MODULE>NSS Internal PKCS #11 Module</MODULE>
		<INTERNAL>TRUE</INTERNAL>
		<HARDWARE>FALSE</HARDWARE>
		<READONLY>TRUE</READONLY>
		<NEED_LOGIN>FALSE</NEED_LOGIN>
		<FRIENDLY>TRUE</FRIENDLY>
		<NEED_USER_INIT>TRUE</NEED_USER_INIT>
	</NSS Generic Crypto Services>
	<internal (software)>
		<MODULE>NSS Internal PKCS #11 Module</MODULE>
		<INTERNAL>TRUE</INTERNAL>
		<HARDWARE>FALSE</HARDWARE>
		<READONLY>FALSE</READONLY>
		<NEED_LOGIN>TRUE</NEED_LOGIN>
		<FRIENDLY>TRUE</FRIENDLY>
		<NEED_USER_INIT>FALSE</NEED_USER_INIT>
	</internal (software)>
</TOKENINFO>
Content-type: text/html

NMC_Status: 0
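The on/off comparison in this comment was done by eye. As an added example (not part of the bug report and not code from the 389 project), the Python below parses the admin server's reply in both shapes shown above: the NMC_* status headers and the TOKENINFO pseudo-XML, whose token names contain spaces and parentheses and therefore cannot be handed to a real XML parser. Each reply is reduced to a status, an error detail and the per-token flags so that the two can be compared in a script. The two sample replies are copied from the comment (indentation is tabs in the real reply; the parser strips either); function names such as classify_reply are my own.

```python
import re

# Replies copied from Comment 4 of the bug report: the first with
# "Use SSL in Console" checked, the second with it unchecked.
ERROR_REPLY = """\
Content-type: text/html

NMC_Status: 1
NMC_ErrType:
NMC_ErrInfo: An error has occured.
NMC_ErrDetail: Could not open file (null).  File does not exist or filename is invalid.  A filename that exists in the server security directory must be specified.  Absolute or relative paths should not be specified.
"""

OK_REPLY = """\
<TOKENINFO>
    <NSS Generic Crypto Services>
        <MODULE>NSS Internal PKCS #11 Module</MODULE>
        <INTERNAL>TRUE</INTERNAL>
        <HARDWARE>FALSE</HARDWARE>
        <READONLY>TRUE</READONLY>
        <NEED_LOGIN>FALSE</NEED_LOGIN>
        <FRIENDLY>TRUE</FRIENDLY>
        <NEED_USER_INIT>TRUE</NEED_USER_INIT>
    </NSS Generic Crypto Services>
    <internal (software)>
        <MODULE>NSS Internal PKCS #11 Module</MODULE>
        <INTERNAL>TRUE</INTERNAL>
        <HARDWARE>FALSE</HARDWARE>
        <READONLY>FALSE</READONLY>
        <NEED_LOGIN>TRUE</NEED_LOGIN>
        <FRIENDLY>TRUE</FRIENDLY>
        <NEED_USER_INIT>FALSE</NEED_USER_INIT>
    </internal (software)>
</TOKENINFO>
Content-type: text/html

NMC_Status: 0
"""

NMC_RE = re.compile(r"^(NMC_\w+):\s*(.*)$")        # NMC_Status: 1
OPEN_RE = re.compile(r"^<([^<>/]+)>$")              # <internal (software)>
CLOSE_RE = re.compile(r"^</([^<>/]+)>$")            # </internal (software)>
FIELD_RE = re.compile(r"^<([A-Z_]+)>(.*)</\1>$")    # <NEED_LOGIN>TRUE</NEED_LOGIN>


def parse_nmc_headers(reply):
    """Collect the NMC_* lines the admin server CGI appends to every reply."""
    headers = {}
    for line in reply.splitlines():
        m = NMC_RE.match(line.strip())
        if m:
            headers[m.group(1)] = m.group(2).strip()
    return headers


def parse_tokeninfo(reply):
    """Map token name -> {field: value}; TRUE/FALSE become Python booleans."""
    tokens = {}
    current = None
    for raw in reply.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m and current is not None:
            value = m.group(2)
            tokens[current][m.group(1)] = {"TRUE": True, "FALSE": False}.get(value, value)
            continue
        m = OPEN_RE.match(line)
        if m and m.group(1) != "TOKENINFO":   # outer wrapper is not a token
            current = m.group(1)
            tokens[current] = {}
            continue
        if CLOSE_RE.match(line):
            current = None
    return tokens


def classify_reply(reply):
    """Return {"status", "tokens", "error"}; a non-zero NMC_Status is a failure."""
    headers = parse_nmc_headers(reply)
    status = int(headers.get("NMC_Status", "-1"))
    if status != 0:
        return {"status": status, "tokens": {},
                "error": headers.get("NMC_ErrDetail") or headers.get("NMC_ErrInfo")}
    return {"status": status, "tokens": parse_tokeninfo(reply), "error": None}


def tokens_needing_login(tokens):
    """Names of tokens whose NEED_LOGIN flag is set (the ones a PIN unlocks)."""
    return [name for name, flags in tokens.items() if flags.get("NEED_LOGIN") is True]


if __name__ == "__main__":
    for label, reply in (("SSL in Console on", ERROR_REPLY), ("SSL in Console off", OK_REPLY)):
        result = classify_reply(reply)
        print(label, "->", "status", result["status"],
              result["error"] or sorted(result["tokens"]))
```

Run with both attachments' bodies instead of the embedded strings to see exactly which fields change between the two console settings; on the samples above, the only difference is that the SSL-on reply carries NMC_Status 1 and an NMC_ErrDetail while the SSL-off reply lists two tokens, of which only "internal (software)" needs a login.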
Comment 5 Viktor Ashirov 2017-08-14 04:48:22 EDT
Hi,

Could you please provide the version of nss?

# rpm -qa | egrep '^nss'

And file permissions for your nss db files:

# ls -laZ /etc/dirsrv/slapd-instance/


Thanks!
Comment 6 Richard Chan 2017-08-14 05:06:36 EDT
Additional info:

Both of the following commands are working:

sudo -u dirsrv LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv ldapsearch -x -b dc=example,dc=com -H ldaps:///

sudo -u dirsrv LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-example ldapsearch -x -b dc=example,dc=com -H ldaps:///

I am able to switch admin-serv to using TLS, after which the "Manage Certificates" button still works.


Requested info:

[root@ldap dirsrv]# rpm -qa | egrep ^nss
nss-3.31.0-1.1.fc26.x86_64
nss-util-3.31.0-1.0.fc26.x86_64
nss-sysinit-3.31.0-1.1.fc26.x86_64
nss-pem-1.0.3-3.fc26.x86_64
nss-softokn-freebl-3.31.0-1.0.fc26.x86_64
nss-softokn-3.31.0-1.0.fc26.x86_64
nss-tools-3.31.0-1.1.fc26.x86_64


[root@ldap dirsrv]# ls -l admin-serv/ slapd-example/
admin-serv/:
total 156
-rw-------. 1 dirsrv root   492 Aug 14 14:23 adm.conf
-rw-------. 1 dirsrv root    40 Aug 14 14:23 admpw
-rw-r--r--. 1 root   root  3936 Feb 10  2017 admserv.conf
drwxr-xr-x. 2 root   root  4096 Aug 14 14:23 bakup
-rw-------. 1 dirsrv root 65536 Aug 14 15:51 cert8.db
-rw-------. 1 dirsrv root  4531 Aug 14 14:49 console.conf
-rw-r--r--. 1 root   root 26748 Feb 10  2017 httpd.conf
-rw-------. 1 dirsrv root 16384 Aug 14 15:51 key3.db
-rw-------. 1 dirsrv root  8956 Aug 14 15:47 local.conf
-rw-r--r--. 1 root   root  4505 Feb 10  2017 nss.conf
-r--------. 1 dirsrv root    20 Aug 14 14:34 pin.txt
-rw-------. 1 dirsrv root 16384 Aug 14 14:23 secmod.db

slapd-example/:
total 392
-rw-rw----. 1 dirsrv dirsrv 65536 Aug 14 15:51 cert8.db
-r--r-----. 1 dirsrv dirsrv  1676 Aug 14 14:22 certmap.conf
-rw-------. 1 dirsrv dirsrv 82606 Aug 14 15:50 dse.ldif
-rw-------. 2 dirsrv dirsrv 82606 Aug 14 15:50 dse.ldif.bak
-rw-------. 2 dirsrv dirsrv 82606 Aug 14 15:50 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv 34975 Aug 14 14:22 dse_original.ldif
-rw-rw----. 1 dirsrv dirsrv 16384 Aug 14 15:51 key3.db
-r--------. 1 dirsrv root      37 Aug 14 14:37 pin.txt
drwxrwx---. 2 dirsrv dirsrv  4096 Aug 14 15:50 schema
-rw-rw----. 1 dirsrv dirsrv 16384 Aug 14 15:50 secmod.db
-r--r-----. 1 dirsrv dirsrv 15142 Aug 14 14:22 slapd-collations.conf
Comment 7 Richard Chan 2017-08-14 05:07:22 EDT
Forgot about -Z

[root@ldap dirsrv]# ls -laZ admin-serv/ slapd-example/
admin-serv/:
total 164
drwx------. 3 dirsrv root   system_u:object_r:dirsrvadmin_config_t:s0      4096 Aug 14 14:49 .
drwxrwxr-x. 7 root   dirsrv system_u:object_r:dirsrv_config_t:s0           4096 Aug 14 14:22 ..
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0   492 Aug 14 14:23 adm.conf
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0    40 Aug 14 14:23 admpw
-rw-r--r--. 1 root   root   system_u:object_r:dirsrvadmin_config_t:s0      3936 Feb 10  2017 admserv.conf
drwxr-xr-x. 2 root   root   unconfined_u:object_r:dirsrvadmin_config_t:s0  4096 Aug 14 14:23 bakup
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0 65536 Aug 14 15:51 cert8.db
-rw-------. 1 dirsrv root   system_u:object_r:dirsrvadmin_config_t:s0      4531 Aug 14 14:49 console.conf
-rw-r--r--. 1 root   root   system_u:object_r:dirsrvadmin_config_t:s0     26748 Feb 10  2017 httpd.conf
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0 16384 Aug 14 15:51 key3.db
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0  8956 Aug 14 15:47 local.conf
-rw-r--r--. 1 root   root   system_u:object_r:dirsrvadmin_config_t:s0      4505 Feb 10  2017 nss.conf
-r--------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0    20 Aug 14 14:34 pin.txt
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0 16384 Aug 14 14:23 secmod.db

slapd-example/:      
total 400            
drwxrwx---. 3 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Aug 14 15:50 .
drwxrwxr-x. 7 root   dirsrv system_u:object_r:dirsrv_config_t:s0      4096 Aug 14 14:22 ..
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Aug 14 15:51 cert8.db
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1676 Aug 14 14:22 certmap.conf
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     82606 Aug 14 15:50 dse.ldif
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     82606 Aug 14 15:50 dse.ldif.bak
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     82606 Aug 14 15:50 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 34975 Aug 14 14:22 dse_original.ldif
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Aug 14 15:51 key3.db
-r--------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0    37 Aug 14 14:37 pin.txt
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Aug 14 15:50 schema
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Aug 14 15:50 secmod.db
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Aug 14 14:22 slapd-collations.conf
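As an added triage aid (not part of the bug report and not tooling from the 389 project), the Python below parses an `ls -laZ` listing like the one above and, for each directory, flags the NSS database files (the dbm-format cert8.db/key3.db/secmod.db, their sqlite equivalents cert9.db/key4.db/pkcs11.txt, and pin.txt) whose group or SELinux type differs from the directory entry itself. The embedded listing is an abridged copy of this comment's output. On it the script reports only pin.txt under slapd-example/, which is group root while the directory and the other database files are group dirsrv; the report does not say whether that is related to the failure, so the output is a divergence to look at, not a diagnosis. Function names are my own.

```python
import re

# Abridged copy of the `ls -laZ` output posted in Comment 7 of the bug
# (only the "." entries and the NSS database files are kept).
LS_LAZ_OUTPUT = """\
admin-serv/:
total 164
drwx------. 3 dirsrv root   system_u:object_r:dirsrvadmin_config_t:s0      4096 Aug 14 14:49 .
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0 65536 Aug 14 15:51 cert8.db
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0 16384 Aug 14 15:51 key3.db
-r--------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0    20 Aug 14 14:34 pin.txt
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0 16384 Aug 14 14:23 secmod.db

slapd-example/:
total 400
drwxrwx---. 3 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Aug 14 15:50 .
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Aug 14 15:51 cert8.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Aug 14 15:51 key3.db
-r--------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0    37 Aug 14 14:37 pin.txt
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Aug 14 15:50 secmod.db
"""

# Files that make up an NSS certificate/key database (legacy dbm format and
# sqlite format) plus the PIN file the server reads to unlock the token.
NSS_FILES = {"cert8.db", "key3.db", "secmod.db",
             "cert9.db", "key4.db", "pkcs11.txt", "pin.txt"}

# mode links owner group selinux-context size month day time-or-year name
ENTRY_RE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9}[.+]?)\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<context>\S+)\s+"
    r"\d+\s+\w{3}\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_ls_laz(text):
    """Return {directory: {filename: {mode, owner, group, setype}}}."""
    dirs = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        if line.endswith(":") and " " not in line:      # "admin-serv/:" header
            current = line[:-1]
            dirs[current] = {}
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            ctx = m.group("context").split(":")          # user:role:type:level
            dirs[current][m.group("name")] = {
                "mode": m.group("mode").rstrip(".+"),
                "owner": m.group("owner"),
                "group": m.group("group"),
                "setype": ctx[2] if len(ctx) >= 3 else None,
            }
    return dirs


def find_outliers(dirs):
    """Per directory, list NSS files whose group or SELinux type differs from '.'."""
    findings = {}
    for dirname, entries in dirs.items():
        ref = entries.get(".")
        if ref is None:
            continue
        problems = []
        for name in sorted(entries):
            if name not in NSS_FILES:
                continue
            e = entries[name]
            if e["group"] != ref["group"]:
                problems.append((name, f"group {e['group']} differs from directory group {ref['group']}"))
            if e["setype"] != ref["setype"]:
                problems.append((name, f"SELinux type {e['setype']} differs from directory type {ref['setype']}"))
        findings[dirname] = problems
    return findings


if __name__ == "__main__":
    for dirname, problems in find_outliers(parse_ls_laz(LS_LAZ_OUTPUT)).items():
        print(dirname, "->", problems or "no divergence among NSS files")
```

Feed it the full listing (`ls -laZ admin-serv/ slapd-example/ | python3 check_nssdb.py` with a small stdin wrapper) and the same comparison runs over every file; the "." entry is the reference because that is what the service's own permission and label must agree with.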
Comment 8 Richard Chan 2017-08-14 05:08:40 EDT
[root@ldap dirsrv]# audit2allow -al


#============= dirsrvadmin_script_t ==============
allow dirsrvadmin_script_t sssd_public_t:file { getattr open read };
allow dirsrvadmin_script_t sssd_t:unix_stream_socket connectto;
allow dirsrvadmin_script_t sssd_var_lib_t:dir search;
allow dirsrvadmin_script_t sssd_var_lib_t:sock_file write;
allow dirsrvadmin_script_t systemd_unit_file_t:service { start status stop };


I have temporarily set SELinux to Permissive. Forgive us our trespasses...
Comment 9 Richard Chan 2017-08-14 05:12:49 EDT
Also, DS Console Configuration -> Encryption shows the same (null) error box, but when you dismiss the dialog it goes to the Encryption tab.

With Manage Certificates: when you dismiss the dialog box, the same dialog box appears again. Dismissing a 2nd time returns to the main DS Console screen.
