RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1788572 - ipa-client-install will fail with the following error after updating from openldap-2.4.46-9 to openldap-2.4.46-10.el8
Summary: ipa-client-install will fail with the following error after updating from ope...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openldap
Version: 8.1
Hardware: x86_64
OS: Linux
urgent
urgent
Target Milestone: rc
: 8.0
Assignee: Matus Honek
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On:
Blocks: 1781799 1791065
TreeView+ depends on / blocked
 
Reported: 2020-01-07 14:22 UTC by Dominic Kohls
Modified: 2023-09-07 21:23 UTC (History)
6 users (show)

Fixed In Version: openldap-2.4.46-11.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1791065 (view as bug list)
Environment:
Last Closed: 2020-04-28 17:03:31 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1740070 0 unspecified CLOSED TLS setup should not fall back to matching CN if there is a SAN that does not match the server's host name 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker RHELPLAN-31978 0 None None None 2022-04-25 23:24:09 UTC
Red Hat Knowledge Base (Solution) 4783381 0 None None None 2020-02-20 12:38:09 UTC
Red Hat Product Errata RHBA-2020:1914 0 None None None 2020-04-28 17:03:37 UTC

Description Dominic Kohls 2020-01-07 14:22:00 UTC 
Description of problem:

ipa-client-install will fail with the following error after updating from openldap-2.4.46-9 to openldap-2.4.46-10.el8

Version-Release number of selected component (if applicable):

openldap-2.4.46-10.el8

How reproducible:

Update openldap package from openldap-2.4.46-9 to openldap-2.4.46-10.el8 and try to enroll a new system to Red Hat Identitiy Management / FreeIPA

Steps to Reproduce:
1. Update openldap package to openldap-2.4.46-10.el8
2. Enroll a new system to Red Hat IDM / FreeIPA
3. Check ipaclient-install.log

Actual results:

Joining realm failed: Unable to initialize STARTTLS session
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
Failed to bind to server!
Failed to get keytab
child exited with 9

Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

/var/log/ipaclient-install.log

2020-01-07T14:18:12Z INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  2016-05-24 12:26:54
    Valid Until: 2036-05-24 12:26:54

2020-01-07T14:18:12Z DEBUG Starting external process
2020-01-07T14:18:12Z DEBUG args=['/usr/sbin/ipa-join', '-s', 'IPA-SERVER', '-b', 'dc=DOMAIN,dc=LOCAL', '-h', 'FQDN', '-f']
2020-01-07T14:18:13Z DEBUG Process finished, return code=9
2020-01-07T14:18:13Z DEBUG stdout=
2020-01-07T14:18:13Z DEBUG stderr=Unable to initialize STARTTLS session
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
Failed to bind to server!
Failed to get keytab
child exited with 9



Expected results:

System should be enrolled successfully to Red Hat IDM /FreeIPA

Additional info:

Installed Red Hat IDM / FreeIPA Version:

ipa-server-4.6.4-10.el7_6.6.x86_64
ipa-server-common-4.6.4-10.el7_6.6.noarc
Comment 1 Matus Honek 2020-01-07 15:00:04 UTC 
Hello,

I am assuming the regression in your case really comes from a change in OpenLDAP. The only change that was introduced in the respective update was a fix for bug 1740070. That means it is more strict when it comes to hostname checking wrt. CN and SAN -- now, unlike before, if checking against certificate-provided SANs fails (i.e. no match) the subsequent checking against CN is not done any more and the entire checking is considered to have failed. Therefore, in your case I would check the certificates you use to see if they satisfy this new condition.

HTH,
Matus
Comment 2 Dominic Kohls 2020-01-08 08:13:57 UTC 
Hello Matus,

thank you very much for the explanation and your quick response. 

We are using the default selfsigned SSL-Certificate which will be generated when you install FreeIPA/Red Hat IDM.

Ive checked the certificates and couldn't find any SAN-entries, the provided CN matches the FQDN of the host.

openssl s_client does not show any error messages when connecting with starttls, the response shows Verification: OK

Is the SAN-Entry in the Certificate mandatory now? 


