Re: [Freeipa-users] How to remove bad cert renewal from certmonger?
On Mon, 25 Apr 2016, Rob Crittenden wrote: Tikkanen, Tuomo (Nokia - FI/Espoo) wrote: On 23.4.2016 1:23, EXT Rob Crittenden wrote: Tikkanen, Tuomo (Nokia - FI/Espoo) wrote: Repetitio est mater studiorum: How I can clean this defective state of certmonger? # ipa-getcert stop-tracking -i 20160212110456 Ah! That was obvious! Thanks a lot Rob. Second question if/when the above urgent problem is solved: Is there any way to get IP address to SAN field for the IPA Server-Certs? Not without changing code. IP address SAN are explicitly forbidden: Subject alt name type IP Address is forbidden rob Is there any true reason why IP Address is forbidden by certmonger / freeipa? Or is it just "not implemented" kind of restriction? It is denied by IPA, not certmonger. IP addresses are frowned upon in certs in general and they are denied by IPA because the access control would be really difficult. Today a host must be granted access to issue certs with additional names in it. You can open a RFE for this on the IPA trac if you really need it. I'm not deeply familiar with the new profile support so perhaps it is possible to do this using the latest version of IPA, I'm not sure. Correct and no, it is not right now. Certificate profile defines what CA considers possible to grant when issuing a cert. CA doesn't have contextual logic -- that would be provided by an agent approving the cert. IPA framework is sitting in front of CA to put the context in place and could be considered such an agent, so we have logic to cross-check the request for fields that would be conflicting with IPA access controls. As it happens now, IPA framework disallows IP addresses. Adding support for that would need to get proper logic in place to decide which address spaces to allow being managing by a requesting party -- a host in your case as certmonger asks for the cert on behalf of the host. We don't have any system in place for that. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] How to remove bad cert renewal from certmonger?
Tikkanen, Tuomo (Nokia - FI/Espoo) wrote: On 23.4.2016 1:23, EXT Rob Crittenden wrote: Tikkanen, Tuomo (Nokia - FI/Espoo) wrote: Repetitio est mater studiorum: How I can clean this defective state of certmonger? # ipa-getcert stop-tracking -i 20160212110456 Ah! That was obvious! Thanks a lot Rob. Second question if/when the above urgent problem is solved: Is there any way to get IP address to SAN field for the IPA Server-Certs? Not without changing code. IP address SAN are explicitly forbidden: Subject alt name type IP Address is forbidden rob Is there any true reason why IP Address is forbidden by certmonger / freeipa? Or is it just "not implemented" kind of restriction? It is denied by IPA, not certmonger. IP addresses are frowned upon in certs in general and they are denied by IPA because the access control would be really difficult. Today a host must be granted access to issue certs with additional names in it. You can open a RFE for this on the IPA trac if you really need it. I'm not deeply familiar with the new profile support so perhaps it is possible to do this using the latest version of IPA, I'm not sure. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] How to remove bad cert renewal from certmonger?
On 23.4.2016 1:23, EXT Rob Crittenden wrote: Tikkanen, Tuomo (Nokia - FI/Espoo) wrote: Repetitio est mater studiorum: How I can clean this defective state of certmonger? # ipa-getcert stop-tracking -i 20160212110456 Ah! That was obvious! Thanks a lot Rob. Second question if/when the above urgent problem is solved: Is there any way to get IP address to SAN field for the IPA Server-Certs? Not without changing code. IP address SAN are explicitly forbidden: Subject alt name type IP Address is forbidden rob Is there any true reason why IP Address is forbidden by certmonger / freeipa? Or is it just "not implemented" kind of restriction? -- tuomo.tikka...@nokia.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] How to remove bad cert renewal from certmonger?
