Bug 1998016 - RA key import failing during pki instance creation on RHEL9.0 replica from RHEL8.4 server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: pki-core
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jack Magne
QA Contact: PKI QE
URL:
Whiteboard:
Depends On:
Blocks: 2032806
Reported: 2021-08-26 09:37 UTC by Kaleem
Modified: 2022-05-17 12:56 UTC
CC List: 14 users

Fixed In Version: pki-core-11.0.1-3.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 12:41:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Flags: ckelley: needinfo-


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker   RHCS-2648       0        None      None    None     2021-12-02 07:56:27 UTC
Red Hat Issue Tracker   RHELPLAN-95282  0        None      None    None     2021-08-26 09:39:22 UTC
Red Hat Product Errata  RHBA-2022:2376  0        None      None    None     2022-05-17 12:41:54 UTC

Description Kaleem 2021-08-26 09:37:08 UTC
Description of problem:

RA key import failing during PKI instance creation.

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: creating certificate server db
  [2/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded

  [3/29]: creating ACIs for admin
  [4/29]: creating installation admin user
  [5/29]: configuring certificate server instance
  [6/29]: stopping certificate server instance to update CS.cfg
  [7/29]: backing up CS.cfg
  [8/29]: Add ipa-pki-wait-running
  [9/29]: secure AJP connector
  [10/29]: reindex attributes
  [11/29]: exporting Dogtag certificate store pin
  [12/29]: disabling nonces
  [13/29]: set up CRL publishing
  [14/29]: enable PKIX certificate path discovery and validation
  [15/29]: authorizing RA to modify profiles
  [16/29]: authorizing RA to manage lightweight CAs
  [17/29]: Ensure lightweight CAs container exists
  [18/29]: destroying installation admin user
  [19/29]: starting certificate server instance
  [20/29]: Finalize replication settings
  [21/29]: configure certmonger for renewals
  [22/29]: Importing RA key
Error storing key "keys/ra/ipaCert": CalledProcessError(Command ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-'] returned non-zero exit status 1: 'Traceback (most recent call last):\n  File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in <module>\n    main(ra_agent_parser())\n  File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 114, in main\n    common.main(parser, export_key, import_key)\n  File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py", line 73, in main\n    func(args, tmpdir, **kwargs)\n  File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 69, in import_key\n    ipautil.run(cmd, umask=0o027)\n  File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run\n    raise CalledProcessError(\nipapython.ipautil.CalledProcessError: CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\', \'/tmp/tmp04xw30vu/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\', \'/var/lib/ipa/ra-agent.pem\', \'-password\', \'file:/tmp/tmp04xw30vu/passwd\'] returned non-zero exit status 1: \'Error outputting keys and certificates\\n007CB411E27F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')\n')
  [error] FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

[Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


Version-Release number of selected component (if applicable):
[root@replica ~]# rpm -q ipa 389-ds-base pki-ca
package ipa is not installed
389-ds-base-2.0.8-1.el9.x86_64
pki-ca-11.0.0-0.4.alpha1.el9.noarch
[root@replica ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL8.4 IPA master
2. Install RHEL9.0 IPA replica against RHEL8.4 IPA server
3.

Actual results:
Replica install fails during pki instance creation

Expected results:
Replica install should be successful

Comment 2 François Cami 2021-08-26 12:30:11 UTC
Taking as I'm investigating this.

Comment 3 François Cami 2021-08-26 18:31:14 UTC
Reproduced.
This is similar to https://github.com/dogtagpki/pki/pull/3590.

Comment 19 Alexander Bokovoy 2021-12-15 09:56:47 UTC
So my thinking is that there are two parts here:

 - pki-core fix in bug 1998016 is required but not enough. It only fixes the first step -- when RA Agent file is generated, it is no longer encrypted with a legacy cipher

 - IPA needs to drop encryption of existing RA Agent file generated with older PKI version _before_ submitting it to replica via Custodia. This will be handled via bug 2032806.

For RHCS, I think, this is also valid, so some sort of a way to handle upgrade would be needed if RHCS supports in-place upgrade from RHEL 8 to RHEL 9.

Comment 24 Jack Magne 2022-02-08 00:51:38 UTC
I've followed this issue to the other ipa bug referenced, which seems to be resolved: bug 2032806.

The question is, is there more to be done from the pki side for this?

The following irc trace was provided to me by edewata:


[Friday, February 4, 2022] [8:58:21 AM CST] <cheimes> ab / ckelley: I just finish running some tests. The ca-agent.p12 file uses a weak, problematic encryption algo.
[Friday, February 4, 2022] [8:58:36 AM CST] <cheimes> Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 600000
[Friday, February 4, 2022] [8:58:40 AM CST] Nick vvanhaft is now known as vvanhaft|afk.
[Friday, February 4, 2022] [8:58:59 AM CST] <cheimes> cacert.p12 is better: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA1
[Friday, February 4, 2022] [8:59:26 AM CST] <cheimes> Tested on RHEL 8.5 with pki-ca-10.11.2-2.module+el8.5.0+12735+8eb38ccc
[Friday, February 4, 2022] [9:00:15 AM CST] <ckelley> cheimes: yeah the stripping out of SHA-1 in pki-core/jss went in after the 9.0 branching so there is probably a lot of that sort of thing happening.
[Friday, February 4, 2022] [9:00:31 AM CST] <cheimes> http://pastebin.test.redhat.com/1027132
[Friday, February 4, 2022] [9:00:45 AM CST] <cheimes> 3DES is more of a problem


I was wondering if it has been isolated as to what command is being called from pkispawn to isolate this issue, or is it some test program that is the issue? If so, it would be great to attempt to trace down what piece of code is allegedly using DES3 as reported here. Thanks.
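The check cheimes describes above (which PBE scheme protects each bag of a .p12 file) can be scripted, so that RA agent files produced by an older PKI can be inspected before a RHEL 9 replica tries to import them. The following is an added example, not code from this bug report, IPA or pki-core: it walks the DER of a PKCS#12 file and reports the PBE OIDs it finds, flagging the RC2-40-CBC scheme from the description that OpenSSL 3 cannot decrypt without its legacy provider. The OID table and the constructed, non-importable sample PFX are assumptions for illustration; a real file would be passed as open(path, "rb").read().

```python
# Constructed example: list the PBE schemes a PKCS#12 (PFX) file uses by walking its DER structure.
RC2_40, DES3, PBES2 = (bytes.fromhex("2a864886f70d" + s) for s in ("010c0106", "010c0103", "01050d"))
ID_DATA, ID_ENCRYPTED, SHROUDED_KEY_BAG = (bytes.fromhex("2a864886f70d" + s) for s in ("010701", "010706", "010c0a0102"))
PBE_OIDS = {  # scheme name, and whether OpenSSL 3 needs its legacy provider to decrypt it
    RC2_40: ("pbeWithSHA1And40BitRC2-CBC", True),       # 1.2.840.113549.1.12.1.6: the replica failure
    DES3: ("pbeWithSHA1And3-KeyTripleDES-CBC", False),  # 1.2.840.113549.1.12.1.3: weak but decryptable
    PBES2: ("PBES2", False),                            # 1.2.840.113549.1.5.13: PBKDF2 + AES
}
def _read_tlv(buf, pos):  # one DER TLV -> (tag, constructed?, value, next_pos); raises if malformed
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) or (tag & 0x1F) == 0x1F:
        raise ValueError("truncated value or multi-byte tag")
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length

def _walk(buf):  # collect OID values, descending into constructed values and DER nested in OCTET STRINGs
    oids, pos = [], 0
    while pos < len(buf):
        tag, constructed, value, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            oids.append(bytes(value))
        elif constructed:
            oids += _walk(value)
        elif tag == 0x04:  # PKCS#12 wraps AuthenticatedSafe and SafeContents in OCTET STRINGs
            try:
                oids += _walk(value)
            except (ValueError, IndexError):  # opaque bytes (ciphertext, salt), not nested DER
                pass
    return oids

def scan_pkcs12(pfx):  # -> (sorted PBE scheme names, True if OpenSSL 3 needs the legacy provider)
    hits = {o for o in _walk(pfx) if o in PBE_OIDS}
    return sorted(PBE_OIDS[o][0] for o in hits), any(PBE_OIDS[o][1] for o in hits)

def _der(tag, *parts):  # DER TLV with minimal length encoding (values below 64 KiB)
    body = b"".join(parts)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])) + body

def build_sample_pfx(cert_pbe=RC2_40, key_pbe=DES3):
    # Constructed PFX skeleton shaped like the RA agent file (encrypted cert SafeContents plus a shrouded key bag); ciphertext is zeros, so it is a fixture, not importable.
    def algid(oid):  # AlgorithmIdentifier with PBE parameters {salt, iterations}
        return _der(0x30, _der(0x06, oid), _der(0x30, _der(0x04, b"salt"), _der(0x02, b"\x08\x00")))
    enc = _der(0x30, _der(0x06, ID_ENCRYPTED), _der(0xA0, _der(0x30, _der(0x02, b"\x00"),
              _der(0x30, _der(0x06, ID_DATA), algid(cert_pbe), _der(0x80, bytes(16))))))
    bag = _der(0x30, _der(0x06, SHROUDED_KEY_BAG), _der(0xA0, _der(0x30, algid(key_pbe), _der(0x04, bytes(24)))))
    safe = _der(0x30, _der(0x06, ID_DATA), _der(0xA0, _der(0x04, _der(0x30, bag))))
    return _der(0x30, _der(0x02, b"\x03"), _der(0x30, _der(0x06, ID_DATA), _der(0xA0, _der(0x04, _der(0x30, safe, enc)))))
```

A True second element is the condition that produced the "unsupported ... RC2-40-CBC" error in the description; a file that reports only PBES2 is what the fixed pki-core and the IPA re-encryption from bug 2032806 are meant to produce.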

Comment 32 errata-xmlrpc 2022-05-17 12:41:22 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (new packages: pki-core), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2376

