#7466 [F28] Replica install fails with CA_REJECTED caused by ACIError
Closed: fixed 2 years ago Opened 2 years ago by cheimes.

Issue

Promotion of a client to replica fails with Certificate issuance failed (CA_REJECTED) in configuring TLS for DS instance step. I'm seeing an ACIError in the HTTPD error log on master.

Steps to Reproduce

  1. install master
  2. install client on second machine
  3. promote client to master

Actual behavior

...
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
2018-03-26T16:58:02Z DEBUG certmonger request is in state dbus.String('GENERATING_KEY_PAIR', variant_level=1)
2018-03-26T16:58:07Z DEBUG certmonger request is in state dbus.String('CA_REJECTED', variant_level=1)
2018-03-26T16:58:07Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 556, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 542, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 843, in __enable_ssl
    post_command=cmd
  File "/usr/lib/python3.6/site-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)

HTTPD error log on master:

[Mon Mar 26 18:58:03.807187 2018] [wsgi:error] [pid 65845:tid 140410194355968] [remote 2620:52:0:25aa:21a:4aff:fe23:15ce:38120] ipa: INFO: [xmlserver] host/replica.ipa.example@IPA.EXAMPLE: cert_request('MIIE...', profile_id='caIPAserviceCert', principal='ldap/replica.ipa.example@IPA.EXAMPLE', add=True, version='2.51'): ACIError

389-DS log on master

[26/Mar/2018:18:58:03.772887190 +0200] conn=13 op=4 SRCH base="ou=People,o=ipaca" scope=2 filter="(description=2;7;CN=Certificate Authority,O=IPA.EXAMPLE;CN=IPA RA,O=IPA.EXAMPLE)" attrs=ALL
[26/Mar/2018:18:58:03.774034449 +0200] conn=13 op=4 RESULT err=0 tag=101 nentries=1 etime=0.1148511400
[26/Mar/2018:18:58:03.777821483 +0200] conn=13 op=5 SRCH base="uid=ipara,ou=People,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[26/Mar/2018:18:58:03.778012710 +0200] conn=13 op=5 RESULT err=0 tag=101 nentries=1 etime=0.0003814296
[26/Mar/2018:18:58:03.780014222 +0200] conn=13 op=6 SRCH base="ou=Groups,o=ipaca" scope=1 filter="(&(objectClass=groupofuniquenames)(uniqueMember=uid=ipara,ou=people,o=ipaca))" attrs="cn description"
[26/Mar/2018:18:58:03.780492986 +0200] conn=13 op=6 RESULT err=0 tag=101 nentries=2 etime=0.0002412133
[26/Mar/2018:18:58:03.796040450 +0200] conn=147 op=8 SRCH base="cn=accounts,dc=ipa,dc=example" scope=2 filter="(&(krbPrincipalName=ldap/replica.ipa.example@IPA.EXAMPLE)(objectClass=krbprincipalaux))" attrs=ALL
[26/Mar/2018:18:58:03.797512877 +0200] conn=147 op=8 RESULT err=0 tag=101 nentries=1 etime=0.0001823056
[26/Mar/2018:18:58:03.799480606 +0200] conn=147 op=9 EXT oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin"
[26/Mar/2018:18:58:03.799660705 +0200] conn=147 op=9 RESULT err=0 tag=120 nentries=0 etime=0.0000470062
[26/Mar/2018:18:58:03.800479789 +0200] conn=147 op=10 SRCH base="cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=ipa,dc=example" scope=0 filter="(objectClass=*)" attrs="objectClass"
[26/Mar/2018:18:58:03.802498308 +0200] conn=147 op=10 RESULT err=0 tag=101 nentries=1 etime=0.0002345011 - entryLevelRights: none
[26/Mar/2018:18:58:03.805428769 +0200] conn=147 op=11 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="ipaEnabledFlag userCategory cn memberHost serviceCategory hostCategory ipaCertProfileCategory ipaMemberCertProfile memberUser description ipaCaCategory ipaMemberCa memberService"
[26/Mar/2018:18:58:03.806038255 +0200] conn=147 op=11 RESULT err=0 tag=101 nentries=0 etime=0.0000845566
[26/Mar/2018:18:58:03.808289300 +0200] conn=147 op=12 UNBIND
[26/Mar/2018:18:58:03.808316545 +0200] conn=147 op=12 fd=123 closed - U1

Expected behavior

No error

Version/Release/Distribution

freeipa-server-4.6.90.pre1.dev201803261110+git1fe795b75-0.fc28.x86_64
freeipa-client-4.6.90.pre1.dev201803261110+git1fe795b75-0.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.6-2.fc28.x86_64
pki-ca-10.6.0-0.2.fc28.noarch
krb5-server-1.16-12.fc28.x86_64

Additional info:

Any additional information, configuration, data or log snippets that are needed for reproduction or investigation of the issue.

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting


I have enrolled the machine with user admin and kinit admin before ipa-replica-install.

I might send you barking up the wrong tree but I'd try this:

kinit admin && ipa caacl-find
kdestroy -A
kinit -kt /etc/krb5.keytab && ipa caacl-find

I think the first will return an entry and the second will not.

Yeah, but how is that related to the issue? Does the installer kinit with the host keytab during the installation? I started installation with an admin principal TGT.

# kinit admin && ipa caacl-find
Password for admin@IPA.EXAMPLE
----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
----------------------------
Number of entries returned 1
----------------------------
[root@vm-197 cheimes]# kdestroy -A
[root@vm-197 cheimes]# kinit -kt /etc/krb5.keytab && ipa caacl-find
-----------------
0 CA ACLs matched
-----------------
----------------------------
Number of entries returned 0
----------------------------

certmonger runs as the host.

I'm able to reproduce the issue with ldapsearch. An ldapsearch with admin TGT and scope one works. An ldapsearch with host TGT fails with scope one, but works with scope subtree. Could it be a regression in 389-DS? The system has 389-ds-base-1.4.0.6-2.fc28.x86_64.

ipa caacl-find with host TGT

$ ipa caacl-find
-----------------
0 CA ACLs matched
-----------------
----------------------------
Number of entries returned 0
----------------------------
[28/Mar/2018:10:45:57.523970901 +0200] conn=656 op=2 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn"
[28/Mar/2018:10:45:57.524504632 +0200] conn=656 op=2 RESULT err=0 tag=101 nentries=0 etime=0.0000840426

ldapsearch with host TGT and scope one

# ldapsearch -Y GSSAPI -s one -b "cn=caacls,cn=ca,dc=ipa,dc=example" "(&(objectClass=ipaassociation)(objectClass=ipacaacl))" ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn
SASL/GSSAPI authentication started
SASL username: host/replica.ipa.example@IPA.EXAMPLE
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=caacls,cn=ca,dc=ipa,dc=example> with scope oneLevel
# filter: (&(objectClass=ipaassociation)(objectClass=ipacaacl))
# requesting: ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn 
#

# search result
search: 4
result: 0 Success

# numResponses: 1

[28/Mar/2018:10:47:11.824472895 +0200] conn=657 op=3 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn"
[28/Mar/2018:10:47:11.825181116 +0200] conn=657 op=3 RESULT err=0 tag=101 nentries=0 etime=0.0001117036

ldapsearch with host TGT and scope subtree

# ldapsearch -Y GSSAPI -s sub -b "cn=caacls,cn=ca,dc=ipa,dc=example" "(&(objectClass=ipaassociation)(objectClass=ipacaacl))" ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn
SASL/GSSAPI authentication started
SASL username: host/replica.ipa.example@IPA.EXAMPLE
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=caacls,cn=ca,dc=ipa,dc=example> with scope subtree
# filter: (&(objectClass=ipaassociation)(objectClass=ipacaacl))
# requesting: ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn 
#

# 090ffd12-3112-11e8-b258-001a4a2315cc, caacls, ca, ipa.example
dn: ipaUniqueID=090ffd12-3112-11e8-b258-001a4a2315cc,cn=caacls,cn=ca,dc=ipa,dc=example
ipaEnabledFlag: TRUE
serviceCategory: all
hostCategory: all
cn: hosts_services_caIPAserviceCert

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

[28/Mar/2018:10:47:44.584854957 +0200] conn=658 op=3 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=2 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn"
[28/Mar/2018:10:47:44.585895372 +0200] conn=658 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0001390817

ldapsearch with admin TGT and scope one

# ldapsearch -Y GSSAPI -s one -b "cn=caacls,cn=ca,dc=ipa,dc=example" "(&(objectClass=ipaassociation)(objectClass=ipacaacl))" ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn
SASL/GSSAPI authentication started
SASL username: admin@DOM-117.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=caacls,cn=ca,dc=ipa,dc=example> with scope oneLevel
# filter: (&(objectClass=ipaassociation)(objectClass=ipacaacl))
# requesting: ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn 
#

# 090ffd12-3112-11e8-b258-001a4a2315cc, caacls, ca, ipa.example
dn: ipaUniqueID=090ffd12-3112-11e8-b258-001a4a2315cc,cn=caacls,cn=ca,dc=ipa,dc=example
ipaEnabledFlag: TRUE
serviceCategory: all
hostCategory: all
cn: hosts_services_caIPAserviceCert

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
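The comparison above (same base and filter, scope one returns nothing, scope subtree returns the entry) is the kind of pattern worth spotting quickly in a 389-DS access log when certificate requests start failing with ACIError. The following Python script is an added triage aid, not part of this ticket or of FreeIPA: it pairs SRCH and RESULT lines by connection and operation number and flags base/filter combinations where every one-level search came back empty while a subtree search found entries. The embedded log lines are constructed in the shape of the ones in this thread. Note the caveat that a subtree search can legitimately return entries that sit more than one level below the base, so a hit from this script is a prompt to check attribute access (parentid in this case), not proof of it.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the 389-DS access log excerpts above
# (conn/op numbers, timestamps and attribute lists are made up for the example).
SAMPLE_LOG = """\
[28/Mar/2018:10:47:11.824472895 +0200] conn=657 op=3 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="cn"
[28/Mar/2018:10:47:11.825181116 +0200] conn=657 op=3 RESULT err=0 tag=101 nentries=0 etime=0.0001117036
[28/Mar/2018:10:47:44.584854957 +0200] conn=658 op=3 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=2 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="cn"
[28/Mar/2018:10:47:44.585895372 +0200] conn=658 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0001390817
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) .*?nentries=(\d+)')
SCOPE_NAMES = {0: "base", 1: "one", 2: "sub"}


def parse_searches(log_text):
    """Pair each SRCH line with its RESULT line by (conn, op)."""
    searches = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            searches[(conn, op)] = {
                "base": base.lower(), "scope": int(scope), "filter": filt,
                "err": None, "nentries": None,
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            rec = searches.get((conn, op))
            if rec is not None:
                rec["err"] = int(err)
                rec["nentries"] = int(nentries)
    return list(searches.values())


def find_scope_discrepancies(searches):
    """Group completed searches by (base, filter) and report combinations where
    all one-level searches returned 0 entries but a subtree search returned some."""
    by_key = defaultdict(list)
    for rec in searches:
        if rec["err"] == 0 and rec["nentries"] is not None:
            by_key[(rec["base"], rec["filter"])].append(rec)
    findings = []
    for (base, filt), group in by_key.items():
        one = [r for r in group if r["scope"] == 1]
        sub = [r for r in group if r["scope"] == 2]
        if one and sub and all(r["nentries"] == 0 for r in one) and any(r["nentries"] > 0 for r in sub):
            findings.append({
                "base": base, "filter": filt,
                "one_level": 0, "subtree": max(r["nentries"] for r in sub),
            })
    return findings


if __name__ == "__main__":
    for f in find_scope_discrepancies(parse_searches(SAMPLE_LOG)):
        print("base=%s filter=%s: scope one -> %d entries, scope sub -> %d entries; "
              "check read access to parentid for the bound identity"
              % (f["base"], f["filter"], f["one_level"], f["subtree"]))
```

Run it against a real access log with `parse_searches(open("/var/log/dirsrv/slapd-INSTANCE/access").read())`; the conn number in a finding lets you walk back to the BIND line to see which identity (host, service or admin principal) issued the empty one-level search.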

Metadata Update from @abbra:
- Issue assigned to abbra

2 years ago

I added an anonymous access ACI to allow reading parentid as suggested by @tbordaz
The following pull request can be used to track the fix: https://github.com/freeipa/freeipa/pull/1752
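To make the fix above easier to reason about, here is an added, simplified Python model of why a one-level search depends on read access to the server-internal parentid attribute, and why the ACI resolves the symptom reported in this ticket. This is illustration written for this page, not 389-DS or FreeIPA code, and it assumes the mechanism implied by the thread: the server narrows a one-level search to the base's children with a parentid term, and a filter term on an attribute the bound identity may not read is treated as non-matching. The directory entries, entryid/parentid values and per-identity attribute sets are constructed.

```python
# Simplified model of one-level vs subtree search evaluation under per-attribute
# read access. Added illustration; not the directory server's real code path.

# Constructed directory: the caacls container and one CA ACL entry. entryid and
# parentid stand in for the server-internal attributes (values made up).
CONTAINER_DN = "cn=caacls,cn=ca,dc=ipa,dc=example"
ACL_DN = "ipaUniqueID=090ffd12-3112-11e8-b258-001a4a2315cc," + CONTAINER_DN
DIRECTORY = {
    CONTAINER_DN: {"entryid": ["5"], "parentid": ["4"],
                   "objectClass": ["nsContainer"], "cn": ["caacls"]},
    ACL_DN: {"entryid": ["6"], "parentid": ["5"],
             "objectClass": ["ipaassociation", "ipacaacl"],
             "cn": ["hosts_services_caIPAserviceCert"], "ipaEnabledFlag": ["TRUE"]},
}

# Attributes each bound identity may read ("*" = everything). Assumed, following
# the thread: admin reads all, a host principal reads the user-visible CA ACL
# attributes but not parentid until an anonymous read ACI for parentid exists.
ACCESS_BEFORE_FIX = {
    "admin": {"*"},
    "host": {"objectClass", "cn", "ipaEnabledFlag", "hostCategory", "serviceCategory"},
}
ACCESS_AFTER_FIX = {
    "admin": {"*"},
    "host": ACCESS_BEFORE_FIX["host"] | {"parentid"},
}

CAACL_FILTER = [("objectClass", "ipaassociation"), ("objectClass", "ipacaacl")]


def can_read(readable, attr):
    return "*" in readable or attr in readable


def matches(entry, filt, readable):
    """Evaluate an AND of (attribute, value) equality terms. A term on an
    attribute the binder cannot read counts as non-matching: attribute access
    applies to filter evaluation, not only to which attributes are returned."""
    for attr, value in filt:
        if not can_read(readable, attr):
            return False
        if value.lower() not in (v.lower() for v in entry.get(attr, [])):
            return False
    return True


def search(bind, base, scope, filt, access):
    """Return the DNs visible to `bind` for a one-level or subtree search."""
    readable = access[bind]
    if scope == "one":
        # Children only; the server adds a parentid=<base entryid> term, so the
        # binder must be allowed to read parentid for any child to match.
        candidates = [dn for dn in DIRECTORY if dn != base and dn.endswith("," + base)]
        effective = [("parentid", DIRECTORY[base]["entryid"][0])] + list(filt)
    elif scope == "sub":
        # Base and everything beneath it; no parentid term is needed.
        candidates = [dn for dn in DIRECTORY if dn == base or dn.endswith("," + base)]
        effective = list(filt)
    else:
        raise ValueError("unsupported scope: %r" % scope)
    return [dn for dn in candidates if matches(DIRECTORY[dn], effective, readable)]


if __name__ == "__main__":
    for label, access in (("before fix", ACCESS_BEFORE_FIX), ("after fix", ACCESS_AFTER_FIX)):
        for bind in ("admin", "host"):
            for scope in ("one", "sub"):
                hits = search(bind, CONTAINER_DN, scope, CAACL_FILTER, access)
                print("%-10s %-5s scope=%-3s -> %d entries" % (label, bind, scope, len(hits)))
```

The model reproduces the observations in the thread: the host identity gets zero entries from a one-level search and one entry from a subtree search before the ACI, while admin sees the entry either way; once parentid is readable, the host's one-level search returns the CA ACL and the caacl lookup the certificate request depends on succeeds.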

master:

  • 34d06b2 Allow anonymous access to parentID attribute

The workaround works like a charm.

Metadata Update from @cheimes:
- Issue close_status updated to: fixed

2 years ago

Metadata Update from @ftweedal:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1588109

2 years ago

ipa-4-6:

  • f6a651d Allow anonymous access to parentID attribute

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.7)

2 years ago