
Bug 1579037

Summary: Adding 3rd Party CAs to IPA results in SmartCard preparation script failure
Product: Red Hat Enterprise Linux 7
Reporter: aheverle
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: medium
Priority: medium
Version: 7.5
CC: dpal, frenaud, ndehadra, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ipa-4.6.5-1.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-08-06 13:09:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description aheverle 2018-05-16 20:50:42 UTC
Adding Root+Intermediate CA certs for the apache frontend as outlined in the "Linux Domain, Identity, Authentication, and Policy Guide", Sections 26.3 and 26.6.

# kinit admin
# ipa-cacert-manage -n Apache1_Cert -t C,, install /etc/certs/current/Apache_Cert_CA.cer
# ipa-cacert-manage -n Apache2_Cert -t C,, install /etc/certs/current/Apache_Cert_Trust_CA.cer
# ipa-certupdate
# cat /etc/certs/current/Apache_Cert_CA.cer /etc/certs/current/Apache_Cert_Trust_CA.cer /etc/certs/current/cacert.crt > /etc/certs/current/cert_chain.pem
# ipa-server-certinstall --http /etc/certs/current/server.key /etc/certs/current/cert_chain.pem

At this point, the NSSNickname in /etc/httpd/conf.d/nss.conf was set to:
'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'

Please note the single quotes above.


I ran the following commands to set the server up for SmartCard auth and import the CAs:

# kinit admin
# ipa-advise config-server-for-smart-card-auth > /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh
# chmod 755 /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh
# /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh  /root/IPA_Stuff/SmartCard_CA/Root_CA_3.cer \
  /root/IPA_Stuff/SmartCard_CA/Ent_Trust_CA.cer  /root/IPA_Stuff/SmartCard_CA/example.cer

This resulted in the following error:

certutil: could not find certificate named "'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'": SEC_ERROR_BAD_DATABASE: security library: bad database.
Can not set trust flags on HTTP certificate

Upon further investigation, I found the certificate name wrapped in single quotes in the nss.conf file, removed the single quotes and re-ran the server_smart_card_script.sh.  This time it completed successfully without issues, and SmartCard authentication was verified to work correctly.

Comment 2 Rob Crittenden 2018-05-16 21:13:31 UTC
I think it is effectively escaping the single quotes. I ran it myself with the nickname quoted via bash -x and got:

++ grep NSSNickname /etc/httpd/conf.d/nss.conf
++ cut -f 2 -d ' '
+ http_cert_nick=''\''Server-Cert'\'''
+ certutil -M -n ''\''Server-Cert'\''' -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt -t Pu,u,u
certutil: could not find certificate named "'Server-Cert'": SEC_ERROR_BAD_DATABASE: security library: bad database.
+ '[' 255 -ne 0 ']'
+ echo 'Can not set trust flags on HTTP certificate'
Can not set trust flags on HTTP certificate
+ exit 1

The easy answer is to sed those single quotes out, but given it can be in a subject, I suspect something like this is needed at the end of the grep:

| sed "s/^'//" | sed "s/'$//"

to drop leading and trailing single quotes.

Note that double-quotes around the nickname will cause similar issues.
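The extraction Rob walks through above, as an added example (not the ipa-advise script's own code): the generated script's `grep | cut` keeps the surrounding quotes, so certutil looks up a nickname that literally begins with a quote, and it also truncates at the first space in a subject; a sed-based extractor strips one pair of single or double quotes and keeps the whole value. The nss.conf fragments are constructed, and `naive_nickname`, `nss_nickname` and `make_samples` are names chosen here.

```shell
#!/bin/bash
# Added example, not the ipa-advise script's own code: read the NSSNickname value
# from an nss.conf-style file. Sample configuration fragments are constructed.

# What the generated script did: keeps surrounding quotes and breaks on spaces,
# which is why certutil reported SEC_ERROR_BAD_DATABASE for "'CN=...'".
naive_nickname() {
    grep NSSNickname "$1" | cut -f 2 -d ' '
}

# Hardened extraction: take the first uncommented NSSNickname directive, drop the
# keyword and surrounding whitespace, then strip one pair of single or double quotes.
nss_nickname() {
    grep '^[[:space:]]*NSSNickname[[:space:]]' "$1" \
        | head -n 1 \
        | sed -e 's/^[[:space:]]*NSSNickname[[:space:]]*//' \
              -e 's/[[:space:]]*$//' \
              -e "s/^'\(.*\)'\$/\1/" \
              -e 's/^"\(.*\)"$/\1/'
}

# Constructed nss.conf fragments covering the cases seen in this bug; plain.conf also
# carries a commented-out directive to show that only the live one is used.
make_samples() {
    if [ -z "${SAMPLE_DIR:-}" ]; then
        SAMPLE_DIR=$(mktemp -d)
        trap 'rm -rf "$SAMPLE_DIR"' EXIT
    fi
    printf "NSSNickname 'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'\n" \
        > "$SAMPLE_DIR/single.conf"
    printf 'NSSNickname "Server-Cert"\n' > "$SAMPLE_DIR/double.conf"
    printf "# NSSNickname 'old-nick'\nNSSNickname Server-Cert\n" > "$SAMPLE_DIR/plain.conf"
    printf "NSSNickname 'CN=Cert Auth,O=Flo4Auth'\n" > "$SAMPLE_DIR/space.conf"
}

# Show both extractors side by side on the constructed samples
make_samples
for f in single double plain space; do
    printf '%-6s naive=[%s] fixed=[%s]\n' "$f" \
        "$(naive_nickname "$SAMPLE_DIR/$f.conf")" "$(nss_nickname "$SAMPLE_DIR/$f.conf")"
done
```

The stripped value is what should be passed to `certutil -M -n` in the smart-card script; if it still does not match, `certutil -L -d /etc/httpd/alias` lists the nicknames actually present in the database.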

Comment 3 Florence Blanc-Renaud 2018-09-21 14:00:38 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7706

Comment 4 Florence Blanc-Renaud 2018-09-24 07:36:03 UTC
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/6e2bd184d60894dae18d08c214403251ee7e26ad


Note: fixed in ipa-4-6 only, as ipa-4-7 is using mod_ssl instead of mod_nss and the issue does not happen on ipa-4-7.

Comment 6 Nikhil Dehadrai 2019-06-27 08:55:55 UTC
IPA: ipa-server-4.6.5-10.el7.x86_64


Verified the bug on the basis of the following steps:

Setup Script to create ext certs:
------------------------------------
#!/bin/bash

DBDIR="/tmp/ipa/ext_nssdb" # will be removed if exists!
PWDFILE="$DBDIR/pwdfile.txt"
NOISE="$DBDIR/noise.txt"
PASSWORD="Secret123"
DOMAIN="TESTRELM.TEST"
SERVER="qe-blade-07.testrelm.test"

if [ "$EUID" -ne 0 ]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# Remove previous NSS database if it exists
if [ -e "$DBDIR" ]; then
    rm -rf "$DBDIR"
fi

# Generate a random Subject Key Identifier for the root CA
ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 2>/dev/null | xxd -p)

# Prepare a new NSS database to serve us as an external CA
mkdir -p "$DBDIR"
echo "$PASSWORD" > "$PWDFILE"
# create noise file
dd count=10 bs=1024 if=/dev/random of="$NOISE" 2>/dev/null
certutil -N -d "$DBDIR" -f "$PWDFILE"

# Generate a self-signed CA certificate (answers to certutil's interactive
# extension prompts are fed on stdin)
echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
    | certutil -d "$DBDIR" -S -s "CN=Cert Auth,O=Flo4Auth" -n ca -t C,C,C -x \
        -1 -2 --extSKID -f "$PWDFILE" -z "$NOISE"

# Generate a passphrase-protected key for the server cert
openssl genrsa -aes256 -out "$DBDIR/server.key" -passout "pass:$PASSWORD" 2048

# Generate a CSR
openssl req -key "$DBDIR/server.key" -new -sha256 -outform der -out "$DBDIR/server.csr" \
    -subj "/O=${DOMAIN}/CN=${SERVER}" -passin "pass:$PASSWORD"

# Sign the CSR with the CA
echo -e "0\n1\n2\n3\n9\ny\n${ROOT_KEY_ID}\n" \
     | certutil -C -d "$DBDIR" -m 1001 -i "$DBDIR/server.csr" \
       -o "$DBDIR/server.cer" -c ca \
       -1 --extSKID -f "$PWDFILE" -z "$NOISE"

# Convert the DER server certificate to PEM
openssl x509 -inform der -in "$DBDIR/server.cer" -out "$DBDIR/server.pem"

# Export the NSS CA certificate and add it to a chain file
certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
cat "$DBDIR/server.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"

echo "Please use $DBDIR/ca.crt $DBDIR/server.pem and $DBDIR/server.key"


Steps:
--------------------------
1. Copy the above shell script to IPA MASTER. (I named it as /tmp/test.sh)
2. Run the script # bash -x test.sh
3. Browse to '/tmp/ipa/ext_nssdb' and run following commands

[root@qe-blade-07 ext_nssdb]# rpm -q ipa-server
ipa-server-4.6.5-10.el7.x86_64
[root@qe-blade-07 ext_nssdb]# ipa-server-certinstall --http server.key server.pem ca.crt
Directory Manager password: <Secret123> 

Enter private key unlock password: <Secret123>

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful

[root@qe-blade-07 ext_nssdb]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

[root@qe-blade-07 ext_nssdb]# cat /etc/httpd/conf.d/nss.conf | grep NSSNickname
NSSNickname 'CN=qe-blade-07.testrelm.test,O=TESTRELM.TEST'

[root@qe-blade-07 ext_nssdb]# kinit admin
Password for admin: 

[root@qe-blade-07 ext_nssdb]# mkdir -pv /tmp/IPA_Stuff/SmartCard_CA-new/
mkdir: created directory ‘/tmp/IPA_Stuff/SmartCard_CA-new/’

[root@qe-blade-07 ext_nssdb]# ipa-advise config-server-for-smart-card-auth > /tmp/IPA_Stuff/SmartCard_CA-new/server_smart_card_script.sh
trying https://qe-blade-07.testrelm.test/ipa/json

[root@qe-blade-07 ext_nssdb]# ls -l /tmp/IPA_Stuff/SmartCard_CA-new/server_smart_card_script.sh
-rw-r--r--. 1 root root 4022 Jun 27 04:47 /tmp/IPA_Stuff/SmartCard_CA-new/server_smart_card_script.sh


Thus, on the basis of the above observations, the issue mentioned in the bug is no longer observed and 'server_smart_card_script.sh' is created successfully; marking the status of the bug as 'VERIFIED'.

Comment 8 errata-xmlrpc 2019-08-06 13:09:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241