#9770 After the KRA certs renewal KRA installation failing on replica in ipa-4.11
Closed: fixed 3 months ago by sumenon. Opened 3 months ago by amore.

Steps to reproduce:
Install master with kra
Renew KRA subsystem certificates
Install replica with CA after the KRA certs renewal
Install KRA on replica

FINE: Response:
{
  "Response" : {
    "Status" : "1",
    "Error" : "Unable to add KRA connector for https://replica.ufreeipa.test:8443: KRA connector already exists"
  }
}
FINE: CAClient: Response: {
  "Response" : {
    "Status" : "1",
    "Error" : "Unable to add KRA connector for https://replica.ufreeipa.test:8443: KRA connector already exists"
  }
}

Metadata Update from @amore:
- Issue tagged with: test-failure, tests

Metadata Update from @frenaud:
- Issue assigned to frenaud

The issue happens only in SELinux enforcing mode. In the journal of the master, we can see the following message when one of the KRA certs is renewed:

Mar 26 13:31:42 master.ufreeipa.test kernel: audit: type=1400 audit(1742995902.128:4831): avc:  denied  { read } for  pid=27995 comm="python3.12" name="ca" dev="vda5" ino=111903 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
Mar 26 13:31:42 master.ufreeipa.test audit[27995]: AVC avc:  denied  { read } for  pid=27995 comm="python3.12" name="ca" dev="vda5" ino=111903 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0

I suspect this happens because the script renew_ca_cert is now checking if the KRA is installed:
https://pagure.io/freeipa/blob/a51c8b9397f0c5cdb2660c6e49478ab19f0138cd/f/install/restart_scripts/renew_ca_cert.in#_88-89

        if kra.is_installed():
            kra.update_cert_config(nickname, cert)

and if the call fails, it considers that KRA is not installed and skips the update of the CS.cfg file:
https://pagure.io/freeipa/blob/a51c8b9397f0c5cdb2660c6e49478ab19f0138cd/f/ipaserver/install/dogtaginstance.py#_176-189

    def is_installed(self):
        """
        Determine if subsystem instance has been installed.

        Returns True/False
        """
        try:
            result = ipautil.run(
                ['pki-server', 'subsystem-show', self.subsystem.lower()],
                capture_output=True)
            # parse the command output
            return 'Enabled: ' in result.output
        except ipautil.CalledProcessError:
            return False

As the helper is launched by certmonger, it has the security context certmonger_t but lacks permission to read the "ca" dir, which has the pki_tomcat_var_lib_t context.
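The analysis above rests on two observations: the AVC denial in the journal, and the is_installed() helper turning any command failure into "not installed". The following script is an added example for this ticket, not FreeIPA or Dogtag code. It parses AVC denial lines of the shape shown in the comment (the kernel and auditd copies of the same event are collapsed into one), filters for a certmonger_t process being refused access to pki_tomcat_var_lib_t data, and renders each hit as an allow rule so an operator can confirm, after a renewal in enforcing mode, whether the KRA check could have been silently skipped. SAMPLE_JOURNAL contains the two lines quoted from this ticket plus one constructed, unrelated httpd denial as noise; the rendered rule is the shape a policy change would take and is not a claim about the contents of the fix commit.

```python
"""Spot SELinux denials that make a certmonger-launched renewal helper
misjudge the KRA state (added example for this ticket, not FreeIPA code)."""
import re
from dataclasses import dataclass

# First two lines: the kernel and auditd copies of the denial quoted in the ticket.
# Third line: constructed noise (an unrelated httpd denial) to show filtering.
SAMPLE_JOURNAL = """\
Mar 26 13:31:42 master.ufreeipa.test kernel: audit: type=1400 audit(1742995902.128:4831): avc:  denied  { read } for  pid=27995 comm="python3.12" name="ca" dev="vda5" ino=111903 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
Mar 26 13:31:42 master.ufreeipa.test audit[27995]: AVC avc:  denied  { read } for  pid=27995 comm="python3.12" name="ca" dev="vda5" ino=111903 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
Mar 26 13:31:50 master.ufreeipa.test kernel: audit: type=1400 audit(1742995910.001:4840): avc:  denied  { write } for  pid=999 comm="httpd" name="x.log" dev="vda5" ino=222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    name: str
    comm: str
    pid: str
    permissive: str


def se_type(context):
    """Return the type component of an SELinux context (user:role:type:level)."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one journal line; return an AvcDenial or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcDenial(
        perms=tuple(sorted(m.group('perms').split())),
        scontext=kv.get('scontext', ''),
        tcontext=kv.get('tcontext', ''),
        tclass=kv.get('tclass', ''),
        name=kv.get('name', ''),
        comm=kv.get('comm', ''),
        pid=kv.get('pid', ''),
        permissive=kv.get('permissive', ''),
    )


def parse_journal(text):
    """All distinct AVC denials in the text; the kernel/auditd duplicate of one event counts once."""
    seen = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None and d not in seen:
            seen.append(d)
    return seen


def renewal_helper_denials(denials, source_type='certmonger_t',
                           target_type='pki_tomcat_var_lib_t'):
    """Denials where a certmonger-launched helper was refused access to pki-tomcat data."""
    return [d for d in denials
            if se_type(d.scontext) == source_type and se_type(d.tcontext) == target_type]


def suggested_rules(denials):
    """Render each denial as an allow rule (same shape audit2allow prints); assumption, not the fix."""
    rules = {
        f"allow {se_type(d.scontext)} {se_type(d.tcontext)}:{d.tclass} "
        f"{{ {' '.join(d.perms)} }};"
        for d in denials
    }
    return sorted(rules)


if __name__ == '__main__':
    hits = renewal_helper_denials(parse_journal(SAMPLE_JOURNAL))
    for d in hits:
        state = 'blocked' if d.permissive == '0' else 'logged only (permissive)'
        print(f"{d.comm} (pid {d.pid}) {state}: {' '.join(d.perms)} on {d.tclass} '{d.name}'")
    for rule in suggested_rules(hits):
        print(rule)
```

On a real host, feed it the output of journalctl around the renewal timestamp instead of SAMPLE_JOURNAL; permissive=0 on a hit means the read was actually refused, which is exactly the case where is_installed() returns False and the CS.cfg update is skipped.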

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7752

ipa-4-11:

  • 1d3b43f KRA cert renewal: allow certmonger_t to read "ca" dir
  • 2310977 Temp commit

Metadata Update from @sumenon:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
