#5117 ipa-replica-prepare results in (SEC_ERROR_LIBRARY_FAILURE) security library failure.
Closed: Fixed None Opened 8 years ago by orion.

https://www.redhat.com/archives/freeipa-users/2015-July/msg00107.html

We were issued a wildcard cert for *.nwra.com from namecheap.com/COMODO SSL.
They issue us a cert and a certificate chain file that provides two certs to
chain back to:

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

This cert is in Firefox's certdb (and presumably other browsers) and so works.

FWIW - I don't seem to find this cert (or any AddTrust cert) in the openssl ca
certs in /etc/pki.

I am able to get the install to work with it by extracting the 'AddTrust External CA Root'
cert from firefox and then:

# openssl pkcs12 -export -in STAR_nwra_com.crt -inkey nwra.com.key -certfile
STAR_nwra_com.ca-bundle -out nwra.com.p12

(The ca-bundle is the one issued by namecheap with the two intermediate certs)

 # ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat
/etc/ldap.secret` --root-ca-file=AddTrustExternalCARoot
--dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12
--http_pin=XXXXXX --idstart=8000

But then when I go to make a replica:

 # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
--dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
 Directory Manager (existing master) password:

 (SEC_ERROR_LIBRARY_FAILURE) security library failure.

Which looks like others are experiencing (with no resolution that I could
see) https://www.redhat.com/archives/freeipa-users/2015-April/msg00514.html

Putting AddTrustExternalCARoot into nwra.com.p12 doesn't appear to help.

ipa-server-4.1.0-18.sl7_1.3.x86_64


Moving to Future releases, should be re-prioritized when a reproducer is available.

I've been able to track it down to this line in ipalib/x509.py:

def load_certificate(data, datatype=PEM, dbdir=None):
    """
    Given a base64-encoded certificate, with or without the
    header/footer, return a request object.

    Returns a nss.Certificate type
    """
    if type(data) in (tuple, list):
        data = data[0]

    if (datatype == PEM):
        data = strip_header(data)
        data = base64.b64decode(data)

    if not nss.nss_is_initialized():
        if dbdir is None:
            if 'in_tree' in api.env:
                if api.env.in_tree:
                    dbdir = api.env.dot_ipa + os.sep + 'alias'
                else:
                    dbdir = paths.HTTPD_ALIAS_DIR
---->>          nss.nss_init(dbdir)
            else:
                nss.nss_init_nodb()
        else:
            nss.nss_init(dbdir)

    return nss.Certificate(buffer(data))

dbdir is set to /etc/httpd/alias.

Backtrace:

#0  PR_SetError (code=-8129, osErr=0) at ../../../nspr/pr/src/misc/prerror.c:24
#1  0x00007fffe5d36e5a in prng_instantiate (rng=rng@entry=0x7fffe5f9f620 <testContext>, 
    bytes=bytes@entry=0x29df410 "\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A@\364\235\002", len=len@entry=32) at drbg.c:163
#2  0x00007fffe5d370f3 in PRNGTEST_Instantiate (
    entropy=entropy@entry=0x7fffe5d7d840 <entropy.6204> "\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205Av\235mg", entropy_len=entropy_len@entry=32, 
    nonce=nonce@entry=0x0, nonce_len=nonce_len@entry=0, 
    personal_string=personal_string@entry=0x0, ps_len=ps_len@entry=0) at drbg.c:717
#3  0x00007fffe5d372d1 in PRNGTEST_RunHealthTests () at drbg.c:838
#4  0x00007fffe5d38f99 in freebl_fips_RNG_PowerUpSelfTest () at fipsfreebl.c:1512
#5  freebl_fipsPowerUpSelfTest (tests=3) at fipsfreebl.c:1567
#6  0x00007fffe5d26971 in bl_startup_tests () at fipsfreebl.c:1726
#7  0x00007ffff7dea503 in _dl_init_internal () from /lib64/ld-linux-x86-64.so.2
#8  0x00007ffff7deeb44 in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
#9  0x00007ffff7dea314 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#10 0x00007ffff7dee25b in _dl_open () from /lib64/ld-linux-x86-64.so.2
#11 0x00007ffff75f602b in dlopen_doit () from /lib64/libdl.so.2
#12 0x00007ffff7dea314 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#13 0x00007ffff75f662d in _dlerror_run () from /lib64/libdl.so.2
#14 0x00007ffff75f60c1 in dlopen@@GLIBC_2.2.5 () from /lib64/libdl.so.2
#15 0x00007fffeb3fdb2b in pr_LoadLibraryByPathname (flags=10, 
    name=0x29c67d0 "/lib64/libfreeblpriv3.so") at ../../../nspr/pr/src/linking/prlink.c:803
#16 PR_LoadLibraryWithFlags (libSpec=..., flags=flags@entry=10)
    at ../../../nspr/pr/src/linking/prlink.c:418
#17 0x00007fffe628093f in loader_LoadLibInReferenceDir (
    referencePath=referencePath@entry=0x2e129f0 "/lib64/libsoftokn3.so", 
    name=name@entry=0x7fffe6289278 "libfreeblpriv3.so") at genload.c:104
#18 0x00007fffe62809a3 in loader_LoadLibrary (nameToLoad=0x7fffe6289278 "libfreeblpriv3.so")
    at genload.c:135
#19 0x00007fffe6280a8d in freebl_LoadDSO () at loader.c:46
#20 0x00007fffeb403a1a in PR_CallOnce (once=once@entry=0x7fffe6493a30 <loadFreeBLOnce>, 
    func=func@entry=0x7fffe6280a80 <freebl_LoadDSO>) at ../../../nspr/pr/src/misc/prinit.c:775
#21 0x00007fffe6280b4f in freebl_RunLoaderOnce () at loader.c:80
#22 BL_Init () at loader.c:87
#23 0x00007fffe625b2fb in sftk_startup_tests () at fipstest.c:606
#24 0x00007ffff7dea503 in _dl_init_internal () from /lib64/ld-linux-x86-64.so.2
#25 0x00007ffff7deeb44 in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
#26 0x00007ffff7dea314 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#27 0x00007ffff7dee25b in _dl_open () from /lib64/ld-linux-x86-64.so.2
#28 0x00007ffff75f602b in dlopen_doit () from /lib64/libdl.so.2
#29 0x00007ffff7dea314 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#30 0x00007ffff75f662d in _dlerror_run () from /lib64/libdl.so.2
#31 0x00007ffff75f60c1 in dlopen@@GLIBC_2.2.5 () from /lib64/libdl.so.2
#32 0x00007fffeb3fdb2b in pr_LoadLibraryByPathname (flags=26, 
    name=0x11bb900 "/lib64/libsoftokn3.so") at ../../../nspr/pr/src/linking/prlink.c:803
#33 PR_LoadLibraryWithFlags (libSpec=..., flags=flags@entry=26)
    at ../../../nspr/pr/src/linking/prlink.c:418
#34 0x00007fffea83e25f in loader_LoadLibInReferenceDir (
    referencePath=referencePath@entry=0xd67540 "/lib64/libnss3.so", 
    name=name@entry=0x7fffeaf6fc73 "libsoftokn3.so") at secload.c:84
#35 0x00007fffea83e2bd in PORT_LoadLibraryFromOrigin (
    existingShLibName=existingShLibName@entry=0x7fffeaf6fc82 "libnss3.so", 
    staticShLibFunc=staticShLibFunc@entry=0x7fffeaeba7d0 <softoken_LoadDSO>, 
    newShLibName=newShLibName@entry=0x7fffeaf6fc73 "libsoftokn3.so") at secload.c:150
#36 0x00007fffeaeba7ee in softoken_LoadDSO () at pk11load.c:365
#37 0x00007fffeb403a1a in PR_CallOnce (once=once@entry=0x7fffeb1a7e40 <loadSoftokenOnce>, 
    func=func@entry=0x7fffeaeba7d0 <softoken_LoadDSO>) at ../../../nspr/pr/src/misc/prinit.c:775
#38 0x00007fffeaec23d7 in secmod_LoadPKCS11Module (mod=mod@entry=0x3381240, 
    oldModule=oldModule@entry=0x7fffffffcfb0) at pk11load.c:397
#39 0x00007fffeaecdddb in SECMOD_LoadModule (
    modulespec=modulespec@entry=0x1ade3b0 "name=\"NSS Internal Module\" parameters=\"configdir='/etc/httpd/alias' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly,optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updat"..., parent=parent@entry=0x0, 
    recurse=recurse@entry=1) at pk11pars.c:1014
#40 0x00007fffeae9d3ab in nss_InitModules (isContextInit=0, optimizeSpace=<optimized out>, 
    forceOpen=<optimized out>, noModDB=<optimized out>, noCertDB=<optimized out>, 
    readOnly=<optimized out>, pwRequired=<optimized out>, configStrings=<optimized out>, 
    configName=<optimized out>, updateName=<optimized out>, updateID=<optimized out>,
    updKeyPrefix=<optimized out>, updCertPrefix=<optimized out>, updateDir=0x7fffeaf6e0cd "",
    secmodName=<optimized out>, keyPrefix=0x7fffeaf6e0cd "", certPrefix=0x7fffeaf6e0cd "",
    configdir=<optimized out>) at nssinit.c:435
#41 nss_Init (configdir=<optimized out>, certPrefix=certPrefix@entry=0x7fffeaf6e0cd "",
    keyPrefix=keyPrefix@entry=0x7fffeaf6e0cd "",
    secmodName=secmodName@entry=0x7fffeaf6dbb5 "secmod.db",
    updateDir=updateDir@entry=0x7fffeaf6e0cd "",
    updCertPrefix=updCertPrefix@entry=0x7fffeaf6e0cd "",
    updKeyPrefix=updKeyPrefix@entry=0x7fffeaf6e0cd "",
    updateID=updateID@entry=0x7fffeaf6e0cd "", updateName=updateName@entry=0x7fffeaf6e0cd "",
    initContextPtr=initContextPtr@entry=0x0, initParams=initParams@entry=0x0,
    readOnly=readOnly@entry=1, noCertDB=noCertDB@entry=0, noModDB=noModDB@entry=0,
    forceOpen=forceOpen@entry=0, noRootInit=noRootInit@entry=0,
    optimizeSpace=optimizeSpace@entry=1,
    noSingleThreadedModules=noSingleThreadedModules@entry=0,
    allowAlreadyInitializedModules=allowAlreadyInitializedModules@entry=0,
    dontFinalizeModules=dontFinalizeModules@entry=0) at nssinit.c:639
#42 0x00007fffeae9db88 in NSS_Init (configdir=<optimized out>) at nssinit.c:748
#43 0x00007fffeb648225 in nss_nss_init (self=<optimized out>, args=<optimized out>)
    at src/py_nss.c:20534
#44 0x00007ffff7af5b74 in call_function (oparg=<optimized out>, pp_stack=0x7fffffffd2a0)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4098
#45 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x18401c0, for file /usr/lib/python2.7/site-packages/ipalib/x509.py, line 114, in load_certificate (data='0\x82\x1b\xc9\x02\x01\x030\x82\x1b\x8f\x06\t*\x86H\x86\xf7\r\x01\x07\x01\xa0\x82\x1b\x80\x04\x82\x1b|0\x82\x1bx0\x82\x16/\x06\t*\x86H\x86\xf7\r\x01\x07\x06\xa0\x82\x16 0\x82\x16\x1c\x02\x01\x000\x82\x16\x15\x06\t*\x86H\x86\xf7\r\x01\x07\x010\x1c\x06\n*\x86H\x86\xf7\r\x01\x0c\x01\x060\x0e\x04\x08\xc4\x97\x9b\xd2\x0b{\xb9\xdc\x02\x02\x08\x00\x80\x82\x15\xe8\xf9Ze\xfcZcV}\xe6\xe2`\xec64e\x1b\xe6\xfav\xc5\x0f\xee1\xbb\xad\xd9\x9dRG \x9b\x19\x8c\r\xa5\x1d\x96 \x89\xffq\x04\xdb\xfa\x84\xd1\x10\x9d\x05\x98\xe4kE\x8c\xf8\xe1\xc0Q\x87Tq\xf0\x99\xef\xf6\xd9J\xb7\x99^|\xec7X]T\xec\xe4\xf1!\x894$/v\xed\\\xda\x16!J\xc9\xa3\x1d\xca\xfc3.d\x1fcj\xc0\x84\x0e2X|\xe2\xe7A\xd5\xb1~P\xfe*\x8e\xed\x0e^_G\x1c\xe9R\xc00\xe7\x9e\x06\xe9\xd3x\x08\xed\x06)\xe9\xc3\xf0Rs\xddw\\.H\x88Ev@\x16\xec=\xa1_\x84\x9f\x07\xb6/\x08Si\xe5W\xd8\xba\xd1\x87\x9f}\x15\xf7U#\x18\xf5\xb0#\xce5l\xc0\xdbA\t\xd6G\x9e\xae\xfb@;\x04\xff\x1c,\x1a\x1...(truncated),
    throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740

Error is being thrown here in drbg.c:

static SECStatus
prng_instantiate(RNGContext *rng, const PRUint8 *bytes, unsigned int len)
{
    if (len < PRNG_SEEDLEN) {
        /* if the seedlen is to small, it's probably because we failed to get
         * enough random data */
--->>    PORT_SetError(SEC_ERROR_NEED_RANDOM);
        return SECFailure;
    }
    prng_Hash_df(V(rng), VSize(rng), bytes, len, NULL, 0);
    rng->V_type = prngCGenerateType;
    prng_Hash_df(rng->C,sizeof rng->C,rng->V_Data,sizeof rng->V_Data,NULL,0);
    PRNG_RESET_RESEED_COUNT(rng)
    return SECSuccess;
}

So it looks like my VM doesn't have enough entropy. Looks like prng_instantiate is being called 2-3 times and there just isn't enough entropy:

Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 <theGlobalRng>,
bytes=bytes@entry=0x7fffffffc220 "\304(\336\350F8\375㨟\177\325\017+\302\230\"e\215\bf\201Rw;\300\260\330\366\315\342\235\034]\374J\324&\263", len=110) at drbg.c:160
160 if (len < PRNG_SEEDLEN) {
1: len = 110
(gdb) c
Continuing.

Breakpoint 1, prng_instantiate (rng=rng@entry=0x7fffe5f9f620 <testContext>,
bytes=bytes@entry=0x2153b70 "\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A\240;\025\002", len=len@entry=32) at drbg.c:160
160 if (len < PRNG_SEEDLEN) {
1: len = 32

PRNG_SEEDLEN is 55 I think.

I've tried running haveged to pump in some more entropy as well as a virtio-rng device, but this doesn't appear to help. Can we cut down on the number of calls to prng_instantiate?

First call is in /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 765, in load_pkcs12 -> /usr/lib/python2.7/site-packages/ipapython/certdb.py, line 306, in import_files

Second and third are: file /usr/lib/python2.7/site-packages/ipalib/x509.py, line 113

Moving back to Triage as new data appeared from orion.

Honza or John, does that help uncover the root cause?

I wonder if low entropy is really the case, given comment:4. Orion, maybe you can try to see the entropy before your call ($ cat /proc/sys/kernel/random/entropy_avail) and see if it is at least, say, 300, and what the number does when you call ipa-replica-prepare.

/proc/sys/kernel/random/entropy_avail seems to bounce around changing very rapidly between around 1100 and 2400. If I write it out before the python calls I get:

2230
nss_init(/etc/httpd/alias)
1974

Sorry, the previous analysis was incorrect. I was breaking on the first couple of PR_SetError() calls instead of the last. This is what looks like it's really breaking:

(gdb) bt
#0  CERT_DecodeDERCertificate (derSignedCert=derSignedCert@entry=0x7fffffffd0c0, 
    copyDER=copyDER@entry=1, nickname=nickname@entry=0x0) at certdb.c:865
#1  0x00007fffeaeec989 in nssDecodedPKIXCertificate_Create (arenaOpt=arenaOpt@entry=0x0, 
    encoding=encoding@entry=0x3d0fa98) at pki3hack.c:492
#2  0x00007fffeaeecfbb in stan_GetCERTCertificate (c=c@entry=0x3d0fa38, 
    forceUpdate=forceUpdate@entry=0) at pki3hack.c:865
#3  0x00007fffeaeed2b7 in STAN_GetCERTCertificate (c=c@entry=0x3d0fa38) at pki3hack.c:926
#4  0x00007fffeaee3c80 in CERT_NewTempCertificate (handle=handle@entry=0x35ced20, 
    derCert=0x7fffffffd2e0, nickname=nickname@entry=0x0, isperm=isperm@entry=0, 
    copyDER=copyDER@entry=1) at stanpcertdb.c:409
#5  0x00007fffeaedd964 in CERT_ImportCerts (certdb=certdb@entry=0x35ced20, 
    usage=usage@entry=certUsageUserCertImport, ncerts=ncerts@entry=1, 
    derCerts=derCerts@entry=0x7fffffffd2c0, retCerts=retCerts@entry=0x7fffffffd2c8, 
    keepCerts=keepCerts@entry=0, caOnly=caOnly@entry=0, nickname=0x0) at certdb.c:2457
#6  0x00007fffeb63e927 in Certificate_init (self=0x7ffff7f6bed0, args=<optimized out>, 
    kwds=<optimized out>) at src/py_nss.c:9986
#7  0x00007ffff7ab4e5f in type_call (type=<optimized out>, 
    args=(<buffer at remote 0x1c27730>,), kwds=0x0)
    at /usr/src/debug/Python-2.7.5/Objects/typeobject.c:745
#8  0x00007ffff7a5f073 in PyObject_Call (func=func@entry=<type at remote 0x7fffeb89cfe0>, 
    arg=arg@entry=(<buffer at remote 0x1c27730>,), kw=kw@entry=0x0)
    at /usr/src/debug/Python-2.7.5/Objects/abstract.c:2529
#9  0x00007ffff7af332c in do_call (nk=<optimized out>, na=1, pp_stack=0x7fffffffd4a0, 
    func=<type at remote 0x7fffeb89cfe0>) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4316
#10 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd4a0)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4121
#11 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x1841510, for file /usr/lib/python2.7/site-packages/ipalib/x509.py, line 119, in load_certificate (data='0\x82\x05\xd80\x82\x03\xc0\xa0\x03\x02\x01\x02\x02\x10L\xaa\xf9\xca\xdbco\xe0\x1f\xf7N\xd8[\x03\x86\x9d0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0c\x05\x000\x81\x851\x0b0\t\x06\x03U\x04\x06\x13\x02GB1\x1b0\x19\x06\x03U\x04\x08\x13\x12Greater Manchester1\x100\x0e\x06\x03U\x04\x07\x13\x07Salford1\x1a0\x18\x06\x03U\x04\n\x13\x11COMODO CA Limited1+0)\x06\x03U\x04\x03\x13"COMODO RSA Certification Authority0\x1e\x17\r100119000000Z\x17\r380118235959Z0\x81\x851\x0b0\t\x06\x03U\x04\x06\x13\x02GB1\x1b0\x19\x06\x03U\x04\x08\x13\x12Greater Manchester1\x100\x0e\x06\x03U\x04\x07\x13\x07Salford1\x1a0\x18\x06\x03U\x04\n\x13\x11COMODO CA Limited1+0)\x06\x03U\x04\x03\x13"COMODO RSA Certification Authority0\x82\x02"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\n\x02\x82\x02\x01\x00\x91\xe8T\x92\xd2\nV\xb1\xac\r$\xdd\xc5\xcfDgt\x99+7\xa3}#p\x00q\xbcS\xdf\xc4\xfa*\x12\x8fK\x7f\x10V\xbd\x9fpr\xb7a\x...(truncated), 
    throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#12 0x00007ffff7af718d in PyEval_EvalCodeEx (co=<optimized out>, globals=<optimized out>, 
    locals=locals@entry=0x0, args=<optimized out>, argcount=argcount@entry=2, kws=0x1ca4268, 
    kwcount=0, defs=0xef5728, defcount=2, closure=closure@entry=0x0)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:3330
#13 0x00007ffff7af583f in fast_function (nk=<optimized out>, na=2, n=2, 
    pp_stack=0x7fffffffd6a0, func=<function at remote 0xfbc050>)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4194
#14 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd6a0)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#15 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x1ca4020, for file /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 789, in load_pkcs12 (cert_files=['nwra.com.p12'], key_password='ipa', key_nickname='*.nwra.com - COMODO CA Limited', ca_cert_files=['/etc/ipa/ca.crt'], host_name='ipa1.nwra.com', nssdb=<NSSDatabase(secdir='/tmp/tmpHGu6GT', _is_temporary=True) at remote 0x1b0f490>, db_password='(S%8n"[5{-((', db_pwdfile=<_TemporaryFileWrapper(name='/tmp/tmpu6bnS7', write=<built-in method write of file object at remote 0x2cabc00>, file=<file at remote 0x2cabc00>, flush=<built-in method flush of file object at remote 0x2cabc00>, close_called=False, delete=True) at remote 0x3561f38>, nickname='COMODO RSA Certification Authority - AddTrust AB', trust_flags=',,', trust_chain=['*.nwra.com - COMODO CA Limited', 'COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited', 'COMODO RSA Certification Authority - AddTrust AB'], ca_cert='0\x82\x06\x080\x82\x03\xf0\xa0\x03\x02\x01\x02\x02\x10+.n\xea\xd9u6l\x14\x8an\xdb\xa3|\x8c\x070\r\...(truncated), 
    throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#16 0x00007ffff7af718d in PyEval_EvalCodeEx (co=<optimized out>, globals=<optimized out>, 
    locals=locals@entry=0x0, args=<optimized out>, argcount=argcount@entry=0, kws=0x3387210, 
    kwcount=5, defs=0x0, defcount=0, closure=closure@entry=0x0)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:3330
#17 0x00007ffff7af583f in fast_function (nk=<optimized out>, na=0, n=10, 
    pp_stack=0x7fffffffd8a0, func=<function at remote 0x10e8938>)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4194
#18 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd8a0)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#19 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x3387070, for file /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 162, in load_pkcs12 (self=<ReplicaPrepare(subject_base=<DN(rdns=[<RDN(avas=[<AVA(_value_unicode=u'NWRA.COM', _attr_unicode=u'O') at remote 0x1ae6cd0>]) at remote 0x1b0f1d0>]) at remote 0x1b0f790>, log=<Logger(name='ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare', parent=<Logger(name='ipa', parent=<RootLogger(name='root', parent=None, handlers=[], level=30, disabled=0, propagate=1, filters=[]) at remote 0x905150>, handlers=[<StreamHandler(stream=<file at remote 0x7ffff7fc61e0>, level=20, lock=<_RLock(_Verbose__verbose=False, _RLock__owner=None, _RLock__block=<thread.lock at remote 0x7ffff7f6cb10>, _RLock__count=0) at remote 0x1205750>, _name='console', filters=[], formatter=<Formatter(datefmt='%Y-%m-%dT%H:%M:%SZ', _fmt='%(message)s', converter=<built-in function gmtime>) at remote 0x1205790>) at remote 0x9056d0>], level=20, disabled=0, manager=<Manager(emittedNoHandlerWarning=0, disable=0, root=<...(truncated), 
    throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#20 0x00007ffff7af5930 in fast_function (nk=<optimized out>, na=4, n=4, 
    pp_stack=0x7fffffffda00, func=<function at remote 0x1210b90>)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#21 call_function (oparg=<optimized out>, pp_stack=0x7fffffffda00)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#22 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x1c9fc80, for file /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 262, in ask_for_options (self=<ReplicaPrepare(subject_base=<DN(rdns=[<RDN(avas=[<AVA(_value_unicode=u'NWRA.COM', _attr_unicode=u'O') at remote 0x1ae6cd0>]) at remote 0x1b0f1d0>]) at remote 0x1b0f790>, log=<Logger(name='ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare', parent=<Logger(name='ipa', parent=<RootLogger(name='root', parent=None, handlers=[], level=30, disabled=0, propagate=1, filters=[]) at remote 0x905150>, handlers=[<StreamHandler(stream=<file at remote 0x7ffff7fc61e0>, level=20, lock=<_RLock(_Verbose__verbose=False, _RLock__owner=None, _RLock__block=<thread.lock at remote 0x7ffff7f6cb10>, _RLock__count=0) at remote 0x1205750>, _name='console', filters=[], formatter=<Formatter(datefmt='%Y-%m-%dT%H:%M:%SZ', _fmt='%(message)s', converter=<built-in function gmtime>) at remote 0x1205790>) at remote 0x9056d0>], level=20, disabled=0, manager=<Manager(emittedNoHandlerWarning=0, disable=0, ro...(truncated), 
    throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#23 0x00007ffff7af5930 in fast_function (nk=<optimized out>, na=1, n=1, 
    pp_stack=0x7fffffffdb60, func=<function at remote 0x1210c08>)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#24 call_function (oparg=<optimized out>, pp_stack=0x7fffffffdb60)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#25 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x11e9940, for file /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 169, in execute (self=<ReplicaPrepare(subject_base=<DN(rdns=[<RDN(avas=[<AVA(_value_unicode=u'NWRA.COM', _attr_unicode=u'O') at remote 0x1ae6cd0>]) at remote 0x1b0f1d0>]) at remote 0x1b0f790>, log=<Logger(name='ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare', parent=<Logger(name='ipa', parent=<RootLogger(name='root', parent=None, handlers=[], level=30, disabled=0, propagate=1, filters=[]) at remote 0x905150>, handlers=[<StreamHandler(stream=<file at remote 0x7ffff7fc61e0>, level=20, lock=<_RLock(_Verbose__verbose=False, _RLock__owner=None, _RLock__block=<thread.lock at remote 0x7ffff7f6cb10>, _RLock__count=0) at remote 0x1205750>, _name='console', filters=[], formatter=<Formatter(datefmt='%Y-%m-%dT%H:%M:%SZ', _fmt='%(message)s', converter=<built-in function gmtime>) at remote 0x1205790>) at remote 0x9056d0>], level=20, disabled=0, manager=<Manager(emittedNoHandlerWarning=0, disable=0, root=<...>, loggerDict={'ipa...(truncated), 
    throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#26 0x00007ffff7af5930 in fast_function (nk=<optimized out>, na=1, n=1, 
    pp_stack=0x7fffffffdcc0, func=<function at remote 0x10716e0>)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#27 call_function (oparg=<optimized out>, pp_stack=0x7fffffffdcc0)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#28 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x7ae590, for file /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 148, in main (cls=<type at remote 0x874070>, argv=['/usr/sbin/ipa-replica-prepare', 'ipa1.nwra.com', '--dirsrv_pkcs12=nwra.com.p12', '--dirsrv_pin=', '--http_pkcs12=nwra.com.p12', '--http_pin='], options=<Values(http_cert_files=['nwra.com.p12'], wait_for_dns=True, verbose=False, ip_addresses=[], setup_pkinit=False, http_pin='ipa', quiet=False, log_file=None, dirsrv_cert_name=None, http_cert_name=None, dirsrv_cert_files=['nwra.com.p12'], ca_file='/root/cacert.p12', no_reverse=False, dirsrv_pin='ipa', password=None, pkinit_pin=False, pkinit_cert_files=False, reverse_zones=[]) at remote 0x1213128>, args=['ipa1.nwra.com'], command_class=<type at remote 0x874070>, command=<ReplicaPrepare(subject_base=<DN(rdns=[<RDN(avas=[<AVA(_value_unicode=u'NWRA.COM', _attr_unicode=u'O') at remote 0x1ae6cd0>]) at remote 0x1b0f1d0>]) at remote 0x1b0f790>, log=<Logger(name='ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare', parent=...(truncated), 
    throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#29 0x00007ffff7af5930 in fast_function (nk=<optimized out>, na=2, n=2, 
    pp_stack=0x7fffffffde20, func=<function at remote 0x1071578>)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#30 call_function (oparg=<optimized out>, pp_stack=0x7fffffffde20)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#31 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x10eca70, for file /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 124, in run_cli (cls=<type at remote 0x874070>), throwflag=throwflag@entry=0)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#32 0x00007ffff7af5930 in fast_function (nk=<optimized out>, na=1, n=1, 
    pp_stack=0x7fffffffdf80, func=<function at remote 0x1071500>)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#33 call_function (oparg=<optimized out>, pp_stack=0x7fffffffdf80)
    at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#34 PyEval_EvalFrameEx (
    f=f@entry=Frame 0x6b8760, for file /usr/sbin/ipa-replica-prepare, line 23, in <module> (), 
    throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#35 0x00007ffff7af718d in PyEval_EvalCodeEx (co=co@entry=0x7ffff7f2edb0, 
    globals=globals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, 
    locals=locals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, args=args@entry=0x0, argcount=argcount@entry=0, 
    kws=kws@entry=0x0, kwcount=kwcount@entry=0, defs=defs@entry=0x0, defcount=defcount@entry=0, 
    closure=closure@entry=0x0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:3330
#36 0x00007ffff7af7292 in PyEval_EvalCode (co=co@entry=0x7ffff7f2edb0, 
    globals=globals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, 
    locals=locals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}) at /usr/src/debug/Python-2.7.5/Python/ceval.c:689
#37 0x00007ffff7b106cf in run_mod (mod=<optimized out>, 
    filename=filename@entry=0x7fffffffe636 "/usr/sbin/ipa-replica-prepare", 
    globals=globals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, 
    locals=locals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, flags=flags@entry=0x7fffffffe1e0, arena=arena@entry=0x673c50)
    at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:1373
#38 0x00007ffff7b1188e in PyRun_FileExFlags (fp=fp@entry=0x6d1500, 
    filename=filename@entry=0x7fffffffe636 "/usr/sbin/ipa-replica-prepare", 
    start=start@entry=257, 
    globals=globals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, 
    locals=locals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, closeit=closeit@entry=1, flags=flags@entry=0x7fffffffe1e0)
    at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:1359
#39 0x00007ffff7b12b19 in PyRun_SimpleFileExFlags (fp=fp@entry=0x6d1500,
    filename=filename@entry=0x7fffffffe636 "/usr/sbin/ipa-replica-prepare",
    closeit=closeit@entry=1, flags=flags@entry=0x7fffffffe1e0)
    at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:951
#40 0x00007ffff7b13033 in PyRun_AnyFileExFlags (fp=fp@entry=0x6d1500,
    filename=filename@entry=0x7fffffffe636 "/usr/sbin/ipa-replica-prepare",
    closeit=closeit@entry=1, flags=flags@entry=0x7fffffffe1e0)
    at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:755
#41 0x00007ffff7b23b1f in Py_Main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/Python-2.7.5/Modules/main.c:640
#42 0x00007ffff6d50af5 in __libc_start_main () from /lib64/libc.so.6
#43 0x0000000000400721 in _start ()

Step sequence is:

784         rv = SEC_QuickDERDecodeItem(arena, cert, SEC_SignedCertificateTemplate,
(gdb) 
785                         &cert->derCert);
(gdb) 
784         rv = SEC_QuickDERDecodeItem(arena, cert, SEC_SignedCertificateTemplate,
(gdb) 
787         if ( rv ) {
(gdb) 
862             PORT_FreeArena(arena, PR_FALSE);

So SEC_QuickDERDecodeItem is failing.

(gdb) print *arena
$20 = {first = {next = 0x0, base = 0, limit = 0, avail = 0}, current = 0x0, arenasize = 0,
  mask = 0}
(gdb) print *cert
$21 = {arena = 0x3b4b8a0, subjectName = 0x0, issuerName = 0x0, signatureWrap = {data = {
      type = siBuffer,
      data = 0x35c6b84 "0\202\003\300\240\003\002\001\002\002\020L\252\371\312\333co\340\037\367N\330[\003\206\235\060\r\006\t*\206H\206\367\r\001\001\f\005", len = 964}, signatureAlgorithm = {
      algorithm = {type = siBuffer, data = 0x35c6f4c "*\206H\206\367\r\001\001\f\005",
        len = 9}, parameters = {type = siBuffer, data = 0x35c6f55 "\005", len = 2}},
    signature = {type = siBuffer, data = 0x35c6f5c "\n\361\325F\204\267\256Q\273l\262MA\024",
      len = 4096}}, derCert = {type = siBuffer,
    data = 0x35c6b80 "0\202\005\330\060\202\003\300\240\003\002\001\002\002\020L\252\371\312\333co\340\037\367N\330[\003\206\235\060\r\006\t*\206H\206\367\r\001\001\f\005", len = 2900},
  derIssuer = {type = siBuffer,
    data = 0x35c6bae "0\201\205\061\v0\t\006\003U\004\006\023\002GB1\033\060\031\006\003U\004\b\023\022Greater Manchester1\020\060\016\006\003U\004\a\023\aSalford1\032\060\030\006\003U\004\n\023\021COMODO CA Limited1+0)\006\003U\004\003\023\"COMODO RSA Certification Authority0\036\027\r100119000000Z\027\r380118235959Z0\201\205\061\v0\t\006\003U\004\006\023\002GB1\033\060\031\006\003U\004\b\023\022Great"..., len = 136}, derSubject = {type = siBuffer,
    data = 0x35c6c56 "0\201\205\061\v0\t\006\003U\004\006\023\002GB1\033\060\031\006\003U\004\b\023\022Greater Manchester1\020\060\016\006\003U\004\a\023\aSalford1\032\060\030\006\003U\004\n\023\021COMODO CA Limited1+0)\006\003U\004\003\023\"COMODO RSA Certification Authority0\202\002\"0\r\006\t*\206H\206\367\r\001\001\001\005", len = 136}, derPublicKey = {type = siBuffer,
    data = 0x35c6cde "0\202\002\"0\r\006\t*\206H\206\367\r\001\001\001\005", len = 550},
  certKey = {type = siBuffer, data = 0x0, len = 0}, version = {type = siBuffer,
    data = 0x35c6b8c "\002\002\020L\252\371\312\333co\340\037\367N\330[\003\206\235\060\r\006\t*\206H\206\367\r\001\001\f\005", len = 1}, serialNumber = {type = siBuffer,
    data = 0x35c6b8f "L\252\371\312\333co\340\037\367N\330[\003\206\235\060\r\006\t*\206H\206\367\r\001\001\f\005", len = 16}, signature = {algorithm = {type = siBuffer,
      data = 0x35c6ba3 "*\206H\206\367\r\001\001\f\005", len = 9}, parameters = {
      type = siBuffer, data = 0x35c6bac "\005", len = 2}}, issuer = {arena = 0x0,
    rdns = 0x3d12290}, validity = {arena = 0x0, notBefore = {type = siUTCTime,
      data = 0x35c6c3a "100119000000Z\027\r380118235959Z0\201\205\061\v0\t\006\003U\004\006\023\002GB1\033\060\031\006\003U\004\b\023\022Greater Manchester1\020\060\016\006\003U\004\a\023\aSalford1\032\060\030\006\003U\004\n\023\021COMODO CA Limited1+0)\006\003U\004\003\023\"COMODO RSA Certification Authority0\202\002\"0\r\006\t*\206H\206\367\r\001\001\001\005", len = 13},
    notAfter = {type = siUTCTime,
      data = 0x35c6c49 "380118235959Z0\201\205\061\v0\t\006\003U\004\006\023\002GB1\033\060\031\006\003U\004\b\023\022Greater Manchester1\020\060\016\006\003U\004\a\023\aSalford1\032\060\030\006\003U\004\n\023\021COMODO CA Limited1+0)\006\003U\004\003\023\"COMODO RSA Certification Authority0\202\002\"0\r\006\t*\206H\206\367\r\001\001\001\005", len = 13}}, subject = {arena = 0x0,
    rdns = 0x3d12428}, subjectPublicKeyInfo = {arena = 0x0, algorithm = {algorithm = {
        type = siBuffer, data = 0x35c6ce6 "*\206H\206\367\r\001\001\001\005", len = 9},
      parameters = {type = siBuffer, data = 0x35c6cef "\005", len = 2}}, subjectPublicKey = {
      type = siBuffer, data = 0x35c6cf6 "0\202\002\n\002\202\002\001", len = 4208}},
  issuerID = {type = siBuffer, data = 0x0, len = 0}, subjectID = {type = siBuffer, data = 0x0,
    len = 0}, extensions = 0x3d125c0, emailAddr = 0x0, dbhandle = 0x0, subjectKeyID = {
    type = siBuffer, data = 0x0, len = 0}, keyIDGenerated = 0, keyUsage = 0, rawKeyUsage = 0,
  keyUsagePresent = 0, nsCertType = 0, keepSession = 0, timeOK = 0, domainOK = 0x0, isperm = 0,
  istemp = 0, nickname = 0x0, dbnickname = 0x0, nssCertificate = 0x0, trust = 0x0,
  referenceCount = 0, subjectList = 0x0, authKeyID = 0x0, isRoot = 0, options = {
    apointer = 0x0, bits = {hasUnsupportedCriticalExt = 0}}, series = 0, slot = 0x0,
  pkcs11ID = 0, ownSlot = 0}

After getting my nss-util-debuginfo up to date, it looks like SEC_QuickDERDecodeItem is setting SEC_ERROR_EXTRA_INPUT - apparently because there is "extra" data at the end of the input buffer.

(gdb) print cert->derCert
$5 = {type = siBuffer,
  data = 0x3d0d150 "0\202\005\330\060\202\003\300\240\003\002\001\002\002\020L\252\371\312\333co\340\037\367N\330[\003\206\235\060\r\006\t*\206H\206\367\r\001\001\f\005", len = 2900}

This is the certificate it is choking on:

certutil -L -n 'COMODO RSA Certification Authority - AddTrust AB' -d /etc/ipa/nssdb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
        Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
        Issuer: "CN=AddTrust External CA Root,OU=AddTrust External TTP Networ
            k,O=AddTrust AB,C=SE"
        Validity:
            Not Before: Tue May 30 10:48:38 2000
            Not After : Sat May 30 10:48:38 2020
        Subject: "CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L
            =Salford,ST=Greater Manchester,C=GB"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                ad:bd:98:7a:34:b4:26:f7:fa:c4:26:54:ef:03:bd:e0:
                24:cb:54:1a

            Name: Certificate Subject Key ID
            Data:
                bb:af:7e:02:3d:fa:a6:f1:3c:84:8e:ad:ee:38:98:ec:
                d9:32:32:d4

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Policies
            Data:
                Policy Name: Certificate Policies AnyPolicy

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://crl.usertrust.com/AddTrustExternalCARoot.crl"

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ocsp.usertrust.com"

    Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
    Fingerprint (SHA-256):
        4F:32:D5:DC:00:F7:15:25:0A:BC:C4:86:51:1E:37:F5:01:A8:99:DE:B3:BF:7E:A8:AD:BB:D3:AE:F1:C4:12:DA
    Fingerprint (SHA1):
        F5:AD:0B:CC:1A:D5:6C:D1:50:72:5B:1C:86:6C:30:AD:92:EF:21:B0

    Certificate Trust Flags:
        SSL Flags:
        Email Flags:
        Object Signing Flags:

After some more debugging, it looks like ipa-replica-prepare is first opening the nwra.com.p12 file I give it, then also importing the /etc/ipa/ca.crt file which contains all three certs in the root chain. After it does this the nssdb has a duplicate entry for 'COMODO RSA Certification Authority - AddTrust AB':

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AddTrust External CA Root - AddTrust AB                      ,,   
COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited ,,   
*.nwra.com                                                   u,u,u
COMODO RSA Certification Authority - AddTrust AB             ,,   
COMODO RSA Certification Authority - AddTrust AB             ,,

So then I tried an install with the pk12 file only containing the server cert and the root-ca-file containing all of the chain certs, but I still end up with duplicate certs after importing /etc/ipa/ca.crt:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB ,,   
*.nwra.com - COMODO CA Limited                               u,u,u
CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB ,,   
CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB ,,

It looks like in ipapython/certdb.py:import_files() you first load the PEM entries directly from the file, AND add them to extracted_certs:

                        try:
                            x509.load_certificate(match.group(2))
                        except NSPRError as e:
                            if label != 'CERTIFICATE':
                                root_logger.warning(
                                    "Skipping certificate in %s at line %s: %s",
                                    filename, line, e)
                                continue
                        else:
                            extracted_certs += body + '\n'
                            loaded = True
                            continue

Then later call:

    nss_certs = x509.load_certificate_list(extracted_certs)

Which again loads all of the certs in ca.crt that were stuffed into extracted_certs. Why you are loading the certificates twice, and why this results in duplicate certs in the nssdb, I really don't know. But then when that certificate is extracted, it has two certs in it, which I suspect is the trigger for the EXTRA_INPUT error.

No, not quite right. They aren't added to the nssdb until:

        for nss_cert in nss_certs:
            nickname = str(nss_cert.subject)
            sys.stderr.write('adding = <%s>\n' % nickname)
            self.add_cert(nss_cert.der_data, nickname, ',,')

Added debug line reveals:

adding = <CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB>
adding = <CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB>
adding = <CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB>

Subjects shouldn't be the same:

# certutil -L -n 'AddTrust External CA Root - AddTrust AB' -d tmpdb | grep -F Subject:
        Subject: "CN=AddTrust External CA Root,OU=AddTrust External TTP Netwo
# certutil -L -n 'COMODO RSA Certification Authority - AddTrust AB' -d tmpdb | grep -F Subject:
        Subject: "CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L

It looks like /etc/ipa/ca.crt is ending up with the duplicated/funny named certs somehow.

If I run 'ipa-certupdate' it writes out a correct /etc/ipa/ca.crt file with the three root-CA chain certs. But whatever writes out the initial /etc/ipa/ca.crt file (can't figure that out) is creating a bad file.
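As an added diagnostic (not part of this ticket or of FreeIPA's code): a pure-Python check of a CA bundle such as /etc/ipa/ca.crt for the two symptoms seen here, an identical certificate appearing twice and a DER buffer carrying bytes beyond its outer SEQUENCE, which is what SEC_QuickDERDecodeItem reports as SEC_ERROR_EXTRA_INPUT. The derCert header in the gdb output above, 0x30 0x82 0x05 0xD8, declares a 1500-byte SEQUENCE while gdb reports len = 2900, so that buffer would be flagged. The sample bundle is constructed from minimal DER SEQUENCEs, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_outer_length(der):
    """Length of the outermost DER TLV, header included. NSS's
    SEC_QuickDERDecodeItem sets SEC_ERROR_EXTRA_INPUT when the buffer it is
    given is longer than this."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                 # short form: one length byte
        return 2 + first
    n = first & 0x7F                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_bundle(pem_text):
    """Split a PEM bundle the way certdb.py's import_files() does and report,
    per CERTIFICATE block, a fingerprint, the number of bytes trailing the
    outer SEQUENCE, and whether the identical blob already appeared."""
    seen, report = set(), []
    for label, body in PEM_RE.findall(pem_text):
        if label != "CERTIFICATE":   # import_files() skips these too
            continue
        der = base64.b64decode(body)
        fp = hashlib.sha256(der).hexdigest()
        report.append({
            "fingerprint": fp[:16],
            "extra_input": len(der) - der_outer_length(der),  # > 0 => EXTRA_INPUT
            "duplicate": fp in seen,
        })
        seen.add(fp)
    return report


def _pem(der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for certificates (NOT real X.509 data): a minimal DER
# SEQUENCE, the same blob again (a duplicate), and one with two stray bytes.
GOOD = bytes.fromhex("3003020101")
TRAILING = bytes.fromhex("3003020102") + b"\x00\x00"
SAMPLE_BUNDLE = _pem(GOOD) + _pem(GOOD) + _pem(TRAILING)
```

Run check_bundle() over the real /etc/ipa/ca.crt before ipa-replica-prepare; any entry with extra_input > 0 or duplicate True is the file this thread describes.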

Fixing #4322 and/or further refactoring is needed.

I experience the same issue on latest FreeIPA 4.2.0 on CentOS 7.2. Due to this no replica can be created, which is pretty bad.
Is there any work around I missed in the comments above?

orion, do I understand comments 15 and 16 correctly that running ipa-certupdate on IPA server fixed your issue in a way that ipa-replica-prepare run correctly and so replica could be installed?

I can confirm that running ipa-certupdate helps and everything works fine then.

Replying to [comment:20 pvoborni]:

orion, do I understand comments 15 and 16 correctly that running ipa-certupdate on IPA server fixed your issue in a way that ipa-replica-prepare run correctly and so replica could be installed?

Yes

I've hit the same issue on FreeIPA 4.2/CentOS 7.2.

ipa-4-2:

  • 00097c1 certdb: never use the -r option of certutil

ipa-4-3:

  • b7bf55e certdb: never use the -r option of certutil

master:

  • 54a5947 certdb: never use the -r option of certutil

fixed together with #5720, moving to 4.2.4

Metadata Update from @orion:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.4

7 years ago
