Re: [Freeipa-users] Installation issues with sub-ca.
> -12195 is SSL_ERROR_UNKNOWN_CA_ALERT in NSS. I wonder if the root chain you gave to the IPA installer was complete.
>
> rob

I work with the PEM file format; in the sub-CA certificate there is no chain (but that isn't a problem if I use a self-generated CA). (Moreover, the script has the whole chain, the root certificate and FreeIPA's certificate, so it's strange.)

I tried to add the chain following this guide: http://www.digicert.com/ssl-support/pem-ssl-creation.htm, but the script crashes (it doesn't seem to support this method).

I fear it's a problem with my CA, but I have no idea what goes wrong.

Thank you for everything

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] FreeIPA 3.3.* bug with external-ca?
Hi, I'm trying to install FreeIPA with an external CA (again). Now I use FreeIPA 3.3.* and I found a strange error on [17/22]: requesting RA certificate from CA:

2013-11-08T11:07:38Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 1096, in main
    subject_base=options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1089, in __request_ra_certificate
    self.requestId = item_node[0].childNodes[0].data
2013-11-08T11:07:38Z DEBUG The ipa-server-install command failed, exception: IndexError: list index out of range

So, I opened /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py at line 1089:

        # Send the request to the CA
        conn = httplib.HTTPConnection(
            self.fqdn, self.dogtag_constants.UNSECURE_PORT)
        params = urllib.urlencode({'profileId': 'caServerCert',
                'cert_request_type': 'pkcs10',
                'requestor_name': 'IPA Installer',
                'cert_request': csr,
                'xmlOutput': 'true'})
        headers = {"Content-type": "application/x-www-form-urlencoded",
                   "Accept": "text/plain"}
        conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
        res = conn.getresponse()
        if res.status == 200:
            data = res.read()
            conn.close()
            doc = xml.dom.minidom.parseString(data)
            item_node = doc.getElementsByTagName("RequestId")
            self.requestId = item_node[0].childNodes[0].data   # <-- exception: IndexError: list index out of range
            doc.unlink()
            self.requestId = self.requestId.strip()
            if self.requestId is None:
                raise RuntimeError("Unable to determine RA certificate requestId")

I read the value of data:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<XMLResponse>
  <Status>1</Status>
  <Error>Profile caServerCert Not Found</Error>
</XMLResponse>

Can someone help me?

Thank you
Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?
Here is the log /var/log/pki/pki-tomcat/ca/debug:

[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet:service() uri = /ca/ee/ca/profileSubmit
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='xmlOutput' value='true'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='requestor_name' value='IPA Installer'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='profileId' value='caServerCert'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request' value='MIICazCCAVMCAQ...[omitted]'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: caProfileSubmit start to service.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: xmlOutput true
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: isRenewal false
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: bad data provided in processing request: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: curDate=Fri Nov 08 13:40:43 CET 2013 id=caProfileSubmit time=100

Log /var/log/pki/pki-tomcat/ca/system:

1434.http-bio-8443-exec-3 - [08/nov/2013:13:37:38 CET] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
1434.http-bio-8443-exec-7 - [08/nov/2013:13:40:19 CET] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException

Thank you
Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?
> /usr/share/pki/ca/profiles/ca/caServerCert.cfg exist?

Yes

> Does rpm -V pki-ca pass?

No response

> Can openssl x509 -text -in /path/to/ca.crt show the cert ok?

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1383914316 (0x527cdb4c)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=DBM
        Validity
            Not Before: Nov  8 12:38:37 2013 GMT
            Not After : Feb 16 12:38:38 2014 GMT
        Subject: O=DBMSRL.COM, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:4b... [omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name:
                email:d...@dbmsrl.com
            X509v3 Extended Key Usage:
                Code Signing, OCSP Signing, Time Stamping
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                2D:21:C5:07... [omitted]
            X509v3 Authority Key Identifier:
                keyid:2A:B7... [omitted]
Re: [Freeipa-users] Installation issues with sub-ca.
I found the reason for the failure of the installation. The script uses an NSS db located under /tmp:

---
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
Certificate Authority - dbmsrl.com                           ,,c
D.B.M. CA - dbmsrl.com                                       c,c,
testnick                                                     P,,
---

The trust attributes are strange (not trusted) and the chain is broken:

---
[root@dbm13 cert]# certutil -d [temp db] -O -n "Certificate Authority - dbmsrl.com"
"D.B.M. CA - dbmsrl.com" [O=dbmsrl.com,OU=office,OU=services,CN=D.B.M. CA]

  "Certificate Authority - dbmsrl.com" [CN=Certificate Authority,O=DBMSRL.COM]

[root@dbm13 cert]# certutil -d [temp db] -O -n ipa-ca-agent
"ipa-ca-agent" [CN=ipa-ca-agent,O=DBMSRL.COM]
---

I tried exporting all the certificates in PEM format; if I check the signature with openssl, everything works perfectly... The chain is valid, but NSS doesn't see it for the ipa-ca-agent certificate. (sslget returns SSL_ERROR_UNKNOWN_CA_ALERT when the script tries to use this certificate.)

Now I know what the problem is, but I don't know how to fix it XD

Can anyone help me?

Thank you
Re: [Freeipa-users] Installation issues with sub-ca.
> This is incorrect. To validate a certificate you only need the CA public keys, not the private ones. Only having the ipa-ca-agent key is right. This is a temporary database, not the CA database. We are using this cert to request some information about itself from the CA in this case.

You're right, I thought that the script used a temporary db to create the final database, but it's only used to connect with sslget.

> I think there is an issue with one of the CA certs but I've yet to duplicate it or identify what is wrong. I'm still waiting on word back from one of the NSS devs.

I did some tests: the error occurs when I use a CA managed by EJBCA; if I use a CA generated by openssl or nss, everything works properly.

The problem is that I can't reproduce the bug in an external nss db... but maybe I don't follow the same steps that the installation script uses.

Andrea Bontempi
Re: [Freeipa-users] Installation issues with sub-ca.
> The issue is one is encoded as a UTF8 string and the other is encoded as a printable string. This makes the binary derSubject and derIssuer fields different. NSS does not like derSubject and derIssuer fields that are different

Wow, that was the problem! Now it works!

To fix it, you must go to EJBCA Administration and activate the "PrintableString encoding in DN" option in a new CA.

Thank you very much, your help has been fundamental :-)

Andrea Bontempi
Re: [Freeipa-users] Installation issues with sub-ca. [SOLVED]
The problem is the encoding of the certificate subject: some CAs use UTF-8 (like EJBCA), whereas NSS creates certificates with the subject in ASCII.

The error occurs during the installation at the step "issuing RA agent certificate", when sslget tries to use the TLS certificate ipa-ca-agent and fails with error code -12195. This error (SSL_ERROR_UNKNOWN_CA_ALERT) means that ipa-ca-agent is signed by a missing CA. If you open the NSS database used by sslget you can see the correct CA chain, but you can't follow this chain from ipa-ca-agent; this is the cause of the error explained above. To follow the chain, NSS makes a bit-for-bit comparison of the derSubject and derIssuer fields, but they can't match because one is in UTF-8 and the other is in ASCII.

To fix it, you must use the old mode (PrintableString) to sign the FreeIPA sub-CA certificate; in EJBCA, just make a new root CA with the option "PrintableString encoding in DN" enabled.

Thanks for the help.

Andrea Bontempi
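Added example for the root cause described in the message above and for the earlier message showing a chain that openssl accepts but the temporary NSS database cannot follow. It is not code from the thread, FreeIPA, Dogtag, NSS or EJBCA. It hand-encodes the sub-CA DN CN=Certificate Authority,O=DBMSRL.COM as an X.501 Name once with PrintableString values and once with UTF8String values, then compares the two the way NSS does (derIssuer against derSubject, byte for byte) and by decoded value. Which CA wrote which encoding is taken from the message above; the function names, the tiny DER encoder/decoder and the sample DN list are this example's own.

```python
"""
Why NSS cannot chain a PrintableString issuer to a UTF8String subject.

Added example for the freeipa-users thread; not code from FreeIPA, Dogtag,
NSS or EJBCA.  Encodes one DN two ways and compares the results the way NSS
does (exact DER bytes) and the way a lenient verifier does (decoded values).
"""

# ASN.1 tags used below.
SEQUENCE, SET, OID = 0x30, 0x31, 0x06
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C

# DER-encoded attribute type OIDs: id-at-commonName, id-at-organizationName.
OID_CN = bytes.fromhex("550403")
OID_O = bytes.fromhex("55040a")

# Characters PrintableString may carry (X.680); anything else needs UTF8String.
_PRINTABLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_name(rdns, string_tag):
    """Encode [(oid, text), ...] as an X.501 Name with every value in string_tag.

    Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value DirectoryString }
    """
    out = b""
    for oid, text in rdns:
        if string_tag == PRINTABLE_STRING and not set(text) <= _PRINTABLE:
            raise ValueError("not representable as PrintableString: %r" % text)
        ava = _tlv(SEQUENCE, _tlv(OID, oid) + _tlv(string_tag, text.encode("utf-8")))
        out += _tlv(SET, ava)
    return _tlv(SEQUENCE, out)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_name(der):
    """Parse a DER Name into [(oid, string_tag, text), ...], one AVA per RDN."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)      # SET
        _, ava, _ = _read_tlv(rdn, 0)           # SEQUENCE { type, value }
        _, oid, vpos = _read_tlv(ava, 0)
        vtag, value, _ = _read_tlv(ava, vpos)
        rdns.append((oid, vtag, value.decode("utf-8")))
    return rdns


def nss_style_match(issuer_der, subject_der):
    """NSS finds an issuer by comparing derIssuer to derSubject byte for byte."""
    return issuer_der == subject_der


def value_match(issuer_der, subject_der):
    """Lenient match on decoded (type, text) pairs, ignoring the string tag.

    Roughly why openssl accepted the chain in the thread: OpenSSL compares
    names in a canonical form, not by their raw encoding.
    """
    return ([(o, t) for o, _, t in decode_name(issuer_der)]
            == [(o, t) for o, _, t in decode_name(subject_der)])


def string_tags(der):
    """The DirectoryString tag of each attribute, to eyeball a DN's encoding."""
    return [tag for _, tag, _ in decode_name(der)]


# The sub-CA DN from the thread.  Per the message above, EJBCA wrote the sub-CA's
# subject as UTF8String while Dogtag wrote the ipa-ca-agent issuer as
# PrintableString; the variable names encode that assumption.
SUBCA_DN = [(OID_CN, "Certificate Authority"), (OID_O, "DBMSRL.COM")]
subca_subject_utf8 = encode_name(SUBCA_DN, UTF8_STRING)
agent_issuer_printable = encode_name(SUBCA_DN, PRINTABLE_STRING)

if __name__ == "__main__":
    print("sub-CA subject :", subca_subject_utf8.hex())
    print("agent issuer   :", agent_issuer_printable.hex())
    print("value match    :", value_match(agent_issuer_printable, subca_subject_utf8))
    print("NSS-style match:", nss_style_match(agent_issuer_printable, subca_subject_utf8))
```

Both encodings are the same length and differ in exactly two bytes (the tag of each attribute value), which is enough for the byte-for-byte lookup to miss while the decoded values still agree. On real certificates the same check is `openssl asn1parse -i -in cert.pem`, which prints each DN attribute as PRINTABLESTRING or UTF8STRING; compare the issuer of the leaf against the subject of the CA that signed it. OpenSSL-based CAs have the equivalent knob to the EJBCA option named above: `string_mask` in the req/ca configuration.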
[Freeipa-users] NSPR Error -8015
Hi,

I have a strange error on one FreeIPA client (it doesn't occur on my other client) when I try to call the FreeIPA admin tools (example: ipa ping). On the CLI the error prints:

ipa: ERROR: cannot connect to u'https://myipaserver/ipa/xml': [Errno -8015] error (-8015) unknown

The client works perfectly in the FreeIPA network; it's only a problem with the CLI command.

I tried to connect through the Python API, and I obtain this traceback:

Traceback (most recent call last):
  File "<input>", line 1, in <module>
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 748, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 743, in forward
    raise NetworkError(uri=server, error=str(e))
NetworkError: cannot connect to u'https://myipaserver/ipa/xml': [Errno -8015] error (-8015) unknown

On line 743 we find:

        except NSPRError, e:
            raise NetworkError(uri=server, error=str(e))

Can someone help me?

Thank you

Andrea Bontempi
Re: [Freeipa-users] Full certificate renewal
SOLVED

I forgot to update the certificates in /etc/pki-ca/CS.cfg

Andrea Bontempi