James Roman wrote:
James Roman wrote:
Rob Crittenden wrote:
James Roman wrote:
Rob Crittenden wrote:
James Roman wrote:
First off, thanks Rob for the direction on creating a certificate. After reading up on Mozilla's NSS, I think I've got a pretty fair grounding.


So I successfully generated a CSR and had it signed. I imported my certificate and CA chain into the NSS database and exported it to a PKCS12 cert. I am primarily concerned with using the public cert on the HTTP interface. However, when I go to import it using ipa-server-certificate, it chokes on the names in the CA certificate chain. (One of the certs uses full website address for the name.) I can manually import each of the certificates in the CA chain using certutil on the /etc/httpd/alias directory.

What do you mean by choke? Do you have a python backtrace or can you send me the ipaserver-install.log?
Here is what I get when importing the p12 file using "ipa-server-certinstall". The reasons for the errors are fairly self-evident when you see how it parses the command line arguments.

# ipa-server-certinstall -w /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx --http_pin='mysecretpin'
an unexpected error occurred: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned non-zero exit status 255
Traceback (most recent call last):
  File "/usr/sbin/ipa-server-certinstall", line 137, in main
    server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
  File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
    cdb.trust_root_cert(server_cert[0])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert
    "-t", "CT,CT,"])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
    return ipautil.run(new_args, stdin)
  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
    raise CalledProcessError(p.returncode, ' '.join(args))
CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned non-zero exit status 255

I'm left with most of the certificate chain.

Ok, we shouldn't need to mess with builtin CAs at all.

Can you file a bug on this?

In the meantime, this patch should fix things for you:

diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py
index 8cb1d08..610ca1d 100644
--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -318,8 +318,9 @@ class CertDB(object):
     def trust_root_cert(self, nickname):
         root_nickname = self.find_root_cert(nickname)

-        self.run_certutil(["-M", "-n", root_nickname,
-                           "-t", "CT,CT,"])
+ if root_nickname is not None and root_nickname[:7] != "Builtin":
+            self.run_certutil(["-M", "-n", root_nickname,
+                               "-t", "CT,CT,"])

     def find_server_certs(self):
         p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
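
Review bot: the added `if` on the first `+` line is indented with a single space, while the two `self.run_certutil(` lines under it sit at twelve spaces; inside `trust_root_cert` the condition needs eight spaces (level with `root_nickname = ...`) or Python will reject the block, which matters given the advice below to apply the hunk by hand. `root_nickname.startswith("Builtin")` reads more clearly than `root_nickname[:7] != "Builtin"` with the same effect. Note also that the nickname in the backtrace above (`Builtin Object Token:Go Daddy Class 2 CA" [OU=...`) still carries a trailing quote and part of the subject DN, so skipping builtin tokens avoids the failing `certutil -M` call but leaves `find_root_cert` returning more than the nickname.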

If you are careful you should be able to modify, as root, the IPA python source. You'll find it in /usr/lib/python2.5/site-packages/ipaserver/certs.py

Indentation matters in python so be sure to apply this exactly.

rob
Well, it worked partly. I was able to successfully import the certificate for the webserver. It did not set the trust attributes on the CA certificates (perhaps that was the point). If I run the command to import the certificate for the directory server, it fails on a different part of the CA chain now.

# ipa-server-certinstall -d /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx --dirsrv_pin='mysecretpin'
Directory Manager password:
an unexpected error occurred: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255
Traceback (most recent call last):
  File "/usr/sbin/ipa-server-certinstall", line 132, in main
    server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
  File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
    cdb.trust_root_cert(server_cert[0])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 325, in trust_root_cert
    "-t", "CT,CT,"])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
    return ipautil.run(new_args, stdin)
  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
    raise CalledProcessError(p.returncode, ' '.join(args))
CalledProcessError: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Looking into this a bit closer, my best guess is that the problem really exists in the find_root_cert routine. If I manually run certutil -O on my server certificate, I get:

"valicert.com" [e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network]

"Go Daddy Class 2 Certification Authority" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US]

"Go Daddy Secure Certification Authority" [serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]

"servername server-cert" [CN=servername.realm.com,OU=Domain Control Validated,O=servername.realm.com]

It looks like it is choking on the quotes around the organization name. Does this routine really need to return the part between the square brackets? From what I've seen thus far, it does not look like the Distinguished Name is required for certificate management. Can the string just be chopped off after the friendly name?

I think you're onto something there. Python's re module doesn't count quotes so it looks like it is taking everything between the first quote and the last one. If I'm reading the backtrace properly, for example, it looks like it is dropping the C=US which is outside the last set of quotes.

I think that adding in a more precise match will fix it. In some quickie unit tests this seems to work:

--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -311,15 +311,16 @@ class CertDB(object):
         chain = p.stdout.read()
         chain = chain.split("\n")

-        root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]
+        root_nickname = re.match('\ *"(.*) \[".*', chain[0]).groups()[0]
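
Review bot: the replacement pattern `'\ *"(.*) \[".*'` places the closing quote after the `[`, but the `certutil -O` lines quoted above read `"valicert.com" [e=...`, that is quote, space, bracket; as written the pattern finds no `" ["` sequence, so `re.match` returns `None` and `.groups()` raises `AttributeError`. The intended anchor is presumably `'\ *"(.*)" \[.*'`; a non-greedy group, `'\s*"(.*?)" \[.*'`, stops at the first `" [` so quoted values later in the DN cannot extend the match, and checking the match for `None` before calling `.groups()` turns an unexpected line into a clear error instead of a traceback.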

Can you give this a try?
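The nickname-parsing problem discussed in the last two messages, as an added example (Python 3, not code from the thread or from FreeIPA itself): it runs the greedy `find_root_cert` pattern and a precise replacement over a constructed `certutil -O` chain modelled on the one quoted above, and applies the builtin-token skip from the earlier patch. `parse_chain_line`, `is_builtin_token` and `trust_root_args` are hypothetical names, not FreeIPA functions.

```python
import re

# Constructed sample, modelled on the `certutil -O` chain quoted in the thread
# (root first, server cert last). The e= value keeps the thread's elided form.
SAMPLE_CHAIN = (
    '"valicert.com" [e=i...@valicert.com,CN=http://www.valicert.com/,'
    'OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",'
    'L=ValiCert Validation Network]\n'
    '"Go Daddy Class 2 Certification Authority" [OU=Go Daddy Class 2 '
    'Certification Authority,O="The Go Daddy Group, Inc.",C=US]\n'
    '"servername server-cert" [CN=servername.realm.com,'
    'OU=Domain Control Validated,O=servername.realm.com]\n'
)

# The greedy pattern from find_root_cert: captures everything between the first
# quote on the line and the LAST one, so a quoted O= value drags the DN into the nickname.
OLD_NICK_RE = re.compile(r'\ *"(.*)".*')
# Precise form: non-greedy, anchored on the '" [' that separates nickname from DN.
NEW_NICK_RE = re.compile(r'^\s*"(.*?)" \[(.*)\]\s*$')


def old_root_nickname(line):
    """Nickname as the unpatched code extracted it (greedy match)."""
    return OLD_NICK_RE.match(line).groups()[0]


def parse_chain_line(line):
    """Return (nickname, dn) for one certutil -O line, or None if it is not one."""
    m = NEW_NICK_RE.match(line)
    return None if m is None else (m.group(1), m.group(2))


def is_builtin_token(nickname):
    """Certs served by the NSS builtin roots module carry this prefix; they are not
    objects in the server's own DB, so certutil -M on them is the wrong call."""
    return nickname.startswith("Builtin Object Token:")


def trust_root_args(chain_text, secdir="/etc/httpd/alias"):
    """certutil argument list the patched trust_root_cert would run for the chain's
    root, or None when the root is a builtin token (skipped, as the patch does)."""
    lines = chain_text.splitlines()
    parsed = parse_chain_line(lines[0]) if lines else None
    if parsed is None or is_builtin_token(parsed[0]):
        return None
    return ["/usr/bin/certutil", "-d", secdir, "-M", "-n", parsed[0], "-t", "CT,CT,"]
```

Running `old_root_nickname` on the first sample line yields exactly the mangled `-n` value seen in the dirsrv backtrace, while `parse_chain_line` keeps the `C=US` that the greedy match dropped.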
