Comments

59 Comments

The update solves the issue with Bind9 named and OpenSSL PKCS#11 engine in FIPS mode (tested on F31, F32 uses the same patch and version of libp11).

BZ#1827535 PKCS11 engine does not work in FIPS mode: RSA_new_method:non FIPS rsa method

The update solves the issue with Bind9 named and OpenSSL PKCS#11 engine in FIPS mode.

BZ#1827535 PKCS11 engine does not work in FIPS mode: RSA_new_method:non FIPS rsa method

The new release fixes the AVC that breaks FreeIPA's DNSSEC support.

The remaining issues have to be fixed in IPA.

BZ#1825812 AVC avc: denied { dac_override } for comm="ods-enforcerd

It's the secret. Alexander is working on a PR to address the issue, https://github.com/freeipa/freeipa/pull/4337

I confirm that the update fixes the email quoting issue in FreeIPA.

BZ#1731100 Label escaping bug for special characters breaks ipa dnszone-show

I confirm that the update fixes the email quoting issue in FreeIPA.

BZ#1731100 Label escaping bug for special characters breaks ipa dnszone-show
BZ#1775146 POST request with TLS 1.3 PHA client auth fails: Re-negotiation handshake failed: Client certificate missing

FreeIPA PR https://github.com/freeipa/freeipa/pull/3911 with TLS 1.3 enabled is now passing basic tests. TLS 1.3 post-handshake client cert auth of POST requests is working as expected.

Thanks for the quick fix!

BZ#1775146 POST request with TLS 1.3 PHA client auth fails: Re-negotiation handshake failed: Client certificate missing

New build works for me


New build works for me

Works for me

The problem has been fixed by the python-requests 2.22 package. The Fedora distgit has been updated but the update was never built and pushed to stable. F30 is still stuck on python3-requests-2.21.0-2.fc30.

F31 is fine, though.


Update works for me on latest F31

BZ#1759290 Web UI login always fails ("preexec_fn not supported within subinterpreters")

ipa-server-install is failing with the latest build. httpd is unable to load the cert generated by FreeIPA.

log

  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [error] CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xe" for details.\n')
CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xe" for details.\n')
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[root@host-10-0-137-103 ~]# 
[root@host-10-0-137-103 ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/httpd.service.d
           └─ipa.conf
   Active: failed (Result: exit-code) since Fri 2019-09-20 11:43:20 EDT; 18s ago
     Docs: man:httpd.service(8)
  Process: 23686 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
  Process: 23688 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 23688 (code=exited, status=1/FAILURE)
   Status: "Reading configuration..."
      CPU: 371ms

Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: Starting The Apache HTTP Server...
Sep 20 11:43:20 host-10-0-137-103.ipa.example ipa-httpd-kdcproxy[23686]: ipa: INFO: KDC proxy enabled
Sep 20 11:43:20 host-10-0-137-103.ipa.example ipa-httpd-kdcproxy[23686]: ipa-httpd-kdcproxy: INFO     KDC proxy enabled
Sep 20 11:43:20 host-10-0-137-103.ipa.example httpd[23688]: AH00526: Syntax error on line 102 of /etc/httpd/conf.d/ssl.conf:
Sep 20 11:43:20 host-10-0-137-103.ipa.example httpd[23688]: SSLCertificateFile: file '/var/lib/ipa/certs/httpd.crt' does not exist or is empty
Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: httpd.service: Failed with result 'exit-code'.
Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: Failed to start The Apache HTTP Server.

cert

# ls -laZ /var/lib/ipa/certs/
total 12
drwxr-xr-x.  2 root root system_u:object_r:ipa_var_lib_t:s0 4096 Sep 20 11:43 .
drwxr-xr-x. 10 root root system_u:object_r:ipa_var_lib_t:s0 4096 Sep 20 11:42 ..
-rw-------.  1 root root system_u:object_r:ipa_var_lib_t:s0 1911 Sep 20 11:43 httpd.crt

AVC

time->Fri Sep 20 11:43:20 2019
type=AVC msg=audit(1568994200.979:751): avc:  denied  { getattr } for  pid=23688 comm="httpd" path="/var/lib/ipa/certs/httpd.crt" dev="vda1" ino=1577788 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=0

versions

# rpm -qa httpd selinux-policy
httpd-2.4.41-1.fc31.x86_64
selinux-policy-3.14.4-34.fc31.noarch
BZ#1706295 Fedora 29 firefox-65.0.1-1 All extensions disabled due to expiration of intermediate signing cert (Upstream bug)
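As an added example (not code from the comment above or from the FreeIPA or selinux-policy projects), a small parser that turns audit AVC records like the one quoted above into entries grouped by (source type, target type, object class), with the union of denied permissions and a flag for whether any denial was actually enforced (permissive=0). The sample records are constructed: the first is the denial from the comment, the second a made-up permissive-mode record, the third a non-AVC line that must be ignored.

```python
import re
from collections import defaultdict

# Constructed sample input (first line copied from the comment above).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1568994200.979:751): avc:  denied  { getattr } for  pid=23688 comm="httpd" path="/var/lib/ipa/certs/httpd.crt" dev="vda1" ino=1577788 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1568994201.100:752): avc:  denied  { read open } for  pid=23688 comm="httpd" path="/var/lib/ipa/certs/httpd.crt" dev="vda1" ino=1577788 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1568994200.979:751): arch=c000003e syscall=4 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the SELinux type (third colon-separated field of a context)."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "source_type": type_of(fields["scontext"]),
        "target_type": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive") == "0",  # 0 = access was really blocked
    }


def summarize(text):
    """Group denials by (source type, target type, class) and merge their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set(), "enforced": False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        g = groups[(rec["source_type"], rec["target_type"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["enforced"] |= rec["enforced"]
        if rec["path"]:
            g["paths"].add(rec["path"])
    return dict(groups)
```

On the comment's record this yields one group, httpd_t accessing ipa_var_lib_t:file, which is the type pair the selinux-policy update had to cover.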

The update broke one of FreeIPA's tests for automember rules, https://pagure.io/freeipa/issue/7902

IPA's test suite is passing with 1.4.0.21.

Two automember tests were failing, probably caused by a known and requested change to the automember plugin, https://pagure.io/freeipa/issue/7855.

IPA's test suite is passing with 1.4.0.21.

Two automember tests were failing, probably caused by a known and requested change to the automember plugin, https://pagure.io/freeipa/issue/7855.