RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1567910 - IPA install with external-CA is failing when FIPS mode enabled.
Summary: IPA install with external-CA is failing when FIPS mode enabled.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Endi Sukma Dewata
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1572548
TreeView+ depends on / blocked
 
Reported: 2018-04-16 12:20 UTC by Mohammad Rizwan
Modified: 2021-09-09 13:43 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
: 1572548 (view as bug list)
Environment:
Last Closed: 2018-10-30 11:07:04 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 3115 0 None None None 2020-10-04 21:43:09 UTC
Red Hat Product Errata RHBA-2018:3195 0 None None None 2018-10-30 11:08:05 UTC

Description Mohammad Rizwan 2018-04-16 12:20:12 UTC 
Description of problem:
IPA server install failing with external-ca when FIPS mode enabled in 7.5.1. It was passing in 7.5.

Version-Release number of selected component (if applicable):
ipa-server-4.5.4-10.el7_5.1.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install ipa with --external-ca option
2. sign the csr using external-ca
3. Proceed to install ipa-server with external-cert signed in step2

Actual results:
ipa install fail due to:
exception: RuntimeError: CA configuration failed.

Expected results:
ipa install success

Additional info:
Comment 6 Standa Laznicka 2018-04-17 12:05:53 UTC 
Endi, Fraser,

In the pkispawn log I am seeing the following:

"""
2018-04-16 06:41:38 pkispawn    : INFO     ....... validating signing certificate
2018-04-16 06:41:39 pkispawn    : DEBUG    ....... Error Type: CalledProcessError
2018-04-16 06:41:39 pkispawn    : DEBUG    ....... Error Message: Command '['pki-server', 'subsystem-cert-validate', '-i', 'pki-tomcat', 'ca', 'signing']' returned non-zero exit status 1
2018-04-16 06:41:39 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 533, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1060, in spawn
    self.validate_system_certs(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 798, in validate_system_certs
    self.validate_system_cert(deployer, nssdb, subsystem, 'signing')
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 793, in validate_system_cert
    subsystem.validate_system_cert(tag)
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 211, in validate_system_cert
    stderr=subprocess.STDOUT)
  File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
"""

It seems that the validation of the signing cert failed for some reason pkispawn keeps for himself. Did PKI in FIPS RHEL 7.5.1 add some harder requirements for these use cases?
Comment 7 Endi Sukma Dewata 2018-04-17 16:21:10 UTC 
Mohammad, could you run this command and provide the output? Thanks.

