When installing a PKINIT cert in a CA-less installation using the --pkinit-cert-file option, the installation always fails.
The reason the installation fails is that we require the full chain in the .p12 file that is fed to the above option. The file gets correctly exported to a PEM bundle in '/var/kerberos/krb5kdc/kdc.crt', but it will contain multiple certificates. OpenSSL does not know how to deal with this; it assumes there is only one certificate in the PEM file. If the first certificate is a CA cert, that will cause the installation to crash, as it will be unable to test anonymous pkinit.
Indeed, kinit -n gives:
```
... [48537] 1492084647.997132: Preauth module pkinit (147) (info) returned: 0/Success
[48537] 1492084647.997365: PKINIT OpenSSL error: Failed to verify CMS message
[48537] 1492084647.997387: PKINIT OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[48537] 1492084647.997394: PKINIT OpenSSL error: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[48537] 1492084647.997403: PKINIT OpenSSL error: error:2E09809E:CMS routines:CMS_SignerInfo_verify:verification failure
[48537] 1492084647.997427: PKINIT client could not verify DH reply
[48537] 1492084647.997437: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: block type is not 01
kinit: Invalid signature while getting initial credentials
```
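The failure mode described in the report, as an added example that is not part of the original ticket or of FreeIPA's own code: a PEM bundle whose first CERTIFICATE block is a CA certificate is exactly what trips a reader that only looks at the first certificate. The script below splits a bundle into its blocks, checks whether the first one carries `basicConstraints: CA:TRUE`, and reorders the bundle so the end-entity (KDC) certificate comes first. The CA and KDC certificates are generated in-process with the `cryptography` package purely as constructed input; the names `Example CA` and `kdc.example.test`, and the helper functions `split_pem_bundle`, `is_ca_cert`, `first_cert_is_ca` and `leaf_first`, are assumptions of this example and do not come from the ticket or from the project.

```python
"""
Added example (not FreeIPA code): detect a PEM bundle whose first
certificate is a CA cert, and reorder it leaf-first.

The CA and KDC certificates are constructed at runtime so the script
runs offline; they are not the real IPA CA or KDC certificates.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def split_pem_bundle(bundle: str) -> list:
    """Return each CERTIFICATE block of the bundle, in file order."""
    blocks, current = [], []
    for line in bundle.splitlines():
        if line == "-----BEGIN CERTIFICATE-----":
            current = [line]
        elif line == "-----END CERTIFICATE-----":
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = []
        elif current:
            current.append(line)
    return blocks


def is_ca_cert(pem: str) -> bool:
    """True if the certificate asserts basicConstraints cA=TRUE."""
    cert = x509.load_pem_x509_certificate(pem.encode())
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return False
    return bc.value.ca


def first_cert_is_ca(bundle: str) -> bool:
    """The bad ordering: a reader that takes only the first cert gets the CA."""
    blocks = split_pem_bundle(bundle)
    return bool(blocks) and is_ca_cert(blocks[0])


def leaf_first(bundle: str) -> str:
    """Reorder the bundle so non-CA certs precede the CA chain."""
    blocks = split_pem_bundle(bundle)
    leaves = [b for b in blocks if not is_ca_cert(b)]
    cas = [b for b in blocks if is_ca_cert(b)]
    return "".join(leaves + cas)


def _make_cert(subject, issuer, key, signing_key, ca):
    # Minimal certificate: only basicConstraints is set, enough for the check.
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def constructed_bundle_ca_first() -> str:
    """Constructed input (hypothetical names): CA cert first, KDC cert second."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    kdc_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    kdc_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "kdc.example.test")])
    ca_cert = _make_cert(ca_name, ca_name, ca_key, ca_key, ca=True)
    kdc_cert = _make_cert(kdc_name, ca_name, kdc_key, ca_key, ca=False)

    def pem(cert):
        return cert.public_bytes(serialization.Encoding.PEM).decode()

    return pem(ca_cert) + pem(kdc_cert)


if __name__ == "__main__":
    bundle = constructed_bundle_ca_first()
    print("first cert is CA:", first_cert_is_ca(bundle))
    print("after reorder, first cert is CA:", first_cert_is_ca(leaf_first(bundle)))
```

Run it against a real bundle by reading the file into `bundle` instead of calling `constructed_bundle_ca_first()`; `first_cert_is_ca` returning True on the exported kdc.crt is the condition the ticket describes. The reorder keeps every block, so the CA chain is still present for anything that reads the whole file.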
Metadata Update from @stlaz: - Issue tagged with: bug
Metadata Update from @jcholast: - Issue assigned to jcholast
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1444432
Issue linked to bug 1444432
Metadata Update from @pvoborni: - Issue priority set to: blocker - Issue set to the milestone: FreeIPA 4.5.1
master:
ipa-4-5:
Metadata Update from @mbasti: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)