Bug 818844 - MozNSS CA cert dir does not work together with PEM CA cert file
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Assigned To: Jan Vcelak
QA Contact: BaseOS QE Security Team
Depends On: 818723
Blocks: 819536
Reported: 2012-05-04 03:36 EDT by Martin Kosek
Modified: 2014-06-16 09:37 EDT
CC: 10 users
Fixed In Version: openldap-2.4.23-26.el6
Doc Type: Bug Fix
Doc Text:
- TLS_CACERTDIR set to Mozilla NSS certificate database, TLS_CACERT set to PEM bundle with CA certificates, connecting to remote LDAP server with TLS enabled
- certificates from PEM bundle were not loaded, validation of remote certificate failed if the signing CA certificate was present only in PEM CA bundle specified by TLS_CACERT
- patch applied to allow loading of CA certificates from PEM bundle file, if Mozilla NSS certificate database is set up as well
- in the described situation, CA certificates from both Mozilla NSS certificate database and PEM bundle are available, so the validation would proceed as expected
Clone Of: 818723
Clones: 819536
Last Closed: 2012-06-20 03:32:22 EDT
Type: Bug


Attachments: None
Description Martin Kosek 2012-05-04 03:36:31 EDT
+++ This bug was initially created as a clone of Bug #818723 +++

Description of problem:

Install latest RHEL 6.3 distro with openldap-clients-2.4.23-25.el6.

Install ipa-server, uninstall ipa-server and re-install ipa-server.

Server install will fail on installing and configuring the ipa client.

openldap-clients now uses NSS cert db

# ls /etc/openldap/certs/
cert8.db  key3.db  password  secmod.db


If you move these files and try again... client install is successful.

<snip>

Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server dhcp-186-52.testrelm.com --realm TESTRELM.COM --hostname dhcp-186-52.testrelm.com' returned non-zero exit status 1

</snip>

Client install log ::

{{{

2012-05-03T19:34:59Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-05-03T19:34:59Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2012-05-03T19:34:59Z DEBUG [ipadnssearchkrb]
2012-05-03T19:34:59Z DEBUG [ipacheckldap]
2012-05-03T19:34:59Z DEBUG args=/usr/bin/wget -O /tmp/tmpBXaaZ0/ca.crt -T 15 -t 2 http://dhcp-186-52.testrelm.com/ipa/config/ca.crt
2012-05-03T19:34:59Z DEBUG stdout=
2012-05-03T19:34:59Z DEBUG stderr=--2012-05-03 15:34:59--  http://dhcp-186-52.testrelm.com/ipa/config/ca.crt
Resolving dhcp-186-52.testrelm.com... 10.16.186.52
Connecting to dhcp-186-52.testrelm.com|10.16.186.52|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1325 (1.3K) [application/x-x509-ca-cert]
Saving to: “/tmp/tmpBXaaZ0/ca.crt”

     0K .                                                     100%  158M=0s

2012-05-03 15:34:59 (158 MB/s) - “/tmp/tmpBXaaZ0/ca.crt” saved [1325/1325]


2012-05-03T19:34:59Z DEBUG Init ldap with: ldap://dhcp-186-52.testrelm.com:389
2012-05-03T19:34:59Z ERROR LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
2012-05-03T19:34:59Z DEBUG will use domain: testrelm.com

2012-05-03T19:34:59Z DEBUG will use server: dhcp-186-52.testrelm.com

}}}


Version-Release number of selected component (if applicable):
ipa-client-2.2.0-12.el6.i686
ipa-server-2.2.0-12.el6.i686
openldap-clients-2.4.23-25.el6.i686

How reproducible:


Steps to Reproduce:
1. install latest 6.3 distro 
2. install ipa-server
3. uninstall ipa-server
4. install ipa-server
  
Actual results:
re-install of ipa-server fails on install and config of the ipa-client

Expected results:
successful installation

Additional info:

--- Additional comment from jvcelak@redhat.com on 2012-05-03 17:21:07 EDT ---

We set TLS_CACERTDIR to /etc/openldap/certs in ldap.conf with default openldap installation. This change was introduced as a fix for bug #742023. This might be the cause.

--- Additional comment from mkosek@redhat.com on 2012-05-04 03:35:41 EDT ---

Together with Jan Vcelak I investigated this issue in ipa-client-install. The issue only occurs when the new openldap nss db is set in the TLS_CACERTDIR configuration option. When it's commented out in /etc/openldap/ldap.conf or

ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "")

is added to the LDAP connection initialization in ipa-client-install, the installation works OK. The second change can be used as a workaround until the issue in openldap is fixed.
Comment 1 Jan Vcelak 2012-05-04 04:03:18 EDT
When TLS_CACERTDIR is set and valid, TLS_CACERT setting is skipped.
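An added example, not code from the bug report, from openldap or from IPA: a small Python lint that detects the configuration Comment 1 describes (a valid Mozilla NSS database in TLS_CACERTDIR that makes libldap skip the PEM bundle in TLS_CACERT) and reports the remedies given in this report. The sample ldap.conf text and the directory listing are constructed; the TLS_CACERT path /etc/ipa/ca.crt is an assumed IPA CA bundle location, and importing the bundle into the NSS database with certutil is an additional remedy that the report itself does not mention.

```python
import os
from typing import Callable, Dict, List, Tuple

# Files whose presence marks a directory as a Mozilla NSS certificate database
# (cert8.db is the legacy dbm format shown in the report; cert9.db is the newer
# sqlite format) rather than a hashed OpenSSL CA directory.
NSS_MARKERS = ("cert8.db", "cert9.db")

AFFECTED = "NSS_DB_SHADOWS_PEM_BUNDLE"  # both set, dir is a valid NSS db: PEM skipped
NSS_DB_ONLY = "NSS_DB_ONLY"            # only the NSS database is consulted
PEM_ONLY = "PEM_BUNDLE_ONLY"           # TLS_CACERTDIR unset or invalid: TLS_CACERT used
NO_CA = "NO_CA_CONFIGURED"             # no usable CA source at all


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Extract TLS_CACERTDIR / TLS_CACERT from ldap.conf text.
    Comments and blank lines are ignored, keys are case-insensitive as in
    OpenLDAP, and the last occurrence of a key wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        if key in ("TLS_CACERTDIR", "TLS_CACERT"):
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def is_nss_db(path: str, listdir: Callable[[str], List[str]] = os.listdir) -> bool:
    """True if `path` exists and contains an NSS certificate database.
    `listdir` is injectable so the check can run against a constructed layout."""
    try:
        entries = set(listdir(path))
    except OSError:
        return False
    return any(marker in entries for marker in NSS_MARKERS)


def diagnose(conf_text: str,
             listdir: Callable[[str], List[str]] = os.listdir) -> Tuple[str, str]:
    """Classify an ldap.conf against the TLS_CACERTDIR / TLS_CACERT interaction.
    AFFECTED is the situation in this bug: on openldap-clients-2.4.23-25.el6 a
    valid NSS database in TLS_CACERTDIR makes libldap skip TLS_CACERT, so a CA
    present only in the PEM bundle fails with NSS error -8172."""
    s = parse_ldap_conf(conf_text)
    cacertdir = s.get("TLS_CACERTDIR", "")
    cacert = s.get("TLS_CACERT", "")
    dir_valid = bool(cacertdir) and is_nss_db(cacertdir, listdir)

    if dir_valid and cacert:
        return AFFECTED, (
            f"TLS_CACERTDIR={cacertdir} is a Mozilla NSS database and "
            f"TLS_CACERT={cacert} is also set; on openldap-clients 2.4.23-25.el6 "
            "the PEM bundle is not loaded. Remedies: update to "
            "openldap-2.4.23-26.el6 (RHSA-2012:0899); clear the directory for "
            "the affected client (ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '') "
            "in python-ldap, or comment TLS_CACERTDIR out) so TLS_CACERT is "
            "honoured; or import the bundle's CA into the NSS database with "
            "certutil (additional remedy, not from the report)."
        )
    if dir_valid:
        return NSS_DB_ONLY, f"only the NSS database {cacertdir} is consulted"
    if cacert:
        # TLS_CACERTDIR unset or not a valid NSS database: libldap falls back to
        # the PEM bundle, which is what the reporter's workaround relies on.
        return PEM_ONLY, f"CA certificates are read from the PEM bundle {cacert}"
    where = "unset" if not cacertdir else f"{cacertdir} is not an NSS database"
    return NO_CA, f"no usable CA source: TLS_CACERT unset and TLS_CACERTDIR {where}"


# Constructed sample (not taken from the reporter's host): the RHEL 6.3 default
# ldap.conf with the TLS_CACERTDIR line added for bug #742023, plus a TLS_CACERT
# line pointing at an assumed IPA CA bundle path.
SAMPLE_LDAP_CONF = """\
#
# LDAP Defaults
#
TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/ipa/ca.crt
URI ldaps://dhcp-186-52.testrelm.com
"""

# Constructed directory layout matching the `ls /etc/openldap/certs` output in
# the report; any other path behaves like a missing directory.
FAKE_FS = {"/etc/openldap/certs": ["cert8.db", "key3.db", "password", "secmod.db"]}


def fake_listdir(path: str) -> List[str]:
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path) from None


if __name__ == "__main__":
    code, why = diagnose(SAMPLE_LDAP_CONF, fake_listdir)
    print(code)
    print(why)
```

Run against a real host, call `diagnose(open("/etc/openldap/ldap.conf").read())` with the default `os.listdir`; the lint only reports the interaction, it does not say which CA actually signed the server certificate, so a NSS_DB_SHADOWS_PEM_BUNDLE finding is a warning to verify with `rpm -q openldap` rather than proof of failure.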
Comment 14 Jan Vcelak 2012-05-07 14:21:57 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- TLS_CACERTDIR set to Mozilla NSS certificate database, TLS_CACERT set to PEM bundle with CA certificates, connecting to remote LDAP server with TLS enabled
- certificates from PEM bundle were not loaded, validation of remote certificate failed if the signing CA certificate was present only in PEM CA bundle specified by TLS_CACERT
- patch applied to allow loading of CA certificates from PEM bundle file, if Mozilla NSS certificate database is set up as well
- in the described situation, CA certificates from both Mozilla NSS certificate database and PEM bundle are available, so the validation would proceed as expected
Comment 16 errata-xmlrpc 2012-06-20 03:32:22 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0899.html
