Bug 1658316 - RFE: Validation and better error messages when novajoin fails because of SSL errors
Summary: RFE: Validation and better error messages when novajoin fails because of SSL ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: 8.0
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
: 1637719 (view as bug list)
Depends On: 1636634 1637717
Blocks: 1637719
TreeView+ depends on / blocked
 
Reported: 2018-12-11 18:04 UTC by Thomas Woerner
Modified: 2019-06-14 00:45 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of: 1637717
Environment:
Last Closed: 2019-06-14 00:45:56 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)

Comment 3 Thomas Woerner 2018-12-18 10:23:41 UTC
*** Bug 1637719 has been marked as a duplicate of this bug. ***

Comment 4 Rob Crittenden 2019-01-11 13:21:41 UTC
You can verify by calling ipa-join directly.

Current RHEL-7.6:

# ipa-join -s ipa.example.test -b dc=exaample,dc=test -w XXXXXXXX
Incorrect password.

Note that this happens even without /etc/ipa/ca.crt which is required to do the connection. You can put an otherwise valid but not correct for the remote IPA CA into that file and you'll get the same error. You'll get the same message if the firewall on the IPA master is not configured to allow the connection.

On the other hand with the fix you should see something more relevant.

For the case of no /etc/ipa/ca.crt:

# ipa-join -s ipa.example.test -b dc=exaample,dc=test -w XXXXXXXX
TLS: could not load verify locations (file:`/etc/ipa/ca.crt',dir:`').
TLS: error:02001002:system library:fopen:No such file or directory crypto/bio/bss_file.c:72
TLS: error:2006D080:BIO routines:BIO_new_file:no such file crypto/bio/bss_file.c:79
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib crypto/x509/by_file.c:201
Unable to set LDAP_OPT_X_TLS_NEWCTX
Unable to enable SSL in LDAP

For the case of a firewall preventing a connection at all.

# ipa-join -s ipa.example.test -b dc=exaample,dc=test -w XXXXXXXX
Bind failed: Can't contact LDAP server

For a valid but incorrect CA:

# ipa-join -s ipa.example.test -b dc=exaample,dc=test -w XXXXXXXX
TLS certificate verification: Error, self signed certificate in certificate chain
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).
Bind failed: Can't contact LDAP server

Comment 5 Varun Mylaraiah 2019-01-14 11:01:25 UTC
Verified.
ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64

[root@vm-idm-002 ~]# ipa-join -s vm-idm-001.testrelm1401.test -b dc=testrelm1401,dc=test -w <XXXXXXXX>
Bind failed: Can't contact LDAP server

[root@vm-idm-002 ~]# ipa-join -s vm-idm-001.testrelm1401.test -b dc=testrelm1401,dc=test -w <XXXXXXXX>
TLS: could not load verify locations (file:`/etc/ipa/ca.crt',dir:`').
TLS: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode crypto/pem/pem_lib.c:929
TLS: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib crypto/x509/by_file.c:207
Unable to set LDAP_OPT_X_TLS_NEWCTX
Unable to enable SSL in LDAP


Based on the above observation, marking the bug VERIFIED


Note You need to log in before you can comment on or make changes to this bug.