Hi all,
Currently I'm setting up a FreeIPA instance on EL8 with the crypto-policy set to FUTURE.
When running the ipa-server-install program, it errors out when setting up the PKI infrastructure.
Below is the command I ran:
```
ipa-server-install --pki-config-override /root/freeipa_pki_override.cfg --setup-adtrust -p Banana123! -a Banana123! -r EXAMPLE.COM -U
```
As this command already shows, I already have some PKI override settings to ensure all created keys are 4096 bits long:
```
[CA]
pki_ca_signing_key_size=4096

[DEFAULT]
pki_admin_key_size=4096
pki_audit_signing_key_size=4096
pki_sslserver_key_size=4096
pki_subsystem_key_size=4096
```
And even despite these settings, the command errors out giving me the message as below:
```
..truncated..
  [22/28]: enabling CA instance
  [23/28]: migrating certificate profiles to LDAP
  [24/28]: importing IPA certificate profiles
  [error] NetworkError: cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
So _some_ certificate _somewhere_ is not strong enough, but I can't find which one it is and how to ensure it's strengthened sufficiently.
When I check the log file it shows basically the same message (except with a lot of Python stacktraces with 'NetworkError').
When I revert the crypto-policy back to DEFAULT the command as shown above will succeed.
Anyone have a clue? :)
Cheers!
Jeffrey van Pelt via FreeIPA-users wrote:
The RA agent certificate used by IPA is requested from certmonger without specifying key size so it defaults to 2048 (hardcoded).
I added a setting in upstream certmonger to be able to modify this default but it is not released yet.
On the IPA side, ipalib/install/certmonger.py::request_cert needs to be able to take a key size argument and pass in KEY_SIZE in the certmonger request. How that would tie into the rest of IPA is TBD as some default would need to be set somewhere.
What problem are you trying to solve using FUTURE policy? 4k keys are going to be quite slow.
rob
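To find which certificate the FUTURE policy is rejecting, here is an added shell check (my example, not part of this thread, of FreeIPA or of certmonger) that reads each PEM certificate with openssl and flags public keys smaller than the policy minimum. It assumes the RHEL 8 crypto-policies minimums of 2048 bits for DEFAULT and FIPS and 3072 bits for FUTURE, and that the reader supplies the certificate paths to audit.

```shell
#!/bin/sh
# Minimum RSA modulus size (bits) enforced by the RHEL 8 system-wide
# crypto-policies. Assumption: values taken from the crypto-policies
# documentation for DEFAULT, FIPS and FUTURE.
policy_min_bits() {
    case "$1" in
        DEFAULT|FIPS) echo 2048 ;;
        FUTURE)       echo 3072 ;;
        *) echo "unknown policy: $1" >&2; return 1 ;;
    esac
}

# Print the public key size (bits) of one PEM certificate, or nothing
# if openssl cannot parse it. Matches both the OpenSSL 1.1 line
# "RSA Public-Key: (2048 bit)" and the OpenSSL 3 line "Public-Key: (2048 bit)".
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_certs POLICY FILE...
# Prints "FILE BITS < MIN (POLICY)" for every certificate whose key is
# below the policy minimum. Returns 0 if all pass, 1 if any fail or are
# unreadable, 2 for an unknown policy name.
check_certs() {
    policy="$1"; shift
    min=$(policy_min_bits "$policy") || return 2
    rc=0
    for f in "$@"; do
        bits=$(cert_key_bits "$f")
        if [ -z "$bits" ]; then
            echo "$f: not a readable X.509 certificate" >&2
            rc=1
            continue
        fi
        if [ "$bits" -lt "$min" ]; then
            echo "$f $bits < $min ($policy)"
            rc=1
        fi
    done
    return $rc
}

# Usage on a server: check_certs FUTURE /path/to/*.pem
```

The bit count openssl prints for an EC key is the curve size, so EC certificates will be reported as "too small" by this RSA-oriented check; treat those lines as false positives.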
On Mon, Oct 18, 2021 at 12:49:35PM -0400, Rob Crittenden wrote:
Gotcha, is there any way I can add in that patch now?
I need to build an infrastructure based on EL8 which must be CIS-compliant. In the most recent version of the requirements they state the following:
- 1.10 Ensure system-wide crypto policy is not legacy (Scored)
- 1.11 Ensure system-wide crypto policy is FUTURE or FIPS (Scored)
We opted for FUTURE in our environment, but enabling this breaks the setup :-)
(full document: https://paper.bobylive.com/Security/CIS/CIS_Red_Hat_Enterprise_Linux_8_Bench...)
Cheers,
Jeff
Jeffrey van Pelt wrote:
I'd suggest using FIPS for a more supported installation.
rob
On Tue, Oct 19, 2021 at 09:20:17AM -0400, Rob Crittenden wrote:
Hi Rob,
Thanks! Will do