Bug 864533 – Forbidden access to IPA published CRL

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 864533 - Forbidden access to IPA published CRL

Summary:	Forbidden access to IPA published CRL

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	medium Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Rob Crittenden
QA Contact:	Namita Soman
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2012-10-09 10:12 EDT by Dmitri Pal
Modified:	2013-02-21 04:27 EST (History)
CC List:	4 users (show)

See Also:
Fixed In Version:	ipa-3.0.0-5.el6
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-02-21 04:27:59 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0528	normal	SHIPPED_LIVE	Low: ipa security, bug fix and enhancement update	2013-02-21 03:22:21 EST

Groups: None (edit)

Description Dmitri Pal 2012-10-09 10:12:52 EDT

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3144

`/var/lib/pki-ca/` does not have the right permissions after `ipa-server-install`, so published CRL cannot be downloaded:


# ipa-server-install -p kokos123 -a kokos123 --setup-dns --forwarder 10.16.255.2
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [vm-120.idm.lab.bos.redhat.com]: 

Warning: skipping DNS resolution of host vm-120.idm.lab.bos.redhat.com
The domain name has been determined based on the host name.

Please confirm the domain name [idm.lab.bos.redhat.com]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [IDM.LAB.BOS.REDHAT.COM]: 
Do you want to configure the reverse zone? [yes]: 
Please specify the reverse zone name [78.16.10.in-addr.arpa.]: 
Using reverse zone 78.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      vm-120.idm.lab.bos.redhat.com
IP address:    10.16.78.120
Domain name:   idm.lab.bos.redhat.com
Realm name:    IDM.LAB.BOS.REDHAT.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.16.255.2
Reverse zone:  78.16.10.in-addr.arpa.

Continue to configure the system with these values? [no]: y

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: creating pki-ca instance
  [3/20]: configuring certificate server instance
  [4/20]: disabling nonces
  [5/20]: creating CA agent PKCS#12 file in /root
  [6/20]: creating RA agent certificate database
  [7/20]: importing CA chain to RA certificate database
  [8/20]: fixing RA database permissions
  [9/20]: setting up signing cert profile
  [10/20]: set up CRL publishing
  [11/20]: set certificate subject base
  [12/20]: enabling Subject Key Identifier
  [13/20]: configuring certificate server to start on boot
  [14/20]: restarting certificate server
  [15/20]: requesting RA certificate from CA
  [16/20]: issuing RA agent certificate
  [17/20]: adding RA agent as a trusted user
  [18/20]: configure certificate renewals
  [19/20]: configure Server-Cert certificate renewal
  [20/20]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
  [1/36]: creating directory server user
  [2/36]: creating directory server instance
  [3/36]: adding default schema
  [4/36]: enabling memberof plugin
  [5/36]: enabling winsync plugin
  [6/36]: configuring replication version plugin
  [7/36]: enabling IPA enrollment plugin
  [8/36]: enabling ldapi
  [9/36]: configuring uniqueness plugin
  [10/36]: configuring uuid plugin
  [11/36]: configuring modrdn plugin
  [12/36]: enabling entryUSN plugin
  [13/36]: configuring lockout plugin
  [14/36]: creating indices
  [15/36]: enabling referential integrity plugin
  [16/36]: configuring ssl for ds instance
  [17/36]: configuring certmap.conf
  [18/36]: configure autobind for root
  [19/36]: configure new location for managed entries
  [20/36]: restarting directory server
  [21/36]: adding default layout
  [22/36]: adding delegation layout
  [23/36]: adding replication acis
  [24/36]: creating container for managed entries
  [25/36]: configuring user private groups
  [26/36]: configuring netgroups from hostgroups
  [27/36]: creating default Sudo bind user
  [28/36]: creating default Auto Member layout
  [29/36]: adding range check plugin
  [30/36]: creating default HBAC rule allow_all
  [31/36]: initializing group membership
  [32/36]: adding master entry
  [33/36]: configuring Posix uid/gid generation
  [34/36]: enabling compatibility plugin
  [35/36]: tuning directory server
  [36/36]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# wget --ca-certificate /etc/ipa/ca.crt https://`hostname`/ipa/crl/MasterCRL.bin
--2012-10-05 10:35:43--  https://vm-120.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
Resolving vm-120.idm.lab.bos.redhat.com... 10.16.78.120
Connecting to vm-120.idm.lab.bos.redhat.com|10.16.78.120|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-05 10:35:43 ERROR 403: Forbidden.