Tikkanen, Tuomo (Nokia - FI/Espoo) wrote: Hello all, I tried to renew the server HTTP certificates for two freeipa servers so that certs would have Subject Alternative Name (SAN) fields for all the addresses they have (two DNS names and IPs). I won't go to the details why this is required, but I started with ipa2 (slave) and immediately got problems. Some I managed to solve, but there is now problem to which I have not found any solution. How to remove from certmonger a renewal request that has a bad certificate request in it? What I did was: # ipa-getcert resubmit -i "20160212110456" -D "ipa2.lab-public-domain" -D "ipa2.lab-management-domain" -D "10.22.199.253" -D "10.10.1.253" -A "10.22.199.253" -A "10.10.1.253" This led to a problem that ipa2.lab-management-domain server was not as host in the freeipa. Added the needed info: # ipa host-add ipa2.lab-management-domain # ipa service-add HTTP/ipa2.lab-management-domain --force # ipa service-add-host HTTP/lab-management-domain --host ipa2.lab-management-domain Then I ran the above resubmit command again. This time the there was an error related to the -D "10.22.199.253" and -D "10.10.1.253" fields. And because it is not possible to use ipa host-add "10.22.199.253" I decided just to drop the -D fields with IP addresses, but left the -A options. And ran the resubmit command again. Now the error in ipa-getcert list command changed to tell that IP Address is forbidden: # ipa-getcert list -i "20160212110456" ... Request ID '20160212110456': status: MONITORING ca-error: Server at https://ipa2.lab-public-domain/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Subject alt name type IP Address is forbidden). stuck: no ... That is the state where I now have stuck. I have tried the ipa-getcert resubmit command without any -D or -A fields but the error stays there. I took the "csr=" value from the file /var/lib/certmonger/requests/20160212110456 and saved it to /tmp/request file. Using openssl I can see that it still contains SAN attribute with IP addresses and two odd fields that probably are there because of those -D "IP" fields I had at the beginning: # openssl req -in /tmp/request -text -noout . X509v3 Subject Alternative Name: DNS:ipa2.lab-public-domain, DNS:ipa2.lab-public-domain, othername:, othername:, IP Address:10.22.199.253, IP Address:10.10.1.253 . Repetitio est mater studiorum: How I can clean this defective state of certmonger? # ipa-getcert stop-tracking -i 20160212110456 Second question if/when the above urgent problem is solved: Is there any way to get IP address to SAN field for the IPA Server-Certs? Not without changing code. IP address SAN are explicitly forbidden: Subject alt name type IP Address is forbidden rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] How to remove bad cert renewal from certmonger?
Hello all, I tried to renew the server HTTP certificates for two freeipa servers so that certs would have Subject Alternative Name (SAN) fields for all the addresses they have (two DNS names and IPs). I won't go to the details why this is required, but I started with ipa2 (slave) and immediately got problems. Some I managed to solve, but there is now problem to which I have not found any solution. How to remove from certmonger a renewal request that has a bad certificate request in it? What I did was: # ipa-getcert resubmit -i "20160212110456" -D "ipa2.lab-public-domain" -D "ipa2.lab-management-domain" -D "10.22.199.253" -D "10.10.1.253" -A "10.22.199.253" -A "10.10.1.253" This led to a problem that ipa2.lab-management-domain server was not as host in the freeipa. Added the needed info: # ipa host-add ipa2.lab-management-domain # ipa service-add HTTP/ipa2.lab-management-domain --force # ipa service-add-host HTTP/lab-management-domain --host ipa2.lab-management-domain Then I ran the above resubmit command again. This time the there was an error related to the -D "10.22.199.253" and -D "10.10.1.253" fields. And because it is not possible to use ipa host-add "10.22.199.253" I decided just to drop the -D fields with IP addresses, but left the -A options. And ran the resubmit command again. Now the error in ipa-getcert list command changed to tell that IP Address is forbidden: # ipa-getcert list -i "20160212110456" ... Request ID '20160212110456': status: MONITORING ca-error: Server at https://ipa2.lab-public-domain/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Subject alt name type IP Address is forbidden). stuck: no ... That is the state where I now have stuck. I have tried the ipa-getcert resubmit command without any -D or -A fields but the error stays there. I took the "csr=" value from the file /var/lib/certmonger/requests/20160212110456 and saved it to /tmp/request file. Using openssl I can see that it still contains SAN attribute with IP addresses and two odd fields that probably are there because of those -D "IP" fields I had at the beginning: # openssl req -in /tmp/request -text -noout . X509v3 Subject Alternative Name: DNS:ipa2.lab-public-domain, DNS:ipa2.lab-public-domain, othername:, othername:, IP Address:10.22.199.253, IP Address:10.10.1.253 . Repetitio est mater studiorum: How I can clean this defective state of certmonger? Second question if/when the above urgent problem is solved: Is there any way to get IP address to SAN field for the IPA Server-Certs? The system is Centos7(.2) with and freeipa is installed from the repository: # cat /etc/centos-release CentOS Linux release 7.2.1511 (Core) # yum list installed | grep ipa ipa-admintools.x86_64 4.2.0-15.el7_2.6@updates ipa-client.x86_64 4.2.0-15.el7_2.6@updates ipa-python.x86_64 4.2.0-15.el7_2.6@updates ipa-server.x86_64 4.2.0-15.el7_2.6@updates ipa-server-dns.x86_64 4.2.0-15.el7_2.6@updates libipa_hbac.x86_64 1.13.0-40.el7_2.1 @updates python-iniparse.noarch 0.4-9.el7 @anaconda python-libipa_hbac.x86_64 1.13.0-40.el7_2.1 @updates sssd-ipa.x86_641.13.0-40.el7_2.1 @updates BR, -- Tuomo Tikkanen (a) nokia com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
