RHEL-84521

IPA server with external CA Network error validating certificates


    • Type: Bug
    • Resolution: Not a Bug
    • Other field values as exported: rhel-10.0, ipa, rhel-idm-ipa, ssg_idm, 2025-Q1-Alpha-S6

      What were you trying to do that didn't work?

      Querying an IPA server for certificates (with ipa cert-show) on a server set up using an external CA fails with the following:

      [root@ipa httpd]# ipa cert-show 98108463449865513376122289149129954799
      ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
      ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
      ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
      ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$0380a493...
      ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$0380a493.plugins
      ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
      ipa: DEBUG: importing plugin module ipaclient.plugins.automember
      ipa: DEBUG: importing plugin module ipaclient.plugins.automount
      ipa: DEBUG: importing plugin module ipaclient.plugins.baseuser
      ipa: DEBUG: ipaclient.plugins.baseuser is not a valid plugin module
      ipa: DEBUG: importing plugin module ipaclient.plugins.ca
      ipa: DEBUG: importing plugin module ipaclient.plugins.cert
      ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
      ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
      ipa: DEBUG: importing plugin module ipaclient.plugins.dns
      ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
      ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
      ipa: DEBUG: importing plugin module ipaclient.plugins.host
      ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
      ipa: DEBUG: importing plugin module ipaclient.plugins.internal
      ipa: DEBUG: importing plugin module ipaclient.plugins.location
      ipa: DEBUG: importing plugin module ipaclient.plugins.migration
      ipa: DEBUG: importing plugin module ipaclient.plugins.misc
      ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
      ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
      ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
      ipa: DEBUG: importing plugin module ipaclient.plugins.permission
      ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
      ipa: DEBUG: importing plugin module ipaclient.plugins.server
      ipa: DEBUG: importing plugin module ipaclient.plugins.service
      ipa: DEBUG: importing plugin module ipaclient.plugins.stageuser
      ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
      ipa: DEBUG: importing plugin module ipaclient.plugins.topology
      ipa: DEBUG: importing plugin module ipaclient.plugins.trust
      ipa: DEBUG: importing plugin module ipaclient.plugins.user
      ipa: DEBUG: importing plugin module ipaclient.plugins.vault
      ipa: DEBUG: found session_cookie in persistent storage for principal 'admin@SMARTCARD.TEST', cookie: 'ipa_session=MagBearerToken=VVqqBLIb48F%2fConVHh6hGTE5lgxxAbXsx93cQOofzjJQgKvVNcw6iWeUQxP6SpbXWHcMUUOjLN5OGutpFoOuOi2mkyzmUuzUFbnYwpwSO7UHBOe%2fZndBHlxY4PHj2Wh8kBiI4daPtboBFP3z1hywnXbGCZxEasmd247q6pvYNkEG5ji8X%2bfqQ2uCqXyxD%2b9IpvESEjV9lJt5LjBsgjjpGA%3d%3d'
      ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=VVqqBLIb48F%2fConVHh6hGTE5lgxxAbXsx93cQOofzjJQgKvVNcw6iWeUQxP6SpbXWHcMUUOjLN5OGutpFoOuOi2mkyzmUuzUFbnYwpwSO7UHBOe%2fZndBHlxY4PHj2Wh8kBiI4daPtboBFP3z1hywnXbGCZxEasmd247q6pvYNkEG5ji8X%2bfqQ2uCqXyxD%2b9IpvESEjV9lJt5LjBsgjjpGA%3d%3d;'
      ipa: DEBUG: trying https://ipa.smartcard.test/ipa/session/json
      ipa: DEBUG: Created connection context.rpcclient_139684483411040
      ipa: DEBUG: raw: cert_show('98108463449865513376122289149129954799', version='2.254')
      ipa: DEBUG: cert_show('98108463449865513376122289149129954799', version='2.254')
      ipa: DEBUG: [try 1]: Forwarding 'cert_show/1' to json server 'https://ipa.smartcard.test/ipa/session/json'
      ipa: DEBUG: New HTTP connection (ipa.smartcard.test)
      ipa: DEBUG: Destroyed connection context.rpcclient_139684483411040
      ipa: ERROR: cannot connect to 'https://ipa.smartcard.test:443/ca/rest/certs/98108463449865513376122289149129954799': [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure (_ssl.c:2580)
      

      What is the impact of this issue to you?

      This is preventing smart card setups from working on IPA servers with an external CA. Initially I found this trying to issue certificates from the IPA server.

      Please provide the package NVR for which the bug is seen:

      ipa-server-4.12.2-15.el10.x86_64

      How reproducible is this bug?:

      Appears to be consistent.

      Steps to reproduce

      1. Set up a local external CA with openssl
      2. Run ipa-server-install with the --external-ca option
      3. Use ipa.csr with the CA to issue a certificate for the IPA server
      4. Run ipa-server-install again using the root CA cert and the new IPA cert
      5. Enable OCSP checking in /etc/httpd/conf.d/ssl.conf for the WebUI/API
      6. Run ipa cert-show

      Expected results

      1. ipa cert-show returns the certificate information without error

      Actual results

      1. Error seen as shown above.

              frenaud@redhat.com Florence Renaud
              spoore@redhat.com Scott Poore
              Sudhir Menon