FreeIPA 4.5.1 enables OCSP checks in mod_nss configuration upon install/upgrade in order to improve security in authentication via client certificates (e.g. smart cards).
While this works well when FreeIPA servers manage DNS infrastructure, it breaks down in the case that DNS is not managed in IPA and ipa-ca records are not added to the DNS servers. This leads to an unresolvable OCSP endpoint (ipa-ca.$DOMAIN) that breaks authentication using client certificates, since the certificate validity checks fail during the handshake:
[pid 21751] Bad remote server certificate: -8071
[Thu May 25 02:44:27.608751 2017] [:error] [pid 21751] SSL Library Error: -8071 The OCSP server experienced an internal error
[Thu May 25 02:44:27.608882 2017] [:error] [pid 21751] Re-negotiation handshake failed: Not accepted by client!
Since the RA agent authenticates via client certificate when issuing server certs, all operations requesting server certificates (including replica install, see below) fail:
in progress, 2 seconds elapsed
Update in progress, 3 seconds elapsed
Update in progress, 4 seconds elapsed
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Update succeeded
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>:
[2017-05-25T12:21:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [28/40]: adding sasl mappings to the directory
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [29/40]: updating schema
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [30/40]: setting Auto Member configuration
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [31/40]: enabling S4U2Proxy delegation
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [32/40]: initializing group membership
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [33/40]: adding master entry
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [34/40]: initializing domain level
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [35/40]: configuring Posix uid/gid generation
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [36/40]: adding replication acis
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [37/40]: activating sidgen plugin
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [38/40]: activating extdom plugin
[2017-05-25T12:21:19Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [39/40]: tuning directory server
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [40/40]: configuring directory to start on boot
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring directory server (dirsrv).
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring Kerberos KDC (krb5kdc)
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [1/5]: configuring KDC
[2017-05-25T12:21:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [2/5]: adding the password extension to the directory
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [3/5]: creating anonymous principal
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [4/5]: starting the KDC
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [5/5]: configuring KDC to start on boot
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring Kerberos KDC (krb5kdc).
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring kadmin
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [1/2]: starting kadmin
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [2/2]: configuring kadmin to start on boot
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Done configuring kadmin.
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Configuring directory server (dirsrv)
[2017-05-25T12:21:23Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [1/3]: configuring TLS for DS instance
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE)
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: Run /usr/sbin/ipa-server-install --uninstall to clean up.
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <DEBUG>: ipa: ERROR: Exit code: 1
[2017-05-25T12:21:29Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-075.cmd21] <ERROR>: Exit code: 1
We need to ensure that OCSP is enabled in an environment that supports the setup, ideally with a manual intervention after making sure ipa-ca records are resolvable.
Metadata Update from @mbabinsk: - Issue assigned to mbabinsk
@mbabinsk I think you need to include
NSSOCSPDefaultURL http://ipa-ca.testrelm.test/ca/ocsp
in the nss.conf file. If I remove this directive from my conf file then it gives me the same error.
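The check the issue description asks for (only keep OCSP on once ipa-ca.$DOMAIN actually resolves) together with the NSSOCSPDefaultURL directive from the comment above, as an added example; this is not FreeIPA's own installer code and not code from this ticket. The nss.conf snippet is constructed, the status names are my own, and the resolver is injectable so the decision logic can be exercised offline without touching real DNS.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed sample of the OCSP-related part of a mod_nss nss.conf;
# not a file taken from the ticket or from a FreeIPA install.
SAMPLE_NSS_CONF = """\
NSSEngine on
NSSOCSP on
NSSOCSPDefaultResponder on
NSSOCSPDefaultURL http://ipa-ca.testrelm.test/ca/ocsp
"""

# Only the two directives the decision needs; the last occurrence wins, as in httpd.
_OCSP_DIRECTIVE_RE = re.compile(
    r"^[ \t]*(NSSOCSP|NSSOCSPDefaultURL)[ \t]+(\S+)[ \t]*$", re.MULTILINE)


def parse_ocsp_directives(conf_text):
    """Return the values of NSSOCSP and NSSOCSPDefaultURL (None when absent)."""
    found = {"NSSOCSP": None, "NSSOCSPDefaultURL": None}
    for match in _OCSP_DIRECTIVE_RE.finditer(conf_text):
        found[match.group(1)] = match.group(2)
    return found


def responder_host(url):
    """Hostname part of the OCSP responder URL, e.g. ipa-ca.testrelm.test."""
    return urlparse(url).hostname


def host_resolves(host, resolver=socket.getaddrinfo):
    """True if the resolver returns at least one address for host.

    socket.gaierror is an OSError subclass, so a failed lookup lands in
    the except branch; `resolver` is injectable for offline testing."""
    try:
        return len(resolver(host, None)) > 0
    except OSError:
        return False


def assess_ocsp_config(conf_text, resolver=socket.getaddrinfo):
    """Classify the config as ocsp-disabled, no-responder-url,
    unresolvable-responder, or ok (OCSP on and the responder resolves)."""
    directives = parse_ocsp_directives(conf_text)
    enabled = (directives["NSSOCSP"] or "off").lower() == "on"
    url = directives["NSSOCSPDefaultURL"]
    host = responder_host(url) if url else None
    if not enabled:
        status = "ocsp-disabled"
    elif host is None:
        status = "no-responder-url"
    elif not host_resolves(host, resolver):
        # The situation in this ticket: OCSP on, ipa-ca record missing,
        # so every client-certificate handshake fails.
        status = "unresolvable-responder"
    else:
        status = "ok"
    return {"enabled": enabled, "url": url, "host": host, "status": status}


def set_ocsp(conf_text, enable):
    """Return conf_text with NSSOCSP forced to on/off (appended if missing).

    Other NSSOCSP* directives are left untouched so OCSP can be re-enabled
    later by flipping the single switch back."""
    value = "on" if enable else "off"
    new_text, count = re.subn(r"(?m)^([ \t]*NSSOCSP)[ \t]+\S+[ \t]*$",
                              r"\1 " + value, conf_text)
    if count == 0:
        new_text = conf_text.rstrip("\n") + "\nNSSOCSP %s\n" % value
    return new_text


if __name__ == "__main__":
    # Against the real resolver: with no ipa-ca record this reports
    # unresolvable-responder and shows the config with OCSP switched off.
    report = assess_ocsp_config(SAMPLE_NSS_CONF)
    print(report)
    if report["status"] == "unresolvable-responder":
        print(set_ocsp(SAMPLE_NSS_CONF, False))
```

Run before flipping NSSOCSP on during install or upgrade: `ok` means the responder name resolves from this host, `unresolvable-responder` is the condition behind the `-8071` handshake errors quoted in the description, and `set_ocsp(..., False)` is the minimal rollback that keeps the rest of the OCSP directives in place for when the ipa-ca record is added.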
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455945
Issue linked to bug 1455945
Metadata Update from @pvoborni: - Issue priority set to: blocker - Issue set to the milestone: FreeIPA 4.5.2
ipa-4-5:
master:
Metadata Update from @mbabinsk: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)