Hi Rob,

On 12/6/17 9:56 PM, Rob Crittenden via FreeIPA-users wrote:
Harald Dunkel via FreeIPA-users wrote:

Here is what I see on the broken ipa server:


[root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  ,,


The CN=example Root CA,... certificate is unwanted. It did not expire,
but it uses an invalid format for its expiration date. I ran ipa-cacert-manage
to replace it with the CN=root-CA,... certificate a few months ago.


The certificate database on another ipa server (not broken yet, as it
seems) looks different:


[root@ipa2 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  C,,
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u


I would highly appreciate any advice on how to clean up this mess.

How come the unwanted "example Root CA" is still in the databases at
all? Due to the broken format I have to get rid of it ASAP.

What is broken about the cert? I can only assume you installed your IPA
server by having an external CA sign it. It would appear that this
external CA, in your case CN=root-ca, isn't trusted, hence the server
won't start.

The first ipa server was set up using an existing private PKI, managed
outside of freeipa. The root CA cert had a problem I noticed too late:
it uses an invalid format for the notAfter attribute. openssl is fine
with this format, but libressl on OpenBSD (and probably MacOS) rejects
it. See this thread for more information:

        https://marc.info/?l=libressl&m=148939571912276&w=2

Point is, I had to create a new private PKI with a valid notAfter
attribute format, and to tell freeipa. I used ipa-cacert-manage
to fix it, following the guidelines at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext

        ipa-cacert-manage renew --external-ca
        :
        ipa-cacert-manage renew --external-cert-file=/tmp/cert.pem --external-cert-file=/tmp/cacert.pem
        ipa-certupdate
        :
        getcert list
        getcert list | egrep Request\|CA\|issuer\|subject\|expires
        :
        ipa-getcert resubmit -i $request_id
        :

So how come the new root certificate is not trusted?


To fix this you could run:

# certutil -M -d /var/lib/pki/pki-tomcat/ca/alias -n "CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE" -t C,,


Done. ipa1 starts again. But this is not sufficient. If I run
ipa-certupdate, then the database is set back to the bad state.
/etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt are still bad, too.

???


Regards
Harri
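The two `certutil -L` listings above differ in one security-relevant detail: on ipa1 the new root CA is present in the NSS database but carries empty trust flags (`,,`), so nothing chains to it, while on ipa2 it carries `C,,` (trusted CA for SSL). In NSS trust strings, `C` means the cert is a trusted CA for that usage column, `T` additionally lets it issue client certs, `u` marks a cert whose private key is in the DB, and `P` marks a trusted peer. The script below is an added example, not code from the thread or from FreeIPA: it parses `certutil -L` output (the two listings are embedded as constructed sample input), flags CA entries whose SSL column lacks `C`, and prints the `certutil -M` repair command Rob gave. It assumes, as a heuristic, that IPA's own CA lives under the `caSigningCert cert-pki-ca` nickname and external CA certs are stored under their subject DN (`CN=...`). It is a check to run after `ipa-certupdate` to see whether the trust flags were reset again, as Harri reports.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the `certutil -L` listing from the broken server (ipa1).
IPA1_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  ,,
"""

# Constructed sample input: the listing from the still-working server (ipa2).
IPA2_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  C,,
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
"""


@dataclass
class TrustEntry:
    nickname: str
    ssl: str    # trust flags for the SSL column
    smime: str  # trust flags for the S/MIME column
    jar: str    # trust flags for the JAR/XPI (code signing) column


# A data row is "<nickname> <flags>,<flags>,<flags>". Nicknames that are subject
# DNs contain commas themselves, so anchor on the trailing trust triple, which
# consists only of letters and exactly two commas.
ROW_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_listing(text: str) -> List[TrustEntry]:
    """Parse `certutil -L` output into TrustEntry records, skipping headers."""
    entries = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.rstrip())
        if not m:
            continue  # blank line, or the two header lines (they never match)
        ssl, smime, jar = m.group("trust").split(",")
        entries.append(TrustEntry(m.group("nick").strip(), ssl, smime, jar))
    return entries


def is_ca_entry(entry: TrustEntry) -> bool:
    """Assumption: IPA's own CA uses the caSigningCert nickname and external
    CA certs are stored under their subject DN, so treat those as CA entries."""
    return entry.nickname.startswith("caSigningCert") or entry.nickname.startswith("CN=")


def untrusted_cas(entries: List[TrustEntry]) -> List[TrustEntry]:
    """CA entries whose SSL column lacks 'C': present in the DB, but nothing
    issued by them will validate. Empty flags (',,') are the ipa1 symptom."""
    return [e for e in entries if is_ca_entry(e) and "C" not in e.ssl]


def fix_command(db_dir: str, entry: TrustEntry, trust: str = "C,,") -> str:
    """The certutil -M invocation from the thread, filled in for one entry."""
    return f'certutil -M -d {db_dir} -n "{entry.nickname}" -t {trust}'


if __name__ == "__main__":
    db = "/var/lib/pki/pki-tomcat/ca/alias"
    for host, listing in (("ipa1", IPA1_LISTING), ("ipa2", IPA2_LISTING)):
        bad = untrusted_cas(parse_certutil_listing(listing))
        print(f"{host}: {len(bad)} CA entr{'y' if len(bad) == 1 else 'ies'} without C trust")
        for e in bad:
            print("  repair:", fix_command(db, e))
```

On a live server the listing would come from `subprocess.run(["certutil", "-L", "-d", db], capture_output=True, text=True).stdout` instead of the embedded samples; the parser is the same. Note that the check only reports; it does not run `certutil -M`, since the thread shows the flags being reset by `ipa-certupdate` and the right fix is to correct the source the tool copies from, not to patch the NSS database repeatedly.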
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
