Bug 1892216 - openjdk z-stream broke freeipa installation
Summary: openjdk z-stream broke freeipa installation
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: java-1.8.0-openjdk
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 8.0
Assignee: Andrew John Hughes
QA Contact: OpenJDK QA
Duplicates: 1892515 1892555 1895677
Depends On: 1895060
Blocks: 1893757 1893758 1960547

Reported: 2020-10-28 08:25 UTC by Michele Baldessari
Modified: 2024-03-25 16:50 UTC (History)

Fixed In Version: java-1.8.0-openjdk-1.8.0.272.b10-6.el8
Doc Type: If docs needed, set a value
Clones: 1893757 1893758 1904098 1960547
Last Closed: 2021-05-18 15:31:11 UTC
Type: Bug

Links:
  Red Hat Knowledge Base (Solution) 5527751, last updated 2020-10-29 13:37:22 UTC
  openjdk bug system JDK-8223940, last updated 2020-10-30 03:56:27 UTC

Description Michele Baldessari 2020-10-28 08:25:59 UTC
Description of problem:
(Not sure this has already been reported, our searching failed us miserably. Apologies if we missed the existing BZ) 
 
Luca Miccini noticed that our CI started failing two days ago and he diagnosed the issue to be related to a jdk zstream.
 
Our starting point in terms of rpm versions is the following (this is RHEL-8.2):
[root@freeipa-0 ~]# rpm -qa |grep -e openjdk -e ipa -e pki 
redhat-logos-ipa-81.1-1.el8.noarch
python3-pki-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-tools-10.8.3-2.module+el8.2.0+6294+b7db4606.x86_64
ipa-client-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64
ipa-server-dns-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
java-1.8.0-openjdk-headless-1.8.0.272.b10-1.el8_2.x86_64
ipa-common-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
java-1.8.0-openjdk-devel-1.8.0.272.b10-1.el8_2.x86_64
python3-libipa_hbac-2.2.3-20.el8.x86_64
sssd-ipa-2.2.3-20.el8.x86_64
ipa-healthcheck-core-0.4-4.module+el8.2.0+5489+95477d9f.noarch
pki-base-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
krb5-pkinit-1.17-18.el8.x86_64
pki-symkey-10.8.3-2.module+el8.2.0+6294+b7db4606.x86_64
pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-base-java-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
pki-server-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
pki-kra-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
ipa-server-common-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
python3-ipaclient-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
python3-ipaserver-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
ipa-server-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64
ipa-client-common-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
java-1.8.0-openjdk-1.8.0.272.b10-1.el8_2.x86_64
libipa_hbac-2.2.3-20.el8.x86_64
python3-ipalib-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch
pki-ca-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
 
[root@freeipa-0 tmp]# date && ./freeipa_setup.sh
Wed Oct 28 04:00:50 EDT 2020
 
This will fail with:
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmprm0e_2s6'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: Server unreachable due to SSL error: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:897)\n  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn\n    request_timeout=status_request_timeout,\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 911, in wait_for_startup\n    raise Exception(\'Server unreachable due to SSL error: %s\' % reason) from exc\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
 
This started failing with the new openjdk package. When downgrading it, everything works again.
java-1.8.0-openjdk-1:1.8.0.272.b10-1.el8_2.x86_64 -> Breaks FreeIPA install
java-1.8.0-openjdk-devel-1:1.8.0.265.b01-0.el8_2.x86_64 -> Works correctly with FreeIPA install
 
After downgrading the package with:
if rpm -q --queryformat '%{version}' java-1.8.0-openjdk |grep "1.8.0.272"; then dnf downgrade -y java-1.8.0-openjdk java-1.8.0-openjdk-headless; fi
 
The installation of freeipa proceeded normally (java-1.8.0-openjdk-1.8.0.265.b01-0.el8_2.x86_64 is what we downgraded to):
...
Client configuration complete.
The ipa-client-install command was successful
 
==============================================================================
Setup complete
...
 
Log files/sosreports can be found here:
http://file.rdu.redhat.com/~mbaldess/freeipa-jdk-bz/

Comment 1 Alexander Bokovoy 2020-10-28 08:35:06 UTC
The fix should really be in openjdk. We've seen this multiple times in Fedora as well.

Comment 4 Alexander Bokovoy 2020-10-29 06:41:18 UTC
*** Bug 1892515 has been marked as a duplicate of this bug. ***

Comment 5 Alexander Bokovoy 2020-10-29 07:40:57 UTC
*** Bug 1892555 has been marked as a duplicate of this bug. ***

Comment 30 ferryw 2020-11-03 11:28:41 UTC
Downgrading on CentOS8 doesn't work. It produces an error: lowest version already installed, cannot downgrade it

Is there some reason why this solution would work on RHEL, but not on CentOS?

Comment 45 Alexander Bokovoy 2020-11-06 08:54:20 UTC
(In reply to Andrew John Hughes from comment #43)
> > 
> > I don't quite understand. Is it a bug in OpenJDK or FreeIPA?
> > 
> 
> It's both :-)
> 
> The initial bug is in FreeIPA. It claims to implement the type
> RSAPrivateKey, but it only returns null for the only method of that type,
> getPrivateExponent(). 

Just to correct: there are two bugs: one in OpenJDK, one in JSS library used by Dogtag.

Neither requires changes in FreeIPA itself -- Dogtag is FreeIPA's dependency but FreeIPA itself doesn't use JSS.

Comment 46 Andrew John Hughes 2020-11-06 09:01:18 UTC
Right.

In testing, the client is requesting:

"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha224, ecdsa_sha1, rsa_sha224, rsa_pkcs1_sha1, dsa_sha224, dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512]

The first ones are inapplicable because an RSA key is being used ("sslserver private or public key is not of EC algorithm").

So it tries rsa_pss_pss_sha256.

With the JSS bug, this crashes.

If the JSS bug is fixed, the key is rejected by rsa_pss_pss_sha256 but OpenJDK does not try any of the others.

With the OpenJDK bug fixed, rsa_pkcs1_sha256 will be used.

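The three outcomes described in comment 46, as an added Python model that is not part of the bug report or of the OpenJDK/JSS code: a stand-in RSAPrivateKey whose getPrivateExponent() returns null, and a selection loop that can be toggled between the unfixed and fixed behaviour of each component. The grouping of schemes by key family, and the assumption that every PSS scheme rejects this key while PKCS#1 schemes accept it, are simplifications chosen to reproduce the outcomes the comment states, not OpenJDK's actual logic.

```python
CLIENT_SCHEMES = [
    "ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384", "ecdsa_secp521r1_sha512",
    "ed25519", "ed448",
    "rsa_pss_pss_sha256", "rsa_pss_pss_sha384", "rsa_pss_pss_sha512",
    "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512",
    "rsa_pkcs1_sha256", "rsa_pkcs1_sha384", "rsa_pkcs1_sha512",
    "ecdsa_sha224", "ecdsa_sha1", "rsa_sha224", "rsa_pkcs1_sha1",
    "dsa_sha224", "dsa_sha1", "dsa_sha256", "dsa_sha384", "dsa_sha512",
]

class JssRsaPrivateKey:
    """Stand-in for the JSS RSAPrivateKey whose getPrivateExponent() returns null."""
    algorithm = "RSA"

    def get_private_exponent(self):
        return None

def key_family(scheme):
    if scheme.startswith("ecdsa"):
        return "EC"
    if scheme.startswith(("ed25519", "ed448")):
        return "EdDSA"
    if scheme.startswith("dsa"):
        return "DSA"
    return "RSA"  # simplified grouping (assumption of this model)

def key_accepted(scheme, key, jss_fixed):
    """PSS schemes probe the private exponent; PKCS#1 schemes take any RSA key (assumption)."""
    if "_pss_" in scheme:
        if key.get_private_exponent() is None and not jss_fixed:
            raise TypeError("NullPointerException inside JSS")  # the crash
        return False  # JSS fixed: PSS still rejects this key
    return True

def select_scheme(key, jss_fixed, jdk_fixed, schemes=CLIENT_SCHEMES):
    for scheme in schemes:
        if key_family(scheme) != key.algorithm:
            continue  # "key is not of EC algorithm": not applicable, skip
        if key_accepted(scheme, key, jss_fixed):
            return scheme
        if not jdk_fixed:
            return None  # unfixed OpenJDK gives up after the first rejection
    return None

def outcome(jss_fixed, jdk_fixed):
    try:
        return select_scheme(JssRsaPrivateKey(), jss_fixed, jdk_fixed)
    except TypeError:
        return "crash"
```

outcome(False, False) models the crash, outcome(True, False) the handshake that fails because no other scheme is tried, and outcome(True, True) the fixed path that settles on rsa_pkcs1_sha256.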
Comment 51 Michele Baldessari 2020-11-08 10:38:01 UTC
*** Bug 1895677 has been marked as a duplicate of this bug. ***

Comment 60 errata-xmlrpc 2021-05-18 15:31:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (java-1.8.0-openjdk bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1795

Comment 61 Red Hat Bugzilla 2023-09-15 00:50:15 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

