Bug 1579037 - Adding 3rd Party CAs to IPA results in SmartCard preparation script failure
Summary: Adding 3rd Party CAs to IPA results in SmartCard preparation script failure
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-16 20:50 UTC by aheverle
Modified: 2021-06-10 16:11 UTC
CC: 7 users

Fixed In Version: ipa-4.6.5-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:09:16 UTC
Target Upstream Version:
Embargoed:




Links: Red Hat Product Errata RHBA-2019:2241 (last updated 2019-08-06 13:09:37 UTC)

Description aheverle 2018-05-16 20:50:42 UTC
Adding Root+Intermediate CA certs for the Apache frontend as outlined in the "Linux Domain, Identity, Authentication, and Policy Guide", Sections 26.3 and 26.6.

# kinit admin
# ipa-cacert-manage -n Apache1_Cert -t C,, install /etc/certs/current/Apache_Cert_CA.cer
# ipa-cacert-manage -n Apache2_Cert -t C,, install /etc/certs/current/Apache_Cert_Trust_CA.cer
# ipa-certupdate
# cat /etc/certs/current/Apache_Cert_CA.cer /etc/certs/current/Apache_Cert_Trust_CA.cer /etc/certs/current/cacert.crt > /etc/certs/current/cert_chain.pem
# ipa-server-certinstall --http /etc/certs/current/server.key /etc/certs/current/cert_chain.pem

At this point, the NSSNickname in /etc/httpd/conf.d/nss.conf was set to:
'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'

Please note the single quotes above.


I ran the following commands to set the server up for SmartCard auth and import the CAs:

# kinit admin
# ipa-advise config-server-for-smart-card-auth > /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh
# chmod 755 /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh
# /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh  /root/IPA_Stuff/SmartCard_CA/Root_CA_3.cer \
  /root/IPA_Stuff/SmartCard_CA/Ent_Trust_CA.cer  /root/IPA_Stuff/SmartCard_CA/example.cer

This resulted in the following error:

certutil: could not find certificate named "'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'": SEC_ERROR_BAD_DATABASE: security library: bad database.
Can not set trust flags on HTTP certificate

Upon further investigation, I found the certificate name wrapped in single quotes in the nss.conf file, removed the single quotes and re-ran the server_smart_card_script.sh. This time it completed successfully without issues, and SmartCard authentication was verified to work correctly.

Comment 2 Rob Crittenden 2018-05-16 21:13:31 UTC
I think it is effectively escaping the single quotes. I ran it myself with the nickname quoted via bash -x and got:

++ grep NSSNickname /etc/httpd/conf.d/nss.conf
++ cut -f 2 -d ' '
+ http_cert_nick=''\''Server-Cert'\'''
+ certutil -M -n ''\''Server-Cert'\''' -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt -t Pu,u,u
certutil: could not find certificate named "'Server-Cert'": SEC_ERROR_BAD_DATABASE: security library: bad database.
+ '[' 255 -ne 0 ']'
+ echo 'Can not set trust flags on HTTP certificate'
Can not set trust flags on HTTP certificate
+ exit 1

The easy answer is to sed those single quotes out but given it can be in a subject I suspect something like this is needed at the end of the grep:

| sed "s/^'//" | sed "s/'$//"

to drop leading and trailing single quotes.

Note that double-quotes around the nickname will cause similar issues.
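
The quoting problem traced above, as an added example that is not part of the generated ipa-advise script: the naive `grep | cut` extraction beside a hardened extractor that strips one pair of surrounding single or double quotes before the value would reach `certutil -n`. The function names and the nss.conf samples are constructed for this example.

```bash
#!/bin/bash
# Constructed nss.conf samples; the real file is /etc/httpd/conf.d/nss.conf.
NSS_CONF_QUOTED="# mod_nss config (constructed sample)
NSSNickname 'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'
NSSEnforceValidCerts off"
NSS_CONF_DQUOTED='NSSNickname "Server-Cert"'
NSS_CONF_PLAIN='NSSNickname Server-Cert'

# Extraction as done by the generated script: the quotes stay in the value,
# so certutil looks up a nickname that literally starts with a quote.
http_nick_naive() {
    printf '%s\n' "$1" | grep NSSNickname | cut -f 2 -d ' '
}

# Hardened extraction (hypothetical helper): match only the directive itself,
# keep the rest of the line, trim trailing whitespace, then drop one pair of
# surrounding single or double quotes.
http_nick() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*NSSNickname[[:space:]]\{1,\}//p' \
        | sed -e 's/[[:space:]]*$//' \
              -e "s/^'\(.*\)'\$/\1/" \
              -e 's/^"\(.*\)"$/\1/' \
        | head -n 1
}

# Stand-alone demonstration: show both extractions side by side.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "naive: $(http_nick_naive "$NSS_CONF_QUOTED")"
    echo "fixed: $(http_nick "$NSS_CONF_QUOTED")"
fi
```

The hardened value is what should be passed to `certutil -M -n "$http_cert_nick" ...`; it also survives a subject-style nickname that the `cut -f 2 -d ' '` approach would truncate at the first space.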

Comment 3 Florence Blanc-Renaud 2018-09-21 14:00:38 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7706

Comment 4 Florence Blanc-Renaud 2018-09-24 07:36:03 UTC
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/6e2bd184d60894dae18d08c214403251ee7e26ad


Note: fixed in ipa-4-6 only as ipa-4-7 is using mod_ssl instead of mod_nss and issue does not happen on ipa-4-7.

Comment 6 Nikhil Dehadrai 2019-06-27 08:55:55 UTC
IPA: ipa-server-4.6.5-10.el7.x86_64


Verified the bug on the basis of the following steps:

Setup Script to create ext certs:
------------------------------------
#!/bin/bash

DBDIR="/tmp/ipa/ext_nssdb" # will be removed if exists!
PWDFILE="$DBDIR/pwdfile.txt"
NOISE="$DBDIR/noise.txt"
PASSWORD="Secret123"
DOMAIN="TESTRELM.TEST"
SERVER="qe-blade-07.testrelm.test"

if [ "$EUID" -ne 0 ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# Remove previous NSS database if it exists
if [ -e "$DBDIR" ]; then
    rm -rf "$DBDIR"
fi

# Random 20-byte Subject Key Identifier for the external root CA
ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 2>/dev/null | xxd -p)

# Prepare a new NSS database to serve us as an external CA
mkdir -p "$DBDIR"
echo "$PASSWORD" > "$PWDFILE"
# create noise file for key generation
dd count=10 bs=1024 if=/dev/random of="$NOISE" 2>/dev/null
certutil -N -d "$DBDIR" -f "$PWDFILE"

# Generate a self-signed CA certificate; the echo answers certutil's
# interactive prompts for key usage (-1), basic constraints (-2) and SKID
echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
    | certutil -d "$DBDIR" -S -s "CN=Cert Auth,O=Flo4Auth" -n ca -t C,C,C -x \
        -1 -2 --extSKID -f "$PWDFILE" -z "$NOISE"

# Generate an encrypted key for the server cert
openssl genrsa -aes256 -out "$DBDIR/server.key" -passout "pass:$PASSWORD" 2048

# Generate a CSR
openssl req -key "$DBDIR/server.key" -new -sha256 -outform der \
    -out "$DBDIR/server.csr" -subj "/O=${DOMAIN}/CN=${SERVER}" \
    -passin "pass:$PASSWORD"

# Sign the CSR with the CA; the echo answers the key usage and SKID prompts
echo -e "0\n1\n2\n3\n9\ny\n${ROOT_KEY_ID}\n" \
    | certutil -C -d "$DBDIR" -m 1001 -i "$DBDIR/server.csr" \
        -o "$DBDIR/server.cer" -c ca \
        -1 --extSKID -f "$PWDFILE" -z "$NOISE"

openssl x509 -inform der -in "$DBDIR/server.cer" -out "$DBDIR/server.pem"

# Export the NSS CA certificate and add it to a chain file
certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
cat "$DBDIR/server.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"

echo "Please use $DBDIR/ca.crt $DBDIR/server.pem and $DBDIR/server.key"


Steps:
--------------------------
1. Copy the above shell script to IPA MASTER. (I named it as /tmp/test.sh)
2. Run the script # bash -x test.sh
3. Browse to '/tmp/ipa/ext_nssdb' and run following commands

[root@qe-blade-07 ext_nssdb]# rpm -q ipa-server
ipa-server-4.6.5-10.el7.x86_64
[root@qe-blade-07 ext_nssdb]# ipa-server-certinstall --http server.key server.pem ca.crt
Directory Manager password: <Secret123> 

Enter private key unlock password: <Secret123>

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful

[root@qe-blade-07 ext_nssdb]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

[root@qe-blade-07 ext_nssdb]# cat /etc/httpd/conf.d/nss.conf | grep NSSNickname
NSSNickname 'CN=qe-blade-07.testrelm.test,O=TESTRELM.TEST'

[root@qe-blade-07 ext_nssdb]# kinit admin
Password for admin: 

[root@qe-blade-07 ext_nssdb]# mkdir -pv /tmp/IPA_Stuff/SmartCard_CA-new/
mkdir: created directory ‘/tmp/IPA_Stuff/SmartCard_CA-new/’

[root@qe-blade-07 ext_nssdb]# ipa-advise config-server-for-smart-card-auth > /tmp/IPA_Stuff/SmartCard_CA-new/server_smart_card_script.sh
trying https://qe-blade-07.testrelm.test/ipa/json

[root@qe-blade-07 ext_nssdb]# ls -l /tmp/IPA_Stuff/SmartCard_CA-new/server_smart_card_script.sh
-rw-r--r--. 1 root root 4022 Jun 27 04:47 /tmp/IPA_Stuff/SmartCard_CA-new/server_smart_card_script.sh


Thus, on the basis of the above observations, the issue mentioned in the bug is no longer observed and 'server_smart_card_script.sh' is created successfully; thus marking the status of the bug as 'VERIFIED'.

Comment 8 errata-xmlrpc 2019-08-06 13:09:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

