RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1658316 - RFE: Validation and better error messages when novajoin fails because of SSL errors
Summary: RFE: Validation and better error messages when novajoin fails because of SSL ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: 8.0
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
: 1637719 (view as bug list)
Depends On: 1636634 1637717
Blocks: 1637719
TreeView+ depends on / blocked
 
Reported: 2018-12-11 18:04 UTC by Thomas Woerner
Modified: 2023-03-24 14:26 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of: 1637717
Environment:
Last Closed: 2019-06-14 00:45:56 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Comment 3 Thomas Woerner 2018-12-18 10:23:41 UTC 
*** Bug 1637719 has been marked as a duplicate of this bug. ***
Comment 4 Rob Crittenden 2019-01-11 13:21:41 UTC 
You can verify by calling ipa-join directly.

Current RHEL-7.6:

# ipa-join -s ipa.example.test -b dc=exaample,dc=test -w XXXXXXXX
Incorrect password.

Note that this happens even without /etc/ipa/ca.crt which is required to do the connection. You can put an otherwise valid but not correct for the remote IPA CA into that file and you'll get the same error. You'll get the same message if the firewall on the IPA master is not configured to allow the connection.

On the other hand with the fix you should see something more relevant.

For the case of no /etc/ipa/ca.crt:

# ipa-join -s ipa.example.test -b dc=exaample,dc=test -w XXXXXXXX
TLS: could not load verify locations (file:`/etc/ipa/ca.crt',dir:`').
TLS: error:02001002:system library:fopen:No such file or directory crypto/bio/bss_file.c:72
TLS: error:2006D080:BIO routines:BIO_new_file:no such file crypto/bio/bss_file.c:79
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib crypto/x509/by_file.c:201
Unable to set LDAP_OPT_X_TLS_NEWCTX
Unable to enable SSL in LDAP

For the case of a firewall preventing a connection at all.

# ipa-join -s ipa.example.test -b dc=exaample,dc=test -w XXXXXXXX
Bind failed: Can't contact LDAP server

For a valid but incorrect CA:

# ipa-join -s ipa.example.test -b dc=exaample,dc=test -w XXXXXXXX
TLS certificate verification: Error, self signed certificate in certificate chain
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).
Bind failed: Can't contact LDAP server
Comment 5 Varun Mylaraiah 2019-01-14 11:01:25 UTC 
Verified.
ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64

[root@vm-idm-002 ~]# ipa-join -s vm-idm-001.testrelm1401.test -b dc=testrelm1401,dc=test -w <XXXXXXXX>
Bind failed: Can't contact LDAP server

[root@vm-idm-002 ~]# ipa-join -s vm-idm-001.testrelm1401.test -b dc=testrelm1401,dc=test -w <XXXXXXXX>
TLS: could not load verify locations (file:`/etc/ipa/ca.crt',dir:`').
TLS: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode crypto/pem/pem_lib.c:929
TLS: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib crypto/x509/by_file.c:207
Unable to set LDAP_OPT_X_TLS_NEWCTX
Unable to enable SSL in LDAP


Based on the above observation, marking the bug VERIFIED
Note You need to log in before you can comment on or make changes to this bug.