RHEL-23077

The 11.5.0 cert chain importer is stricter than previous versions

    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Critical
    • rhel-9.4.z
    • pki-core
    • Seen testing with HSMs but not likely related to that.
    • rhel-sst-idm-cs
    • 0
    • QE ack, Dev ack
    • False

      We have a scenario in our automation as follows:

      • Install CA-less master
      • Make CA-less master CA-full with self-signed CA ($ ipa-ca-install)
      • Renew self-signed CA cert on master to external CA
      • Renew external CA to self-signed on master
      • Install replica with CA (--setup-ca) against the master

      The import of this "chain" is failing with:

      DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias pkcs7-cert-import --pkcs7 /tmp/tmpo22mm2_y/cert_chain.p7b --input-file /tmp/tmpq3alxilv/cert.pem --append --debug
      INFO: Initializing NSS
      INFO: Using internal token
      INFO: Loading certificates from /tmp/tmpo22mm2_y/cert_chain.p7b
      INFO: - CN=CA,O=Example Organization España
      INFO: Importing certificates from /tmp/tmpq3alxilv/cert.pem
      INFO: - CN=Certificate Authority,O=TESTRELM.TEST
      INFO: Storing certificates into /tmp/tmpo22mm2_y/cert_chain.p7b
      java.lang.Exception: Multiple leaf certificates: [CN=CA, O=Example Organization España], [CN=Certificate Authority, O=TESTRELM.TEST]
      at org.mozilla.jss.netscape.security.util.Cert.sortCertificateChain(Cert.java:308)
      at org.mozilla.jss.netscape.security.x509.CertificateChain.sort(CertificateChain.java:111)
      at org.mozilla.jss.netscape.security.x509.CertificateChain.toPKCS7(CertificateChain.java:234)
      at com.netscape.cmstools.pkcs7.PKCS7CertImportCLI.execute(PKCS7CertImportCLI.java:119)
      at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
      at org.dogtagpki.cli.CLI.execute(CLI.java:353)
      at org.dogtagpki.cli.CLI.execute(CLI.java:353)
      at org.dogtagpki.cli.CLI.execute(CLI.java:353)
      at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
      at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
      DEBUG: NSSDatabase.import_cert_chain(caSigningCert External CA) ends
      ERROR: CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', 'pkcs7-cert-import', '--pkcs7', '/tmp/tmpo22mm2_y/cert_chain.p7b', '--input-file', '/tmp/tmpq3alxilv/cert.pem', '--append', '--debug']' returned non-zero exit status 255.
      File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 569, in main
      deployer.spawn()
      File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 4854, in spawn
      scriptlet.spawn(self)
      File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 63, in spawn
      deployer.import_system_certs(nssdb, subsystem)
      File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 2248, in import_system_certs
      self.import_cert_chain(nssdb)
      File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 2192, in import_cert_chain
      nssdb.import_cert_chain(
      File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 2314, in import_cert_chain
      self.__convert_certs_into_pkcs7(pem_parts, input_file)
      File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 2288, in __convert_certs_into_pkcs7
      self.run(cmd, check=True)
      File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 326, in run
      result = subprocess.run(
      File "/usr/lib64/python3.9/subprocess.py", line 528, in run
      raise CalledProcessError(retcode, process.args,
      2023-12-06T07:59:50Z CRITICAL Failed to configure CA instance
      2023-12-06T07:59:50Z CRITICAL See the installation logs and the following files/directories for more information:
      2023-12-06T07:59:50Z CRITICAL /var/log/pki/pki-tomcat
      2023-12-06T07:59:50Z DEBUG Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
      run_step(full_msg, method)
      File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
      method()
      File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 680, in __spawn_instance
      DogtagInstance.spawn_instance(
      File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
      self.handle_setup_error(e)
      File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 609, in handle_setup_error
      raise RuntimeError(
      RuntimeError: CA configuration failed.
      2023-12-06T07:59:50Z DEBUG [error] RuntimeError: CA configuration failed.
      2023-12-06T07:59:50Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
      2023-12-06T07:59:50Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
      return_value = self.run()
      File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run
      return cfgr.run()
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
      return self.execute()
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
      for rval in self._executor():
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
      exc_handler(exc_info)
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
      self._handle_exception(exc_info)
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
      six.reraise(*exc_info)
      File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
      raise value
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
      step()
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
      return next(self.__gen)
      File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
      six.reraise(*exc_info)
      File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
      raise value
      File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
      value = gen.send(prev_value)
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure
      next(executor)
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
      exc_handler(exc_info)
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
      self._handle_exception(exc_info)
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception
      self.__parent._handle_exception(exc_info)
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
      six.reraise(*exc_info)
      File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
      raise value
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception
      super(ComponentBase, self)._handle_exception(exc_info)
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
      six.reraise(*exc_info)
      File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
      raise value
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
      step()
      File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
      return next(self.__gen)
      File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
      six.reraise(*exc_info)
      File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
      raise value
      File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
      value = gen.send(prev_value)
      File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
      for unused in self._installer(self.parent):
      File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 640, in main
      replica_install(self)
      File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 383, in decorated
      func(installer)
      File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1367, in install
      ca.install(False, config, options, custodia=custodia)
      File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 579, in install
      install_step_0(standalone, replica_config, options, custodia=custodia)
      File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 659, in install_step_0
      ca.configure_instance(
      File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 515, in configure_instance
      self.start_creation(runtime=runtime)
      File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
      run_step(full_msg, method)
      File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
      method()
      File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 680, in __spawn_instance
      DogtagInstance.spawn_instance(
      File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
      self.handle_setup_error(e)
      File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 609, in handle_setup_error
      raise RuntimeError(
      2023-12-06T07:59:50Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
      2023-12-06T07:59:50Z ERROR CA configuration failed.
      2023-12-06T07:59:50Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
      [root@replica ~]#

      This same chain can be imported with 11.4.0 and before.

      See https://issues.redhat.com/browse/FREEIPA-10630 for additional details
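      As an added illustration (this is not code from the issue, from pki-core or from JSS), the following pure-Python model reproduces the leaf-certificate check that the stack trace attributes to Cert.sortCertificateChain. It assumes the definition implied by the error message: a "leaf" is any certificate whose subject does not appear as the issuer of another certificate in the set, so two unrelated self-signed CA certificates (the external "CN=CA,O=Example Organization España" already in cert_chain.p7b and the self-signed "CN=Certificate Authority,O=TESTRELM.TEST" being appended) both count as leaves and the bundle is rejected. The names CertInfo, find_leaves, sort_chain and preflight_append are hypothetical, DN comparison is simplified to whitespace normalisation, and no PEM/PKCS#7 parsing is attempted; the sample DNs are constructed from the log above.

```python
# Added example (not from the Jira issue, pki-core or JSS): a model of the
# leaf-certificate check behind "Multiple leaf certificates", usable as a
# pre-flight check before running `pki pkcs7-cert-import --append`.
# Certificates are represented by subject/issuer DN strings only.
from dataclasses import dataclass
from typing import Dict, List, Optional


def normalize_dn(dn: str) -> str:
    """Collapse spacing differences such as 'CN=CA,O=X' vs 'CN=CA, O=X'.
    Simplification: naive split on commas; escaped commas inside RDN
    values are not handled."""
    return ",".join(part.strip() for part in dn.split(","))


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str

    def __post_init__(self) -> None:
        # frozen dataclass: store the normalised DNs via object.__setattr__
        object.__setattr__(self, "subject", normalize_dn(self.subject))
        object.__setattr__(self, "issuer", normalize_dn(self.issuer))

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def find_leaves(certs: List[CertInfo]) -> List[CertInfo]:
    """A leaf is a cert whose subject is not the issuer of any *other* cert
    in the set. Two unrelated self-signed roots are therefore both leaves."""
    leaves = []
    for cert in certs:
        has_child = any(
            other is not cert and other.issuer == cert.subject for other in certs
        )
        if not has_child:
            leaves.append(cert)
    return leaves


def sort_chain(certs: List[CertInfo]) -> List[CertInfo]:
    """Order the set leaf-first by following issuer links. Raises when the
    set is not a single chain, mirroring the importer's refusal to store an
    ambiguous bundle instead of guessing which chain was meant."""
    leaves = find_leaves(certs)
    if not leaves:
        raise ValueError("No leaf certificate found (issuer cycle?)")
    if len(leaves) > 1:
        names = ", ".join(f"[{c.subject}]" for c in leaves)
        raise ValueError(f"Multiple leaf certificates: {names}")
    # Note: certs sharing a subject (e.g. a renewed CA cert) collapse to one
    # entry here; a real implementation would also compare keys/serials.
    by_subject: Dict[str, CertInfo] = {c.subject: c for c in certs}
    ordered = [leaves[0]]
    seen = {leaves[0].subject}
    current = leaves[0]
    while not current.self_signed:
        parent = by_subject.get(current.issuer)
        if parent is None or parent.subject in seen:
            break  # issuer missing from the bundle (partial chain) or a cycle
        ordered.append(parent)
        seen.add(parent.subject)
        current = parent
    return ordered


def preflight_append(existing: List[CertInfo],
                     incoming: List[CertInfo]) -> Optional[str]:
    """Simulate `--append`: the certs already in the PKCS#7 file plus the new
    input must still sort into one chain. Returns None when they do, otherwise
    the error text an operator would see from the importer."""
    try:
        sort_chain(existing + incoming)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample input: the two DNs visible in the issue's log output.
EXTERNAL_CA = CertInfo("CN=CA,O=Example Organization España",
                       "CN=CA,O=Example Organization España")
IPA_CA_SELF_SIGNED = CertInfo("CN=Certificate Authority,O=TESTRELM.TEST",
                              "CN=Certificate Authority,O=TESTRELM.TEST")

if __name__ == "__main__":
    # Reproduces the rejection: cert_chain.p7b holds the external CA and the
    # appended cert.pem holds the self-signed IPA CA, so two leaves exist.
    print(preflight_append([EXTERNAL_CA], [IPA_CA_SELF_SIGNED]))
```

      Running preflight_append over the DNs from the log returns the same "Multiple leaf certificates" text, while a proper root/intermediate/leaf set (or a root plus an intermediate, with the leaf appended) returns None; that distinction is what a 11.5.0 upgrade check would need to catch before pkispawn runs the import.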

              edewata Endi Dewata
              rhn-engineering-rcrit Rob Crittenden
              RHCS Maintenance RHCS Maintenance