# ll -d /var/lib/pki-ca/
drwxrwx---. 11 pkiuser pkiuser 4096 Oct  5 10:21 /var/lib/pki-ca/

# chmod o+x /var/lib/pki-ca/
# wget --ca-certificate /etc/ipa/ca.crt https://`hostname`/ipa/crl/MasterCRL.bin
--2012-10-05 10:35:56--  https://vm-120.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
Resolving vm-120.idm.lab.bos.redhat.com... 10.16.78.120
Connecting to vm-120.idm.lab.bos.redhat.com|10.16.78.120|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 414 [application/octet-stream]
Saving to: `MasterCRL.bin'

100%[==============================================================>] 414         --.-K/s   in 0s      

2012-10-05 10:35:56 (1.13 MB/s) - `MasterCRL.bin' saved [414/414]

Comment 1 Rob Crittenden 2012-10-12 17:06:21 EDT

Fixed upstream.

master: 74ebd0fd75fababe7d080080ef019b53e96c0c4f

ipa-3-0: 8debadb63aeb3916527fa28fa0f31436ca19774a

Comment 4 Varun Mylaraiah 2013-01-30 10:09:26 EST

Verified using ipa-server-3.0.0-24.el6.x86_64

[root@mvarun ~]# ipa-server-install -p Secret123 -a Secret123 --setup-dns --forwarder 10.16.255.2

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [mvarun64.testrelm.com]: 

Warning: skipping DNS resolution of host mvarun64.testrelm.com
The domain name has been determined based on the host name.

Please confirm the domain name [testrelm.com]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [TESTRELM.COM]: 
Do you want to configure the reverse zone? [yes]: 
Please specify the reverse zone name [1.70.10.in-addr.arpa.]: 
Using reverse zone 1.70.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      mvarun64.testrelm.com
IP address:    10.70.1.181
Domain name:   testrelm.com
Realm name:    TESTRELM.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.16.255.2
Reverse zone:  1.70.10.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 31 minutes
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: restarting directory server
  [22/38]: adding default layout
  [23/38]: adding delegation layout
  [24/38]: adding replication acis
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: Upload CA cert to the directory
  [33/38]: initializing group membership
  [34/38]: adding master entry
  [35/38]: configuring Posix uid/gid generation
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 31 minutes
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss password file
  [3/13]: enabling mod_nss renegotiate
  [4/13]: adding URL rewriting rules
  [5/13]: configuring httpd
  [6/13]: setting up ssl
  [7/13]: setting up browser autoconfig
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@mvarun ~]# 
[root@mvarun ~]# 
[root@mvarun ~]# ll -d /var/lib/pki-ca/
drwxrwx---. 10 pkiuser pkiuser 4096 Jan 30 20:26 /var/lib/pki-ca/
[root@mvarun ~]# 
[root@mvarun ~]# 
[root@mvarun ~]# 
[root@mvarun ~]# wget --ca-certificate /etc/ipa/ca.crt https://`hostname`/ipa/crl/MasterCRL.bin
--2013-01-30 20:39:34--  https://mvarun64.testrelm.com/ipa/crl/MasterCRL.bin
Resolving mvarun64.testrelm.com... 10.70.1.181
Connecting to mvarun64.testrelm.com|10.70.1.181|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 403 [application/octet-stream]
Saving to: \u201cMasterCRL.bin\u201d

100%[=============================================================================================================>] 403         --.-K/s   in 0.001s  

2013-01-30 20:39:34 (484 KB/s) - \u201cMasterCRL.bin\u201d saved [403/403]

Comment 6 errata-xmlrpc 2013-02-21 04:27:59 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

Note You need to log in before you can comment on or make changes to this bug.