I noticed that one of my FreeIPA servers is missing the Vault tab in the web UI.
I've got a workaround but it seems a bit fishy and I wondered if someone else could suggest a better fix.
The server in question is the only one that runs CentOS 8 (ipa-server 4.8.0-13.module_el8.1.0+265+e1e65be4). My other servers are running CentOS 7 and work fine.
The command 'ipa vaultconfig-show' fails when run against the bad server with:
[admin@client ~]$ ipa -vv vaultconfig-show
[...]
ipa: INFO: Request: {
    "id": 0,
    "method": "vaultconfig_show/1",
    "params": [
        [],
        {
            "version": "2.233"
        }
    ]
}
ipa: INFO: Response: {
    "error": {
        "code": 903,
        "data": {},
        "message": "an internal error has occurred",
        "name": "InternalError"
    },
    "id": 0,
    "principal": "admin@IPA.EXAMPLE.COM",
    "result": null,
    "version": "4.8.0"
}
ipa: ERROR: an internal error has occurred
The corresponding httpd logs on the server (192.0.2.1 is my client, the server is [2001:db8::1]) contain:
==> /var/log/httpd/access_log <==
192.0.2.1 - admin@IPA.EXAMPLE.COM [18/Mar/2020:08:31:50 +0000] "POST /ipa/json HTTP/1.1" 200 210

==> /var/log/httpd/error_log <==
[Wed Mar 18 08:31:51.760354 2020] [:warn] [pid 22279:tid 139671875061504] [client 192.0.2.1:62546] failed to set perms (3140) on file (/run/ipa/ccaches/admin@IPA.EXAMPLE.COM)!, referer: https://ipa2.ipa.example.com/ipa/xml
[Wed Mar 18 08:31:51.807084 2020] [wsgi:error] [pid 22274:tid 139672253028096] [remote 192.0.2.1:62546] ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE.COM: ping(): SUCCESS

==> /var/log/httpd/access_log <==
192.0.2.1 - admin@IPA.EXAMPLE.COM [18/Mar/2020:08:31:51 +0000] "POST /ipa/session/json HTTP/1.1" 200 276

==> /var/log/httpd/error_log <==
[Wed Mar 18 08:31:51.917275 2020] [:warn] [pid 22279:tid 139671891846912] [client 192.0.2.1:62546] failed to set perms (3140) on file (/run/ipa/ccaches/admin@IPA.EXAMPLE.COM)!, referer: https://ipa2.ipa.example.com/ipa/xml

==> /var/log/httpd/access_log <==
2001:db8::1 - - [18/Mar/2020:08:31:52 +0000] "GET /pki/rest/info HTTP/1.1" 404 211

==> /var/log/httpd/error_log <==
[Wed Mar 18 08:31:52.582003 2020] [ssl:error] [pid 23219:tid 139671598266112] [client 2001:db8::1:44620] AH: verify client post handshake
[Wed Mar 18 08:31:52.582101 2020] [ssl:error] [pid 23219:tid 139671598266112] [client 2001:db8::1:44620] AH10158: cannot perform post-handshake authentication
[Wed Mar 18 08:31:52.582207 2020] [ssl:error] [pid 23219:tid 139671598266112] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received

==> /var/log/httpd/access_log <==
2001:db8::1 - - [18/Mar/2020:08:31:52 +0000] "GET /kra/rest/config/cert/transport HTTP/1.1" 403 298

==> /var/log/httpd/error_log <==
[Wed Mar 18 08:31:52.586053 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] ipa: ERROR: non-public: HTTPError: 403 Client Error: Forbidden for url: https://ipa2.ipa.example.com:443/kra/rest/config/cert/transport
[Wed Mar 18 08:31:52.586100 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] Traceback (most recent call last):
[Wed Mar 18 08:31:52.586106 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 429, in handler
[Wed Mar 18 08:31:52.586112 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     json = exc_val.response.json()
[Wed Mar 18 08:31:52.586116 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/requests/models.py", line 897, in json
[Wed Mar 18 08:31:52.586121 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return complexjson.loads(self.text, **kwargs)
[Wed Mar 18 08:31:52.586127 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib64/python3.6/json/__init__.py", line 354, in loads
[Wed Mar 18 08:31:52.586133 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return _default_decoder.decode(s)
[Wed Mar 18 08:31:52.586137 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib64/python3.6/json/decoder.py", line 339, in decode
[Wed Mar 18 08:31:52.586142 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     obj, end = self.raw_decode(s, idx=_w(s, 0).end())
[Wed Mar 18 08:31:52.586146 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib64/python3.6/json/decoder.py", line 357, in raw_decode
[Wed Mar 18 08:31:52.586151 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     raise JSONDecodeError("Expecting value", s, err.value) from None
[Wed Mar 18 08:31:52.586156 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
[Wed Mar 18 08:31:52.586160 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]
[Wed Mar 18 08:31:52.586165 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] During handling of the above exception, another exception occurred:
[Wed Mar 18 08:31:52.586169 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]
[Wed Mar 18 08:31:52.586174 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] Traceback (most recent call last):
[Wed Mar 18 08:31:52.586179 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Wed Mar 18 08:31:52.586184 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     result = command(*args, **options)
[Wed Mar 18 08:31:52.586189 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
[Wed Mar 18 08:31:52.586194 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return self.__do_call(*args, **options)
[Wed Mar 18 08:31:52.586199 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 478, in __do_call
[Wed Mar 18 08:31:52.586204 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     ret = self.run(*args, **options)
[Wed Mar 18 08:31:52.586209 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 800, in run
[Wed Mar 18 08:31:52.586214 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return self.execute(*args, **options)
[Wed Mar 18 08:31:52.586252 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/vault.py", line 1003, in execute
[Wed Mar 18 08:31:52.586258 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     transport_cert = kra_client.system_certs.get_transport_cert()
[Wed Mar 18 08:31:52.586263 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 434, in handler
[Wed Mar 18 08:31:52.586267 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     six.reraise(exc_type, exc_val, exc_tb)
[Wed Mar 18 08:31:52.586272 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
[Wed Mar 18 08:31:52.586277 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     raise value
[Wed Mar 18 08:31:52.586281 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
[Wed Mar 18 08:31:52.586286 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return fn_call(inst, *args, **kwargs)
[Wed Mar 18 08:31:52.586290 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/systemcert.py", line 54, in get_transport_cert
[Wed Mar 18 08:31:52.586295 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     response = self.connection.get(url, self.headers)
[Wed Mar 18 08:31:52.586300 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
[Wed Mar 18 08:31:52.586305 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return func(self, *args, **kwargs)
[Wed Mar 18 08:31:52.586309 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/client.py", line 165, in get
[Wed Mar 18 08:31:52.586314 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     r.raise_for_status()
[Wed Mar 18 08:31:52.586319 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
[Wed Mar 18 08:31:52.586324 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     raise HTTPError(http_error_msg, response=self)
[Wed Mar 18 08:31:52.586330 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://ipa2.ipa.example.com:443/kra/rest/config/cert/transport
[Wed Mar 18 08:31:52.586340 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]
[Wed Mar 18 08:31:52.586647 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE.COM: vaultconfig_show/1(version='2.235'): InternalError

==> /var/log/httpd/access_log <==
192.0.2.1 - admin@IPA.EXAMPLE.COM [18/Mar/2020:08:31:51 +0000] "POST /ipa/session/json HTTP/1.1" 200 173
It looks like the IPA API server requests /kra/rest/config/cert/transport, which httpd normally proxies through to Tomcat; but there's something about the request that causes mod_ssl to reject it ("cannot perform post-handshake authentication").
Unauthenticated requests to that URL work fine:
# curl -s https://ipa2.ipa.example.com/kra/rest/config/cert/transport | head -n1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><CertData xmlns:ns2="http://www.w3.org/2005/Atom" id="0xb"><Encoded>-----BEGIN CERTIFICATE-----
If I reconfigure httpd with "SSLProtocol +TLSv1.2 -TLSv1.3" then the problem goes away. As far as I know, the default in RHEL 8 is to _not_ include an SSLProtocol line so that the system-wide crypto-policies(5) will be used. Hence this feels like the wrong solution to me.
Interestingly, "SSLProtocol -TLSv1.3" causes httpd to fail to start with "AH02231: No SSL protocols available [hint: SSLProtocol]"... even though (testing with sslyze), no SSLProtocol directive leaves only TLSv1.2 and TLSv1.3 enabled...
-- Sam Morris https://robots.org.uk/ PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
Sam Morris via FreeIPA-users wrote:
If I reconfigure httpd with "SSLProtocol +TLSv1.2 -TLSv1.3" then the problem goes away. As far as I know, the default in RHEL 8 is to _not_ include an SSLProtocol line so that the system-wide crypto-policies(5) will be used. Hence this feels like the wrong solution to me.
Interestingly, "SSLProtocol -TLSv1.3" causes httpd to fail to start with "AH02231: No SSL protocols available [hint: SSLProtocol]"... even though (testing with sslyze), no SSLProtocol directive leaves only TLSv1.2 and TLSv1.3 enabled...
My memory is a bit fuzzy on this but IIRC there were issues with TLS 1.3 and Java (or JSS) in this release. I thought that 1.3 was disabled by default; apparently not.
If there is no SSLProtocol line then Apache will use the default crypto policy, which is apparently 1.2 and 1.3. I suspect the subtraction doesn't work because there is no explicit policy to subtract from and since there is an SSLProtocol the fallback to default policy isn't triggered. You could open a bug against Apache on that but it might be impossible or very difficult to implement because the crypto policy is opaque.
My memory is a bit fuzzy on this but IIRC there were issues with TLS 1.3 and Java (or JSS) in this release. I thought that 1.3 was disabled by default; apparently not.
Thanks. I guess we ran into <https://bz.apache.org/bugzilla/show_bug.cgi?id=62975> and the IPA API hasn't enabled <https://docs.python.org/3/library/ssl.html#ssl.SSLContext.post_handshake_aut...> (which was backported to Python 3.6 despite what the documentation says, per https://bugs.python.org/issue34670#msg327932). But I've not delved into the code to confirm whether this is the case.
If there is no SSLProtocol line then Apache will use the default crypto policy, which is apparently 1.2 and 1.3. I suspect the subtraction doesn't work because there is no explicit policy to subtract from and since there is an SSLProtocol the fallback to default policy isn't triggered. You could open a bug against Apache on that but it might be impossible or very difficult to implement because the crypto policy is opaque.
I'll deal with it by explicitly enabling TLSv1.2 for now. :)
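The client-side setting the last message points at, shown as an added example rather than code from this thread, FreeIPA or Dogtag PKI: when mod_ssl requires a client certificate only inside a particular location, a TLS 1.3 connection can only ask for it after the handshake, and OpenSSL refuses with "extension not received" (the AH10158 line in the error_log above) unless the client announced post-handshake authentication up front. The stdlib client below announces it through ssl.SSLContext.post_handshake_auth and, on a Python build that lacks that attribute, caps itself at TLS 1.2 so the server can renegotiate instead; that fallback is the client-side counterpart of the "SSLProtocol +TLSv1.2 -TLSv1.3" workaround and leaves the server on its crypto-policy defaults. The helper names, the certificate paths, the Accept header and the hostname are assumptions made for the example.

```python
"""Client-side TLS 1.3 post-handshake authentication (PHA) with the stdlib.

Added example, not code from FreeIPA or Dogtag PKI. Helper names, cert
paths and the hostname are assumptions for illustration.
"""
import http.client
import ssl
from typing import Optional


def pha_available() -> bool:
    """True when this Python build can announce the PHA extension.

    CPython added SSLContext.post_handshake_auth in 3.7 and backported it to
    3.6.7 (bpo-34670), so a hasattr() check is more reliable than a version
    check. TLS 1.3 itself also needs an OpenSSL 1.1.1+ build.
    """
    return (hasattr(ssl.SSLContext, "post_handshake_auth")
            and getattr(ssl, "HAS_TLSv1_3", False))


def build_client_context(ca_file: Optional[str] = None,
                         client_cert: Optional[str] = None,
                         client_key: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context that can satisfy a post-handshake cert request.

    With PHA available, the client announces the extension so a server that
    only requires a client cert per-location (SSLVerifyClient inside a
    <Location> block) can ask for it after the TLS 1.3 handshake. Without
    PHA, cap the client at TLS 1.2 (needs Python 3.7+), where the server can
    renegotiate instead; this is a last resort, not the preferred path.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    if pha_available():
        ctx.post_handshake_auth = True      # announce the TLS 1.3 PHA extension
    else:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # fall back to TLS 1.2
    return ctx


def context_mode(ctx: ssl.SSLContext) -> str:
    """Report which strategy a context ended up with: 'pha' or 'tls12-cap'."""
    if getattr(ctx, "post_handshake_auth", False):
        return "pha"
    if ctx.maximum_version == ssl.TLSVersion.TLSv1_2:
        return "tls12-cap"
    return "neither"


def fetch_transport_cert(host: str, ctx: ssl.SSLContext,
                         path: str = "/kra/rest/config/cert/transport") -> bytes:
    """GET the KRA transport cert document (the request that failed with 403
    in the thread) over a connection that can answer a post-handshake
    CertificateRequest. Returns the raw response body."""
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    try:
        conn.request("GET", path, headers={"Accept": "application/xml"})
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"{resp.status} {resp.reason} for {path}")
        return body
    finally:
        conn.close()


if __name__ == "__main__":
    ctx = build_client_context()
    print("PHA available:", pha_available(), "mode:", context_mode(ctx))
    # Real use against a server (hostname is an assumption):
    # print(fetch_transport_cert("ipa2.ipa.example.com", ctx)[:80])
```

Running the module prints which strategy the local Python build ended up with; against a server, `fetch_transport_cert` would only succeed after a post-handshake certificate request once `post_handshake_auth` is set, which is the difference between the 403 in the logs above and the 200 that the unauthenticated curl got.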
freeipa-users@lists.fedorahosted.org