Bug 1360813 - ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
URL:
Whiteboard:
Depends On:
Blocks: 1389348
 
Reported: 2016-07-27 14:26 UTC by Thorsten Scherf
Modified: 2017-08-01 09:39 UTC (History)

Fixed In Version: ipa-4.4.0-13.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1389348 (view as bug list)
Environment:
Last Closed: 2017-08-01 09:39:54 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Thorsten Scherf 2016-07-27 14:26:28 UTC
Description of problem:

The tool ipa-server-certinstall can be used to install 3rd party certificates for the IPA embedded httpd and ldap service. 

The usage is outlined on this page (I already filed BZ #1360217 to get a proper description into our IdM guide):

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Here it says:

"""
The certificate in mysite.crt must be signed by a CA known by the service you are loading the certificate into. Or you must include the certificate chain associated with the new certificate. 
"""

I recently encountered two issues when a PKCS#12 file is imported which has a new CA certificate chain included, which is not already known to IPA:

1) The certificates from the PKCS#12 file are imported into the NSS DB of the service the certificate is for (httpd and/or ldap) and the trust flag is properly set for the new service certificate, but trust flags for the CA certificates which are also part of the PKCS#12 file are not set at all. A manual change using certutil was required.

2) While the CA certificates from the PKCS#12 file are imported into the NSS DB of the http and/or ldap service, they are not imported into the tomcat-pki NSS DB. As a result, tomcat fails to start when the ldap certificate has been replaced and when it's signed by a CA which is not known to IPA. I would expect that ipa-server-certinstall also updates this NSS DB. A manual import of the CA certificates fixed the issue.

I found an old ticket which talks about the same issue and which has been closed as FIXED, but I can still see the issues I outlined above in the latest RHEL-7.2 ipa package:
 
https://fedorahosted.org/freeipa/ticket/3862


Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.17

How reproducible:
Create a new CSR for IPA httpd and have it signed by a CA which is not known to IPA. Create a PKCS#12 file with the new certificate/key and add the full CA certificate chain to the PKCS#12 file. Then import the file using ipa-server-certinstall.


Comment 1 Petr Vobornik 2016-08-26 08:51:34 UTC
The second issue, at least on RHEL 7.3/Fedora, is caused by: bug 1366915 / bug 1349024. Not sure if the root cause is the same for 7.2.

In IPA 4.4 ipa-server-certinstall received the following fixes:
- https://fedorahosted.org/freeipa/ticket/4785
- https://fedorahosted.org/freeipa/ticket/4786

Comment 2 Petr Vobornik 2016-08-26 11:25:10 UTC
The first part may be handled by first running `ipa-cacert-manage install` utility.

This bz should be used for extending `ipa-server-certinstall` to do just that.

Comment 4 Petr Vobornik 2016-08-26 11:34:16 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6263

Comment 5 Thorsten Scherf 2016-08-26 11:38:29 UTC
> The first part may be handled by first running `ipa-cacert-manage install` utility.

The documentation [1] suggests that the tool ipa-server-certinstall takes care about importing CA certificates which are unknown to IPA as long as you provide the full certificate chain in a PKCS#12 file.

[1] https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

"""The certificate in mysite.crt must be signed by a CA known by the service you are loading the certificate into. Or you must include the certificate chain associated with the new certificate."""

> The second issue, at least on RHEL 7.3/Fedora, is caused by: bug 1366915 / bug 1349024. Not sure if the root cause is the same for 7.2.

This is even a different problem, where the SELinux policy prevents the renewal of the CA subsystem certs. The issue I reported in 2) is about the CA certificate (from the PKCS#12 file) import into the Tomcat NSS DB. I do not see how any of the patches you mentioned will fix this issue.

Comment 11 Jan Cholasta 2016-09-19 05:56:01 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/0c4a91348a57ee941db94b31f59952eb1fcd4565

Comment 18 Florence Blanc-Renaud 2016-11-16 07:30:22 UTC
Hi Thorsten,
thanks for providing the procedure. I updated the upstream wiki with your instructions.

Comment 22 Michal Reznik 2017-05-17 14:04:24 UTC
Verified on:

ipa-server-4.5.0-9.el7.x86_64
pki-ca-10.4.1-3.el7.noarch


1. Install ipa-server

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U

2. Try ipa-server-certinstall without known CA

[root@master ~]# ipa-server-certinstall -d -w server.p12
Directory Manager password: 

Enter private key unlock password: 

Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.

3. Install CA certificate

[root@master ~]# ipa-cacert-manage -p XXX -n ca1 -t C,, install ca1.pem
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

[root@master ~]# kinit admin
Password for admin@TESTRELM.TEST: 
[root@master ~]#

[root@master ~]# ipa-certupdate
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json'
Forwarding 'ca_find/1' to json server 'https://master.testrelm.test/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful


4. Install the certificates

[root@master ~]# ipa-server-certinstall -d -w server.p12
Directory Manager password: 

Enter private key unlock password: 

The ipa-server-certinstall command was successful


5. Restart the services

[root@master ~]# systemctl restart httpd.service
[root@master ~]# systemctl restart dirsrv@TESTRELM-TEST.service
[root@master ~]# 


6. Check trust attributes

[root@master ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,
ca1/server                                                   u,u,u
TESTRELM.TEST IPA CA                                         CT,C,C

[root@master ~]# certutil -L -d /etc/dirsrv/slapd-TESTRELM-TEST/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,
ca1/server                                                   u,u,u
TESTRELM.TEST IPA CA                                         CT,C,C

[root@master ~]# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
ca1                                                          C,,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu

[root@master ~]# certutil -L -d /etc/ipa/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,  
TESTRELM.TEST IPA CA                                         CT,C,C
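The two failure modes in the original description (CA certificates imported without trust flags, and CA certificates never reaching the pki-tomcat NSS DB) and the certutil checks in step 6 above can be turned into a repeatable post-install audit. The script below is an added example; it is not part of the bug report or of FreeIPA. It takes the nickname `ca1` and the four NSS DB paths from the verification comment, and the embedded certutil listings are constructed samples modelled on the output above; the function names and the audit logic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or from FreeIPA): audit that a CA
# certificate from an imported PKCS#12 chain is present with the "C" flag
# (trusted CA for SSL) in every NSS DB that ipa-server-certinstall and
# ipa-certupdate are expected to keep in sync. The DB paths and the nickname
# "ca1" come from the verification comment; everything else is assumed.

# nss_trust_of TEXT NICKNAME
#   TEXT is the output of `certutil -L -d <dir>`. Prints the trust attribute
#   triple of NICKNAME (e.g. "C,,"); exit status 1 if the nickname is absent.
#   Nicknames may contain spaces, so the trust column is taken as the last
#   field and the nickname is whatever precedes it.
nss_trust_of() {
  printf '%s\n' "$1" | awk -v nick="$2" '
    # entry lines end in a trust triple such as C,, or u,u,u or CTu,Cu,Cu;
    # the header lines ("Trust Attributes", "SSL,S/MIME,JAR/XPI") do not match
    $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
      trust = $NF
      name = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trust column
      sub(/^[ \t]+/, "", name)
      if (name == nick) { print trust; found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# ca_ssl_trusted TEXT NICKNAME
#   0 = present with C in the SSL column, 1 = present but not trusted as a
#   CA for SSL (the trust-flag failure from the report), 2 = nickname absent
#   (the pki-tomcat failure from the report).
ca_ssl_trusted() {
  trust=$(nss_trust_of "$1" "$2") || return 2
  case "${trust%%,*}" in
    *C*) return 0 ;;
    *)   return 1 ;;
  esac
}

# audit_ca_trust NICKNAME DIR...
#   Lists each NSS DB with certutil and reports the CA's status per DB.
#   Returns 1 if any DB cannot be read, lacks the CA, or lacks the C flag.
audit_ca_trust() {
  nick=$1; shift; rc=0
  for dir in "$@"; do
    if ! out=$(certutil -L -d "$dir" 2>/dev/null); then
      echo "$dir: cannot list NSS database"; rc=1; continue
    fi
    if ca_ssl_trusted "$out" "$nick"; then status=0; else status=$?; fi
    case $status in
      0) echo "$dir: $nick trusted as CA for SSL" ;;
      1) echo "$dir: $nick present but NOT trusted as CA (fix: certutil -M -t C,, -n $nick -d $dir)"; rc=1 ;;
      2) echo "$dir: $nick MISSING (run ipa-cacert-manage install and ipa-certupdate)"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed certutil listings modelled on the output in the comment above,
# so the checks can be exercised without a live IPA server.
SAMPLE_HTTPD='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,
ca1/server                                                   u,u,u
TESTRELM.TEST IPA CA                                         CT,C,C'

# Failure mode 1 from the report: CA imported but no trust flags set.
SAMPLE_NO_FLAGS='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          ,,
ca1/server                                                   u,u,u'

# Failure mode 2 from the report: CA never imported into pki-tomcat.
SAMPLE_TOMCAT='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu'

# Usage on a server: audit_ca_trust ca1 /etc/httpd/alias \
#   /etc/dirsrv/slapd-TESTRELM-TEST /etc/pki/pki-tomcat/alias /etc/ipa/nssdb
if [ "$#" -gt 0 ]; then
  audit_ca_trust "$@" || exit 1
fi
```

Run it as `sh audit.sh ca1 /etc/httpd/alias /etc/dirsrv/slapd-TESTRELM-TEST /etc/pki/pki-tomcat/alias /etc/ipa/nssdb` after step 5; a non-zero exit means at least one store would still reproduce one of the two reported symptoms. Parsing on the last whitespace-delimited field rather than a fixed column keeps the check independent of the column padding certutil uses.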

Comment 23 errata-xmlrpc 2017-08-01 09:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

