Jeffrey van Pelt via FreeIPA-users wrote:
> Hi all,
>
> Currently I'm setting up a FreeIPA instance on EL8 with the
> crypto-policy set to FUTURE.
>
> When running the ipa-server-install program, it errors out when setting
> up the PKI infrastructure.
>
> Below is the command I ran:
>
> ```
> ipa-server-install --pki-config-override /root/freeipa_pki_override.cfg
> --setup-adtrust -p Banana123! -a Banana123! -r EXAMPLE.COM -U
> ```
>
> As this command already shows, I already have some PKI override settings
> to ensure all created keys are 4096 bits long:
>
> ```
> [CA]
> pki_ca_signing_key_size=4096
> [DEFAULT]
> pki_admin_key_size=4096
> pki_audit_signing_key_size=4096
> pki_sslserver_key_size=4096
> pki_subsystem_key_size=4096
> ```
>
> And even despite these settings, the command errors out giving me the
> message as below:
>
> ```
> ..truncated..
> [22/28]: enabling CA instance
> [23/28]: migrating certificate profiles to LDAP
> [24/28]: importing IPA certificate profiles
> [error] NetworkError: cannot connect to
> 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL:
> EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
> cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login':
> [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
> The ipa-server-install command failed. See /var/log/ipaserver-install.log for
> more information
> ```
>
> So _some_ certificate _somewhere_ is not strong enough, but I can't find
> which one it is and how to ensure it's strengthened sufficiently.
>
> When I check the log file it shows basically the same message (except
> with a lot of Python stacktraces with 'NetworkError').
>
> When I revert the crypto-policy back to DEFAULT the command as shown
> above will succeed.
>
> Anyone have a clue? :)
>
The RA agent certificate used by IPA is requested from certmonger without specifying key size, so it defaults to 2048 (hardcoded). I added a setting in upstream certmonger to be able to modify this default, but it is not released yet.

On the IPA side, ipalib/install/certmonger.py::request_cert needs to be able to take a key size argument and pass in KEY_SIZE in the certmonger request. How that would tie into the rest of IPA is TBD, as some default would need to be set somewhere.

What problem are you trying to solve using FUTURE policy? 4k keys are going to be quite slow.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
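The question in the thread is which certificate the EE_KEY_TOO_SMALL error is about, and the reply points at a 2048-bit RA agent key that the FUTURE policy rejects. The following is an added example, not FreeIPA, certmonger or Dogtag code: a stand-alone Python script that reads PEM certificate files, pulls the RSA modulus size out of each certificate with a minimal DER walk (no third-party library needed), and flags anything below a configurable minimum. The 3072-bit threshold is an assumption about the EL8 FUTURE policy's RSA minimum; the `_fake_cert_pem` helper builds an unsigned, structurally valid certificate skeleton as constructed test data so the script can be exercised offline.

```python
"""Report RSA key sizes in PEM certificate files and flag those under a
crypto-policy minimum. Added example for the FreeIPA-users thread above;
not project code. Usage: python check_key_sizes.py cert1.pem cert2.pem ..."""
import base64
import re
import sys

# Assumption: the EL8 FUTURE crypto-policy refuses RSA keys shorter than 3072 bits.
FUTURE_MIN_RSA_BITS = 3072
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a constructed DER value into (tag, body) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        out.append((tag, body))
    return out


def rsa_modulus_bits(cert_der):
    """Return the RSA modulus size of a DER certificate, or None if not RSA."""
    _, cert_body, _ = _tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    fields = _children(_children(cert_body)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = _children(fields[5][1])
    alg_oid = _children(spki[0][1])[0][1]
    if alg_oid != RSA_ENCRYPTION_OID:
        return None
    rsa_key = spki[1][1][1:]                         # BIT STRING minus unused-bits octet
    modulus = _children(_children(rsa_key)[0][1])[0][1]
    return int.from_bytes(modulus, "big").bit_length()


def pem_certs(text):
    """Yield DER blobs for every CERTIFICATE block in a PEM string."""
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    for b64 in re.findall(pattern, text, re.S):
        yield base64.b64decode("".join(b64.split()))


def check_certs(text, min_bits=FUTURE_MIN_RSA_BITS):
    """Return [(index, bits, ok)] per certificate; non-RSA keys are not judged."""
    return [(i, bits, bits is None or bits >= min_bits)
            for i, bits in enumerate(rsa_modulus_bits(d) for d in pem_certs(text))]


def _der(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _fake_cert_pem(bits):
    """Constructed test data: an unsigned certificate skeleton (empty issuer,
    validity and subject, zero-length signature) carrying an RSA modulus of
    exactly `bits` bits. Not a usable certificate."""
    modulus = (1 << (bits - 1)) | 1                  # top bit set, so bit_length == bits
    n_int = _der(0x02, b"\x00" + modulus.to_bytes(bits // 8, "big"))
    e_int = _der(0x02, b"\x01\x00\x01")
    rsa_key = _der(0x30, n_int + e_int)
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    empty_seq = _der(0x30, b"")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + empty_seq * 4 + spki)
    cert = _der(0x30, tbs + empty_seq + _der(0x03, b"\x00"))
    b64 = base64.encodebytes(cert).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path) as fh:
            for idx, bits, ok in check_certs(fh.read()):
                verdict = "ok" if ok else f"TOO SMALL (< {FUTURE_MIN_RSA_BITS})"
                print(f"{path}[{idx}]: RSA {bits} bits: {verdict}")
```

Run it over the PEM files your IPA server and Dogtag instance actually use (the RA agent certificate file and the CA's exported system certificates, paths as on your installation) and the sub-3072-bit entry is the one the policy rejects; the `pki_*_key_size` overrides in the original message cover only the Dogtag-generated keys, which is why the certmonger-requested RA key can still come out at 2048.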
