On Tue, Oct 19, 2021 at 09:20:17AM -0400, Rob Crittenden wrote:
> Jeffrey van Pelt wrote:
> >
> > On Mon, Oct 18, 2021 at 12:49:35PM -0400, Rob Crittenden wrote:
> >> Jeffrey van Pelt via FreeIPA-users wrote:
> >>> Hi all,
> >>>
> >>> Currently I'm setting up a FreeIPA instance on EL8 with the
> >>> crypto-policy set to FUTURE.
> >>>
> >>> When running the ipa-server-install program, it errors out when setting
> >>> up the PKI infrastructure.
> >>>
> >>> Below is the command I ran:
> >>>
> >>> ```
> >>> ipa-server-install --pki-config-override /root/freeipa_pki_override.cfg
> >>> --setup-adtrust -p Banana123! -a Banana123! -r EXAMPLE.COM -U
> >>> ```
> >>>
> >>> As this command already shows, I already have some PKI override settings
> >>> to ensure all created keys are 4096 bits long:
> >>>
> >>> ```
> >>> [CA]
> >>> pki_ca_signing_key_size=4096
> >>> [DEFAULT]
> >>> pki_admin_key_size=4096
> >>> pki_audit_signing_key_size=4096
> >>> pki_sslserver_key_size=4096
> >>> pki_subsystem_key_size=4096
> >>> ```
> >>>
> >>> And even despite these settings, the command errors out giving me the
> >>> message as below:
> >>>
> >>> ```
> >>> ..truncated..
> >>> [22/28]: enabling CA instance
> >>> [23/28]: migrating certificate profiles to LDAP
> >>> [24/28]: importing IPA certificate profiles
> >>> [error] NetworkError: cannot connect to
> >>> 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL:
> >>> EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
> >>> cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login':
> >>> [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
> >>> The ipa-server-install command failed. See /var/log/ipaserver-install.log
> >>> for more information
> >>> ```
> >>>
> >>> So _some_ certificate _somewhere_ is not strong enough, but I can't find
> >>> which one it is and how to ensure it's strengthened sufficiently.
> >>>
> >>> When I check the log file it shows basically the same message (except
> >>> with a lot of Python stacktraces with 'NetworkError')
> >>>
> >>> When I revert the crypto-policy back to DEFAULT the command as shown
> >>> above will succeed.
> >>>
> >>> Anyone have a clue? :)
> >>>
> >>
> >> The RA agent certificate used by IPA is requested from certmonger
> >> without specifying key size so it defaults to 2048 (hardcoded).
> >>
> >> I added a setting in upstream certmonger to be able to modify this
> >> default but it is not released yet.
> >>
> >> On the IPA side, ipalib/install/certmonger.py::request_cert needs to be
> >> able to take a key size argument and pass in KEY_SIZE in the certmonger
> >> request. How that would tie into the rest of IPA is TBD as some default
> >> would need to be set somewhere.
> >>
> >> What problem are you trying to solve using FUTURE policy? 4k keys are
> >> going to be quite slow.
> >>
> >> rob
> >>
> >
> > Gotcha, is there any way I can add in that patch now?
> >
> > I need to build an infrastructure based on EL8 which must be
> > CIS-compliant. In the most recent version of the requirements they state
> > the following:
> >
> > - 1.10 Ensure system-wide crypto policy is not legacy (Scored)
> > - 1.11 Ensure system-wide crypto policy is FUTURE or FIPS (Scored)
> >
> > We opted for FUTURE in our environment, but enabling this breaks the
> > setup :-)
> >
> > (full document:
> > https://paper.bobylive.com/Security/CIS/CIS_Red_Hat_Enterprise_Linux_8_Benchmark_v1_0_0.pdf)
>
> I'd suggest using FIPS for a more supported installation.
>
> rob
>

Hi Rob,

Thanks! Will do

--
Cheers, Jeff
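The thread's open question is which certificate is too small for the FUTURE policy (RSA below 3072 bits on RHEL 8 fails with EE_KEY_TOO_SMALL). The script below is an added example, not code from the thread or from FreeIPA: it reads the RSA size out of PEM certificates or keys with openssl and flags undersized ones, and it also builds a throwaway 2048-bit certificate to show the failing case. It assumes openssl is installed; the IPA file paths at the end are assumptions about a default install, not from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA): report the RSA
# size of PEM certificates/keys and flag any that the RHEL 8 FUTURE
# crypto-policy rejects (RSA below 3072 bits -> the EE_KEY_TOO_SMALL error).
FUTURE_MIN_RSA_BITS=3072

# key_bits FILE: print the RSA size in bits of a PEM certificate or key.
# The sed pattern matches both OpenSSL 1.1.1 ("RSA Public-Key: (2048 bit)")
# and OpenSSL 3 ("Public-Key: (2048 bit)") text output.
key_bits() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then cmd=x509; else cmd=pkey; fi
    openssl "$cmd" -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# check_key_size FILE: print a verdict; return 0 if the key is large enough,
# 1 if FUTURE would reject it, 2 if no RSA size could be read from the file.
check_key_size() {
    bits=$(key_bits "$1")
    if [ -z "$bits" ]; then
        echo "$1: no RSA key size found (not PEM, or not an RSA key?)"
        return 2
    elif [ "$bits" -lt "$FUTURE_MIN_RSA_BITS" ]; then
        echo "$1: $bits-bit RSA, TOO SMALL for FUTURE (minimum $FUTURE_MIN_RSA_BITS)"
        return 1
    fi
    echo "$1: $bits-bit RSA, ok"
}

# demo_check BITS: generate a throwaway self-signed certificate with a
# BITS-bit RSA key (constructed sample input) and return check_key_size's
# verdict for it; e.g. demo_check 2048 reproduces the too-small case.
demo_check() {
    d=$(mktemp -d); rc=0
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 -subj /CN=demo \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    check_key_size "$d/cert.pem" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Assumed default IPA paths for the RA agent and HTTP server certificates
# (assumption, not from the thread; Dogtag's own certs sit in its NSS
# database). Each file is checked only if it exists on this host.
for f in /var/lib/ipa/ra-agent.pem /var/lib/ipa/certs/httpd.crt; do
    if [ -r "$f" ]; then check_key_size "$f" || true; fi
done
```

Run it on the server after the failed install; a 2048-bit RA agent certificate, as Rob describes, shows up as "TOO SMALL for FUTURE".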
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