Best regards,
Dominic
Comment 4 Christian Heimes 2020-01-10 16:22:40 UTC 
Dominic, does your LDAP server cert contain a Subject Alt Name (SAN) extension of type otherName or any other type?
Comment 5 Dominic Kohls 2020-01-13 08:53:48 UTC 
Hi Christian,

unfortunately the default self-signed certificate does not contain any SAN extensions :-( 

Best regards,
Dominic
Comment 9 Christian Heimes 2020-01-14 16:53:24 UTC 
(In reply to Dominic Kohls from comment #5)
> Hi Christian,
> 
> unfortunately the default self-signed certificate does not contain any SAN
> extensions :-( 

Could you please show us the output of "sudo certutil -d /etc/dirsrv/slapd-IPA-EXAMPLE/ -L -n Server-Cert"? Replace "IPA-EXAMPLE" with your REALM.
Comment 12 Christian Heimes 2020-01-14 20:39:14 UTC 
Patch is attached to parent bug #1788572
Comment 13 Dominic Kohls 2020-01-15 07:52:46 UTC 
Hi Christian,

please find the requested certificate below.


[root@FQDN ~]# certutil -d /etc/dirsrv/slapd-EXAMPLE.COM/ -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 21 (0x15)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Validity:
            Not Before: Fri Apr 27 17:19:20 2018
            Not After : Mon Apr 27 17:19:20 2020
        Subject: "CN=FQDN.EXAMPLE.COM,O=EXAMPLE.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    b6:5b:67:98:f0:d1:61:ef:30:da:0d:07:01:d6:13:5d:
                    fb:08:05:df:6c:75:40:d9:47:5d:2c:95:18:a7:b6:77:
                    33:2a:1a:a7:18:c3:c6:0f:2b:5a:90:b9:b5:8e:fe:19:
                    f1:58:3c:6f:ad:48:f5:bb:22:cb:b7:6d:18:6d:f7:5b:
                    4f:ca:95:c5:f8:d0:4e:4b:2d:2c:02:01:7f:cb:f4:f2:
                    dd:13:3d:d2:8e:21:dc:57:4b:05:7d:29:89:d5:55:03:
                    51:b5:eb:30:65:43:ad:1a:48:5d:cb:e3:b0:a6:03:6e:
                    22:fb:e2:48:8c:0a:d2:29:82:72:59:3e:9a:52:f8:27:
                    6a:df:90:20:5d:cc:8e:57:aa:71:ba:b1:14:03:36:39:
                    46:88:e9:97:36:8e:eb:33:13:c9:f6:11:59:cc:37:1d:
                    de:7c:a2:6b:d9:f5:ed:cb:d7:c0:4c:e6:28:7a:37:42:
                    27:d4:04:b6:f2:0b:f4:ab:d4:77:e3:00:e4:10:84:33:
                    24:5a:52:68:92:28:97:a8:31:57:c5:f7:d6:94:f3:7d:
                    fd:8f:b8:16:23:ea:52:e2:37:7d:2b:b9:0d:c2:b5:fc:
                    10:49:aa:45:f2:41:ec:db:68:d6:02:6f:4a:0e:23:02:
                    f3:9a:82:11:06:5a:26:8c:25:d7:e6:13:b8:f2:8b:69
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                1b:2f:6d:48:1c:53:7e:60:46:a3:34:aa:a3:1d:8a:9a:
                41:21:d0:46

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ipa-ca.EXAMPLE.COM/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ipa-ca.EXAMPLE.COM/ipa/crl/MasterCRL
                    .bin"
                CRL issuer:
                    Directory Name: "CN=Certificate Authority,O=ipaca"

            Name: Certificate Subject Key ID
            Data:
                66:47:8b:9f:35:06:f8:a3:05:be:05:5b:59:42:33:ce:
                e6:f6:44:ae

            Name: Certificate Subject Alt Name
            Other Name: "ldap/FQDN.EXAMPLE.COM"
                OID: Microsoft NT Principal Name
            Other Name: Sequence {
                [0]: {
                    1b:17:43:4f:4d:50:55:54:41:43:45:4e:54:45:52:2d:
                    4d:44:53:2e:4c:4f:43:41:4c
                }
                [1]: {
                    Sequence {
                        [0]: {
                            1 (0x1)
                        }
                        [1]: {
                            Sequence {
                                1b:04:6c:64:61:70
                                1b:27:63:63:64:65:66:66:6d:69:73:70:30:31:6c:
                                64:70:2e:63:6f:6d:70:75:74:61:63:65:6e:74:65:
                                72:2d:6d:64:73:2e:6c:6f:63:61:6c
                            }
                        }
                    }
                }
            }
                OID: OID.1.3.6.1.5.2.2

