Description of problem: 1] Customer want to install ipa on rhel8.4 by using update-crypto-policies --set FUTURE. 2] Though we know that This level also provides some (not complete) preparation for post-quantum encryption support in form of 256-bit symmetric encryption requirement. The RSA and Diffie-Hellman parameters are accepted if larger than 3071 bits. The level provides at least 128-bit security. 3] so we have tried to set /root/pki_override.cfg [CA] pki_admin_key_size = 4096 pki_admin_keysize = 4096 pki_audit_signing_key_size = 4096 pki_ca_signing_key_size = 4096 pki_ocsp_signing_key_size = 4096 pki_ssl_server_key_size = 4096 pki_sslserver_key_size = 4096 pki_storage_key_size = 4096 pki_subsystem_key_size = 4096 pki_transport_key_size = 4096 and pass it to ipa-server-install via --pki-config-override /root/pki_override.cfg After that it will fail on the last remaining key that is being created as 2048 which is /var/lib/ipa/ra-agent.key /var/lib/ipa/ra-agent.pem Version-Release number of selected component (if applicable): IPA Version: ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64 Pki Version: pki-ca-10.10.5-3.module+el8.4.0+11039+635979e4.noarch How reproducible: Steps to Reproduce: 1.ipa-server-install fails on the below given error During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 1945, in import_included_profiles conn.get_entry(dn) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1642, in get_entry size_limit=size_limit, get_effective_rights=get_effective_rights, File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1454, in get_entries **kwargs) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1592, in find_entries break File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1095, in error_handler raise errors.NotFound(reason=arg_desc or 'no such entry') ipalib.errors.NotFound: no such entry During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request conn = connection_factory(host, port, **connection_options) File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory tls_version_max=api.env.tls_version_max) File "/usr/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection ctx.load_cert_chain(client_certfile, client_keyfile, passwd) ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) <<<<<========== During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request conn = connection_factory(host, port, **connection_options) File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory tls_version_max=api.env.tls_version_max) File "/usr/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection ctx.load_cert_chain(client_certfile, client_keyfile, passwd) ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) <<<=========== During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation run_step(full_msg, method) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step method() File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 1959, in import_included_profiles _create_dogtag_profile(profile_id, profile_data, overwrite=True) File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2127, in _create_dogtag_profile with api.Backend.ra_certprofile as profile_api: File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1199, in __enter__ method='GET' File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 209, in https_request method=method, headers=headers) File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request raise NetworkError(uri=uri, error=str(e)) ipalib.errors.NetworkError: cannot connect to 'https://idm.test.example.com:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) <<<<================= 2021-06-15T18:09:37Z DEBUG [error] NetworkError: cannot connect to 'https://idm.test.example.com:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) 2021-06-15T18:09:37Z DEBUG Removing /root/.dogtag/pki-tomcat/ca 2021-06-15T18:09:37Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run return cfgr.run() And finally it failed at File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 209, in https_request method=method, headers=headers) File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request raise NetworkError(uri=uri, error=str(e)) 2021-06-15T18:09:37Z DEBUG The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://idm.test.example.com:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) 2021-06-15T18:09:37Z ERROR cannot connect to 'https://idm.test.example.com:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) 2021-06-15T18:09:37Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information 2. 3. Actual results: Ipa installation is failing with --pki-config-override option Expected results: Ipa should install via --pki-config-override /root/pki_override.cfg Additional info:
If it breaks on re-issuance of RA cert, then it might be because of the defaults in certmonger. When there is no 'key-size' specified in the request, it uses own default values for RSA/DSA/EC keys. It uses 2048 as the default public key size unless redefined when certmonger is compiled and 512 for the minimum RSA private key size. RA cert request in IPA during the installation does not define any additional properties and instead rely on the defaults. I guess this is what happens here -- since pki override options only apply to the CA, certmonger does not know about those and does not have any way to use them other than IPA forcing those options through the request settings. Which we don't do in this case. At the point of a failure in the description we are trying to import CA profiles IPA maintains in its tree. We use RA cert key to perform authentication to the CA end-point and that fails to work because it is 2048 bit long and expectation is to be at least 3071-bit long due to FUTURE policy. A possible solution would be to extend ipalib/install/certmonger.py:request_cert() to allow adding key-size/key-type passage. We have this already in resubmit_request() but not in the request_cert(). Rob, does my analysis above match certmonger's logic?
You are correct. Another idea I've been mulling is making the default key size in certmonger configurable instead of built in. This would be independent of IPA and doing that work is probably a good idea either way.
Hi, || Another idea I've been mulling is making the default key size in certmonger configurable instead of built in. This would be independent of IPA and doing that work is probably a good idea either way. Could you please provide as an example to set the default key size in certmonger
The certmonger default key size is currently determined at build time, so hardcoded. The only way to change it is to rebuild the package
FWIW I opened an issue upstream against certmonger to make the default RSA key size configurable, https://pagure.io/certmonger/issue/211 I think that IPA should also make it possible internally to select the key size.