#9462 Server install: failure to install with externally signed CA because of timezone issue
Closed: fixed 7 months ago by frenaud. Opened 7 months ago by frenaud.

Issue

ipa-server-install with externally signed CA refuses to install because it thinks the cert is not valid yet, although the CA cert is in the right time range.

Steps to Reproduce

  1. Generate a CSR with ipa-server-install --domain ipa.test --realm IPA.TEST -a $PWS -p $PWD --external-ca -U
  2. Sign the CSR /root/ipa.csr with your external CA
  3. Continue the installation with the CA cert: ipa-server-install --domain ipa.test --realm IPA.test -a Secret123 -p Secret123 --external-cert-file /tmp/ipa/ext_nssdb/chain.crt -U

Actual behavior

The installation fails because the installer thinks the cert is not yet valid:

# ipa-server-install --domain ipa.test --realm IPA.test -a Secret123 -p Secret123 --external-cert-file /tmp/ipa/ext_nssdb/chain.crt -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.11.0

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

CA certificate CN=Certificate Authority,O=IPA.TEST in /tmp/ipa/ext_nssdb/chain.crt is not valid: not valid before 2023-10-06 17:57:13+00:00 UTC is in the future.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The cert is already valid but the installer gets mixed up with the timezone:

# openssl x509 -noout -startdate -in /tmp/ipa/ext_nssdb/chain.crt 
notBefore=Oct  6 13:57:13 2023 GMT

Reproduced with freeipa-server 4.11.0-5.fc39
The installer is loading the certificate using the method ipalib.x509.load_pem_x509_certificate which internally uses cryptography.x509.load_pem_x509_certificate().

When the not_valid_before value is computed, the timezone is applied to cryptography's certificate not_valid_before value, which results in applying the time delta twice.
Based on the doc at https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Certificate.not_valid_before, the code should probably switch to not_valid_before_utc() to remove any confusion.
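As an added illustration (not code from the ticket or from FreeIPA), the double offset described above, reproduced with the standard library only: cryptography's `not_valid_before` returns a naive datetime that is already UTC, and the stand-in value and the UTC-4 host zone below are constructed to match the openssl output and the error message.

```python
from datetime import datetime, timedelta, timezone

# Stand-in for the naive datetime that cryptography's Certificate.not_valid_before
# returns: UTC wall-clock time with tzinfo=None (value from the openssl output above).
NOT_BEFORE_NAIVE = datetime(2023, 10, 6, 13, 57, 13)

# Constructed local zone of the host running the installer; UTC-4 reproduces
# the four-hour shift seen in the error message.
LOCAL_TZ = timezone(timedelta(hours=-4))


def not_before_buggy(naive_utc: datetime, local_tz: timezone) -> datetime:
    """Treat the naive value as local wall-clock time, then convert it to UTC.

    The value is already UTC, so the local offset is applied a second time.
    """
    return naive_utc.replace(tzinfo=local_tz).astimezone(timezone.utc)


def not_before_fixed(naive_utc: datetime) -> datetime:
    """Attach UTC without converting; same result as the not_valid_before_utc property."""
    return naive_utc.replace(tzinfo=timezone.utc)


def check_validity(not_before: datetime, now: datetime) -> str:
    """Mirror the installer's check: a notBefore in the future means 'not valid'."""
    if not_before > now:
        return f"not valid before {not_before} is in the future"
    return "valid"


def demo(now: datetime = datetime(2023, 10, 6, 15, 0, 0, tzinfo=timezone.utc)) -> dict:
    """Run both code paths at a constructed 'now' at which the cert is already valid."""
    return {
        "buggy": check_validity(not_before_buggy(NOT_BEFORE_NAIVE, LOCAL_TZ), now),
        "fixed": check_validity(not_before_fixed(NOT_BEFORE_NAIVE), now),
    }


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path}: {verdict}")
```

In a zone east of UTC the shift runs the other way, so the same defect would accept a certificate before its notBefore and, applied to notAfter, move the end of the accepted lifetime as well.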

Metadata Update from @frenaud:
- Issue assigned to frenaud

7 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7044

7 months ago

master:

  • b6af3a4 ipalib: fix the IPACertificate validity dates

ipa-4-11:

  • d9ad561 ipalib: fix the IPACertificate validity dates

ipa-4-10:

  • 12c59e7 ipalib: fix the IPACertificate validity dates

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 months ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-15443

6 months ago
