httpinstance: disable system trust module in /etc/httpd/alias #531
Conversation
Your solution is just a temporary solution. The file is re-added every time mod_nss is updated. The mod_nss package needs to be changed, too.

Sigh, did not notice that.
https://src.fedoraproject.org/cgit/rpms/mod_nss.git/tree/mod_nss.spec#n158

Updated to use
Currently the NSS database in /etc/httpd/alias is installed with the system trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the system trust module is enabled in the database. This may cause IPA-unrelated CAs to be trusted by httpd, or even IPA-related CAs not to be trusted by httpd.
* On client install, the IPA trust configuration is copied to the system trust store for third parties. When this configuration is removed, it may cause loss of trust information in /etc/httpd/alias (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).
* When a CA certificate provided by the user in a CA-less install conflicts with a CA certificate in the system trust store, the latter may be used by httpd, leading to broken https (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the system trust store from being used in /etc/httpd/alias and fix all of the above issues.

https://pagure.io/freeipa/issue/6132
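The install/upgrade step the description asks for, as an added example that is not FreeIPA's own code: it lists the module with `modutil`, reads the per-slot `Status:` line, and only issues `-disable` when a slot is still enabled, so running it on every install and upgrade is harmless (which matters because, as the discussion notes, a mod_nss update re-adds the database with the module enabled). The module name `Root Certs`, the `modutil` path and the sample listing are assumptions constructed for this example; the `run` parameter exists only so the decision logic can be exercised without a real NSS database.

```python
"""Disable the NSS system trust module in /etc/httpd/alias (added example)."""
import re
import subprocess

MODUTIL = "/usr/bin/modutil"          # assumed location of the NSS modutil tool
HTTPD_ALIAS_DIR = "/etc/httpd/alias"
# Assumption: mod_nss registers the system trust library (libnssckbi.so)
# in the httpd database under this module name.
SYSTEM_TRUST_MODULE = "Root Certs"

# Constructed excerpt of what `modutil -dbdir /etc/httpd/alias -list "Root Certs"`
# prints; only the per-slot "Status:" line matters for the decision below.
SAMPLE_ENABLED = """\
-----------------------------------------------------------
Name: Root Certs
Library file: libnssckbi.so
Description: NSS Builtin Object Cryptoki Module

  Slot: NSS Builtin Objects
  Status: Enabled
  Token Name: Builtin Object Token
-----------------------------------------------------------
"""
SAMPLE_DISABLED = SAMPLE_ENABLED.replace("Status: Enabled", "Status: Disabled")

_STATUS_RE = re.compile(r"^\s*Status:\s*(Enabled|Disabled)\s*$", re.MULTILINE)


def slot_statuses(listing):
    """Return the Status value of every slot in a `modutil -list <name>` listing."""
    return _STATUS_RE.findall(listing)


def system_trust_enabled(listing):
    """True if any slot of the module is still enabled, i.e. httpd would consult it."""
    return "Enabled" in slot_statuses(listing)


def modutil_args(action, name, dbdir=HTTPD_ALIAS_DIR):
    """Build a non-interactive modutil command line (-force skips the y/n prompt)."""
    return [MODUTIL, "-dbdir", dbdir, "-force", action, name]


def disable_system_trust(dbdir=HTTPD_ALIAS_DIR, name=SYSTEM_TRUST_MODULE,
                         run=subprocess.run):
    """Disable the system trust module in dbdir if it is present and enabled.

    Returns True when a change was made and False when the module is absent or
    already disabled, so the call is safe to repeat on every install/upgrade.
    """
    listed = run(modutil_args("-list", name, dbdir), capture_output=True, text=True)
    if listed.returncode != 0:
        # modutil exits non-zero when the module is not in this database,
        # e.g. on a host where mod_nss never added it; nothing to do.
        return False
    if not system_trust_enabled(listed.stdout):
        return False
    run(modutil_args("-disable", name, dbdir), check=True)
    return True


if __name__ == "__main__":
    changed = disable_system_trust()
    print("system trust module disabled" if changed else "nothing to change")
```

Checking the listing before disabling, rather than calling `-disable` unconditionally, keeps the upgrade log honest about what actually changed and avoids an error exit on hosts where the module was never added.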
IIRC on install all three existing db's get copied to .orig, or something like that right? So uninstall would move those back into place effectively disabling this?

Yes. That is, once https://pagure.io/freeipa/issue/4639 is fixed.

Just FYI I'm opening an upstream discussion with the NSS team on this. It is very strange that there is a conflict like this, particularly between master and replica.

The conflict between master and replica exists because on the master, client install is executed last, but on (domain level 1+) replica it is executed first, so on the master

It seems to work fine for "mod_nss" reinstalls but edit: actually, modutil shows the module got disabled during upgrade (even though IPA does not work), so I guess that should be fine since not-upgraded-but-with-this-patch IPA seems to work.

I rebased your patchset on current master and put the uninstallation of
master:

Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause
  IPA-unrelated CAs to be trusted by httpd, or even IPA-related CAs not to be
  trusted by httpd.
* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).
* When a CA certificate provided by the user in a CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store from being used in /etc/httpd/alias and fix all of the
above issues.

https://pagure.io/freeipa/issue/6132