A RHEL-7.3 IdM system was updated to RHEL-7.4, and there are reports of SSL errors:
failed update on "ipactl restart" with error "[SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1783)"
other related errors from httpd: "SSL Library Error: -8172 Certificate is signed by an untrusted issuer" "Bad remote server certificate: -8172"
The problem is that the CA certificate and the SSL server certificate used by the RHEL-7.3 IdM before the RHEL-7.4 update are invalid:
The CA certificate has these extensions and signature algorithm:
"
Signed Extensions:
    Name: Certificate Type
    Data: <SSL CA,S/MIME CA,ObjectSigning CA>

    Name: Certificate Basic Constraints
    Critical: True
    Data: Is a CA with no maximum path length.

    Name: Certificate Key Usage
    Critical: True
    Usages: Digital Signature
            Non-Repudiation
            Certificate Signing

Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
"
And the HTTPD SSL server cert has these extensions and signature algorithm:
"
Signed Extensions:
    Name: Certificate Type
    Data: <SSL Server>

    Name: Certificate Key Usage
    Usages: Key Encipherment

Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
"
Both certs are invalid in PKI, and could NOT have been issued by Dogtag. The CA cert was probably generated by OpenSSL.
We should add requirements in the IPA installer and updater on any third-party or non-IPA-Dogtag-issued certificate: certificate extensions that must be present before installing or updating an IdM master or replica.
Not doing so results in a severely broken IdM deployment: the CA must be renewed and deployed, then the server certificates must be renewed.
It may not be clear what makes a CA or SSL server certificate valid or invalid, but we should make sure a minimum set of extensions is present to allow working PKI trust chain validation.
A CA cert should have:
- Certificate Authority Key Identifier
- Certificate Basic Constraints, Critical: True, a length
- Certificate Key Usage, Critical: True, Usages: Digital Signature, Non-Repudiation, Certificate Signing, CRL Signing
- Certificate Subject Key ID
- Authority Information Access with method PKIX with OID 1.3.6.1.5.5.7.48.1 and a URI
An SSL server cert should have:
- Certificate Authority Key Identifier
- Authority Information Access with method PKIX with OID 1.3.6.1.5.5.7.48.1 and a URI
- Certificate Key Usage, Critical: True, Usages: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment
- Extended Key Usage: TLS Web Server Authentication Certificate, TLS Web Client Authentication Certificate
- CRL Distribution Points with URI and "CRL issuer"
- Certificate Subject Key ID
and at least a signature algorithm with SHA-256 With RSA Encryption
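As an added illustration (not FreeIPA or Dogtag code), a Python checker built on the third-party cryptography package that applies the CA-certificate requirements listed above, plus a constructed self-signed CA that mimics the ticket's OpenSSL-made one (SHA-1, missing Subject/Authority Key ID, AIA and CRL Signing) beside a compliant one; the CA name and the OCSP URI are placeholders.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID as AIAOID, ExtensionOID as EXT, NameOID

def _ext(cert, oid):
    """Return the extension for oid, or None when the cert does not carry it."""
    try:
        return cert.extensions.get_extension_for_oid(oid)
    except x509.ExtensionNotFound:
        return None

def check_ca_cert(cert):
    """List the ticket's CA requirements that cert violates; an empty list means it passes."""
    problems = []
    bc = _ext(cert, EXT.BASIC_CONSTRAINTS)
    if bc is None or not bc.critical or not bc.value.ca:
        problems.append("Basic Constraints must be present, critical and CA:TRUE")
    ku = _ext(cert, EXT.KEY_USAGE)
    need = ("digital_signature", "content_commitment", "key_cert_sign", "crl_sign")  # content_commitment = Non-Repudiation
    if ku is None or not ku.critical or not all(getattr(ku.value, n) for n in need):
        problems.append("Key Usage must be critical with Digital Signature, Non-Repudiation, Certificate Signing, CRL Signing")
    for oid, name in ((EXT.SUBJECT_KEY_IDENTIFIER, "Subject Key ID"), (EXT.AUTHORITY_KEY_IDENTIFIER, "Authority Key ID")):
        if _ext(cert, oid) is None:
            problems.append("missing " + name)
    aia = _ext(cert, EXT.AUTHORITY_INFORMATION_ACCESS)
    if aia is None or not any(d.access_method == AIAOID.OCSP for d in aia.value):
        problems.append("missing Authority Information Access with an OCSP (1.3.6.1.5.5.7.48.1) URI")
    if isinstance(cert.signature_hash_algorithm, hashes.SHA1):
        problems.append("signed with SHA-1; SHA-256 With RSA Encryption or stronger expected")
    return problems

def make_ca(compliant):
    """Constructed self-signed test CA; compliant=False mimics the OpenSSL-made CA from the ticket."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])  # placeholder name
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
         .serial_number(x509.random_serial_number()).not_valid_before(now).not_valid_after(now + timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
         .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=False,
                                      data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=compliant,
                                      encipher_only=False, decipher_only=False), critical=True))
    if compliant:  # the extensions the ticket wants the installer to insist on
        b = (b.add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
             .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()), critical=False)
             .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(AIAOID.OCSP,
                 x509.UniformResourceIdentifier("http://ipa.example.test/ca/ocsp"))]), critical=False))  # placeholder URI
    return b.sign(key, hashes.SHA256() if compliant else hashes.SHA1())
```

`check_ca_cert(x509.load_pem_x509_certificate(pem_bytes))` runs the same checks on a real CA cert; `check_ca_cert(make_ca(False))` shows the findings for the ticket-style CA.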
RH BZ 1489962
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1489962
Issue linked to bug 1489962
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Metadata Update from @rcritten: - Issue tagged with: healthcheck