Bug 1480976 - 389-DS: With SSL in Console enabled, cannot manage certificates
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: 389-ds-console
Version: 26
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Assigned To: mreynolds
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-08-13 06:35 EDT by Richard Chan
Modified: 2018-05-29 08:26 EDT
Doc Type: If docs needed, set a value
Last Closed: 2018-05-29 08:26:07 EDT
Type: Bug

Attachments:
Error message from Manage Certificates (196.17 KB, image/png), 2017-08-13 06:35 EDT, Richard Chan
Failed when clicking Manage Certificates (2.46 KB, text/plain), 2017-08-13 12:31 EDT, Richard Chan
Use SSL in Console off, can Manage Certificates (2.16 KB, text/plain), 2017-08-13 12:33 EDT, Richard Chan

Description Richard Chan 2017-08-13 06:35:15 EDT
Created attachment 1312637
Error message from Manage Certificates

Description of problem:
When "Use SSL in Console" is enabled for Directory Server, clicking on Tasks->Manage Certificates shows

Could not open file (null). File does not exist or filename is invalid. A filename that exists in the server security directory must be specified. Absolute or relative paths should not be specified.

Version-Release number of selected component (if applicable):
389-ds-base-libs-1.3.6.6-2.fc26.x86_64
389-ds-console-1.2.16-2.fc26.noarch
389-ds-1.2.2-9.fc26.noarch
389-admin-console-1.1.12-2.fc26.noarch
389-dsgw-1.1.11-11.fc26.x86_64
389-admin-1.1.46-1.fc26.1.x86_64
389-admin-console-doc-1.1.12-2.fc26.noarch
389-adminutil-1.1.23-2.fc26.x86_64
389-console-1.1.18-2.fc26.noarch
389-ds-base-1.3.6.6-2.fc26.x86_64
389-ds-console-doc-1.2.16-2.fc26.noarch


How reproducible:
Always


Steps to Reproduce:
1. Create a single Directory Server with setup-ds-admin.pl. No replication, only one user DIT
2. "Enable SSL for this Server" on Directory Server. Confirm that ldaps works. Confirm that Task->Manage Certificates works
3. Check "Use SSL in Console"
4. Try Tasks -> Manage Certificates. Fails with "An error has occurred"


Actual results:
Error dialog box

Expected results:
Manage Certificates dialog box

Additional info:
Comment 1 Richard Chan 2017-08-13 06:39:24 EDT
There are no error logs related to the file access
Comment 2 Richard Chan 2017-08-13 12:31 EDT
Created attachment 1312758
Failed when clicking Manage Certificates

389-console log
Comment 3 Richard Chan 2017-08-13 12:33 EDT
Created attachment 1312761
Use SSL in Console off, can Manage Certificates
Comment 4 Richard Chan 2017-08-13 21:09:04 EDT
The POSTS (Use SSL in Console on/off) are identical:

sie=slapd-example&formop=TOKEN_INFO

With Use SSL in Console checked: the reply
Content-type: text/html

NMC_Status: 1
NMC_ErrType: 
NMC_ErrInfo: An error has occured.
NMC_ErrDetail: Could not open file (null).  File does not exist or filename is invalid.  A filename that exists in the server security directory must be specified.  Absolute or relative paths should not be specified.

With SSL in Console unchecked: the reply
<TOKENINFO>
	<NSS Generic Crypto Services>
		<MODULE>NSS Internal PKCS #11 Module</MODULE>
		<INTERNAL>TRUE</INTERNAL>
		<HARDWARE>FALSE</HARDWARE>
		<READONLY>TRUE</READONLY>
		<NEED_LOGIN>FALSE</NEED_LOGIN>
		<FRIENDLY>TRUE</FRIENDLY>
		<NEED_USER_INIT>TRUE</NEED_USER_INIT>
	</NSS Generic Crypto Services>
	<internal (software)>
		<MODULE>NSS Internal PKCS #11 Module</MODULE>
		<INTERNAL>TRUE</INTERNAL>
		<HARDWARE>FALSE</HARDWARE>
		<READONLY>FALSE</READONLY>
		<NEED_LOGIN>TRUE</NEED_LOGIN>
		<FRIENDLY>TRUE</FRIENDLY>
		<NEED_USER_INIT>FALSE</NEED_USER_INIT>
	</internal (software)>
</TOKENINFO>
Content-type: text/html

NMC_Status: 0
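The two replies quoted in the comment above are the admin server's CGI response format for the TOKEN_INFO operation: an NMC_Status line (0 for success, non-zero for failure) with NMC_Err* detail fields, and, on success, a TOKENINFO listing whose element names contain spaces and parentheses, so a real XML parser will not accept it. The Python below is an added example, not code from this bug or from the 389 project: it parses both replies (embedded here as constructed copies of the captures above), lists which tokens require a login (the software token that pin.txt unlocks), and classifies the failure. The function names and the "unresolved filename" wording for the (null) case are this example's own; the classification rests only on what the error text itself says, namely that no filename reached the open call, which is a different failure from a missing or unreadable file.

```python
import re

# NMC_Status / NMC_ErrInfo / NMC_ErrDetail header lines emitted by the admin server CGI.
NMC_LINE = re.compile(r"^(NMC_[A-Za-z]+):\s*(.*)$")
# <MODULE>NSS Internal PKCS #11 Module</MODULE>  -> one attribute of the current token
ATTR_LINE = re.compile(r"^<([A-Z_]+)>(.*)</\1>$")
# </NSS Generic Crypto Services>                 -> end of a token block
TOKEN_CLOSE = re.compile(r"^</([^>]+)>$")
# <internal (software)>                          -> start of a token block
TOKEN_OPEN = re.compile(r"^<([^/>][^>]*)>$")


def parse_nmc_reply(text):
    """Parse a TOKEN_INFO reply into {'status': int|None, 'fields': {...}, 'tokens': {...}}."""
    reply = {"status": None, "fields": {}, "tokens": {}}
    current = None  # name of the token block currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NMC_LINE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            reply["fields"][key] = value
            if key == "NMC_Status":
                reply["status"] = int(value) if value.isdigit() else None
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            reply["tokens"][current][m.group(1)] = m.group(2)
            continue
        m = TOKEN_CLOSE.match(line)
        if m:
            if m.group(1) == current:
                current = None
            continue
        m = TOKEN_OPEN.match(line)
        if m and m.group(1) != "TOKENINFO":
            current = m.group(1)
            reply["tokens"][current] = {}
        # Content-type and any other line is ignored.
    return reply


def tokens_needing_login(reply):
    """Names of tokens with NEED_LOGIN TRUE, i.e. the ones a PIN (pin.txt) must unlock."""
    return sorted(name for name, attrs in reply["tokens"].items()
                  if attrs.get("NEED_LOGIN") == "TRUE")


def diagnose(reply):
    """One-line classification of a reply, for a console or monitoring check."""
    if reply["status"] == 0:
        return "ok: %d token(s) listed" % len(reply["tokens"])
    detail = reply["fields"].get("NMC_ErrDetail", "")
    if "Could not open file (null)" in detail:
        # No filename reached the open call at all: not the same failure as a
        # file that is absent or unreadable in the security directory.
        return "unresolved filename: CGI opened (null) rather than a file in the security directory"
    return "error: " + (detail or reply["fields"].get("NMC_ErrInfo") or "no detail given")


# Constructed copies of the two replies captured in the comment above.
REPLY_SSL_ON = """Content-type: text/html

NMC_Status: 1
NMC_ErrType:
NMC_ErrInfo: An error has occured.
NMC_ErrDetail: Could not open file (null).  File does not exist or filename is invalid.
"""

REPLY_SSL_OFF = """<TOKENINFO>
    <NSS Generic Crypto Services>
        <MODULE>NSS Internal PKCS #11 Module</MODULE>
        <INTERNAL>TRUE</INTERNAL>
        <HARDWARE>FALSE</HARDWARE>
        <READONLY>TRUE</READONLY>
        <NEED_LOGIN>FALSE</NEED_LOGIN>
        <FRIENDLY>TRUE</FRIENDLY>
        <NEED_USER_INIT>TRUE</NEED_USER_INIT>
    </NSS Generic Crypto Services>
    <internal (software)>
        <MODULE>NSS Internal PKCS #11 Module</MODULE>
        <INTERNAL>TRUE</INTERNAL>
        <HARDWARE>FALSE</HARDWARE>
        <READONLY>FALSE</READONLY>
        <NEED_LOGIN>TRUE</NEED_LOGIN>
        <FRIENDLY>TRUE</FRIENDLY>
        <NEED_USER_INIT>FALSE</NEED_USER_INIT>
    </internal (software)>
</TOKENINFO>
Content-type: text/html

NMC_Status: 0
"""

if __name__ == "__main__":
    for label, text in (("SSL in Console on", REPLY_SSL_ON), ("SSL in Console off", REPLY_SSL_OFF)):
        r = parse_nmc_reply(text)
        print(label, "->", diagnose(r), "| tokens needing login:", tokens_needing_login(r))
```

Because the parser keys on the NMC_Status line rather than on the HTTP status, it classifies the failing reply correctly even though the CGI still answers with Content-type: text/html and no HTTP error.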
Comment 5 Viktor Ashirov 2017-08-14 04:48:22 EDT
Hi,

could you please provide version of nss?

# rpm -qa | egrep '^nss'

And file permissions for your nss db files:

# ls -laZ /etc/dirsrv/slapd-instance/


Thanks!
Comment 6 Richard Chan 2017-08-14 05:06:36 EDT
Additional info:

Both of the following commands are working:

sudo -u dirsrv LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv ldapsearch -x -b dc=example,dc=com -H ldaps:///

sudo -u dirsrv LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-example ldapsearch -x -b dc=example,dc=com -H ldaps:///

I am able to switch admin-serv to using TLS; after which "Manage Certificates" button still works.


Requested info:

[root@ldap dirsrv]# rpm -qa | egrep ^nss
nss-3.31.0-1.1.fc26.x86_64
nss-util-3.31.0-1.0.fc26.x86_64
nss-sysinit-3.31.0-1.1.fc26.x86_64
nss-pem-1.0.3-3.fc26.x86_64
nss-softokn-freebl-3.31.0-1.0.fc26.x86_64
nss-softokn-3.31.0-1.0.fc26.x86_64
nss-tools-3.31.0-1.1.fc26.x86_64


[root@ldap dirsrv]# ls -l admin-serv/ slapd-example/
admin-serv/:
total 156
-rw-------. 1 dirsrv root   492 Aug 14 14:23 adm.conf
-rw-------. 1 dirsrv root    40 Aug 14 14:23 admpw
-rw-r--r--. 1 root   root  3936 Feb 10  2017 admserv.conf
drwxr-xr-x. 2 root   root  4096 Aug 14 14:23 bakup
-rw-------. 1 dirsrv root 65536 Aug 14 15:51 cert8.db
-rw-------. 1 dirsrv root  4531 Aug 14 14:49 console.conf
-rw-r--r--. 1 root   root 26748 Feb 10  2017 httpd.conf
-rw-------. 1 dirsrv root 16384 Aug 14 15:51 key3.db
-rw-------. 1 dirsrv root  8956 Aug 14 15:47 local.conf
-rw-r--r--. 1 root   root  4505 Feb 10  2017 nss.conf
-r--------. 1 dirsrv root    20 Aug 14 14:34 pin.txt
-rw-------. 1 dirsrv root 16384 Aug 14 14:23 secmod.db

slapd-example/:
total 392
-rw-rw----. 1 dirsrv dirsrv 65536 Aug 14 15:51 cert8.db
-r--r-----. 1 dirsrv dirsrv  1676 Aug 14 14:22 certmap.conf
-rw-------. 1 dirsrv dirsrv 82606 Aug 14 15:50 dse.ldif
-rw-------. 2 dirsrv dirsrv 82606 Aug 14 15:50 dse.ldif.bak
-rw-------. 2 dirsrv dirsrv 82606 Aug 14 15:50 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv 34975 Aug 14 14:22 dse_original.ldif
-rw-rw----. 1 dirsrv dirsrv 16384 Aug 14 15:51 key3.db
-r--------. 1 dirsrv root      37 Aug 14 14:37 pin.txt
drwxrwx---. 2 dirsrv dirsrv  4096 Aug 14 15:50 schema
-rw-rw----. 1 dirsrv dirsrv 16384 Aug 14 15:50 secmod.db
-r--r-----. 1 dirsrv dirsrv 15142 Aug 14 14:22 slapd-collations.conf
Comment 7 Richard Chan 2017-08-14 05:07:22 EDT
Forgot about -Z

[root@ldap dirsrv]# ls -laZ admin-serv/ slapd-example/
admin-serv/:
total 164
drwx------. 3 dirsrv root   system_u:object_r:dirsrvadmin_config_t:s0      4096 Aug 14 14:49 .
drwxrwxr-x. 7 root   dirsrv system_u:object_r:dirsrv_config_t:s0           4096 Aug 14 14:22 ..
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0   492 Aug 14 14:23 adm.conf
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0    40 Aug 14 14:23 admpw
-rw-r--r--. 1 root   root   system_u:object_r:dirsrvadmin_config_t:s0      3936 Feb 10  2017 admserv.conf
drwxr-xr-x. 2 root   root   unconfined_u:object_r:dirsrvadmin_config_t:s0  4096 Aug 14 14:23 bakup
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0 65536 Aug 14 15:51 cert8.db
-rw-------. 1 dirsrv root   system_u:object_r:dirsrvadmin_config_t:s0      4531 Aug 14 14:49 console.conf
-rw-r--r--. 1 root   root   system_u:object_r:dirsrvadmin_config_t:s0     26748 Feb 10  2017 httpd.conf
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0 16384 Aug 14 15:51 key3.db
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0  8956 Aug 14 15:47 local.conf
-rw-r--r--. 1 root   root   system_u:object_r:dirsrvadmin_config_t:s0      4505 Feb 10  2017 nss.conf
-r--------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0    20 Aug 14 14:34 pin.txt
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrvadmin_config_t:s0 16384 Aug 14 14:23 secmod.db

slapd-example/:      
total 400            
drwxrwx---. 3 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Aug 14 15:50 .
drwxrwxr-x. 7 root   dirsrv system_u:object_r:dirsrv_config_t:s0      4096 Aug 14 14:22 ..
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Aug 14 15:51 cert8.db
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1676 Aug 14 14:22 certmap.conf
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     82606 Aug 14 15:50 dse.ldif
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     82606 Aug 14 15:50 dse.ldif.bak
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     82606 Aug 14 15:50 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 34975 Aug 14 14:22 dse_original.ldif
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Aug 14 15:51 key3.db
-r--------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0    37 Aug 14 14:37 pin.txt
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Aug 14 15:50 schema
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Aug 14 15:50 secmod.db
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Aug 14 14:22 slapd-collations.conf
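Comment 5 asks for the ownership of the NSS database files and Comments 6 and 7 answer with ls listings. As an added example (not code from this bug or from the 389 project), the Python below turns that manual inspection into a check: given a security directory and the service account, it verifies that the directory is searchable and that cert8.db, key3.db, secmod.db (and pin.txt, when present) are readable by that account under plain Unix permission bits, and it flags key3.db or pin.txt being world-readable, since those hold the private keys and the token PIN. It models mode bits only, not POSIX ACLs, capabilities or SELinux labels (the -Z column above), so a clean result does not rule out an SELinux denial of the kind audit2allow would show. The function names are this example's own; demo_dir builds a constructed temporary directory so the check can be exercised without a real instance, and the /etc/dirsrv/slapd-example path and dirsrv user in the final comment are taken from the listings.

```python
import grp
import os
import pwd
import stat
import tempfile

# Database files 389-ds keeps in its security directory (names as in the listings above).
NSS_FILES = ("cert8.db", "key3.db", "secmod.db")
# These hold the private keys and the token PIN; the listings show them as 0600/0660 and 0400.
SECRET_FILES = ("key3.db", "pin.txt")


def _permits(st, uid, gids, owner_bit, group_bit, other_bit):
    """Classic Unix DAC: owner class if the uid matches, else group class, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def check_security_dir(secdir, uid, gids):
    """Return a list of findings; an empty list means the account can use the NSS db."""
    findings = []
    try:
        dst = os.stat(secdir)
    except FileNotFoundError:
        return ["%s: directory does not exist" % secdir]
    if not _permits(dst, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
        findings.append("%s: not searchable by uid %d" % (secdir, uid))
    for name in NSS_FILES + ("pin.txt",):
        path = os.path.join(secdir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            if name in NSS_FILES:  # pin.txt is optional: a token may not need login
                findings.append("%s: missing" % path)
            continue
        if not _permits(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
            findings.append("%s: not readable by uid %d" % (path, uid))
        if name in SECRET_FILES and st.st_mode & stat.S_IROTH:
            findings.append("%s: world-readable" % path)
    return findings


def check_for_user(secdir, username):
    """Resolve a service account (e.g. dirsrv) to its uid and all its group ids, then check."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return check_security_dir(secdir, pw.pw_uid, gids)


def current_identity():
    """uid and group ids of the running process, used by the constructed demo."""
    return os.getuid(), set(os.getgroups()) | {os.getgid()}


def demo_dir(modes):
    """Constructed sample: a fresh temp directory holding the given files with the given modes."""
    d = tempfile.mkdtemp(prefix="nssdb-demo-")
    for name, mode in modes.items():
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"placeholder")
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    uid, gids = current_identity()
    good = demo_dir({"cert8.db": 0o600, "key3.db": 0o600, "secmod.db": 0o600, "pin.txt": 0o400})
    print("good layout:", check_security_dir(good, uid, gids) or "ok")
    leaky = demo_dir({"cert8.db": 0o644, "key3.db": 0o644, "secmod.db": 0o644})
    print("leaky layout:", check_security_dir(leaky, uid, gids))
    # On a real host, run as root: check_for_user("/etc/dirsrv/slapd-example", "dirsrv")
```

Run against the slapd-example listing above, the check would report nothing: every file is owned by dirsrv with owner read, pin.txt is 0400, and nothing is world-readable. That matches the reporter's observation that ldapsearch over ldaps works as dirsrv, and is why the (null) filename in the error points away from the files themselves.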
Comment 8 Richard Chan 2017-08-14 05:08:40 EDT
[root@ldap dirsrv]# audit2allow -al


#============= dirsrvadmin_script_t ==============
allow dirsrvadmin_script_t sssd_public_t:file { getattr open read };
allow dirsrvadmin_script_t sssd_t:unix_stream_socket connectto;
allow dirsrvadmin_script_t sssd_var_lib_t:dir search;
allow dirsrvadmin_script_t sssd_var_lib_t:sock_file write;
allow dirsrvadmin_script_t systemd_unit_file_t:service { start status stop };


I have temporarily set SELinux to Permissive. Forgive us our trespasses...
Comment 9 Richard Chan 2017-08-14 05:12:49 EDT
Also DS Console Configuration -> Encryption shows the same (null) error box, but when you dismiss the dialog it goes to the Encryption tab.

With Manage Certificates: when you dismiss the dialog box, the same dialog box appears again. Dismissing a 2nd time returns to the main DS Console screen.
Comment 10 Fedora End Of Life 2018-05-03 04:06:02 EDT
This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 11 Fedora End Of Life 2018-05-29 08:26:07 EDT
Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26
is no longer maintained, which means that it will not receive any
further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
