#7087 ipa-replica-install --setup-kra broken on DL0
Closed: fixed 2 years ago. Opened 3 years ago by stlaz.

Thanks to a Dogtag update to their export of the admin certificate to a PKCS12 file (/root/cacert.p12 in our case), ipa-replica-install --setup-kra is broken on domain level 0.

More information about the Dogtag change is to be found at https://bugzilla.redhat.com/show_bug.cgi?id=1426754

Metadata Update from @stlaz:
- Issue priority set to: critical
- Issue tagged with: regression

3 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1486225

3 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.5.4

3 years ago

Metadata Update from @fbarreto:
- Issue assigned to fbarreto

3 years ago

More details are needed. I was not able to reproduce this on RHEL 7.4 with ipa-server-4.5.0-21.el7_4.1.2.x86_64

I was able to reproduce it on Fedora 26, with

$ ipa --version
VERSION: 4.5.3, API_VERSION: 2.228

pk12util is returning error 19

Can you attach the replica install log with the details?

I imagine that this is reproducible with a basic IPA install with a dogtag CA.

The relevant error is:

args=/usr/bin/pk12util -d /tmp/tmpGSehAN -i /tmp/tmpbZHlfPipa/realm_info/cacert.p12 -k /tmp/tmpGSehAN/pwdfile.txt -v -w /tmp/tmpvYcyVB
Process finished, return code=19
stderr=pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.

This is easy enough to confirm on the command-line with pk12util.

OpenSSL has issues with the file as well:

$ openssl pkcs12 -in ../cacert.p12 -out file.pem -nodes
Enter Import Password:
MAC verified OK
Error outputting keys and certificates
140027567490936:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:592:
140027567490936:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140027567490936:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:

I'll run this past Fraser to see what he thinks.

Yeah, I probably caused this somehow. Actually, my head is in NSS/JSS PKCS #12 space right now, so I'll look at it today.

@rcritten can you please attach (or email) the problematic p12 file along with the passphrase?

@ftweedal the problematic file is /root/cacert.p12 which is created during pkispawn run, encrypted by the DM password.

My spidey sense is tingling. I think this may be a regression in NSS.

Sigh... yes, it is caused by a change in NSS 3.31. They changed how the passphrase gets processed. The result is that PKCS #12 files created on earlier versions of NSS, and PKCS #12 files created by other tools or by other means than the one that was modified, cannot be imported by the ImportEncryptedPrivKeyInfo subroutine in NSS >= 3.31.

The change was (it seems) motivated by NSS having behaviour that was inconsistent with OpenSSL (albeit around a somewhat ambiguous part of the PKCS #12 spec).

I'll start a dialog with the appropriate folks to work out a way forward.

This is the NSS upstream BZ for the change that introduced this issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1353325
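The passphrase-processing point raised above is where tool interoperability hinges. As an added worked example (not code from this ticket, NSS, JSS or Dogtag), the block below implements the PKCS #12 password encoding and key derivation from RFC 7292 Appendix B in plain Python, and places a deliberately non-conforming UTF-8 password encoding beside the spec's BMPString form to show that two implementations which feed the same passphrase through different encodings derive different keys and therefore cannot decrypt each other's key bags. The salt, iteration count and passphrase are constructed sample values; the ticket does not say which aspect of passphrase handling NSS 3.31 changed, so this does not claim to reproduce that change, only the mechanism by which such a mismatch breaks import.

```python
"""PKCS #12 password encoding and KDF (RFC 7292, Appendix B) as a worked example."""
import hashlib
import math

# Purpose bytes from RFC 7292 B.3 (the ID that selects what is being derived).
ID_KEY = 1   # encryption key for a PBE-protected bag
ID_IV = 2    # IV for that bag
ID_MAC = 3   # key for the integrity MAC over the whole file


def encode_password_bmp(password: str) -> bytes:
    """RFC 7292 B.1: password as a BMPString (UTF-16BE) with a two-byte NUL terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"


def encode_password_utf8(password: str) -> bytes:
    """Non-conforming variant (UTF-8, no terminator), only to show what a mismatch does."""
    return password.encode("utf-8")


def _repeat_to_multiple(block: bytes, v: int) -> bytes:
    """Repeat `block` until its length is the smallest multiple of v >= len(block)."""
    if not block:
        return b""
    target = v * math.ceil(len(block) / v)
    return (block * (target // len(block) + 1))[:target]


def pkcs12_kdf(password_bytes: bytes, salt: bytes, id_byte: int,
               iterations: int, n: int, hash_name: str = "sha1") -> bytes:
    """RFC 7292 B.2: derive n bytes for purpose id_byte from an already-encoded password."""
    h = hashlib.new(hash_name)
    u, v = h.digest_size, h.block_size          # 20 and 64 for SHA-1
    d = bytes([id_byte]) * v                    # D: the purpose byte repeated v times
    i_block = _repeat_to_multiple(salt, v) + _repeat_to_multiple(password_bytes, v)
    c = math.ceil(n / u)
    out = b""
    for i in range(1, c + 1):
        # A_i = H^r(D || I): hash the concatenation `iterations` times
        a_i = hashlib.new(hash_name, d + i_block).digest()
        for _ in range(iterations - 1):
            a_i = hashlib.new(hash_name, a_i).digest()
        out += a_i
        if i == c:
            break
        # B = A_i repeated to v bytes; every v-byte block of I becomes I_j + B + 1 mod 2^(8v)
        b_plus_one = int.from_bytes(_repeat_to_multiple(a_i, v)[:v], "big") + 1
        updated = b""
        for j in range(len(i_block) // v):
            i_j = int.from_bytes(i_block[j * v:(j + 1) * v], "big")
            updated += ((i_j + b_plus_one) % (1 << (8 * v))).to_bytes(v, "big")
        i_block = updated
    return out[:n]


def derive_with_both_encodings(password: str, salt: bytes, iterations: int = 2048,
                               key_len: int = 24) -> dict:
    """Derive the bag key from the same passphrase under both encodings for comparison."""
    return {
        "bmpstring": pkcs12_kdf(encode_password_bmp(password), salt, ID_KEY, iterations, key_len),
        "utf8": pkcs12_kdf(encode_password_utf8(password), salt, ID_KEY, iterations, key_len),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real PKCS #12 file.
    sample_salt = bytes(range(8))
    keys = derive_with_both_encodings("DM-password-sample", sample_salt)
    for name, key in keys.items():
        print(f"{name:>9}: {key.hex()}")
    print("keys agree" if keys["bmpstring"] == keys["utf8"] else "keys differ: import of the bag would fail")
```

Because the MAC key (ID_MAC) and the bag key (ID_KEY) are derived separately, a file whose MAC happens to verify can still fail on the private-key bag if the two code paths encode the passphrase differently; that is the shape of the pk12util and openssl output quoted earlier in the ticket.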

I contacted NSS developers; awaiting response.

Metadata Update from @ftweedal:
- Issue assigned to ftweedal (was: fbarreto)

3 years ago

The PKCS #12 issues have been addressed in Dogtag, JSS and NSS.

Getting PKCS #12 import working uncovered other failures which are
addressed in PR https://github.com/freeipa/freeipa/pull/1138.

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)

3 years ago

All of the issues (NSS PKCS #12 regression, Dogtag PKCS #12 regression, Dogtag security domain login replication race) have been addressed in their respective projects. Now there is apparently another problem: https://bugzilla.redhat.com/show_bug.cgi?id=1486225#c19. So let's leave this open a little while longer until that is worked out.

Looks like all of the problems have been resolved. https://bugzilla.redhat.com/show_bug.cgi?id=1486225 is now marked VERIFIED. There were no code changes in FreeIPA itself in relation to this, other than to bump dependencies (which was addressed as part of other tickets).

Therefore closing this.

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed

2 years ago
