Bug 1777611 - sanity check the environment for proxy configuration so that proxy configuration does not cause installation to fail.
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.1
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-11-28 00:32 UTC by Glen Babiano
Modified: 2023-08-14 05:11 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Fedora Pagure | freeipa issue 5555 | 0 | None | None | None | 2020-01-09 13:39:15 UTC
Red Hat Issue Tracker | FREEIPA-7164 | 0 | None | None | None | 2021-10-25 18:11:52 UTC
Red Hat Issue Tracker | RHELPLAN-32160 | 0 | None | None | None | 2021-10-25 18:11:51 UTC

Description Glen Babiano 2019-11-28 00:32:20 UTC
Description of problem:
IHAC, who wants to raise an RFE to improve error messages to make it easier to pinpoint the issue for anyone who will be in the same situation in the future. Here's the customer's observation and recommendation:
-----
So, I went digging through the source code to see what IPA is trying to do - at that stage it wanted to establish an https connection towards the Master using the python-request module. It occurred to me that the system has an http&https proxy configured in /etc/environment. When I unset this proxy, installation of the replica was successful.

So, apparently, when the request module failed to connect to the master through http/https, it threw "SSL verification failed", which is misleading. The proxy replied with another CA certificate, so the error should say something like "Certificate mismatch" - the client already downloaded the IPA CA certificate to the trusted CA repository. Also, the proxy reply came from another IP than the IPA master, so maybe some check for http/s traffic hijack could also be good to implement.
-----

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 7.7
ipa-server-4.6.5-11

How reproducible:
Always

Actual results:
# ipa-replica-install --password 'random_password' --server idm.example.com --domain example.com --setup-dns --setup-ca --no-forwarder

ipapython.admintool: DEBUG    The ipa-replica-install command failed, exception: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR    [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Expected results:
ipa-replica-install should perform a sanity check of the environment for proxy configuration, or scrub the environment so that proxy configuration does not cause installation to fail.

Additional info:
Fraser Tweedale has the following suggestion on the idm-tech mailing list:

Please file the RFE, but I think rather than change the error message, it should be to either sanity check the environment for proxy configuration, or scrub the environment so that proxy configuration does not cause installation to fail.

I don't think there's much we can do about the error message - certificate mismatch is what is causing the SSL/TLS verification failure. Most of the time a TLS library does not distinguish these cases.
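
A sketch of the sanity check and scrub requested under "Expected results", added here as an illustration; it is not code from FreeIPA or from the reporter. The function names and the sample file contents are assumptions, and no_proxy matching is delegated to Python's standard library, which may differ in detail from what python-requests applies.

```python
import urllib.request

def parse_environment_file(text):
    """Parse KEY=value lines as found in /etc/environment."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip().strip("'\"")
    return env

def proxies_for_host(host, environ):
    """Return {scheme: proxy_url} that clients honouring the *_proxy
    convention would use to reach `host` (hypothetical helper)."""
    proxies = {}
    # Upper-case names first so lower-case ones win, as in urllib.
    for name, value in sorted(environ.items(), key=lambda kv: kv[0].islower()):
        lname = name.lower()
        if lname.endswith("_proxy"):
            if value:
                proxies[lname[:-len("_proxy")]] = value
            else:
                proxies.pop(lname[:-len("_proxy")], None)
    # The "no" entry (from no_proxy) is matched by the standard library.
    if urllib.request.proxy_bypass_environment(host, proxies):
        return {}
    return {s: u for s, u in proxies.items() if s in ("http", "https", "all")}

def scrub_proxy_vars(environ):
    """Return a copy of `environ` without any *_proxy variable."""
    return {k: v for k, v in environ.items() if not k.lower().endswith("_proxy")}

# Constructed sample in the style of an /etc/environment with a proxy set.
SAMPLE_ENV_FILE = """\
# site-wide proxy (constructed values)
LANG=en_US.UTF-8
http_proxy=http://proxy.corp.example:3128
HTTPS_PROXY="http://proxy.corp.example:3128"
no_proxy=localhost,.internal.example
"""

if __name__ == "__main__":
    master = "idm.example.com"  # --server value from the report
    env = parse_environment_file(SAMPLE_ENV_FILE)
    for scheme, url in sorted(proxies_for_host(master, env).items()):
        print(f"WARNING: {scheme} traffic to {master} would go via {url}")
```

Run before the HTTPS connection to the master, a non-empty result from `proxies_for_host` is the condition to warn on, and `scrub_proxy_vars` gives the environment to use if the installer chooses to ignore the proxy instead.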

Comment 3 Christian Heimes 2020-01-09 13:39:15 UTC
There is an existing upstream ticket for the problem, https://pagure.io/freeipa/issue/5555