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        7e:51:29:92:82:40:3d:86:de:16:47:08:d0:ac:14:da:
        92:05:48:7a:5e:06:43:23:82:14:7e:55:d9:f7:1a:5b:
        dc:c9:71:d5:a9:07:3b:1f:eb:5b:0c:ff:3f:96:ee:bb:
        16:9f:06:f4:7b:3f:3b:af:0d:6e:ed:48:a5:99:dc:8f:
        10:51:72:1c:03:64:30:04:8e:53:71:8d:80:ca:7f:cb:
        54:19:65:d5:63:9e:25:e3:29:d7:59:2f:33:e8:ee:0a:
        b2:c2:38:a6:c4:63:2a:56:98:bf:ab:99:86:fa:11:51:
        9a:ff:77:f3:37:6d:f0:66:8a:69:f1:4b:1f:b1:64:3b:
        39:bb:be:5e:5f:d1:f0:42:ec:3e:f7:c1:16:c9:13:cd:
        0b:dd:c9:c8:d1:8f:ed:ab:1d:21:68:f5:34:43:0f:5e:
        ef:82:b8:9a:23:b2:6c:bf:86:a4:82:06:63:38:a9:03:
        90:81:2d:d4:8e:7a:af:3e:8c:f7:b4:e3:b4:c3:dd:51:
        4d:eb:57:7b:87:27:9b:e7:3c:c9:12:cf:93:c4:4e:68:
        75:42:a9:4a:56:d5:04:08:75:e7:9e:24:6d:e0:91:a5:
        3d:a8:fa:1e:fd:ec:b7:fb:2a:2f:27:1b:43:d6:9c:28:
        0c:4f:2a:4b:a3:5e:aa:57:fd:e5:61:e7:a8:76:4c:02
    Fingerprint (SHA-256):
        13:F8:7C:4B:77:E0:5E:5B:3E:BD:CC:E6:07:76:30:15:00:43:BF:6E:BE:DF:BF:2B:75:90:9E:76:E9:42:8F:E8
    Fingerprint (SHA1):
        2B:79:6C:F2:E7:CA:A2:1E:75:05:84:6D:89:0F:93:A7:84:04:CE:B9

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
Comment 14 Christian Heimes 2020-01-15 09:32:49 UTC 
Thanks Dominic!

your certificate has two SAN entries of type "other name" and no entry of type "DNS name". That's exactly the same issue as in the other cases. This scenario will be fixed by our patch.

Matus and I were worried that your case might be different than the other cases. We wanted to be sure that we address your problem as well.
Comment 15 Dominic Kohls 2020-01-15 10:16:06 UTC 
Hi Christian,

thank you for the explanation! 

In comment 5 I checked the certificate with openssl s_client and just saw the following entries which made me think there are no SAN entries set.

            X509v3 Subject Alternative Name:
                othername:<unsupported>, othername:<unsupported>


Many thanks for all your work!
Comment 16 Christian Heimes 2020-01-15 10:45:44 UTC 
The SAN extension can handle more than just DNS names and IP addresses. The "other name" type is a kind of application defined, custom extension. OpenSSL has no code to print SAN general names of type "other name".

Here is the definition from https://tools.ietf.org/html/rfc3280#section-4.2.1.7

   id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }

   SubjectAltName ::= GeneralNames

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   GeneralName ::= CHOICE {
        otherName                       [0]     OtherName,
        rfc822Name                      [1]     IA5String,
        dNSName                         [2]     IA5String,
        x400Address                     [3]     ORAddress,
        directoryName                   [4]     Name,
        ediPartyName                    [5]     EDIPartyName,
        uniformResourceIdentifier       [6]     IA5String,
        iPAddress                       [7]     OCTET STRING,
        registeredID                    [8]     OBJECT IDENTIFIER }

   OtherName ::= SEQUENCE {
        type-id    OBJECT IDENTIFIER,
        value      [0] EXPLICIT ANY DEFINED BY type-id }

   EDIPartyName ::= SEQUENCE {
        nameAssigner            [0]     DirectoryString OPTIONAL,
        partyName               [1]     DirectoryString }
Comment 22 errata-xmlrpc 2020-04-28 17:03:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1914
Note You need to log in before you can comment on or make changes to this bug.