Bug 1512952
| Summary: | cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Mohammad Rizwan <myusuf> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | frenaud, mreznik, ndehadra, pasik, pvoborni, rcritten, tscherf |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.6.6-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-31 19:55:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1514041 | | |
| Bug Blocks: | | | |
Description
Mohammad Rizwan
2017-11-14 13:53:12 UTC
Was able to reproduce the issue too. Found this after "ipa-cacert-manage renew --self-signed" in the journal:
```
Nov 14 12:40:31 master.testrelm.test server[15039]: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Nov 14 12:40:32 master.testrelm.test server[14825]: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Nov 14 12:40:32 master.testrelm.test server[14825]: PKIListener: org.apache.catalina.core.StandardServer[stop]
Nov 14 12:40:32 master.testrelm.test server[14825]: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Nov 14 12:40:32 master.testrelm.test systemd[1]: Stopped PKI Tomcat Server pki-tomcat.
Nov 14 12:40:32 master.testrelm.test stop_pkicad[15029]: Stopped pki_tomcatd
Nov 14 12:40:35 master.testrelm.test renew_ca_cert[15077]: Updating entry cn=b7bf6750-22ab-42ae-bb5c-8b430cfd0f50,ou=authorities,ou=ca,o=ipaca
Nov 14 12:40:35 master.testrelm.test renew_ca_cert[15077]: Updating CS.cfg
Nov 14 12:40:35 master.testrelm.test renew_ca_cert[15077]: Traceback (most recent call last):
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 223, in <module>
    main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 217, in main
    _main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 183, in _main
    ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
KeyError: 'caSigningCert cert-pki-ca'
Nov 14 12:40:35 master.testrelm.test certmonger[15098]: Certificate named "caSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
```
The issue seems linked to certutil behavior which has changed.
The script /usr/libexec/ipa/certmonger/renew_ca_cert is performing the following steps:
1. removes the CA certs from /etc/pki/pki-tomcat/alias
2. retrieves the CA certs from LDAP (below cn=certificates,cn=ipa,cn=etc,$BASEDN)
3. adds the certs obtained in 2 to /etc/pki/pki-tomcat/alias
4. modifies the trust flags of the external CA if 'caSigningCert cert-pki-ca' was externally signed.
The bug happens in the 4th step. The script is using certutil -O -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' to retrieve the cert chain of caSigningCert cert-pki-ca, and assumes that the external CA is the before-last cert (if it exists).
With nss-tools 3.28.4-1.2.el7_3, the output is the following:
```
# certutil -O -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
```
=> no before-last cert, the code is not executed. This is expected as the cert is self-signed, meaning there is no ext CA to trust.
But with nss-tools 3.28.4-15.el7_4, the output is different:
```
# certutil -O -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
"CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
```
Note that the cert is self-signed, so I would be expecting the output to contain only caSigningCert cert-pki-ca.
With this output, the code assumes 'caSigningCert cert-pki-ca' is the external CA and falls in the issue.
Opened https://bugzilla.redhat.com/show_bug.cgi?id=1514041 against nss component.

Makes me wonder if existing certs should be removed before installing the new CA. That would resolve relying on behavior of the NSS tool and I don't think this would cause any chaining issues as the private key wouldn't change.

Upstream ticket: https://pagure.io/freeipa/issue/7926

Note: issue is still present with ipa-server-4.6.5-7.el7.x86_64 (RHEL 7.7).

Fixed upstream master: https://pagure.io/freeipa/c/64d187e56e02f3a400b2e6044e6ad670521160c8
Fixed upstream ipa-4-7: https://pagure.io/freeipa/c/9b3b85914dcf37dc234a5625f2f18e864bc73038
ipa-4-6: https://pagure.io/freeipa/c/67402701e6d065929aa0fb1804171a2133cfaaec

Test already exists upstream (test_integration/test_external_ca.py::TestSelfExternalSelf) and downstream (ipa-pytests/src/ca_cert_renewal/).

Version:
ipa-server-4.6.6-9.el7.x86_64
certmonger-0.78.4-12.el7.x86_64

Automation passed. Logs provided. Based on above observations marking the bug as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1083
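The before-last assumption from the description, as an added example that is not FreeIPA's renew_ca_cert code: it parses the two certutil -O outputs quoted in the report, reproduces the lookup that raises the KeyError, and adds a hardened selection (my assumption, not the upstream fix) that refuses a before-last entry that is the same certificate as the leaf. The LDAP nickname "DOMAIN.COM IPA CA", the DER placeholders and the EXT_SIGNED chain are constructed.

```python
import re
from typing import List, Optional, Tuple

# One certutil -O line looks like:  "nickname" [subject DN]
_LINE = re.compile(r'^\s*"(?P<nick>[^"]+)"\s+\[(?P<subject>[^\]]+)\]\s*$')

def parse_chain(certutil_output: str) -> List[Tuple[str, str]]:
    """Return (nickname, subject) pairs in certutil -O order: root first, leaf last."""
    return [(m.group("nick"), m.group("subject"))
            for m in map(_LINE.match, certutil_output.splitlines()) if m]

def external_ca_nick_fragile(chain: List[Tuple[str, str]]) -> Optional[str]:
    """The assumption the report describes: the before-last entry, if any, is the external CA."""
    return chain[-2][0] if len(chain) > 1 else None

def external_ca_nick_robust(chain: List[Tuple[str, str]], ca_nick: str) -> Optional[str]:
    """Assumed hardening (not the upstream fix): accept the before-last entry only when it is
    a different certificate from the leaf; a repeated nickname or subject means self-signed."""
    if len(chain) < 2 or chain[-1][0] != ca_nick:
        return None
    issuer_nick, issuer_subject = chain[-2]
    if issuer_nick == ca_nick or issuer_subject == chain[-1][1]:
        return None
    return issuer_nick

# Constructed stand-in for the certs read from LDAP: (der, nickname, trust flags).
# The IPA CA's LDAP nickname and the DER values are placeholders, not values from the report.
CA_CERTS = [
    (b"<ext-ca-der>", "CN=Cert Auth,O=ExtAuth", "C,,"),
    (b"<ipa-ca-der>", "DOMAIN.COM IPA CA", "CT,C,C"),
]

def lookup_flags(ext_nick: str, ca_certs=CA_CERTS) -> str:
    """Same lookup as the failing line 183; raises KeyError for an unknown nickname."""
    return dict(cc[1:] for cc in ca_certs)[ext_nick]

# certutil -O output quoted in the report, old and new nss-tools
OLD_NSS = '"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]\n'
NEW_NSS = ('"CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]\n'
           '"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]\n'
           '"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]\n')
# Constructed: what a genuinely externally signed CA would print
EXT_SIGNED = ('"CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]\n'
              '"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]\n')

if __name__ == "__main__":
    nick = external_ca_nick_fragile(parse_chain(NEW_NSS))
    print("fragile picks:", nick)  # 'caSigningCert cert-pki-ca', which lookup_flags rejects
    print("robust picks:", external_ca_nick_robust(parse_chain(NEW_NSS), "caSigningCert cert-pki-ca"))
```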