Hello,

we have an issue with resubmitting several certificates. 

We suspect the reason might be the encoding mismatch between the certificate 
and the CA certificate.

Our environment was upgraded over the years from some 3.x version to the current 
4.5.4. So the very first CA certificate was encoded in PRINTABLESTRING.

Issuer:
    organizationName          = PRINTABLESTRING:EXAMPLE.COM
    commonName                = PRINTABLESTRING:Certificate Authority
Validity
    Not Before: Dec  1 14:14:37 2014 GMT
    Not After : Dec  1 14:14:37 2034 GMT
Subject:
    organizationName          = PRINTABLESTRING:EXAMPLE.COM
    commonName                = PRINTABLESTRING:Certificate Authority

When we renewed (due to SHA1) we got PRINTABLESTRING x UTF8STRING, and then 
we renewed again, so now we have:

Issuer:
    organizationName          = UTF8STRING:EXAMPLE.COM
    commonName                = UTF8STRING:Certificate Authority
Validity
    Not Before: Oct  9 07:34:24 2017 GMT
    Not After : Oct  9 07:34:24 2037 GMT
Subject:
    organizationName          = UTF8STRING:EXAMPLE.COM
    commonName                = UTF8STRING:Certificate Authority

And most certificates were renewed fine.

However, recently we noticed that several certificates can't be resubmitted; 
all of them seem to be like this:

Issuer:
    organizationName          = PRINTABLESTRING:EXAMPLE.COM
    commonName                = PRINTABLESTRING:Certificate Authority
Validity
    Not Before: Nov 24 12:17:12 2016 GMT
    Not After : Nov 14 12:17:12 2018 GMT
Subject:
    organizationName          = UTF8STRING:EXAMPLE.COM
    commonName                = UTF8STRING:ipa07.example.com

The error when resubmitting is:
Peer certificate cannot be authenticated with given CA certificates. The 
tcpdump on port 8443 says Unknown CA.

Is the assumption correct that the encoding mismatch is blocking the 
certificate submission?
One of the certificates which we also can't renew is the 'IPA RA' 
(/var/lib/ipa/ra-agent.pem).

What we tried:
  - Adding all versions of the CA certificate to the /etc/pki/pki-tomcat/alias 
    trust store (also adding them one by one).
  - Setting the date back to before the expiration.
  - Advice from: 
    https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
  - Deleting the related CSR from o=ipaca, supposing that a newly generated 
    CSR will be fine.

Any suggestions what else we could try? 

Thanks
Petr
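An added diagnostic example, not part of the post above: it encodes the CA DN from the post as a DER Name in PrintableString and in UTF8String, then compares a certificate's issuer against each candidate CA subject both byte-for-byte and by attribute values, so you can tell whether two DNs differ only by ASN.1 string type. The attribute values and the OLD_CA/NEW_CA labels are constructed from the post; everything else is assumed.

```python
# Minimal DER helpers for X.500 Names; short-form lengths only (enough here).
PRINTABLE_STRING = 0x13     # ASN.1 PrintableString tag
UTF8_STRING = 0x0C          # ASN.1 UTF8String tag
SEQUENCE, SET = 0x30, 0x31
OID_O = bytes.fromhex("06 03 55 04 0a")   # id-at-organizationName (2.5.4.10)
OID_CN = bytes.fromhex("06 03 55 04 03")  # id-at-commonName (2.5.4.3)

# CA DN attributes as shown in the post, in the order they appear.
CA_DN = [(OID_O, "EXAMPLE.COM"), (OID_CN, "Certificate Authority")]

def tlv(tag, body):
    """DER tag-length-value; these Names are far below the 128-byte short limit."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def encode_name(attrs, string_tag):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }, with one string type."""
    rdns = b"".join(tlv(SET, tlv(SEQUENCE, oid + tlv(string_tag, v.encode("utf-8"))))
                    for oid, v in attrs)
    return tlv(SEQUENCE, rdns)

def read_tlv(buf, pos=0):
    """Return (tag, body, position after this element) for a short-form TLV."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form length not expected in these Names"
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_name(der):
    """Return [(oid_body, string_tag, value), ...] from a DER-encoded Name."""
    tag, body, _ = read_tlv(der)
    assert tag == SEQUENCE
    out, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)      # SET (one RDN)
        _, atv, _ = read_tlv(rdn)              # SEQUENCE (AttributeTypeAndValue)
        _, oid, p = read_tlv(atv)              # OBJECT IDENTIFIER body
        vtag, val, _ = read_tlv(atv, p)        # the string, tag tells its type
        out.append((oid, vtag, val.decode("utf-8")))
    return out

def compare_names(cert_issuer, ca_subject):
    """'exact' if DER-identical, 'values-only' if attributes agree but string
    tags differ (the PRINTABLESTRING vs UTF8STRING case), else 'different'."""
    if cert_issuer == ca_subject:
        return "exact"
    strip = lambda n: [(o, v) for o, _, v in decode_name(n)]
    return "values-only" if strip(cert_issuer) == strip(ca_subject) else "different"

def find_matching_cas(cert_issuer, cas):
    """Map each labelled candidate CA subject to its relation to cert_issuer."""
    return {label: compare_names(cert_issuer, subj) for label, subj in cas}

# Constructed scenario mirroring the post: old CA in PrintableString, renewed
# CA in UTF8String, and a stuck certificate whose issuer is still PrintableString.
OLD_CA = encode_name(CA_DN, PRINTABLE_STRING)
NEW_CA = encode_name(CA_DN, UTF8_STRING)
STUCK_CERT_ISSUER = encode_name(CA_DN, PRINTABLE_STRING)
```

Running find_matching_cas(STUCK_CERT_ISSUER, [("old CA", OLD_CA), ("renewed CA", NEW_CA)]) reports "exact" for the old CA and "values-only" for the renewed one; the same helpers work on real issuer/subject DER pulled out of the certificates in question.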
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]