James Masson wrote:


On 12/11/15 15:21, Rob Crittenden wrote:
James Masson wrote:


On 30/10/15 13:52, Rob Crittenden wrote:
James Masson wrote:


On 26/10/15 16:11, Martin Kosek wrote:
On 10/26/2015 04:05 PM, James Masson wrote:


On 19/10/15 21:06, Rob Crittenden wrote:
James Masson wrote:

Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA - Vault.

Setup fails, using the same 2 step IPA setup process as used with upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

I'm guessing you don't include the entire CA certchain of Vault. Dogtag is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

rob



Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert - the IPA's python-based install code is happy with the cert chain, but the Java-based dogtag code chokes on it.

OpenSSL is happy with it too.

#####
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like to know exactly what Dogtag doesn't like about the certificate.

thanks

James M

Let me CC at least Jan Ch. and David, they may be able to help and should also make sure FreeIPA gets better in validating the certs, as appropriate.


Any thoughts guys?

I cc'd one of the dogtag guys to see if he knows.

You might also try using certutil to validate the certificates, it might give you some hints to what is going on.

I'm assuming your certdb (it can vary by version) is in /var/lib/pki/pki-tomcat/alias

certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of certificates installed. You can verify each one to see what is going on. The -u flag specifies usage. See the certutil man page for a full set of options.

For example:

# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca'
certutil: certificate is valid

rob


Hi All,

I've created a ticket to track this

https://fedorahosted.org/pki/ticket/1697

Rob - certutil output:

Some certificate types seem not to be approved. Not sure if this is a red herring.

##############
[root@foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'root.com'
certutil: certificate is invalid: Certificate type not approved for application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca'
certutil: certificate is valid
#############

That's why I pointed you to the certutil man page to find out the different usages to test. The C usage is SSL client usage. Depending on the cert the usage may be different.

rob

Missed that. Here are those commands again with different certusage checking.

In short, they're all superficially valid.

##########
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
certutil: certificate is valid

[root@foo ~]# certutil -V -u Y -d /var/lib/pki/pki-tomcat/alias -n 'root.com'
certutil: certificate is valid

[root@foo ~]# certutil -V -u O -d /var/lib/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca'
certutil: certificate is valid

[root@foo ~]# certutil -V -u V -d /var/lib/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
certutil: certificate is valid

[root@foo ~]# certutil -V -u V -d /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca'
certutil: certificate is valid

[root@foo ~]# certutil -V -u J -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca'
certutil: certificate is valid
####


However, the debug logs seem to indicate the 'caSigningCert cert-pki-ca' is the one it has problems with.

####
[12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=signing
[12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils: verifySystemCertByTag(signing)
[12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(caSigningCert cert-pki-ca,SSLCA)
[12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: caSigningCert cert-pki-ca
[12/Nov/2015:12:41:35][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification
#########

But further checking seems to indicate the cert passes the relevant checks (Y A L)

######
[root@foo ~]# certutil -V -u Y -d /var/lib/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u A -d /var/lib/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u L -d /var/lib/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
certutil: certificate is valid
#####


Ok, yeah, we'll need to wait for the dogtag guys to chime in here or on the ticket. Note that validity also depends on valid to/from dates so you might check that too, but it's a stretch to suggest that's the problem.

rob

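Since the back-and-forth above turns on reading the trust-attribute column of `certutil -L` correctly, here is a small parser for that listing. This is an added example, not code from the thread, FreeIPA or Dogtag; it embeds the listing James posted, takes the flag meanings from certutil(1), and the `is_ca`/`has_key` helper names are my own.

```python
import re
from dataclasses import dataclass

# Trust-flag letters per certutil(1); each entry carries one group for SSL, S/MIME, JAR/XPI.
FLAG_MEANING = {"C": "trusted CA (server certs)", "T": "trusted CA (client certs)",
                "c": "valid CA, not trusted", "P": "trusted peer", "p": "valid peer",
                "u": "user cert (private key in DB)", "w": "warn on send"}
# An entry line is: nickname, two or more spaces, three comma-separated flag groups.
LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")

@dataclass
class Entry:
    nickname: str
    ssl: str
    smime: str
    jar: str

    def is_ca(self) -> bool:        # any CA-type flag (C, T or c) in the SSL column
        return any(f in self.ssl for f in "CTc")
    def has_key(self) -> bool:      # 'u' in any column: the private key is in the DB
        return "u" in self.ssl + self.smime + self.jar
    def explain_ssl(self) -> list:  # human-readable SSL-column flags
        return [FLAG_MEANING[f] for f in self.ssl]

def parse_certutil_listing(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line, the "SSL,S/MIME,JAR/XPI" label, or a blank
        ssl, smime, jar = m.group("trust").split(",")
        entries.append(Entry(m.group("nick"), ssl, smime, jar))
    return entries

def summarise(text: str) -> dict:
    """nickname -> (is a CA in the SSL column, private key present)."""
    return {e.nickname: (e.is_ca(), e.has_key()) for e in parse_certutil_listing(text)}

# Listing copied from the thread's 'certutil -L -d /var/lib/pki/pki-tomcat/alias' output.
LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""
```

Running `summarise(LISTING)` shows the two entries flagged as CAs (the signing cert, which also has its key, and the imported root, which does not) against the four leaf certs that only carry `u`.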