#9277 kra/CS.cfg entries are not updated when KRA certificates are renewed
Opened a year ago by jh23453. Modified a year ago

On 2022-11-16 two of my four IPA servers have this healthcheck error:

freeipa1, freeipa2:

  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "KRADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005",
    "when": "20221116030029Z",
    "duration": "0.024925",
    "kw": {
      "key": "kra_sslserver",
      "nickname": "Server-Cert cert-pki-ca",
      "directive": "kra.sslserver.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
      "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
  },

The servers freeipa1-3 are Fedora 36, freeipa4 is Fedora 37 - all up to date.

All files /var/lib/pki/pki-tomcat/kra/conf/CS.cfg have changed last
in Nov/Dec 2021. Most likely due to me looking at that issue and only
"fixing" the error but not investigating the root cause. Let's see if we
can remedy that.

On freeipa1, the "Server-Cert cert-pki-ca" has been refreshed on 2022-11-13 15:27:35 CET.
On freeipa2, the "Server-Cert cert-pki-ca" has been refreshed on 2022-11-11 15:22:12 CET.

The certificates on freeipa3 and freeipa4 will be refreshed in Nov 2023.

On freeipa2 there are these CS.cfg files:

[root@freeipa2 ~]# ls -l /var/lib/pki/pki-tomcat/*/conf/CS.cfg
-rw-rw----. 1 pkiuser pkiuser 85469 11. Nov 15:22 /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
-rw-rw----. 1 pkiuser pkiuser 34418 18. Nov 2021  /var/lib/pki/pki-tomcat/kra/conf/CS.cfg

So it looks like the helper only refreshed the cert in ca, not on kra.
The certificate request has this post-save command:

    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"

When looking at the script, we call this for the cert:
python3.10/site-packages/ipaserver/install/cainstance.py:1157:
def update_cert_config(self, nickname, cert):

Which calls that function:
python3.10/site-packages/ipaserver/install/dogtaginstance.py:555:
def update_cert_cs_cfg(self, directive, cert):

But: there is no code to loop over the running services in pki-tomcat as
far as I can see. So we update ca/conf/CS.cfg, but not kra/conf/CS.cfg

Some related discussions:
https://bugzilla.redhat.com/show_bug.cgi?id=1869893 says:

  1. Though the subsystems seem to be working without errors so far, we
    still would like to have copies of the cert in CS.cfg... In future,
    these redundant copies of cert will be removed from CS.cfg and the code
    will be altered to retrieve certs from its NSSDB.

I've collected the logs of the certificate refresh on freeipa2 and can
provide them, but there was no related error as far as I can see.

PKI thinks that CA and KRA are enabled in this instance:

[pkiuser@freeipa2 ~]$ pki-server status
  Instance ID: pki-tomcat
  Active: True
  Nuxwdog Enabled: False
  Unsecure Port: 8080
  Secure Port: 8443
  AJP Port: 8009
  Tomcat Port: 8005

  CA Subsystem:
    Type:                CA Clone (Security Domain)
    SD Name:             IPA
    SD Registration URL: https://freeipa2.example.org:8443
    Enabled:             True
    Unsecure URL:        http://freeipa2.example.org:8080/ca/ee/ca
    Secure Agent URL:    https://freeipa2.example.org:8443/ca/agent/ca
    Secure EE URL:       https://freeipa2.example.org:8443/ca/ee/ca
    Secure Admin URL:    https://freeipa2.example.org:8443/ca/services
    PKI Console URL:     https://freeipa2.example.org:8443/ca

  KRA Subsystem:
    Type:                KRA
    SD Name:             IPA
    SD Registration URL: https://freeipa2.example.org:443
    Enabled:             True
    Secure Agent URL:    https://freeipa2.example.org:8443/kra/agent/kra
    Secure Admin URL:    https://freeipa2.example.org:8443/kra/services
    PKI Console URL:     https://freeipa2.example.org:8443/kra

I'm checking with the PKI team what impact not updating the KRA Server-Cert value has operationally.

There are two open, related issues in CS:

https://github.com/dogtagpki/pki/issues/2157
https://github.com/dogtagpki/pki/issues/2295

Only the first affects IPA directly, the copy of the certificate.

So for now we should ensure the KRA values are updated upon renewal.
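The check the healthcheck performs, and the fix the reporter asks for, as an added standalone example (this is not IPA's or Dogtag's code; the real post-save hook goes through `update_cert_cs_cfg` in `ipaserver`). It parses the key=value format of CS.cfg, compares the `<subsystem>.sslserver.cert` directive of every subsystem against the certificate actually in use, and rewrites the stale copies. The directive name `ca.sslserver.cert` is assumed by analogy with the `kra.sslserver.cert` directive from the healthcheck output; the CS.cfg excerpts and the DER byte strings are constructed placeholders, not real certificates.

```python
"""Detect and repair stale sslserver cert copies across Dogtag subsystem CS.cfg files.

Hypothetical standalone illustration, not FreeIPA/Dogtag code. Assumes CS.cfg
stores the certificate as one base64 line of DER under <subsystem>.sslserver.cert.
"""
import base64
import re
from typing import Dict, List, Tuple

# One directive per subsystem that runs inside the pki-tomcat instance.
# 'kra.sslserver.cert' is from the healthcheck output; 'ca.sslserver.cert' is assumed.
SSLSERVER_DIRECTIVES = {
    "ca": "ca.sslserver.cert",
    "kra": "kra.sslserver.cert",
}


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg (key=value lines, '#' comments) into a dict."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def pem_to_cs_value(pem: str) -> str:
    """Convert a PEM certificate into the single-line base64 DER form CS.cfg uses."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    der = base64.b64decode("".join(body.split()))
    return base64.b64encode(der).decode("ascii")


def find_stale_directives(subsystem_cfgs: Dict[str, str], current_pem: str) -> List[Tuple[str, str]]:
    """Return (subsystem, directive) for every CS.cfg whose copy differs from the live cert."""
    expected = pem_to_cs_value(current_pem)
    stale = []
    for subsystem, text in subsystem_cfgs.items():
        directive = SSLSERVER_DIRECTIVES[subsystem]
        if parse_cs_cfg(text).get(directive) != expected:
            stale.append((subsystem, directive))
    return stale


def update_directive(text: str, directive: str, value: str) -> str:
    """Rewrite one directive in CS.cfg text, keeping every other line untouched."""
    out, found = [], False
    for line in text.splitlines():
        if line.partition("=")[0].strip() == directive:
            out.append(f"{directive}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{directive}={value}")
    return "\n".join(out) + "\n"


def sync_all(subsystem_cfgs: Dict[str, str], current_pem: str) -> Dict[str, str]:
    """Loop over every subsystem, not just the CA, and refresh its cert copy."""
    expected = pem_to_cs_value(current_pem)
    return {s: update_directive(t, SSLSERVER_DIRECTIVES[s], expected) for s, t in subsystem_cfgs.items()}


# --- constructed sample input (stand-ins for real DER certificates) ---
OLD_DER = b"constructed DER bytes standing in for the 2021 Server-Cert"
NEW_DER = b"constructed DER bytes standing in for the renewed 2022 Server-Cert"


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, 64 chars per line as NSS/OpenSSL emit it."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


CA_CS_CFG = (
    "# constructed excerpt of ca/conf/CS.cfg, updated by the post-save hook\n"
    "ca.sslserver.nickname=Server-Cert cert-pki-ca\n"
    f"ca.sslserver.cert={base64.b64encode(NEW_DER).decode('ascii')}\n"
)
KRA_CS_CFG = (
    "# constructed excerpt of kra/conf/CS.cfg, untouched since 2021\n"
    "kra.sslserver.nickname=Server-Cert cert-pki-ca\n"
    f"kra.sslserver.cert={base64.b64encode(OLD_DER).decode('ascii')}\n"
)

if __name__ == "__main__":
    cfgs = {"ca": CA_CS_CFG, "kra": KRA_CS_CFG}
    live = make_pem(NEW_DER)
    for subsystem, directive in find_stale_directives(cfgs, live):
        print(f"{subsystem}: {directive} does not match the renewed certificate")
    fixed = sync_all(cfgs, live)
    print("stale after sync:", find_stale_directives(fixed, live))
```

On a live server the check would read each `/var/lib/pki/pki-tomcat/<subsystem>/conf/CS.cfg` and take the current certificate from the NSS database; the rewrite of `kra/conf/CS.cfg` can still fail for reasons outside this script, such as the SELinux labelling difference between the CA and KRA config directories noted later in this ticket.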

Metadata Update from @rcritten:
- Issue priority set to: normal

a year ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

a year ago

The changes are relatively minor and obvious but they fail to work because the SELinux context of the subsystem directories is different and we don't have write access to the KRA CS.cfg.

CA unconfined_u:object_r:pki_tomcat_cert_t:s0
KRA unconfined_u:object_r:pki_tomcat_etc_rw_t:s

I'll attach my diff here for posterity. I'm waiting on word back from the PKI team who owns the policy and whether this difference is intentional or not.
