#6981 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable
Closed: fixed 7 years ago Opened 7 years ago by mbabinsk.

FreeIPA 4.5.1 enables OCSP checks in the mod_nss configuration upon install/upgrade in order to improve security in authentication via client certificates (e.g. smart cards).

While this works well when FreeIPA servers manage the DNS infrastructure, it breaks down in the case that DNS is not managed in IPA and ipa-ca records are not added to the DNS servers. This leads to an unresolvable OCSP endpoint (ipa-ca.$DOMAIN), which breaks authentication using client certificates since the certificate validity checks fail during the handshake:

[pid 21751] Bad remote server certificate: -8071
[Thu May 25 02:44:27.608751 2017] [:error] [pid 21751] SSL Library Error: -8071 The OCSP server experienced an internal error
[Thu May 25 02:44:27.608882 2017] [:error] [pid 21751] Re-negotiation handshake failed: Not accepted by client!

Since the RA agent authenticates via client certificate when issuing server certs, all operations requesting server certificates (including replica install, see below) fail:

in progress, 2 seconds elapsed
Update in progress, 3 seconds elapsed
Update in progress, 4 seconds elapsed
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Update succeeded
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: 
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [28/40]: adding sasl mappings to the directory
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [29/40]: updating schema
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [30/40]: setting Auto Member configuration
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [31/40]: enabling S4U2Proxy delegation
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [32/40]: initializing group membership
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [33/40]: adding master entry
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [34/40]: initializing domain level
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [35/40]: configuring Posix uid/gid generation
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [36/40]: adding replication acis
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [37/40]: activating sidgen plugin
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [38/40]: activating extdom plugin
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [39/40]: tuning directory server
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [40/40]: configuring directory to start on boot
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring directory server (dirsrv).
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring Kerberos KDC (krb5kdc)
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/5]: configuring KDC
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [2/5]: adding the password extension to the directory
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [3/5]: creating anonymous principal
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [4/5]: starting the KDC
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [5/5]: configuring KDC to start on boot
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring Kerberos KDC (krb5kdc).
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring kadmin
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/2]: starting kadmin 
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [2/2]: configuring kadmin to start on boot
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring kadmin.
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring directory server (dirsrv)
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [1/3]: configuring TLS for DS instance
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Run /usr/sbin/ipa-server-install --uninstall to clean up.
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: 
ipa: ERROR: Exit code: 1
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <ERROR>: Exit code: 1

We need to ensure that OCSP is enabled in an environment that supports the setup, ideally with manual intervention after making sure the ipa-ca records are resolvable.


Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk

7 years ago

@mbabinsk I think you need to include

NSSOCSPDefaultURL http://ipa-ca.testrelm.test/ca/ocsp

in the nss.conf file. If I remove this directive from my conf file then it gives me the same error.
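A pre-flight check for the situation the reporter describes and for the NSSOCSPDefaultURL point raised in the comment above, as an added example (not FreeIPA's installer code): it parses nss.conf and, when NSSOCSP is on, verifies that the responder host (taken from NSSOCSPDefaultURL, otherwise ipa-ca.$DOMAIN as the ticket states) actually resolves before client-certificate handshakes come to depend on it. The domain example.test, the sample nss.conf and the static resolver are constructed assumptions.

```python
import socket
from urllib.parse import urlsplit

# Constructed nss.conf fragment with the directives this ticket discusses.
SAMPLE_NSS_CONF = """\
NSSOCSP on
NSSOCSPDefaultURL http://ipa-ca.example.test/ca/ocsp
"""

def parse_nss_conf(text):
    """Collect the NSSOCSP* directives from nss.conf text, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("NSSOCSP"):
            conf[parts[0]] = parts[1].strip()
    return conf

def static_resolver(known_hosts):
    """Fake getaddrinfo over a constructed host table, so the check runs offline."""
    def resolve(host, port):
        if host in known_hosts:
            return [("constructed-addrinfo", host)]
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)
    return resolve

def ocsp_preflight(nss_conf_text, domain, resolver=socket.getaddrinfo):
    """Return findings that would make OCSP-enabled handshakes fail ([] means OK)."""
    conf = parse_nss_conf(nss_conf_text)
    if conf.get("NSSOCSP", "off").lower() != "on":
        return []  # OCSP checks disabled: this failure mode cannot occur
    findings = []
    default_url = conf.get("NSSOCSPDefaultURL")
    if default_url is None:
        findings.append("NSSOCSP is on but NSSOCSPDefaultURL is not set")
        ocsp_host = "ipa-ca." + domain  # FreeIPA's responder name per the ticket
    else:
        ocsp_host = urlsplit(default_url).hostname or ""
        if not ocsp_host:
            findings.append("NSSOCSPDefaultURL has no host: %r" % default_url)
    try:
        if ocsp_host:  # an unresolvable responder surfaces as -8071 in the ticket's log
            resolver(ocsp_host, None)
    except socket.gaierror:
        findings.append("OCSP responder %s does not resolve" % ocsp_host)
    return findings
```

Run it with the real resolver (`ocsp_preflight(open("/etc/httpd/conf.d/nss.conf").read(), domain)`) before turning NSSOCSP on; an empty list is the go/no-go signal the last paragraph of the report asks for.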

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455945

7 years ago

Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue set to the milestone: FreeIPA 4.5.2

7 years ago

ipa-4-5:

master:

Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago
