On 11/05/2015 02:39 PM, Marat Vyshegorodtsev wrote:
> Hi!
>
> I've been fighting for the past week with FreeIPA and trying to make
> it work with my own CA certificate that is ECDSA_SHA256.
>
> Even though I somehow fixed /etc/httpd/conf.d/nss.conf to make it work
> (basically added the correct NSSCipherSuite), LDAP (389DS) is a tough nut.
>
> The command I used is:
>
> ipa-server-install --mkhomedir --hostname 'ipa.mydomain.com' --realm
> MYDOMAIN.COM --domain mydomain.com --ds-password 'DS_PASSWORD_HERE'
> --admin-password 'ADMIN_PASSWORD_HERE' --no-ntp --unattended
> --no-host-dns --dirsrv-cert-file /etc/ipa/ipa.p12 --http-cert-file
> /etc/ipa/ipa.p12 --dirsrv-pin 'PIN_FOR_CERT' --http-pin 'PIN_FOR_CERT'
> --ca-cert-file /etc/ipa/myownca.pem
>
> In this case, installation fails at the following step:
> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
> 'ipa.rpay.us' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
> '/var/lib/ipa/tmp5KkCae' '-T' '/var/lib/ipa/tmpTC27Ap'
> 'uid=admin,cn=users,cn=accounts,dc=rpay,dc=us'' returned non-zero exit
> status 1
>
> In /var/log/ipaserver-install.log I see a message:
> DEBUG stderr=ldap_start_tls: Protocol error (2)
> additional info: SSL not supported by this server.
>
> Basically, LDAP is broken now (it doesn't allow connecting without the -ZZ
> flag, and fails with it, since TLS is misconfigured at this point).
>
> What actually happens is that LDAP gets configured to use RSA as the key
> exchange algorithm, and fails, since the cert is an ECC cert.
>
> In /var/log/dirsrv/slapd-MYDOMAIN-COM/errors you can see:
> [05/Nov/2015:12:22:36 +0000] - SSL alert: ConfigSecureServer: Server
> key/certificate is bad for cert FreeIPA of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -12200
> - The certificate provided cannot be used with the selected key
> exchange algorithm.)
>
> This is configured by ipaserver/install/dsinstance.py under def __enable_ssl:
>
> entry = conn.make_entry(
>     DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
>     objectclass=["top", "nsEncryptionModule"],
>     cn=["RSA"],
>     nsSSLPersonalitySSL=[self.nickname],
>     nsSSLToken=["internal (software)"],
>     nsSSLActivation=["on"],
> )
> conn.add_entry(entry)
>
> My question is, is it possible to replace RSA with ECDSA here? If so,
> what parameters should I pass to LDAP?

Honza or Ludwig, do you know?

This is certainly uncharted territory, you are the first person I know about
trying to install FreeIPA CA-less with an ECC certificate. There is a ticket to
get ECC support in PKI (i.e. not CA-less), but it has not been completed yet:
https://fedorahosted.org/freeipa/ticket/3951

> If this is fixable, can someone add autodetect of the type of the
> certificate and enable appropriate algorithms in LDAP and Apache?
>
> Best regards,
> Marat Vyshegorodtsev

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
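Added example, not FreeIPA or 389-ds code and not part of this thread: the
detection half of what Marat asks for at the end, i.e. telling an RSA
certificate from an EC one before the installer writes the
cn=RSA,cn=encryption,cn=config entry. It is a stdlib-only DER walk that finds
the algorithm OID of the SubjectPublicKeyInfo (rsaEncryption vs.
id-ecPublicKey). The signature algorithm OIDs in a certificate
(sha256WithRSAEncryption, ecdsa-with-SHA256) are different OIDs, so a cert
with an EC key signed by an RSA CA, or the reverse, is still classified by
its key. The sample inputs are constructed DER fragments, not real
certificates. Which cn= family 389-ds accepts for an EC key is the open
question in the thread and is not answered by this code.

```python
"""Detect the public-key algorithm (RSA or EC) of a DER-encoded X.509 certificate.

Added example for the freeipa-users thread above; not FreeIPA or 389-ds code.
Only the standard library is used.
"""
import base64
import re

# Key-algorithm OIDs from RFC 3279 / RFC 5480 (the AlgorithmIdentifier inside
# SubjectPublicKeyInfo). Signature OIDs such as 1.2.840.113549.1.1.11
# (sha256WithRSAEncryption) and 1.2.840.10045.4.3.2 (ecdsa-with-SHA256) are
# deliberately absent, so the result reflects the key, not the issuer's CA.
KEY_ALGORITHMS = {
    "1.2.840.113549.1.1.1": "RSA",  # rsaEncryption
    "1.2.840.10045.2.1": "EC",      # id-ecPublicKey
}


def _read_length(data, pos):
    """Decode a DER definite length at data[pos]; return (length, position after it)."""
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes


def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted form.

    Assumes the first sub-identifier fits in one byte, which holds for every
    OID in the ISO/ITU/joint arcs used by X.509 key and signature algorithms.
    """
    if not content:
        raise ValueError("empty OID")
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def iter_oids(data):
    """Yield every OID in a DER blob in document order, descending into constructed types."""
    pos, end = 0, len(data)
    while pos < end:
        tag = data[pos]
        length, pos = _read_length(data, pos + 1)
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated DER element")
        if tag == 0x06:                 # OBJECT IDENTIFIER
            yield _decode_oid(body)
        elif tag & 0x20:                # constructed: SEQUENCE, SET, [n] EXPLICIT
            yield from iter_oids(body)
        pos += length


def key_algorithm(der):
    """Return 'RSA', 'EC', or None for a DER certificate (first key-algorithm OID wins)."""
    for oid in iter_oids(der):
        if oid in KEY_ALGORITHMS:
            return KEY_ALGORITHMS[oid]
    return None


def key_algorithm_from_pem(pem_text):
    """Same as key_algorithm() for the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return key_algorithm(base64.b64decode("".join(m.group(1).split())))


# ---- constructed sample data (hand-built DER, not real certificates) ----------

def _der(tag, content):
    """Encode one DER element with short or long definite length (test data only)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (
        bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return bytes([tag]) + length + content


def _oid(hexstr):
    return _der(0x06, bytes.fromhex(hexstr))


# Mimics the order inside a certificate: signature AlgorithmIdentifier first,
# SubjectPublicKeyInfo (AlgorithmIdentifier + BIT STRING) afterwards.
SAMPLE_EC_CERT = _der(0x30,
    _der(0x30, _oid("2A8648CE3D040302"))                       # ecdsa-with-SHA256 (signature)
    + _der(0x30, _der(0x30, _oid("2A8648CE3D0201")             # id-ecPublicKey
                            + _oid("2A8648CE3D030107"))        # prime256v1
                 + _der(0x03, b"\x00\x04" + b"\x11" * 64)))    # uncompressed point
SAMPLE_RSA_CERT = _der(0x30,
    _der(0x30, _oid("2A864886F70D01010B"))                     # sha256WithRSAEncryption (signature)
    + _der(0x30, _der(0x30, _oid("2A864886F70D010101")         # rsaEncryption
                            + _der(0x05, b""))                 # NULL parameters
                 + _der(0x03, b"\x00" + b"\x22" * 270)))       # long-form length exercised here
```

For a real deployment the input would be the PEM of the server certificate
(e.g. extracted from the PKCS#12 file Marat passes as --dirsrv-cert-file with
`openssl pkcs12 -nokeys`), and the installer would branch on the returned
value before building the nsEncryptionModule entry.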