 $ pki-server subsystem-cert-validate -i pki-tomcat -v ca signing
Comment 8 Mohammad Rizwan 2018-04-18 06:23:23 UTC 
[root@master ~]# pki-server subsystem-cert-validate -i pki-tomcat -v ca signing
{'certusage': 'SSLCA', 'nickname': 'caSigningCert cert-pki-ca', 'request': 'MIICrzCCAZcCAQAwODEWMBQGA1UEChMNVEVTVFJFTE0uVEVTVDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzGfFxEIOOR5iikEp8TU3BpLhb3/FmyFkq26Mp4lF/VNhAW+dsVnekPHxQLBzdgp114gu2TNJudwiWUkNUGd+eyGsyZJwqQwzOSH3RrOcp/kfd50Az+t8fq4+9cmg2H84FksI1y6o8JRVT4sPyo/aEVcpFarTtCoH+j2OFTQ3yjDFFZtcBzByJQvgNHqFDGwMXdvnHQ0kFYXoLSDOEopa0IGF4CSVsK9mgIA9xJa1FUeMHc3DR71JTqQyjuLI5wuboplgaPkzfx1KknKX6+/CiHxsTNCz8S4P5VubOx9OUOSUNjAHuPZ097V/hdyQH5a9AYayyWwU/ykRfEpDsL2uYQIDAQABoDIwMAYJKoZIhvcNAQkOMSMwITAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQsFAAOCAQEAXzP7UOiq1tlGIY3eW+j2IkkiZdNS9/+m8XgXIwMnJO2HjOt3j9RNJv7I6FdvmlCLtEK4tdBe+KgU8mGV9wjIMioRKJr4LNIHnrfFLEXMffLbteUJ0cXTlrUGgxmZqOq7AKOJTCJ2FFBlmr9CV8tTPSGE5mDNjBq0ZhXV0+ZymtuFmEUOfjdzHmdY5itrutaIju5M/3oO1KSiZeImMK9Im0MBp498q+CWwwfmCpnIFWxvHItciUL2Rpzu3tORUP0xJGPeVdjnG43XJzEydamhApHQ0jDbnnLSa/T/5oHCKzb+Kf2skyqMInzTNnLrlmVvyzNk1lXLmaEisjyTd4sxiQ==', 'not_before': 1523875293000.0, 'token': 'Internal Key Storage Token', 'not_after': 1531737693000.0, 'serial_number': 2906561457, 'issuer': u'CN=Test_CA', 'data': 'MIIDETCCAfmgAwIBAgIFAK0+m7EwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdF9DQTAeFw0xODA0MTYxMDQxMzNaFw0xODA3MTYxMDQxMzNaMDgxFjAUBgNVBAoTDVRFU1RSRUxNLlRFU1QxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMxnxcRCDjkeYopBKfE1NwaS4W9/xZshZKtujKeJRf1TYQFvnbFZ3pDx8UCwc3YKddeILtkzSbncIllJDVBnfnshrMmScKkMMzkh90aznKf5H3edAM/rfH6uPvXJoNh/OBZLCNcuqPCUVU+LD8qP2hFXKRWq07QqB/o9jhU0N8owxRWbXAcwciUL4DR6hQxsDF3b5x0NJBWF6C0gzhKKWtCBheAklbCvZoCAPcSWtRVHjB3Nw0e9SU6kMo7iyOcLm6KZYGj5M38dSpJyl+vvwoh8bEzQs/EuD+VbmzsfTlDklDYwB7j2dPe1f4XckB+WvQGGsslsFP8pEXxKQ7C9rmECAwEAAaNIMEYwEQYJYIZIAYb4QgEBBAQDAgAHMBMGA1UdDgQMBAouf0d9m8JqFnc5MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgLEMA0GCSqGSIb3DQEBCwUAA4IBAQAnn7zUpcCgcKqM5ik50ossHcFYIYFnwYQo9rwdykTnooogYlkY4jgJpps590eTTtN2uKpzDZPhwZo+uSUS0HDPzsaASG4idtEcEFDkrU40cSwl0Zr9uWjKbUm+v0SYgAt8szqSmlTpGf50ZcwgFQp0F2nOx6RdzoOdmH0WiRm+/NRiGXUSJXj5OaT0FmyWYxEiyMcIsX0tUaAz2MEVIlFuAEAjJ1RfhEOueRiYRrd5niUucaeqvHUu7wMO1pdy8fnObjdS2v31vdGw5j8js4TWh/V3V4104/M4jJJKRt5zdiG5QEk4POauuNICdOolfXayUn4xNhsINQAKj5ytSe1b', 'id': 'signing', 'subject': u'CN=Certificate Authority,O=TESTRELM.TEST'}
  Cert ID: signing
  Nickname: caSigningCert cert-pki-ca
  Usage: SSLCA
  Token: Internal Key Storage Token
Command: pki -d /var/lib/pki/pki-tomcat/alias --token Internal Key Storage Token -C /tmp/tmpfvldwj client-cert-validate Internal Key Storage Token:caSigningCert cert-pki-ca --certusage SSLCA
  Status: ERROR: ObjectNotFoundException: Certificate not found: Internal Key Storage Token:caSigningCert cert-pki-ca

-----------------
Validation failed
-----------------
Comment 11 Endi Sukma Dewata 2018-04-23 19:09:03 UTC 
I'm not aware of specific FIPS requirements imposed by PKI, but I'm not the expert in that area. Usually such requirements are imposed by NSS.
Comment 13 Endi Sukma Dewata 2018-04-24 01:59:50 UTC 
Apparently it's caused by token name normalization problem in PKI.
I opened this upstream ticket: https://pagure.io/dogtagpki/issue/2997
Comment 14 Matthew Harmsen 2018-04-25 00:17:38 UTC 
Per RHEL 7.5.z/7.6/8.0 Triage: 10.5.z
Comment 18 Endi Sukma Dewata 2018-04-26 18:37:27 UTC 
Fixed in master branch (i.e. PKI 10.6):
* https://github.com/dogtagpki/pki/commit/76912e2e68fddd978be20cb92b9c76099b8bc065
* https://github.com/dogtagpki/pki/commit/a8e7f8c80f4f6630f78990f81e4d1a06cd7f45fc
Comment 19 Endi Sukma Dewata 2018-04-26 18:45:02 UTC 
The fix can be verified with the procedure provided in the original bug description, either with IPA or without IPA.
Comment 22 Nikhil Dehadrai 2018-07-20 11:32:26 UTC 
IPA-server Version: ipa-server-4.6.4-2.el7.x86_64

Verified the bug on teh basis of following points:
1. Verified that IAP-server installation for EXTERNAL-CA is Successful in FIPS mode.
2. Verified that IPA-server installation is successful in FIPS mode.
3. Verified that IPA-Server installation for EXTERNAL-CA is successful in non-FIPS mode.

Thus on the basis of above observation, marking the status of bug to 'VERIFIED'.
Comment 25 errata-xmlrpc 2018-10-30 11:07:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195
Note You need to log in before you can comment on or make changes to this bug.