Bug 910900 - [RFE] Support of CA-Less Installations
Summary: [RFE] Support of CA-Less Installations
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-02-13 20:06 UTC by Namita Soman
Modified: 2018-12-04 15:02 UTC
CC List: 6 users

Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Enhancement
Doc Text:
Feature: Add support for CA-less installation.
Reason: Some deployments prefer IPA not to have its own CA but rather to use certificates provided by a different CA.
Result: IPA now supports installing without an embedded Certificate Authority, with user-provided SSL certificates for the HTTP and Directory servers. In this case, the administrator is responsible for issuing and rotating service and host certificates manually.
Clone Of:
Environment:
Last Closed: 2014-06-13 09:54:11 UTC
Target Upstream Version:
Embargoed:


Attachments
automation log file (21.98 KB, text/plain), 2013-12-30 09:16 UTC, Kaleem

Description Namita Soman 2013-02-13 20:06:58 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3363

Apparently when using --http_pkcs12, the /etc/httpd/alias NSS db first gets installed with the IPA CA and ipaCert, Signing-Cert, and Server-Cert, then gets replaced with the contents of the passed in pkcs12 file.  This leads to problems with connecting to the PKI-CA when running ipa-replica-prepare:

 Creating SSL certificate for the dogtag Directory Server
ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
 preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

I think instead of starting over, the new certs should be added to the NSS db.

Comment 1 Martin Kosek 2013-02-21 08:49:50 UTC
During our Triage meeting we decided to drop this feature (and this flag), see:

https://fedorahosted.org/freeipa/ticket/3151
https://fedorahosted.org/freeipa/ticket/3363

Closing as WONTFIX.

Comment 2 Orion Poplawski 2013-03-22 16:38:09 UTC
Upstream ticket has been reopened, should this one be too?

Comment 3 Rob Crittenden 2013-03-22 16:58:43 UTC
We are going to try to fix installation with PKCS#12 certificates but no guarantee that this is not going to overwrite existing databases.

There is no good programmatic way to know that there won't be a conflict.

IPA assumes, for good or bad, that the system is going to be dedicated to IPA, or at least that IPA is installed first.
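
The description above reports the symptom (the httpd NSS database replaced by the PKCS#12 contents, so the issuer of the PKI-CA's certificate is no longer trusted and NSS returns SEC_ERROR_UNTRUSTED_ISSUER), and Comment 3 raises the question of what would collide when a PKCS#12 is imported into an existing database. The script below is an added example, not code from this bug or from FreeIPA: it parses `certutil -L` style listings and checks both things, whether any certificate carries the "C" trust flag in the SSL column, and which PKCS#12 nicknames already exist in the database. The listings, the nickname "Example CA", and the PKCS#12 contents are constructed for the example; on a real server the inputs would come from `certutil -L -d /etc/httpd/alias` and `pk12util -l file.p12`.

```shell
#!/bin/sh
# Added example, not code from the bug report or from FreeIPA.  It checks,
# against `certutil -L` style listings, the two conditions the thread turns
# on: whether an NSS database still holds a CA trusted to issue SSL server
# certificates (the report's SEC_ERROR_UNTRUSTED_ISSUER means it does not),
# and which nicknames a PKCS#12 import would overwrite.  All listings and
# the "Example CA" nickname are constructed for this example.

# Trust-attribute column of certutil -L: "SSL,S/MIME,JAR/XPI".  "C" in the
# SSL position marks a CA trusted to sign server certificates, "u" marks a
# certificate with a private key, and an empty position (",,") is untrusted.
FLAG_RE='^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$'

# Print the nickname of every certificate in a listing, one per line.
# Nicknames may contain spaces ("IPA CA"), so strip only the last column.
nss_nicknames() {
    printf '%s\n' "$1" | awk -v re="$FLAG_RE" '
        $NF ~ re {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
            sub(/^[ \t]+/, "", nick)
            print nick
        }'
}

# Exit 0 if some certificate carries the "C" trust flag in the SSL column,
# i.e. the database can validate a peer whose chain ends at that CA.
has_trusted_ssl_ca() {
    printf '%s\n' "$1" | awk -v re="$FLAG_RE" '
        $NF ~ re { split($NF, t, ","); if (t[1] ~ /C/) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print each nickname from the PKCS#12 (one per line in $2, as shown by
# `pk12util -l file.p12`) that already exists in the listing $1.
nickname_conflicts() {
    existing=$(nss_nicknames "$1")
    printf '%s\n' "$2" | while IFS= read -r nick; do
        [ -n "$nick" ] || continue
        if printf '%s\n' "$existing" | grep -Fxq -- "$nick"; then
            printf '%s\n' "$nick"
        fi
    done
}

# 1. Constructed: the database ipa-server-install builds with its own CA.
IPA_DB='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u'

# 2. Constructed: the same database after it was replaced by the contents
#    of the --http_pkcs12 file.  The IPA CA is gone, and the CA bundled in
#    the PKCS#12 (no friendly name, so imported untrusted) has an empty
#    trust column.  This is the state behind the reported error.
AFTER_P12='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Example CA                                                   ,,'

# 3. Constructed: after the CAs are loaded and marked trusted, e.g. with
#    certutil -A -t "CT,C,C" (add) or certutil -M -t "CT,C,C" -n "Example CA"
#    (modify trust of an existing entry).
FIXED_DB='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   CT,C,C
IPA CA                                                       CT,C,C
Server-Cert                                                  u,u,u'

# Nicknames carried by the constructed PKCS#12 file.
P12_NICKS='Server-Cert
Example CA'

report() {
    if has_trusted_ssl_ca "$2"; then
        printf '%s: a CA trusted for SSL is present\n' "$1"
    else
        printf '%s: no CA trusted for SSL; peers it signed fail with SEC_ERROR_UNTRUSTED_ISSUER\n' "$1"
    fi
}

report "fresh IPA database" "$IPA_DB"
report "after PKCS#12 replaced it" "$AFTER_P12"
report "after CAs re-added" "$FIXED_DB"

printf 'Nicknames the PKCS#12 would overwrite in the fresh database:\n'
nickname_conflicts "$IPA_DB" "$P12_NICKS"
```

A trusted CA entry is necessary but not sufficient: the peer's chain must actually lead to that CA, so a negative result from `has_trusted_ssl_ca` explains the error while a positive one only rules out this cause. The nickname check is deliberately narrow; it tells you which entries an import would replace, not whether replacing them is acceptable, which is the judgement Comment 3 says cannot be made programmatically.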

Comment 4 Martin Kosek 2013-04-02 13:37:08 UTC
Fixed upstream:

40b4faa6d71c00ef06ea5c75da820c7e2b720e4a Web UI: Disable cert functionality if a CA is not available
67c7bd3060461f0050640aca682da155e667875b ipa-client-install: Do not request host certificate if server is CA-less
a4b88cad110c951d8800ae217971b3a1f101df4c Do not call cert-* commands in host plugin if a RA is not available
1bc892c02daf5e6295ac2e59f17499f6f168b899 Load the CA cert into server NSS databases
03a2c66eda695ad2d4bfe675fa2902035e6b37f0 Support installing with custom SSL certs, without a CA
a03aba5704036e375fab36ed2b7cbbc31adf5411 dsinstance, httpinstance: Don't hardcode 'Server-Cert'
ac06a28cf96cd8b685129fa370cbd317b2c31e7c Trust CAs from PKCS#12 files even if they don't have Friendly Names
1e86378d491ac2dcb01fb3ac0da720df2bff5873 ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil wrapper
5fd68e3f9d103308fcdd31978bceee7b0d53eb19 Remove unused ipapython.certdb.CertDB class
34aa4901412a1a73c8594b33e367c81af0305b97 ipa-server-install: Remove the --selfsign option
9c215b61acb939eab16a871b3ef06d116c6540e8 ipa-server-install: Make temporary pin files available for the whole installation

Comment 7 Kaleem 2013-12-30 09:16:05 UTC
Verified.

IPA version:
=============
-------[RPMs & OS: [RHEL-7.0-20131222.0 - x86_64]-------------------
|       ipa-admintools-3.3.3-6.el7.x86_64
|       ipa-client-3.3.3-6.el7.x86_64
|       ipa-server-3.3.3-6.el7.x86_64
|       sssd-ipa-1.11.2-15.el7.x86_64
--------------------------------------------------------------------

Every test case passed except the revoked-certificate-related ones.

Please find the attached automation_log.txt file for details of test cases and their results.

Comment 8 Kaleem 2013-12-30 09:16:54 UTC
Created attachment 843326: automation log file

Comment 11 Ludek Smid 2014-06-13 09:54:11 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

