#5720 Installers fail when there are multiple versions of the same certificate
Closed: Fixed None Opened 7 years ago by jcholast.

If there are multiple versions of the same certificate (e.g. before and after renewal) coming from the same or different sources (CA certificates installed in IPA, user-provided certificates, etc.), some installers may fail with an NSS error. This has been observed for ipa-replica-prepare (link), but other installers are affected as well:

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
    self.ask_for_options()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
    options.http_cert_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
    host_name=self.replica_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
    nss_cert = x509.load_certificate(cert, x509.DER)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
    return nss.Certificate(buffer(data))

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.

This happens because we sometimes use certutil -L -n -r to get a DER-encoded certificate from an NSS database, and when there are multiple versions of that certificate, certutil returns the corresponding DER blobs concatenated, which other components are then unable to parse.


The same issue has been observed in a CA-less install of FreeIPA 4.2 (CentOS 7.2).
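The concatenation described above, shown with an added example that is not FreeIPA code: a small DER framing parser that splits the output of certutil -r into individual certificates, beside a strict loader that, like the single-certificate parser in the traceback, rejects a blob carrying more than one. The byte strings are constructed stand-ins (DER SEQUENCEs with dummy contents), not real certificates.

```python
# Added example (not FreeIPA code). A certificate is one DER SEQUENCE
# (tag 0x30, length, content). With two versions under one nickname,
# `certutil -L -n NAME -r` emits both blobs back to back.

def der_sequence(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE, using short or long-form length."""
    n = len(content)
    if n < 0x80:
        return b"\x30" + bytes([n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + content

def split_der_sequences(blob: bytes) -> list:
    """Split back-to-back DER SEQUENCEs into a list of individual blobs."""
    items = []
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob) or blob[pos] != 0x30:
            raise ValueError("expected a SEQUENCE tag at offset %d" % pos)
        first = blob[pos + 1]
        if first < 0x80:               # short form: one length byte
            header, length = 2, first
        else:                          # long form: 0x8N then N length bytes
            nbytes = first & 0x7F
            header = 2 + nbytes
            if nbytes == 0 or nbytes > 4 or pos + header > len(blob):
                raise ValueError("bad length encoding at offset %d" % pos)
            length = int.from_bytes(blob[pos + 2:pos + header], "big")
        end = pos + header + length
        if end > len(blob):
            raise ValueError("truncated SEQUENCE at offset %d" % pos)
        items.append(blob[pos:end])
        pos = end
    return items

def load_single_der(blob: bytes) -> bytes:
    """Strict loader: exactly one certificate, as a single-cert parser expects."""
    items = split_der_sequences(blob)
    if len(items) != 1:
        raise ValueError("expected one certificate, found %d" % len(items))
    return items[0]

# Constructed stand-ins for a certificate before and after renewal (dummy
# SEQUENCE contents, not X.509 data); the second uses a long-form length.
OLD_CERT = der_sequence(b"\x02\x01\x01" + b"\x00" * 10)
NEW_CERT = der_sequence(b"\x02\x01\x02" + b"\x00" * 200)
CERTUTIL_R_OUTPUT = OLD_CERT + NEW_CERT   # what `certutil -r` yields for both
```

Splitting on the outer SEQUENCE framing is the defensive parsing step for any consumer that may still receive concatenated DER; the fix committed for this ticket avoids the -r option instead.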

ipa-4-2:

  • 00097c1 certdb: never use the -r option of certutil

ipa-4-3:

  • b7bf55e certdb: never use the -r option of certutil

master:

  • 54a5947 certdb: never use the -r option of certutil

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.4

6 years ago
