1549187 – IdM servers:/usr/share/ipa/html/ca.crt does not include the complete chain

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1549187 - IdM servers:/usr/share/ipa/html/ca.crt does not include the complete chain

Summary: IdM servers:/usr/share/ipa/html/ca.crt does not include the complete chain

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1626583 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-02-26 16:06 UTC by Brian J. Atkisson
Modified:	2021-12-10 15:56 UTC (History)
CC List:	10 users (show)
Fixed In Version:	ipa-4.6.4-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-30 10:57:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-7537	None	None	None	2021-12-10 15:56:48 UTC
Red Hat Knowledge Base (Solution)	3395351	None	None	None	2018-03-29 11:18:49 UTC
Red Hat Product Errata	RHBA-2018:3187	None	None	None	2018-10-30 10:58:18 UTC

Description Brian J. Atkisson 2018-02-26 16:06:11 UTC

Description of problem:


We have an externally signed CA cert in IdM, resulting in the following
chain:

1. CN=Red Hat IT Root CA/O=Red Hat, Inc.
2. CN=Intermediate Certificate Authority/O=Red Hat
3. O=IPA.REDHAT.COM/CN=Certificate Authority

This is the chain stored in /etc/ipa/ca.crt.  However, the cert stored
in /usr/share/ipa/html/ca.crt only consists of #3 (the IPA CA cert). As
such, when clients are prompted to download the CA cert during the
ipa-client-install from http://$IPA_SERVER/ipa/config/ca.crt, they fetch
only #3.  This kind of works, but then the install fails at:

======================

Do you want to download the CA cert from
http://$IPA_SERVER/ipa/config/ca.crt?
(this is INSECURE) [no]: yes
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.REDHAT.COM
    Issuer:      CN=Intermediate Certificate Authority,OU=prod,O=Red Hat
    Valid From:  2017-10-16 19:19:57
    Valid Until: 2037-10-11 19:19:57

Enrolled in IPA realm IPA.REDHAT.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.REDHAT.COM
trying https://$IPA_SERVER/ipa/json
Connection to https://$IPA_SERVER/ipa/json
failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:579)
[...]
cannot connect to 'any of the configured servers':
https://$IPA_SERVER/ipa/json,
[...]
The ipa-client-install command failed. See
/var/log/ipaclient-install.log for more information

Comment 2 Florence Blanc-Renaud 2018-03-01 15:11:43 UTC

The installation with external-ca only adds IPA CA in master:/usr/share/ipa/html/ca.crt. Note that if ipa-certupdate is run on the master, the whole chain will be written to this file.

The other workaround is to copy master:/etc/ipa/ca.crt to client:/tmp/ca.crt and call ipa-client-install --ca-cert-file=/tmp/ca.crt (or copy directly to /etc/ipa/ca.crt and it will be reused).

Comment 3 Petr Vobornik 2018-03-20 17:27:55 UTC

In renewal case, it is documented to run ipa-certupdate on all replicas.

It is documented in renewal procedure: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/cert-renewal#manual-cert-renewal-ext

Do I understand it correctly that the bug is that on install, usr/share/ipa/html/ca.crt is not updated with full chain? And it is still valid on RHEL 7.4 and further? And correct fix would be to update it automatically during master installation and all subsequent replica installations?

Comment 4 Florence Blanc-Renaud 2018-03-22 10:00:17 UTC

In reply to comment #c3: yes, the issue happens on install with --external-ca and is present on RHEL 7.4:
ipa-server.x86_64                    4.5.0-22.el7_4

and RHEL 7.5:
ipa-server.x86_64               4.5.4-10.el7

We should automatically update it during master installation.

Comment 5 fbarreto 2018-05-02 18:17:10 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7526

Comment 6 Christian Heimes 2018-05-28 19:27:38 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/af99032d901d55e56bccdc272cfbf3617de05b53
https://pagure.io/freeipa/c/1d70ce850e965a2d5475895aa88668756a6810b3

Comment 7 Rob Crittenden 2018-06-01 13:33:23 UTC

ipa-4-6:
https://pagure.io/freeipa/c/06b55118988628fe939f3c7488822f40b81e1f8b
https://pagure.io/freeipa/c/a9e9d5056713fef72425d155690af53efe2e7a7f

Comment 14 Mohammad Rizwan 2018-08-23 10:36:49 UTC

version:
ipa-server-4.6.4-6.el7.x86_64

Steps:
Execute upstream test:

IPATEST_YAML_CONFIG=/root/mh_cfg.yaml ipa-run-tests -v -r a --with-xunit test_integration/test_external_ca.py::TestExternalCA --logging-level=DEBUG

console log:

[..]
[ipatests.pytest_plugins.integration.host.Host.client.cmd11] RUN ['rm', '-rvf', '/root/ipatests/file_backup', '/root/ipatests/file_remove']
[ipatests.pytest_plugins.integration.host.Host.client.cmd11] Exit code: 0
[ipatests.pytest_plugins.integration.host.Host.client.OpenSSHTransport] GET /root/ipatests/backup_hostname
[ipatests.pytest_plugins.integration.host.Host.client.cmd12] RUN ['cat', '/root/ipatests/backup_hostname']
[ipatests.pytest_plugins.integration.host.Host.client.cmd12] cat: /root/ipatests/backup_hostname: No such file or directory
[ipatests.pytest_plugins.integration.host.Host.client.cmd12] Exit code: 1
[ipatests.pytest_plugins.integration.host.Host.client.OpenSSHTransport] RUN ['kdestroy', '-A']
[ipatests.pytest_plugins.integration.host.Host.client.cmd13] RUN ['kdestroy', '-A']
[ipatests.pytest_plugins.integration.host.Host.client.cmd13] Exit code: 0
[ipatests.pytest_plugins.integration.host.Host.client.OpenSSHTransport] RUN ['rm', '-rvf', '/root/ipatests']
[ipatests.pytest_plugins.integration.host.Host.client.cmd14] RUN ['rm', '-rvf', '/root/ipatests']
[ipatests.pytest_plugins.integration.host.Host.client.cmd14] removed ‘/root/ipatests/env.sh’
[ipatests.pytest_plugins.integration.host.Host.client.cmd14] removed directory: ‘/root/ipatests’
[ipatests.pytest_plugins.integration.host.Host.client.cmd14] Exit code: 0


---------------------------------------------------- generated xml file: /root/nosetests.xml -----------------------------------------------------
=========================================================== 2 passed in 629.47 seconds ===========================================================

Full console logs are attached.

Based on above observations, marking the bug as verified.

Comment 16 errata-xmlrpc 2018-10-30 10:57:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187

Comment 17 Chris Williams 2018-11-05 22:07:37 UTC

*** Bug 1626583 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.