If there are multiple versions of the same certificate (e.g. before and after renewal) coming from the same or different sources (CA certificates installed in IPA, user-provided certificates, etc.), some installers may fail with an NSS error. This has been observed for ipa-replica-prepare (link), but other installers are affected as well:
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
    self.ask_for_options()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
    options.http_cert_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
    host_name=self.replica_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
    nss_cert = x509.load_certificate(cert, x509.DER)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
    return nss.Certificate(buffer(data))
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
This happens because we sometimes use `certutil -L -n <nickname> -r` to get a DER-encoded certificate from an NSS database, and when there are multiple versions of that certificate under the same nickname, certutil returns the corresponding DER blobs concatenated, which other components (here `nss.Certificate()`, which expects exactly one certificate) are then unable to parse.
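The following is an added example (not FreeIPA's code, and not the fix that was committed for this ticket) showing what the concatenated output looks like at the ASN.1 level and how a caller can detect it instead of handing the whole buffer to a single-certificate parser. Every X.509 certificate is one top-level DER SEQUENCE (tag 0x30) followed by a length, so walking the outer TLV structure is enough to split the blobs apart. The two "certificates" below are constructed DER SEQUENCEs, not real certificates; the function names are my own.

```python
"""Split the concatenated DER output of `certutil -L -n <nickname> -r`.

Added example for this ticket (not FreeIPA code). When an NSS database holds
several certificates under one nickname (e.g. the pre- and post-renewal
copies), `certutil -r` writes their DER encodings back to back, and a parser
that expects exactly one certificate fails. split_der() walks the top-level
ASN.1 TLV structure and returns each blob separately; load_single_der() is
the strict check an installer would want before calling the NSS parser.
"""


def _read_length(data, pos):
    """Decode a DER length at data[pos]; return (length, offset after it)."""
    first = data[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    if pos + 1 + n > len(data):
        raise ValueError("truncated length field at offset %d" % pos)
    length = int.from_bytes(data[pos + 1:pos + 1 + n], "big")
    # DER requires the shortest possible length encoding.
    if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
        raise ValueError("non-minimal length encoding at offset %d" % pos)
    return length, pos + 1 + n


def split_der(data):
    """Return the list of top-level DER SEQUENCE blobs in `data`.

    Raises ValueError on a wrong tag, trailing garbage or truncation, so a
    partially written or otherwise damaged blob is never silently accepted.
    """
    blobs = []
    pos = 0
    while pos < len(data):
        if data[pos] != 0x30:              # X.509 Certificate ::= SEQUENCE
            raise ValueError("expected SEQUENCE tag at offset %d" % pos)
        length, body = _read_length(data, pos + 1)
        end = body + length
        if end > len(data):
            raise ValueError("truncated DER blob at offset %d" % pos)
        blobs.append(data[pos:end])
        pos = end
    return blobs


def load_single_der(data):
    """Accept exactly one certificate; fail loudly on the duplicate-nickname case."""
    blobs = split_der(data)
    if len(blobs) != 1:
        raise ValueError(
            "expected one certificate, got %d concatenated DER blobs; the NSS "
            "database has multiple certificates with this nickname" % len(blobs))
    return blobs[0]


# Constructed stand-ins for two versions of a certificate (not real X.509):
# a short SEQUENCE and one long enough to need a two-byte length field.
OLD_CERT = b"\x30\x03\x02\x01\x01"                      # SEQUENCE { INTEGER 1 }
NEW_CERT = b"\x30\x81\x80" + b"\x04\x7e" + b"B" * 126   # SEQUENCE { OCTET STRING[126] }
CERTUTIL_OUTPUT = OLD_CERT + NEW_CERT                    # what `certutil -r` emits

if __name__ == "__main__":
    parts = split_der(CERTUTIL_OUTPUT)
    print("found %d blobs of sizes %s" % (len(parts), [len(p) for p in parts]))
    try:
        load_single_der(CERTUTIL_OUTPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

To reproduce on a real database, pipe `certutil -L -d <dbdir> -n <nickname> -r` into `split_der()`; with a duplicated nickname it returns more than one blob, which is the condition the installers above trip over. Which of the blobs is the "current" certificate cannot be decided from the DER stream alone, so the safe behaviour is to refuse and let the operator remove the stale copy from the database.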
The same issue has been observed in a CA-less install of FreeIPA 4.2 (CentOS 7.2).
related #5117
ipa-4-2:
ipa-4-3:
master:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1321092
Metadata Update from @jcholast: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.2.4