Thanks to Dogtag update to their export of the admin certificate to a PKCS12 file (/root/cacert.p12 in our case), ipa-replica-install --setup-kra is broken on domain level 0.
More information about the Dogtag change is to be found at https://bugzilla.redhat.com/show_bug.cgi?id=1426754
Metadata Update from @stlaz: - Issue priority set to: critical - Issue tagged with: regression
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1486225
Issue linked to bug 1486225
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.5.4
Metadata Update from @fbarreto: - Issue assigned to fbarreto
More details are needed. I was not able to reproduce this on RHEL 7.4 with ipa-server-4.5.0-21.el7_4.1.2.x86_64
I was able to reproduce it on fedora 26, with
$ ipa --version
VERSION: 4.5.3, API_VERSION: 2.228
pk12util is returning error 19
Can you attach the replica install log with the details?
Attachment: ipaserver-kra-install.log
I imagine that this is reproducible with a basic IPA install with a dogtag CA.
The relevant error is:
args=/usr/bin/pk12util -d /tmp/tmpGSehAN -i /tmp/tmpbZHlfPipa/realm_info/cacert.p12 -k /tmp/tmpGSehAN/pwdfile.txt -v -w /tmp/tmpvYcyVB
Process finished, return code=19
stdout=
stderr=pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import. Error attempting to import private key.
This is easy enough to confirm on the command-line with pk12util.
OpenSSL has issues with the file as well:
$ openssl pkcs12 -in ../cacert.p12 -out file.pem -nodes
Enter Import Password:
MAC verified OK
Error outputting keys and certificates
140027567490936:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:592:
140027567490936:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140027567490936:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
I'll run this past Fraser to see what he thinks.
Yeah, I probably caused this somehow. Actually my head is in NSS/JSS PKCS #12 space right now so I'll look at it today.
@rcritten can you please attach (or email) the problematic p12 file along with the passphrase?
@ftweedal the problematic file is /root/cacert.p12 which is created during pkispawn run, encrypted by the DM password.
My spidey sense is tingling. I think this may be a regression in NSS.
Sigh... yes it is caused by a change in NSS 3.31. They changed how the passphrase gets processed. The result is that PKCS #12 files created on earlier versions of NSS, and PKCS #12 files created by other tools or by other means than the one that was modified, cannot be imported by the ImportEncryptedPrivKeyInfo subroutine in NSS >= 3.31.
The change was (it seems) motivated by NSS having behaviour that was inconsistent with OpenSSL (albeit around a somewhat ambiguous part of the PKCS #12 spec).
I'll start a dialog with the appropriate folks to work out a way forward.
This is the NSS upstream BZ: https://bugzilla.mozilla.org/show_bug.cgi?id=1353325 for the change that introduced this issue.
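The comments above diagnose the failure by hand-feeding the PKCS #12 file to pk12util and openssl and reading the error output. The script below is an added example (not code from the FreeIPA ticket or from the FreeIPA/Dogtag projects) that turns that manual check into a pre-flight test a replica install procedure could run before trusting a bundle: it tries to decrypt the key bag with openssl, and, when nss-tools is installed, additionally imports the bundle into a throwaway NSS database with pk12util, so an NSS/OpenSSL disagreement of the kind described in the thread is caught before a real install fails with return code 19. The sample key, certificate and password it builds are constructed test data; the file names, the `--demo` flag and the return-code convention are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that a PKCS #12 bundle decodes with the passphrase we hold,
# using the same tools the ticket used for diagnosis (openssl and, optionally, pk12util).
set -u

# check_p12 FILE PASSWORD
# Returns 0 if openssl verifies the MAC and decrypts the private-key bag,
# non-zero otherwise (the "bad decrypt" case quoted in the ticket exits non-zero here).
check_p12() {
    p12="$1"; pw="$2"
    # -nodes: do not re-encrypt the output key, so openssl never prompts for a PEM password
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nodes -out /dev/null >/dev/null 2>&1
}

# check_p12_nss FILE PASSWORD
# Returns 0 if pk12util imports the bundle into a scratch NSS database,
# 1 on import failure, 2 when pk12util/certutil are not installed (check skipped).
check_p12_nss() {
    p12="$1"; pw="$2"
    command -v pk12util >/dev/null 2>&1 || return 2
    command -v certutil >/dev/null 2>&1 || return 2
    db=$(mktemp -d) || return 1
    printf '%s' "$pw" > "$db/p12pw.txt"      # PKCS #12 passphrase, read with -w
    printf 'dbpass' > "$db/dbpw.txt"         # scratch NSS DB password, read with -k/-f
    if ! certutil -N -d "$db" -f "$db/dbpw.txt" >/dev/null 2>&1; then
        rm -rf "$db"; return 1
    fi
    pk12util -d "$db" -k "$db/dbpw.txt" -i "$p12" -w "$db/p12pw.txt" >/dev/null 2>&1
    rc=$?
    rm -rf "$db"
    [ "$rc" -eq 0 ] && return 0
    return 1
}

# make_test_p12 DIR PASSWORD
# Constructs a throwaway self-signed key/certificate pair and exports it as DIR/test.p12.
# This is constructed sample data standing in for the ticket's /root/cacert.p12.
make_test_p12() {
    dir="$1"; pw="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=p12-check-example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout "pass:$pw" -out "$dir/test.p12" >/dev/null 2>&1
}

# Stand-alone run: build a sample bundle and check it with the right and a wrong password.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_p12 "$d" 'Secret123' && echo "created $d/test.p12"
    check_p12 "$d/test.p12" 'Secret123' && echo "openssl: decode OK with correct password"
    check_p12 "$d/test.p12" 'wrong' || echo "openssl: decode rejected with wrong password (expected)"
    check_p12_nss "$d/test.p12" 'Secret123'; echo "pk12util check rc=$? (2 = nss-tools not installed)"
    rm -rf "$d"
fi
```

Run it as `sh check_p12.sh --demo` to see both checks against the constructed bundle; in an install script, call `check_p12` and `check_p12_nss` on the real bundle and abort when either returns 1, since a bundle that openssl accepts but pk12util rejects is exactly the interoperability gap this ticket traces back to the NSS 3.31 passphrase change.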
I contacted NSS developers; awaiting response.
Metadata Update from @ftweedal: - Issue assigned to ftweedal (was: fbarreto)
The PKCS #12 issues have been addressed in Dogtag, JSS and NSS.
Getting PKCS #12 import working uncovered other failures which are addressed in PR https://github.com/freeipa/freeipa/pull/1138.
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)
All of the issues (NSS PKCS #12 regression, Dogtag PKCS #12 regression, Dogtag security domain login replication race) have been addressed in their respective projects. Now there is apparently another problem: https://bugzilla.redhat.com/show_bug.cgi?id=1486225#c19. So let's leave this open a little while longer until that is worked out.
Looks like all of the problems have been resolved. https://bugzilla.redhat.com/show_bug.cgi?id=1486225 is now marked VERIFIED. There were no code changes in FreeIPA itself in relation to this, other than to bump dependencies (which was addressed as part of other tickets).
Therefore closing this.
Metadata Update from @ftweedal: - Issue close_status updated to: fixed