#7076 Adjust to CURL which started to use OpenSSL - ipa-server-install fails to obtain RA certificate from CA (CA_UNREACHABLE)
Closed: fixed 7 years ago Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1455561

Description of problem:
During ipa-server-install on Fedora 27, RA certificate can't be obtained from CA and the
installation fails with CA_UNREACHABLE error.


Version-Release number of selected component (if applicable):
freeipa-4.5.1-1.fc27


How reproducible:
deterministic


Steps to Reproduce:
1. ipa-server-install


Actual results:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: exporting Dogtag certificate store pin
  [3/29]: stopping certificate server instance to update CS.cfg
  [4/29]: backing up CS.cfg
  [5/29]: disabling nonces
  [6/29]: set up CRL publishing
  [7/29]: enable PKIX certificate path discovery and validation
  [8/29]: starting certificate server instance
  [9/29]: configure certmonger for renewals
  [10/29]: requesting RA certificate from CA
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR
Certificate issuance failed (CA_UNREACHABLE)


Expected results:
IPA server installs without errors.


Additional info:
$ journalctl -u certmonger
certmonger[26286]: 2017-05-25 14:21:16 [26286] Error 58 connecting to
https://vm.example.com:8443/ca/agent/ca//profileReview: Problem with the local
SSL certificate.

Investigation by Flo:
The CA helper dogtag-ipa-ca-renew-agent is using libcurl with an NSS db to provide the agent certificate, but in rawhide curl is built against OpenSSL instead of NSS. Because of this, the curl commands using an NSS db will fail:

$ curl -V
curl 7.54.1 (x86_64-redhat-linux-gnu) libcurl/7.54.1 OpenSSL/1.1.0f zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.23.1
Release-Date: 2017-06-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink PSL 

In fedora 26, curl is built against NSS:

curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 NSS/3.29.3 zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.21.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy Metalink PSL
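The failure above comes down to which TLS backend libcurl was linked against: an NSS-built curl accepts a certificate nickname in `--cert` and reads it from the NSS database named by the `SSL_DIR` environment variable, while an OpenSSL-built curl expects `--cert` to be a PEM (or PKCS#12) file plus a separate `--key` file and cannot open an NSS database at all. The following script is an added example, not code from FreeIPA, certmonger or this ticket's fix: it parses the first line of `curl -V` to find the backend and builds the matching client-certificate options, refusing (with a clear message rather than curl's "Error 58") when only an NSS database is available to an OpenSSL build. The version strings are constructed from the two `curl -V` outputs quoted above; the database path `/var/lib/ipa/radb`, the nickname `ipaCert` and the PEM file names are assumed for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA/certmonger code): choose how to hand a client
# certificate to curl based on the TLS library it was built against.
# Version lines are constructed from the "curl -V" output quoted in the ticket.

CURL_V_F27='curl 7.54.1 (x86_64-redhat-linux-gnu) libcurl/7.54.1 OpenSSL/1.1.0f zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.23.1'
CURL_V_F26='curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 NSS/3.29.3 zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.21.1'

# curl_tls_backend VERSION_LINE
# Prints the TLS library token (NSS, OpenSSL, ...) from the first line of
# "curl -V"; prints "unknown" and returns 1 if none of the known ones appears.
curl_tls_backend() {
    for lib in NSS OpenSSL LibreSSL GnuTLS wolfSSL mbedTLS; do
        case " $1 " in
            *" $lib/"*) printf '%s\n' "$lib"; return 0 ;;
        esac
    done
    printf 'unknown\n'
    return 1
}

# curl_client_cert_args BACKEND NSS_DIR NICKNAME PEM_CERT PEM_KEY
# Prints the curl options (and, for NSS, the SSL_DIR setting) that present a
# client certificate under BACKEND. An NSS build takes a nickname in --cert
# and finds it in the NSS database pointed to by SSL_DIR; every other backend
# needs the certificate and key as files, so with no PEM files we fail early
# instead of letting curl report "Problem with the local SSL certificate".
curl_client_cert_args() {
    backend=$1; nssdir=$2; nick=$3; pemcert=$4; pemkey=$5
    case "$backend" in
        NSS)
            printf 'SSL_DIR=%s --cert %s\n' "$nssdir" "$nick" ;;
        OpenSSL|LibreSSL|GnuTLS|wolfSSL|mbedTLS)
            if [ -z "$pemcert" ] || [ -z "$pemkey" ]; then
                printf 'error: curl is built against %s and cannot read the NSS db %s; export %s to PEM files first\n' \
                    "$backend" "$nssdir" "$nick" >&2
                return 1
            fi
            printf '%s %s %s %s\n' --cert "$pemcert" --key "$pemkey" ;;
        *)
            printf 'error: unknown curl TLS backend "%s"\n' "$backend" >&2
            return 1 ;;
    esac
}

# ra_agent_preflight VERSION_LINE NSS_DIR NICKNAME PEM_CERT PEM_KEY
# The guard an installer could run before invoking curl (or a libcurl-based
# renewal helper) with agent credentials that live in an NSS database.
ra_agent_preflight() {
    backend=$(curl_tls_backend "$1") || backend=unknown
    curl_client_cert_args "$backend" "$2" "$3" "$4" "$5"
}

# Demo with hypothetical paths: the Fedora 26 (NSS) build can use the db
# directly; the Fedora 27 (OpenSSL) build needs the credentials as PEM files.
ra_agent_preflight "$CURL_V_F26" /var/lib/ipa/radb ipaCert "" ""
ra_agent_preflight "$CURL_V_F27" /var/lib/ipa/radb ipaCert "" "" \
    || echo "(this is the case that ends in CA_UNREACHABLE)"
ra_agent_preflight "$CURL_V_F27" /var/lib/ipa/radb ipaCert \
    /var/lib/ipa/ra-agent.pem /var/lib/ipa/ra-agent.key
```

On a live system replace the constructed version lines with `curl -V | head -n 1`; the same backend check applies to anything linked against libcurl, since the TLS library is a property of the shared library, not of the command-line tool.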

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455561

7 years ago

Metadata Update from @pvoborni:
- Issue priority set to: blocker

7 years ago

master:

  • 9c1ab3c Pass ipa-ca-agent credentials as PEM files

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago
