#6817 4.5 replica install fails against <4.5 master due to rejected PKINIT cert request
Closed: fixed 6 years ago Opened 7 years ago by mbabinsk.

When installing a replica on an older master:

```
...
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/2]: installing X509 Certificate for PKINIT
  [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_REJECTED)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```

This is due to the changes in the cert plugin which allow issuing certificates also for the krbtgt/ principal, which is not located in the cn=services,cn=accounts,$SUFFIX subtree. However, this change was introduced in 4.5, so older masters still reject the PKINIT certificate request despite having access to the PKINIT certificate profiles (see the HTTP error log on the master):

```
[Mon Mar 27 11:17:19.974948 2017] [wsgi:error] [pid 20044] ipa: INFO: [xmlserver] host/replica1.ipa.test@IPA.TEST: cert_request(u'MIIDjjCCAnYCAQAwLzERMA8GA1UECgwISVBBLlRFU1QxGjAYBgNVBAMTEXJlcGxpY2ExLmlwYS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jJf1KiQE3gx++f9EWE9scgWEqwkuP/m8s2u1/2l0OpQNrcA4S/d58bc5tu2dOB5KNfdadJb7ZBKGelnks/AWngQ5S6xQDhK+uBJbBi/bO/5BpiDhwntkC3CxW3Jn3uBkcYE0ENol7v1Ed1W2uihUKyOpytW6vW6zqdr1noi6JWn2oAtC02zXcwnfeVEUG0gH9/wL35wgPACpiCQy+CgfGmPwKsZNH4fb7n2DBFCU+kXwNcElKZII5X7xC3TI8CKdfPkdIG3MYIJDBmM6p0SvKs61JQWgZQdwRXADZwtOlgTg/mPqXaZKKFtzhEK5RZm4UAsDFUOxuQM5KtgE2am7wIDAQABoIIBGDArBgkqhkiG9w0BCRQxHh4cADIAMAAxADcAMAAzADIANwAxADEAMQA3ADEAOTCB6AYJKoZIhvcNAQkOMYHaMIHXMG8GA1UdEQEBAARlMGOgKAYKKwYBBAGCNxQCA6AaDBhrcmJ0Z3QvSVBBLlRFU1RASVBBLlRFU1SgNwYGKwYBBQICoC0wK6AKGwhJUEEuVEVTVKEdMBugAwIBAaEUMBIbBmtyYnRndBsISVBBLlRFU1QwDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQUUjmPqdaPbYTC8Mk5TKlbImNIfSowNAYJKwYBBAGCNxQCAQEABCQeIgBLAEQAQwBzAF8AUABLAEkATgBJAFQAXwBDAGUAcgB0AHMwDQYJKoZIhvcNAQELBQADggEBAHrPIF4fsNC+J2Xy2Kr3IVMxmWW8j0ms/Ite31GQWIsZzVgnERDXKH0duj69GZUFVh9Dba9tgEPPypKIHgFPRbIBVcYtXA/ENO/CNZEvxU2cS8uXQcmlweau5p0LvVqrxpAtl+x8hGnoZc4W4sHpaE1y+2wiVaBC5/sybGYvNulrfGsck2SMbZFDoFBL34SAOxHoDX3gEOD7URoUP/8ATNBxW7LD9zyTUWdGpOL8w7JAPx9dHpyz6UXRFeIcQcLxdtoycmJlJSbuF59K20NlIK2NPEZDJK64dZM6AEtCUU27rt7dj9Zd6rF5uCkcfIPcEITtVnsQ1we/ZMLvRzvVT64=', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/IPA.TEST@IPA.TEST', add=True, version=u'2.51'): ACIError
[Mon Mar 27 11:17:19.975001 2017] [wsgi:error] [pid 20044] ipa: DEBUG: response: ACIError: Insufficient access: Principal 'krbtgt/IPA.TEST@IPA.TEST' is not permitted to use CA 'ipa' with profile 'KDCs_PKINIT_Certs' for certificate issuance.
```
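A small triage helper for the failure signature quoted above: it pairs each `cert_request(...)` INFO line in the master's httpd error log with the following ACIError response for the same worker pid and flags the krbtgt/ + KDCs_PKINIT_Certs combination that a pre-4.5 master refuses. This is an added example, not FreeIPA code; the log sample is constructed from the two lines in this ticket (CSR shortened) plus a made-up successful request for contrast.

```python
import re

# Constructed sample of /var/log/httpd/error_log on the master: the two lines
# from this ticket (CSR blob shortened) and one unrelated, successful request.
SAMPLE_LOG = """\
[Mon Mar 27 11:17:19.974948 2017] [wsgi:error] [pid 20044] ipa: INFO: [xmlserver] host/replica1.ipa.test@IPA.TEST: cert_request(u'MIIDjj...', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/IPA.TEST@IPA.TEST', add=True, version=u'2.51'): ACIError
[Mon Mar 27 11:17:19.975001 2017] [wsgi:error] [pid 20044] ipa: DEBUG: response: ACIError: Insufficient access: Principal 'krbtgt/IPA.TEST@IPA.TEST' is not permitted to use CA 'ipa' with profile 'KDCs_PKINIT_Certs' for certificate issuance.
[Mon Mar 27 11:18:02.100000 2017] [wsgi:error] [pid 20044] ipa: INFO: [xmlserver] host/replica1.ipa.test@IPA.TEST: cert_request(u'MIIC...', profile_id=u'caIPAserviceCert', principal=u'HTTP/replica1.ipa.test@IPA.TEST', add=True, version=u'2.51'): SUCCESS
"""

# INFO line: who called cert_request, for which principal/profile, and the outcome.
REQUEST_RE = re.compile(
    r"\[pid (?P<pid>\d+)\] ipa: INFO: \[xmlserver\] (?P<caller>\S+): cert_request\("
    r".*?profile_id=u?'(?P<profile>[^']+)'.*?principal=u?'(?P<principal>[^']+)'"
    r".*?\): (?P<result>\w+)"
)
# DEBUG line carrying the ACI denial, including which CA was refused.
DENIED_RE = re.compile(
    r"\[pid (?P<pid>\d+)\] ipa: DEBUG: response: ACIError: Insufficient access: "
    r"Principal '(?P<principal>[^']+)' is not permitted to use CA '(?P<ca>[^']+)' "
    r"with profile '(?P<profile>[^']+)'"
)


def find_rejected_requests(log_text):
    """Return one dict per cert_request that the master answered with ACIError."""
    pending = {}   # pid -> last ACIError cert_request seen for that wsgi worker
    rejected = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            if m.group("result") == "ACIError":
                pending[m.group("pid")] = m.groupdict()
            else:
                pending.pop(m.group("pid"), None)
            continue
        m = DENIED_RE.search(line)
        if m and m.group("pid") in pending:
            req = pending.pop(m.group("pid"))
            rejected.append({**req, "ca": m.group("ca")})
    return rejected


def is_pkinit_regression(entry):
    """Signature from this ticket: a krbtgt/ principal requesting the
    KDCs_PKINIT_Certs profile, which masters older than 4.5 do not permit."""
    return entry["principal"].startswith("krbtgt/") and entry["profile"] == "KDCs_PKINIT_Certs"


if __name__ == "__main__":
    for e in find_rejected_requests(SAMPLE_LOG):
        flag = "PKINIT regression (#6817)" if is_pkinit_regression(e) else "other ACI denial"
        print(f"{e['caller']} requested {e['profile']} for {e['principal']} on CA {e['ca']}: {flag}")
```

Run it against the real error_log of the master the replica is joining to confirm the denial comes from the master's cert plugin rather than from the CA itself.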

Metadata Update from @mbabinsk:
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: regression

7 years ago

Metadata Update from @pvoborni:
- Issue priority set to: blocker

6 years ago

Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk

6 years ago

master:

b1a1e104391c84cb9af7b0a7c8748c8652442ddb separate function to set ipaConfigString values on service entry
fb52f7a1f328b126626525179d5250692daca2cd Allow for configuration of all three PKINIT variants when deploying KDC
86972299d937960bcb713fc73b447cddb4ea44bd API for retrieval of master's PKINIT status and publishing it in LDAP
3adb9ca875f8eb99e99a29e17a471a2b6f408a4a Use only anonymous PKINIT to fetch armor ccache
68c6a4d4e1340ce01bdc7ec5dd394604a3da7688 Stop requesting anonymous keytab and purge all references of it
2374b648d0dfd08ec4cfbcc35f7987fa8b8a6ffa Use local anchor when armoring password requests
a194055c92c7ca4eba29323f990ec3b92026221b Upgrade: configure local/full PKINIT depending on the master status
960e361f68a3d7acd9bcf16ec6fe8f6d5376c4ae Do not test anonymous PKINIT after install/upgrade

ipa-4-5:

31a24436592304db6e84270e4a95df34d1e0af46 separate function to set ipaConfigString values on service entry
b49e075c90a7ab43e82f422aa11dc7540e2fb2c0 Allow for configuration of all three PKINIT variants when deploying KDC
a0e2a09292ffa2adbf97c2e7e4facc9693dbc311 API for retrieval of master's PKINIT status and publishing it in LDAP
fca378c9a65f582ac3dcda4b6201e8847ed9e512 Use only anonymous PKINIT to fetch armor ccache
9fcc794dac6ffb1f1cc6c92a588ea0911be5ba14 Stop requesting anonymous keytab and purge all references of it
5031929b6d710336f6308d7f46779c9e8e98103a Use local anchor when armoring password requests
2452e6e5f3a7e7a25eadf5243a28da75a47f9d2c Upgrade: configure local/full PKINIT depending on the master status
d497c4589cc7506ef9a88b691b8b1d97ad1f1009 Do not test anonymous PKINIT after install/upgrade

Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
