Jeffrey van Pelt wrote: > > On Mon, Oct 18, 2021 at 12:49:35PM -0400, Rob Crittenden wrote: >> Jeffrey van Pelt via FreeIPA-users wrote: >>> Hi all, >>> >>> Currently I'm setting up a FreeIPA instance on EL8 with the >>> crypto-policy set to FUTURE. >>> >>> When running the ipa-server-install program, it errors out when setting >>> up the PKI infrastructure. >>> >>> Below is the command I ran: >>> >>> ``` >>> ipa-server-install --pki-config-override /root/freeipa_pki_override.cfg >>> --setup-adtrust -p Banana123! -a Banana123! -r EXAMPLE.COM -U >>> ``` >>> >>> As this command already shows, I already have some PKI override settings >>> to ensure all created keys are 4096 bits long: >>> >>> ``` >>> [CA] >>> pki_ca_signing_key_size=4096 >>> [DEFAULT] >>> pki_admin_key_size=4096 >>> pki_audit_signing_key_size=4096 >>> pki_sslserver_key_size=4096 >>> pki_subsystem_key_size=4096 >>> ``` >>> >>> And even despite these settings, the command errors out giving me the >>> message as below: >>> >>> ``` >>> ..truncated.. >>> [22/28]: enabling CA instance >>> [23/28]: migrating certificate profiles to LDAP >>> [24/28]: importing IPA certificate profiles >>> [error] NetworkError: cannot connect to >>> 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: >>> EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) >>> cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': >>> [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) >>> The ipa-server-install command failed. See /var/log/ipaserver-install.log >>> for more information >>> ``` >>> >>> So _some_ certificate _somewhere_ is not strong enough, but I can't find >>> which one it is and how to ensure it's strengthened sufficiently. >>> >>> When I check the log file it shows basically the same message (except >>> with a lot of Python stacktraces with 'NetworkError') >>> >>> When I revert the crypto-policy back to DEFAULT the command as shown >>> above will succeed. >>> >>> Anyone have a clue? :) >>> >> >> The RA agent certificate used by IPA is requested from certmonger >> without specifying key size so it defaults to 2048 (hardcoded). >> >> I added a setting in upstream certmonger to be able to modify this >> default but it is not released yet. >> >> On the IPA side, ipalib/install/certmonger.py::request_cert needs to be >> able to take a key size argument and pass in KEY_SIZE in the certmonger >> request. How that would tie into the rest of IPA is TBD as some default >> would need to be set somewhere. >> >> What problem are you trying to solve using FUTURE policy? 4k keys are >> going to be quite slow. >> >> rob >> > > Gotcha, is there any way I can add in that patch now? > > I need to build an infrastructure based on EL8 which must be > CIS-compliant. In the most recent version of the requirements they state > the following: > > - 1.10 Ensure system-wide crypto policy is not legacy (Scored) > - 1.11 Ensure system-wide crypto policy is FUTURE or FIPS (Scored) > > We opted for FUTURE in our environment, but enabling this breaks the > setup :-) > > (full document: > https://paper.bobylive.com/Security/CIS/CIS_Red_Hat_Enterprise_Linux_8_Benchmark_v1_0_0.pdf)
I'd suggest using FIPS for a more supported installation. rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
