On Mon, Oct 18, 2021 at 12:49:35PM -0400, Rob Crittenden wrote: > Jeffrey van Pelt via FreeIPA-users wrote: > > Hi all, > > > > Currently I'm setting up a FreeIPA instance on EL8 with the > > crypto-policy set to FUTURE. > > > > When running the ipa-server-install program, it errors out when setting > > up the PKI infrastructure. > > > > Below is the command I ran: > > > > ``` > > ipa-server-install --pki-config-override /root/freeipa_pki_override.cfg > > --setup-adtrust -p Banana123! -a Banana123! -r EXAMPLE.COM -U > > ``` > > > > As this command already shows, I already have some PKI override settings > > to ensure all created keys are 4096 bits long: > > > > ``` > > [CA] > > pki_ca_signing_key_size=4096 > > [DEFAULT] > > pki_admin_key_size=4096 > > pki_audit_signing_key_size=4096 > > pki_sslserver_key_size=4096 > > pki_subsystem_key_size=4096 > > ``` > > > > And even despite these settings, the command errors out giving me the > > message as below: > > > > ``` > > ..truncated.. > > [22/28]: enabling CA instance > > [23/28]: migrating certificate profiles to LDAP > > [24/28]: importing IPA certificate profiles > > [error] NetworkError: cannot connect to > > 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: > > EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) > > cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': > > [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542) > > The ipa-server-install command failed. See /var/log/ipaserver-install.log > > for more information > > ``` > > > > So _some_ certificate _somewhere_ is not strong enough, but I can't find > > which one it is and how to ensure it's strengthened sufficiently. > > > > When I check the log file it shows basically the same message (except > > with a lot of Python stacktraces with 'NetworkError') > > > > When I revert the crypto-policy back to DEFAULT the command as shown > > above will succeed. > > > > Anyone have a clue? :) > > > > The RA agent certificate used by IPA is requested from certmonger > without specifying key size so it defaults to 2048 (hardcoded). > > I added a setting in upstream certmonger to be able to modify this > default but it is not released yet. > > On the IPA side, ipalib/install/certmonger.py::request_cert needs to be > able to take a key size argument and pass in KEY_SIZE in the certmonger > request. How that would tie into the rest of IPA is TBD as some default > would need to be set somewhere. > > What problem are you trying to solve using FUTURE policy? 4k keys are > going to be quite slow. > > rob >
Gotcha, is there any way I can add in that patch now? I need to build an infrastructure based on EL8 which must be CIS-compliant. In the most recent version of the requirements they state the following: - 1.10 Ensure system-wide crypto policy is not legacy (Scored) - 1.11 Ensure system-wide crypto policy is FUTURE or FIPS (Scored) We opted for FUTURE in our environment, but enabling this breaks the setup :-) (full document: https://paper.bobylive.com/Security/CIS/CIS_Red_Hat_Enterprise_Linux_8_Benchmark_v1_0_0.pdf) Cheers, Jeff
signature.asc
Description: PGP signature
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
