On 12/07/2017 09:17 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Rob,

On 12/6/17 9:56 PM, Rob Crittenden via FreeIPA-users wrote:
Harald Dunkel via FreeIPA-users wrote:

Here is what I see on the broken ipa server:


[root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                         Trust Attributes SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  ,,


The CN=example Root CA,... certificate is unwanted. It did not expire,
but it uses an invalid format for its expiration date. I ran ipa-cacert-manage
to replace it with the CN=root-CA,... certificate a few months ago.


The certificate database on another ipa server (not broken yet, as it
seems) looks different:


[root@ipa2 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                         Trust Attributes SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  C,,
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u


I would highly appreciate any advice on how to clean up this mess.

How come the unwanted "example Root CA" is still in the databases at
all? Due to the broken format I have to get rid of it ASAP.

What is broken about the cert? I can only assume you installed your IPA
server by having an external CA sign it. It would appear that this
external CA, in your case CN=root-ca, isn't trusted, hence the server
won't start.

The first ipa server was set up using an existing private PKI, managed
outside of freeipa. The root ca cert had a problem I noticed too late:
It uses an invalid format for the notAfter attribute. openssl is fine
with this format, but libressl on OpenBSD (and probably MacOS) rejects
it. See this thread for more information:

     https://marc.info/?l=libressl&m=148939571912276&w=2

Point is, I had to create a new private PKI with a valid notAfter
attribute format, and to tell freeipa about it. I used ipa-cacert-manage
to fix it, following the guidelines at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext

     ipa-cacert-manage renew --external-ca
     :
     ipa-cacert-manage renew --external-cert-file=/tmp/cert.pem --external-cert-file=/tmp/cacert.pem
     ipa-certupdate
     :
     getcert list
     getcert list | egrep Request\|CA\|issuer\|subject\|expires
     :
     ipa-getcert resubmit -i $request_id
     :

So how come the new root certificate is not trusted?


Hi,

if you run:

ipa-cacert-manage install -t C,, <rootcert>
ipa-certupdate

then the new root certificate will be installed in all the required NSS databases. Do not forget to run ipa-certupdate on all the FreeIPA machines.

HTH,
Flo.


To fix this you could run:

# certutil -M -d /var/lib/pki/pki-tomcat/ca/alias -n "CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE" -t C,,


Done. ipa1 starts again. But this is not sufficient. If I run
ipa-certupdate, then the database is set back to the bad state.
/etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt are still bad, too.

???


Regards
Harri
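As an added example (not code from the thread or from FreeIPA), a small shell check that parses `certutil -L` output and flags external CA entries whose SSL trust field carries neither C nor T, the `,,` state shown for CN=root-CA on ipa1 above. The listing embedded in it is constructed from the thread's output, and the function name `check_ca_trust` is my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit the trust flags that
# `certutil -L` reports and flag external CA entries that are not
# trusted to issue SSL certs (the ",," state shown for CN=root-CA on ipa1).
# The listing below is constructed from the thread's output; on a real
# server pipe in live output instead:
#   certutil -L -d /var/lib/pki/pki-tomcat/ca/alias | check_ca_trust

SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  ,,
'

# check_ca_trust (hypothetical helper name) reads a certutil -L listing on
# stdin. For every entry whose nickname starts with "CN=" (the external CA
# certs; the cert-pki-ca system certs are skipped) it prints an UNTRUSTED
# line when the SSL trust field carries neither C nor T. Exit status is 0
# when all such entries are trusted, 1 otherwise.
check_ca_trust() {
    awk '
        /^Certificate Nickname/ || NF == 0 { next }   # header and blank lines
        {
            trust = $NF                 # last field: e.g. "CT,C,C" or ",,"
            $NF = ""                    # what remains is the nickname
            sub(/[ \t]+$/, "")
            nick = $0
            if (nick !~ /^CN=/) next
            split(trust, f, ",")        # f[1]=SSL  f[2]=S/MIME  f[3]=JAR/XPI
            if (f[1] !~ /[CT]/) {
                printf "UNTRUSTED: %s (trust=\"%s\")\n", nick, trust
                bad++
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

printf "%s\n" "$SAMPLE_LISTING" | check_ca_trust \
    || echo "at least one external CA is not trusted for SSL in this database"
```

Running it against each NSS database before and after ipa-certupdate shows exactly which database loses the C flag on the new root.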
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org