On 6/18/20 10:37 AM, luckydog xf via FreeIPA-users wrote:
    One more question,

    In this thread (https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/) you mentioned that

    subsystemCert cert-pki-ca would map to pkidbuser.

    So the process is that dog-tag uses cert-pki-ca to establish a connection to 389 DS, and 389 DS would use pkidbuser to bind and do LDAP queries and other things?

Yes, that's right. The connection between dogtag and 389-ds is using SASL External authentication, meaning that dogtag provides a certificate and 389-ds maps this certificate to a DN. You can find more information in "Using certificate-based client authentication" [1] in 389-ds doc.

[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/using-based_client_authentication

    Thanks for your help.




On Thu, Jun 18, 2020 at 4:26 PM luckydog xf <[email protected]> wrote:

    Got it, thanks!

    I added the CA certs of Sectigo one by one to /etc/pki/pki-tomcat/alias/,
    now it works.

    Another thing, please confirm whether my statement below is correct or not:

    -------

    I changed Server-Cert to Sectigo's signed one (NOT self-signed), so
    when dog-tag tries to connect to 389 DS, it would check the 389 DS
    certificate (Server-Cert); meanwhile it also needs a CA to verify
    Server-Cert.

    My problem is that when dog-tag checks its NSSDB
    (/etc/pki/pki-tomcat/alias/), there is no CA of Sectigo available
    to verify it. So it complains:

    "Peer's certificate issuer has been marked as not trusted by the user."

    ------

    Is my understanding correct or not?
Yes, that's right. The client (dogtag) needs to trust the server cert (389-ds cert). As the server cert is issued by sectigo, adding the sectigo CA certs in /etc/pki/pki-tomcat/alias with the right flags fixes the trust problem.

flo


    Appreciate your help.


    On Thu, Jun 18, 2020 at 3:37 PM Florence Blanc-Renaud
    <[email protected]> wrote:

        On 6/18/20 6:06 AM, luckydog xf via FreeIPA-users wrote:
         > [root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias
         >
         > [root@wocfreeipa ~]#
         >
         > [root@wocfreeipa ~]# export LDAPTLS_CERT='subsystemCert cert-pki-ca'
         >
         > [root@wocfreeipa ~]# grep internal /etc/pki/pki-tomcat/password.conf
         > internal=3Tm~ofzwXXXXXXXXXXXX
         >
         > [root@wocfreeipa ~]# ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL
         > Please enter pin, password, or pass phrase for security token 'ldap(0)':
         >
         > SASL/EXTERNAL authentication started
         > SASL username: cn=CA Subsystem,o=SAP.WINGON.HK
         > SASL SSF: 0
         > # extended LDIF
         > #
         > # LDAPv3
         > # base <> with scope baseObject
         > # filter: (objectclass=*)
         > # requesting: ALL
         > #
         >
         > #
         > dn:
         > objectClass: top
         > namingContexts: cn=changelog
         > namingContexts: dc=sap,dc=wingon,dc=hk
         > namingContexts: o=ipaca
         > supportedExtension: 1.3.6.1.4.1.4203.1.11.3
         > ...
         > # search result
         > search: 2
         > result: 0 Success
         >
         > # numResponses: 2
         > # numEntries: 1
         >
         > It seems the connection established by Dogtag to 389 DS is correct.
         > But why did dogtag complain
         >
         > "Peer's certificate issuer has been marked as not trusted by the user."
         > ?
         > Weird.
        Hi,
        Dogtag has its own NSSDB and each of the sectigo CA certs needs to be
        present there, too:
        $ certutil -A -d /etc/pki/pki-tomcat/alias -n <nick> -t CT,C,C -a -i cert.pem

        HTH,
        flo
         >
         > On Thu, Jun 18, 2020 at 9:31 AM luckydog xf <[email protected]> wrote:
         >
         >     The sad thing is that the CA expired on May 30, 2020. My IPA cannot
         >     log in.
         >
         >     So I used certutil to remove old CAs. Here are the steps I used.
         >     Unfortunately, I didn't try the step you mentioned.
         >
         >     1. certutil -d /etc/httpd/alias -D -n Server-Cert
         >        certutil -d /etc/httpd/alias -D -n <Other CAs of Comodo>
         >
         >     2. Do the same thing against /etc/dirsrv/slapd-xxx
         >
         >     3. Add new certs and CAs by:
         >
         >     cat server.key server.crt > server.all
         >
         >     openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out Server-Cert.p12 -name "Server-Cert"
         >
         >     pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert
         >
         >     4. ipactl restart -f -d shows pki-tomcatd cannot start.
         >     ---------
         >     Internal Database Error encountered: Could not connect to LDAP
         >     server host wocfreeipa.sap.wingon.hk port 636 Error
         >     netscape.ldap.LDAPException: Unable to create socket:
         >     org.mozilla.jss.ssl.SSLSocketException:
         >     org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
         >     (-8172) Peer's certificate issuer has been marked as not trusted
         >     by the user. (-1)
         >
         >     So what's wrong?
         >
         >
         >     -------------
         >
         >
         >
         >
         >
         >     On Wed, Jun 17, 2020 at 10:34 PM Florence Blanc-Renaud
         >     <[email protected]> wrote:
         >
         >         On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote:
         >          > Hi, As stated in
         >          > https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
         >          >
         >          > I cannot log in to the FreeIPA web page.
         >          >
         >          > So I updated the CA by:
         >          >
         >          > # delete everything except IPA CA of httpd and dirsrv
         >          >
         >          > certutil -d /etc/httpd/alias -D -n 'xxx'
         >          >
         >          > # ca-bundle.crt is 3 files named USERTrust, etc.
         >          >
         >          > # server.all is a combination of my certificate signed by
         >          > Sectigo (formerly named Comodo).
         >          >
         >          > openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out Server-Cert.p12 -name "Server-Cert"
         >          >
         >          > # add to httpd and dirsrv.
         >          >
         >          > pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert
         >          >
         >          > I restart all services by ipactl restart. But it seems
         >          > pki-tomcat fails to start up.
         >          >
         >          > #### log of ipactl start ####
         >          >
         >          > Starting pki-tomcatd Service
         >          > ipa: DEBUG: Starting external process
         >          > ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target
         >          > ipa: DEBUG: Process finished, return code=0
         >          > ipa: DEBUG: request POST http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus
         >          > ipa: DEBUG: request body ''
         >          > ipa: DEBUG: response status 500
         >          > ipa: DEBUG: response headers Server: Apache-Coyote/1.1
         >          > Content-Type: text/html;charset=utf-8
         >          > Content-Language: en
         >          > Content-Length: 2208
         >          > Date: Wed, 17 Jun 2020 09:13:19 GMT
         >          > Connection: close
         >          >
         >          > ipa: DEBUG: response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-s
         >          > ......
         >          >
         >          > ipa: DEBUG: Failed to check CA status: Retrieving CA status failed with status 500
         >          > ipa: DEBUG: Waiting until the CA is running
         >          >
         >          > #### END of log #####
         >          >
         >          >
         >          > Here is the log of pki-tomcat
         >          >
         >          > ###
         >          > Internal Database Error encountered: Could not connect to
         >          > LDAP server host wocfreeipa.sap.wingon.hk port 636 Error
         >          > netscape.ldap.LDAPException: Unable to create socket:
         >          > org.mozilla.jss.ssl.SSLSocketException:
         >          > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake
         >          > failed: (-8172) Peer's certificate issuer has been marked as not
         >          > trusted by the user. (-1)
         >          >
         >          > ###
         >          >
         >          > The point is 'Peer's certificate issuer has been marked as
         >          > not trusted by the user.' As far as I know pki-tomcat needs a
         >          > certificate to bind to 389 DS and store information.
         >          >
         >          > But I didn't touch the CA named 'IPA CA', so basically
         >          > pki-tomcatd could use its own certificate named 'subsystemCert
         >          > cert-pki-ca' to bind to 389 DS.
         >          >
         >          > Please help.
         >         Hi,
         >
         >         the new CA certs from Sectigo need to be installed with
         >         ipa-cacert-manage install (the command uploads the certs in the
         >         LDAP database). For more information, please refer to
         >         "Installing a CA Certificate Manually" [1].
         >         As the chain contains multiple certs, you need to start from the
         >         root cert then go down the chain. When all the certs have been
         >         added, don't forget to run ipa-certupdate on all the IPA hosts
         >         (the command downloads the certs from LDAP and puts them in all
         >         the NSSDBs that need them).
         >
         >         HTH,
         >         flo
         >
         >         [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/manual-cert-install
         >
         >          >
         >          > Thanks a lot.
         >          >
         >          >


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
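The fix flo gives (one certutil -A per Sectigo CA cert, with CT,C,C trust flags, into /etc/pki/pki-tomcat/alias) and the -8172 error it cures (SEC_ERROR_UNTRUSTED_ISSUER, "Peer's certificate issuer has been marked as not trusted by the user") can be checked from the shell before restarting pki-tomcatd. The script below is an added example, not code from this thread or from the FreeIPA or Dogtag projects: it splits a PEM bundle (the thread's ca-bundle.crt is assumed to be a plain concatenation of CA certs) into one file per cert, imports each with flo's flags, and then reads `certutil -L` to confirm that every imported nickname actually carries the C (trusted CA) flag in the SSL column. The ca-NN nickname scheme, the bundle and database paths, and the two-line header of `certutil -L` that the parser skips are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): import a CA chain into an NSS database
# and verify the trust flags before letting Dogtag reconnect to 389-ds.
set -eu

# Split a PEM bundle ($1) into $2/ca-01.pem, ca-02.pem, ...; prints the count.
# Text between certificates (e.g. "Bag Attributes" lines) is dropped.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Import every split cert as a trusted CA, the flags flo recommends (CT,C,C).
# Nickname assumption: the file basename (ca-01, ca-02, ...).
import_cas() {
    db="$1"; dir="$2"
    for f in "$dir"/ca-*.pem; do
        nick=$(basename "$f" .pem)
        certutil -A -d "$db" -n "$nick" -t CT,C,C -a -i "$f"
    done
}

# Read `certutil -L -d <db>` output on stdin and print the trust flags for one
# nickname. Nicknames may contain spaces ("subsystemCert cert-pki-ca"), so the
# flags are taken as the last field and everything before them is the name.
# Exit status 1 when the nickname is not in the listing.
trust_flags() {
    awk -v nick="$1" '
        NF >= 2 && $0 !~ /^Certificate Nickname/ && $0 !~ /SSL,S\/MIME/ {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trailing flags column
            sub(/^[ \t]+/, "", name)
            if (name == nick) { print flags; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# Succeed only when the nickname carries the C flag in the SSL column; without
# it NSS/JSS rejects the chain with -8172 even though the cert is present.
ca_trusted() {
    flags=$(trust_flags "$1") || return 1
    case "${flags%%,*}" in *C*) return 0 ;; esac
    return 1
}

# Live check against an NSS database: report each imported CA as ok or MISSING.
check_db() {
    db="$1"; dir="$2"; rc=0
    listing=$(certutil -L -d "$db")
    for f in "$dir"/ca-*.pem; do
        nick=$(basename "$f" .pem)
        if printf '%s\n' "$listing" | ca_trusted "$nick"; then
            echo "ok      $nick"
        else
            echo "MISSING $nick (certutil -A -d $db -n $nick -t CT,C,C -a -i $f)"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh import_ca_chain.sh /etc/pki/pki-tomcat/alias ca-bundle.crt
# (nothing runs when the file is sourced without arguments)
if [ "$#" -eq 2 ]; then
    workdir=$(mktemp -d)
    count=$(split_bundle "$2" "$workdir")
    echo "found $count certificate(s) in $2"
    import_cas "$1" "$workdir"
    check_db "$1" "$workdir"
fi
```

After the import, the same connection Dogtag makes can be exercised by hand exactly as in the thread: export LDAPTLS_CACERTDIR pointing at the Dogtag NSSDB and LDAPTLS_CERT='subsystemCert cert-pki-ca', then run ldapsearch -Y EXTERNAL against ldaps://host:636; a clean SASL/EXTERNAL bind there means the chain check that produced -8172 now passes.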
