Re: [Freeipa-users] IPA with external CA signed certs

2015-11-13 Thread Gronde, Christopher (Contractor)
THAT WORKED THANKS ROB!! I OWE YOU A BEER!

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Friday, November 13, 2015 9:29 AM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; James 
Masson <james.mas...@jmips.co.uk>; Martin Kosek <mko...@redhat.com>; 
freeipa-users@redhat.com; Jan Cholasta <jchol...@redhat.com>; David Kupka 
<dku...@redhat.com>; Endi Sukma Dewata <edew...@redhat.com>
Subject: Re: [Freeipa-users] IPA with external CA signed certs

Gronde, Christopher (Contractor) wrote:
> For those of you that have been helping me...thank you!  For all those 
> following along here is the status of my issues.
>
> I ended up replacing the krbprincipal key and the user certificate in LDAP to 
> match what is on the master and I am no longer getting the invalid 
> credentials error!  So thanks for that!
>
> Unfortunately, krb5kdc still will not start...
>
> When trying to run:
>
> ldapsearch -Y EXTERNAL -H 
> ldapi://%2fvar%2frun%2fslapd-ITMODEV-GOV.socket -b 
> "cn=ITMODEV.GOV,cn=kerberos,dc=itmodev,dc=gov" krbMKey=*
>
> I get " ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) "
>
> So we did a strace on that to see if we could find anything and I found:
>
> connect(3, {sa_family=AF_LOCAL, 
> sun_path="/var/run/slapd-ITMODEV-GOV.socket"}, 110) = -1 ECONNREFUSED 
> (Connection refused)
>
> So it looks like an issue with the listening socket.  Ran some more tests on 
> the socket...
>
> [root@comipa02 ~]# ls -lZ /var/run/slapd-ITMODEV-GOV.socket 
> srw-rw-rw-. root root system_u:object_r:dirsrv_var_run_t:s0 
> /var/run/slapd-ITMODEV-GOV.socket
>
> So the socket exists but " lsof -U -a -udirsrv" gives me no return...nothing.
>
> Anybody know what I need to do to fix the socket?

Here are a few random ideas:

Ensure that nsslapd-ldapifilepath points to the right place in dse.ldif (to 
your /var/run/slapd-INSTANCE.socket)

Ensure that nsslapd-ldapilisten and nsslapd-ldapiautobind are on  (also
dse.ldif)

Remember that to tweak dse.ldif directly dirsrv needs to be shutdown.

Try removing the socket and restarting dirsrv

Look for SELinux AVCs (though your context looks right):
# ausearch -m AVC -ts recent

rob


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA with external CA signed certs

2015-11-13 Thread Rob Crittenden

Gronde, Christopher (Contractor) wrote:

For those of you that have been helping me...thank you!  For all those 
following along here is the status of my issues.

I ended up replacing the krbprincipal key and the user certificate in LDAP to 
match what is on the master and I am no longer getting the invalid credentials 
error!  So thanks for that!

Unfortunately, krb5kdc still will not start...

When trying to run:

ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-ITMODEV-GOV.socket -b 
"cn=ITMODEV.GOV,cn=kerberos,dc=itmodev,dc=gov" krbMKey=*

I get " ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) "

So we did a strace on that to see if we could find anything and I found:

connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/slapd-ITMODEV-GOV.socket"}, 
110) = -1 ECONNREFUSED (Connection refused)

So it looks like an issue with the listening socket.  Ran some more tests on 
the socket...

[root@comipa02 ~]# ls -lZ /var/run/slapd-ITMODEV-GOV.socket
srw-rw-rw-. root root system_u:object_r:dirsrv_var_run_t:s0 
/var/run/slapd-ITMODEV-GOV.socket

So the socket exists but " lsof -U -a -udirsrv" gives me no return...nothing.

Anybody know what I need to do to fix the socket?


Here are a few random ideas:

Ensure that nsslapd-ldapifilepath points to the right place in dse.ldif 
(to your /var/run/slapd-INSTANCE.socket)


Ensure that nsslapd-ldapilisten and nsslapd-ldapiautobind are on  (also 
dse.ldif)


Remember that to tweak dse.ldif directly dirsrv needs to be shutdown.

Try removing the socket and restarting dirsrv

Look for SELinux AVCs (though your context looks right):
# ausearch -m AVC -ts recent

rob

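Rob's checklist above (socket path, ldapilisten, ldapiautobind in dse.ldif) can be checked mechanically. What follows is an added example, not code from the thread or from 389-ds: it reads the three LDAPI attributes out of the "dn: cn=config" entry of a dse.ldif, unfolding wrapped LDIF lines, and compares nsslapd-ldapifilepath with the socket path the client is dialing. The helper names (ldif_entry, config_attr, check_ldapi_config) and the two sample dse.ldif fragments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from 389-ds): check the LDAPI settings
# Rob lists by reading them out of dse.ldif instead of eyeballing the file.
# Assumption: the attributes live in the "dn: cn=config" entry, as in 389-ds.

# Print the "attr: value" lines of one LDIF entry, unfolding continuation
# lines (a line that starts with a space continues the previous one).
# Usage: ldif_entry <ldif-file> <dn>
ldif_entry() {
    awk -v want="dn: $2" '
        function flush() {
            if (buf == "") { inside = 0; return }   # blank line ends the entry
            if (buf == want) inside = 1
            else if (inside && buf !~ /^#/) print buf
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END { flush() }
    ' "$1"
}

# Print the value of one attribute from the cn=config entry (first match).
# Usage: config_attr <ldif-file> <attribute>
config_attr() {
    ldif_entry "$1" "cn=config" | awk -v a="$2" '
        index(tolower($0), tolower(a) ": ") == 1 { print substr($0, length(a) + 3); exit }
    '
}

# Compare the three LDAPI attributes with the socket path the clients use.
# Prints one line per finding; returns 1 if anything needs fixing.
# Usage: check_ldapi_config <ldif-file> <expected-socket-path>
check_ldapi_config() {
    rc=0
    path=$(config_attr "$1" nsslapd-ldapifilepath)
    listen=$(config_attr "$1" nsslapd-ldapilisten)
    autobind=$(config_attr "$1" nsslapd-ldapiautobind)
    if [ "$path" != "$2" ]; then
        echo "MISMATCH nsslapd-ldapifilepath='$path' expected='$2'"
        rc=1
    fi
    for pair in "nsslapd-ldapilisten=$listen" "nsslapd-ldapiautobind=$autobind"; do
        case "${pair#*=}" in
            on|On|ON) ;;
            *) echo "OFF ${pair%%=*}='${pair#*=}' (must be on)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files: one consistent configuration (with a folded LDIF
# line and a decoy attribute in another entry), and one still pointing at an
# old instance name with autobind switched off.
tmp=$(mktemp -d)
GOOD_LDIF=$tmp/good.ldif
BAD_LDIF=$tmp/bad.ldif
SOCKET=/var/run/slapd-ITMODEV-GOV.socket
cat > "$GOOD_LDIF" <<'EOF'
dn: cn=config
objectClass: top
nsslapd-ldapilisten: on
nsslapd-ldapifilepath: /var/run/slapd-ITMODEV-GOV.sock
 et
nsslapd-ldapiautobind: on

dn: cn=encryption,cn=config
nsslapd-ldapifilepath: /not/the/config/entry.socket
EOF
cat > "$BAD_LDIF" <<'EOF'
dn: cn=config
nsslapd-ldapilisten: on
nsslapd-ldapifilepath: /var/run/slapd-OLDNAME.socket
nsslapd-ldapiautobind: off
EOF

check_ldapi_config "$GOOD_LDIF" "$SOCKET" && echo "good.ldif: LDAPI settings consistent"
check_ldapi_config "$BAD_LDIF" "$SOCKET" ||
    echo "bad.ldif: stop dirsrv, fix dse.ldif, remove the stale socket, restart"
```

On a real server, run it against the instance's dse.ldif with the path from the ldapi:// URL (percent-decoded) as the second argument; dirsrv must be stopped before any edit to dse.ldif takes effect.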


Re: [Freeipa-users] IPA with external CA signed certs

2015-11-13 Thread Gronde, Christopher (Contractor)
For those of you that have been helping me...thank you!  For all those 
following along here is the status of my issues.

I ended up replacing the krbprincipal key and the user certificate in LDAP to 
match what is on the master and I am no longer getting the invalid credentials 
error!  So thanks for that!

Unfortunately, krb5kdc still will not start...

When trying to run:

ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-ITMODEV-GOV.socket -b 
"cn=ITMODEV.GOV,cn=kerberos,dc=itmodev,dc=gov" krbMKey=*

I get " ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) " 

So we did a strace on that to see if we could find anything and I found:

connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/slapd-ITMODEV-GOV.socket"}, 
110) = -1 ECONNREFUSED (Connection refused)

So it looks like an issue with the listening socket.  Ran some more tests on 
the socket...

[root@comipa02 ~]# ls -lZ /var/run/slapd-ITMODEV-GOV.socket
srw-rw-rw-. root root system_u:object_r:dirsrv_var_run_t:s0 
/var/run/slapd-ITMODEV-GOV.socket

So the socket exists but " lsof -U -a -udirsrv" gives me no return...nothing.

Anybody know what I need to do to fix the socket?





-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
Sent: Thursday, November 12, 2015 11:15 AM
To: James Masson <james.mas...@jmips.co.uk>; Martin Kosek <mko...@redhat.com>; 
freeipa-users@redhat.com; Jan Cholasta <jchol...@redhat.com>; David Kupka 
<dku...@redhat.com>; Endi Sukma Dewata <edew...@redhat.com>
Subject: Re: [Freeipa-users] IPA with external CA signed certs

James Masson wrote:
>
>
> On 12/11/15 15:21, Rob Crittenden wrote:
>> James Masson wrote:
>>>
>>>
>>> On 30/10/15 13:52, Rob Crittenden wrote:
>>>> James Masson wrote:
>>>>>
>>>>>
>>>>> On 26/10/15 16:11, Martin Kosek wrote:
>>>>>> On 10/26/2015 04:05 PM, James Masson wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 19/10/15 21:06, Rob Crittenden wrote:
>>>>>>>> James Masson wrote:
>>>>>>>>>
>>>>>>>>> Hi list,
>>>>>>>>>
>>>>>>>>> I successfully have IPA working with CA certs signed by an 
>>>>>>>>> upstream Dogtag.
>>>>>>>>>
>>>>>>>>> Now I'm trying to use a CA cert signed by a different type of 
>>>>>>>>> CA - Vault.
>>>>>>>>>
>>>>>>>>> Setup fails, using the same 2 step IPA setup process as used 
>>>>>>>>> with upstream Dogtag. I've also tried the external-ca-type option.
>>>>>>>>>
>>>>>>>>> Likely, IPA doesn't like the certificate - however, I can't 
>>>>>>>>> pinpoint why.
>>>>>>>>
>>>>>>>> I'm guessing you don't include the entire CA certchain of Vault.
>>>>>>>> Dogtag
>>>>>>>> is failing to startup because it can't verify its own cert chain:
>>>>>>>>
>>>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>>>> CAPresence:  CA is present
>>>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>>>> SystemCertsVerification: system certs verification failure
>>>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>>>> SelfTestSubsystem: The CRITICAL self test plugin called 
>>>>>>>> selftests.container.instance.SystemCertsVerification running at 
>>>>>>>> startup FAILED!
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi Rob,
>>>>>>>
>>>>>>> Thanks for the reply.
>>>>>>>
>>>>>>> I do present the IPA installer with both the CA and the IPA cert 
>>>>>>> - the IPAs python-based install code is happy with the cert 
>>>>>>> chain, but the Java based dogtag code chokes on it.
>>>>>>>
>>>>>>> OpenSSL is happy with it too.
>>>>>>>
>>>>>>> #
>>>>>>> [root@foo ~]# openssl verify ipa.crt
>>>>>>> ipa.crt: O = LOCAL, CN = Certif

Re: [Freeipa-users] IPA with external CA signed certs

2015-11-12 Thread James Masson



On 30/10/15 13:52, Rob Crittenden wrote:

James Masson wrote:



On 26/10/15 16:11, Martin Kosek wrote:

On 10/26/2015 04:05 PM, James Masson wrote:



On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:


Hi list,

I successfully have IPA working with CA certs signed by an upstream
Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA -
Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't
pinpoint why.


I'm guessing you don't include the entire CA certchain of Vault. Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup
FAILED!

rob




Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert -
the IPAs
python-based install code is happy with the cert chain, but the Java
based
dogtag code chokes on it.

OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like
to know
exactly what Dogtag doesn't like about the certificate.

thanks

James M


Let me CC at least Jan Ch. and David, they may be able to help and
should also
make sure FreeIPA gets better in validating the certs, as appropriate.



Any thoughts guys?


I cc'd one of the dogtag guys to see if he knows.

You might also try using certutil to validate the certificates, it might
give you some hints to what is going on.

I'm assuming your certdb (it can vary by version) is in
/var/lib/pki/pki-tomcat/alias

certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
certificates installed. You can verify each one to see what is going on.
The -u flag specifies usage. See the certutil man page for a full set of
options.

For example:

# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert
cert-pki-ca'
certutil: certificate is valid

rob



Hi All,

I've created a ticket to track this

https://fedorahosted.org/pki/ticket/1697

Rob - certutil output:

Some certificates types seem not to be approved. Not sure if this is a 
red herring.


##
[root@foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'caSigningCert cert-pki-ca'

certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'root.com'
certutil: certificate is invalid: Certificate type not approved for 
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'ocspSigningCert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for 
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'subsystemCert cert-pki-ca'

certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'Server-Cert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for 
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'auditSigningCert cert-pki-ca'

certutil: certificate is valid
#

regards

James M



Re: [Freeipa-users] IPA with external CA signed certs

2015-11-12 Thread Rob Crittenden

James Masson wrote:



On 30/10/15 13:52, Rob Crittenden wrote:

James Masson wrote:



On 26/10/15 16:11, Martin Kosek wrote:

On 10/26/2015 04:05 PM, James Masson wrote:



On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:


Hi list,

I successfully have IPA working with CA certs signed by an upstream
Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA -
Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't
pinpoint why.


I'm guessing you don't include the entire CA certchain of Vault.
Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at
startup
FAILED!

rob




Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert -
the IPAs
python-based install code is happy with the cert chain, but the Java
based
dogtag code chokes on it.

OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like
to know
exactly what Dogtag doesn't like about the certificate.

thanks

James M


Let me CC at least Jan Ch. and David, they may be able to help and
should also
make sure FreeIPA gets better in validating the certs, as appropriate.



Any thoughts guys?


I cc'd one of the dogtag guys to see if he knows.

You might also try using certutil to validate the certificates, it might
give you some hints to what is going on.

I'm assuming your certdb (it can vary by version) is in
/var/lib/pki/pki-tomcat/alias

certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
certificates installed. You can verify each one to see what is going on.
The -u flag specifies usage. See the certutil man page for a full set of
options.

For example:

# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert
cert-pki-ca'
certutil: certificate is valid

rob



Hi All,

I've created a ticket to track this

https://fedorahosted.org/pki/ticket/1697

Rob - certutil output:

Some certificates types seem not to be approved. Not sure if this is a
red herring.

##
[root@foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'root.com'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'ocspSigningCert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'subsystemCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'Server-Cert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'auditSigningCert cert-pki-ca'
certutil: certificate is valid
#


That's why I pointed you to the certutil man page to find out the 
different usages to test. The C usage is SSL client usage. Depending on 
the cert the usage may be different.


rob



Re: [Freeipa-users] IPA with external CA signed certs

2015-11-12 Thread James Masson



On 12/11/15 15:21, Rob Crittenden wrote:

James Masson wrote:



On 30/10/15 13:52, Rob Crittenden wrote:

James Masson wrote:



On 26/10/15 16:11, Martin Kosek wrote:

On 10/26/2015 04:05 PM, James Masson wrote:



On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:


Hi list,

I successfully have IPA working with CA certs signed by an upstream
Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA -
Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't
pinpoint why.


I'm guessing you don't include the entire CA certchain of Vault.
Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at
startup
FAILED!

rob




Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert -
the IPAs
python-based install code is happy with the cert chain, but the Java
based
dogtag code chokes on it.

OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like
to know
exactly what Dogtag doesn't like about the certificate.

thanks

James M


Let me CC at least Jan Ch. and David, they may be able to help and
should also
make sure FreeIPA gets better in validating the certs, as appropriate.



Any thoughts guys?


I cc'd one of the dogtag guys to see if he knows.

You might also try using certutil to validate the certificates, it might
give you some hints to what is going on.

I'm assuming your certdb (it can vary by version) is in
/var/lib/pki/pki-tomcat/alias

certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
certificates installed. You can verify each one to see what is going on.
The -u flag specifies usage. See the certutil man page for a full set of
options.

For example:

# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert
cert-pki-ca'
certutil: certificate is valid

rob



Hi All,

I've created a ticket to track this

https://fedorahosted.org/pki/ticket/1697

Rob - certutil output:

Some certificates types seem not to be approved. Not sure if this is a
red herring.

##
[root@foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'root.com'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'ocspSigningCert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'subsystemCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'Server-Cert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'auditSigningCert cert-pki-ca'
certutil: certificate is valid
#


That's why I pointed you to the certutil man page to find out the
different usages to test. The C usage is SSL client usage. Depending on
the cert the usage may be different.

rob


Missed that. Here are those commands again with different certusage checking

In short, they're all superficially valid.

##
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'caSigningCert cert-pki-ca'

certutil: certificate is valid

[root@foo ~]# certutil -V -u Y -d /var/lib/pki/pki-tomcat/alias -n 
'root.com'

certutil: certificate is valid


[root@foo ~]# certutil -V -u O -d /var/lib/pki/pki-tomcat/alias -n 
'ocspSigningCert cert-pki-ca'

certutil: certificate is valid


Re: [Freeipa-users] IPA with external CA signed certs

2015-11-12 Thread Rob Crittenden

James Masson wrote:



On 12/11/15 15:21, Rob Crittenden wrote:

James Masson wrote:



On 30/10/15 13:52, Rob Crittenden wrote:

James Masson wrote:



On 26/10/15 16:11, Martin Kosek wrote:

On 10/26/2015 04:05 PM, James Masson wrote:



On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:


Hi list,

I successfully have IPA working with CA certs signed by an
upstream
Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA -
Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't
pinpoint why.


I'm guessing you don't include the entire CA certchain of Vault.
Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at
startup
FAILED!

rob




Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert -
the IPAs
python-based install code is happy with the cert chain, but the Java
based
dogtag code chokes on it.

OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like
to know
exactly what Dogtag doesn't like about the certificate.

thanks

James M


Let me CC at least Jan Ch. and David, they may be able to help and
should also
make sure FreeIPA gets better in validating the certs, as
appropriate.



Any thoughts guys?


I cc'd one of the dogtag guys to see if he knows.

You might also try using certutil to validate the certificates, it
might
give you some hints to what is going on.

I'm assuming your certdb (it can vary by version) is in
/var/lib/pki/pki-tomcat/alias

certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
certificates installed. You can verify each one to see what is going
on.
The -u flag specifies usage. See the certutil man page for a full set of
options.

For example:

# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'auditSigningCert
cert-pki-ca'
certutil: certificate is valid

rob



Hi All,

I've created a ticket to track this

https://fedorahosted.org/pki/ticket/1697

Rob - certutil output:

Some certificates types seem not to be approved. Not sure if this is a
red herring.

##
[root@foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'root.com'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'ocspSigningCert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'subsystemCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'Server-Cert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'auditSigningCert cert-pki-ca'
certutil: certificate is valid
#


That's why I pointed you to the certutil man page to find out the
different usages to test. The C usage is SSL client usage. Depending on
the cert the usage may be different.

rob


Missed that. Here are those commands again with different certusage
checking

In short, they're all superficially valid.

##
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'caSigningCert cert-pki-ca'
certutil: certificate is valid

[root@foo ~]# certutil -V -u Y -d /var/lib/pki/pki-tomcat/alias -n
'root.com'
certutil: certificate is valid


[root@foo ~]# certutil -V -u O -d /var/lib/pki/pki-tomcat/alias -n
'ocspSigningCert cert-pki-ca'
certutil: 

Re: [Freeipa-users] IPA with external CA signed certs

2015-10-30 Thread Rob Crittenden
James Masson wrote:
> 
> 
> On 26/10/15 16:11, Martin Kosek wrote:
>> On 10/26/2015 04:05 PM, James Masson wrote:
>>>
>>>
>>> On 19/10/15 21:06, Rob Crittenden wrote:
>>>> James Masson wrote:
>>>>>
>>>>> Hi list,
>>>>>
>>>>> I successfully have IPA working with CA certs signed by an upstream
>>>>> Dogtag.
>>>>>
>>>>> Now I'm trying to use a CA cert signed by a different type of CA -
>>>>> Vault.
>>>>>
>>>>> Setup fails, using the same 2 step IPA setup process as used with
>>>>> upstream Dogtag. I've also tried the external-ca-type option.
>>>>>
>>>>> Likely, IPA doesn't like the certificate - however, I can't
>>>>> pinpoint why.
>>>>
>>>> I'm guessing you don't include the entire CA certchain of Vault. Dogtag
>>>> is failing to startup because it can't verify its own cert chain:
>>>>
>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>> CAPresence:  CA is present
>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>> SystemCertsVerification: system certs verification failure
>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>> SelfTestSubsystem: The CRITICAL self test plugin called
>>>> selftests.container.instance.SystemCertsVerification running at startup
>>>> FAILED!
>>>>
>>>> rob
>>>>
>>>
>>>
>>> Hi Rob,
>>>
>>> Thanks for the reply.
>>>
>>> I do present the IPA installer with both the CA and the IPA cert -
>>> the IPAs
>>> python-based install code is happy with the cert chain, but the Java
>>> based
>>> dogtag code chokes on it.
>>>
>>> OpenSSL is happy with it too.
>>>
>>> #
>>> [root@foo ~]# openssl verify ipa.crt
>>> ipa.crt: O = LOCAL, CN = Certificate Authority
>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>>
>>> [root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
>>> ipa.crt: OK
>>> ###
>>>
>>> Any hints on how to reproduce this with more debug output? I'd like
>>> to know
>>> exactly what Dogtag doesn't like about the certificate.
>>>
>>> thanks
>>>
>>> James M
>>
>> Let me CC at least Jan Ch. and David, they may be able to help and
>> should also
>> make sure FreeIPA gets better in validating the certs, as appropriate.
>>
> 
> Any thoughts guys?

I cc'd one of the dogtag guys to see if he knows.

You might also try using certutil to validate the certificates, it might
give you some hints to what is going on.

I'm assuming your certdb (it can vary by version) is in
/var/lib/pki/pki-tomcat/alias

certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
certificates installed. You can verify each one to see what is going on.
The -u flag specifies usage. See the certutil man page for a full set of
options.

For example:

# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert
cert-pki-ca'
certutil: certificate is valid

rob



Re: [Freeipa-users] IPA with external CA signed certs

2015-10-28 Thread James Masson



On 26/10/15 16:11, Martin Kosek wrote:

On 10/26/2015 04:05 PM, James Masson wrote:



On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:


Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA - Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.


I'm guessing you don't include the entire CA certchain of Vault. Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup
FAILED!

rob




Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert - the IPAs
python-based install code is happy with the cert chain, but the Java based
dogtag code chokes on it.

OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like to know
exactly what Dogtag doesn't like about the certificate.

thanks

James M


Let me CC at least Jan Ch. and David, they may be able to help and should also
make sure FreeIPA gets better in validating the certs, as appropriate.



Any thoughts guys?

James M



Re: [Freeipa-users] IPA with external CA signed certs

2015-10-26 Thread James Masson



On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:


Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA - Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.


I'm guessing you don't include the entire CA certchain of Vault. Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup
FAILED!

rob




Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert - the 
IPAs python-based install code is happy with the cert chain, but the 
Java based dogtag code chokes on it.


OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like to 
know exactly what Dogtag doesn't like about the certificate.


thanks

James M



Re: [Freeipa-users] IPA with external CA signed certs

2015-10-26 Thread Martin Kosek
On 10/26/2015 04:05 PM, James Masson wrote:
> 
> 
> On 19/10/15 21:06, Rob Crittenden wrote:
>> James Masson wrote:
>>>
>>> Hi list,
>>>
>>> I successfully have IPA working with CA certs signed by an upstream Dogtag.
>>>
>>> Now I'm trying to use a CA cert signed by a different type of CA - Vault.
>>>
>>> Setup fails, using the same 2 step IPA setup process as used with
>>> upstream Dogtag. I've also tried the external-ca-type option.
>>>
>>> Likely, IPA doesn't like the certificate - however, I can't pinpoint why.
>>
>> I'm guessing you don't include the entire CA certchain of Vault. Dogtag
>> is failing to startup because it can't verify its own cert chain:
>>
>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>> CAPresence:  CA is present
>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>> SystemCertsVerification: system certs verification failure
>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>> SelfTestSubsystem: The CRITICAL self test plugin called
>> selftests.container.instance.SystemCertsVerification running at startup
>> FAILED!
>>
>> rob
>>
> 
> 
> Hi Rob,
> 
> Thanks for the reply.
> 
> I do present the IPA installer with both the CA and the IPA cert - the IPAs
> python-based install code is happy with the cert chain, but the Java based
> dogtag code chokes on it.
> 
> OpenSSL is happy with it too.
> 
> #
> [root@foo ~]# openssl verify ipa.crt
> ipa.crt: O = LOCAL, CN = Certificate Authority
> error 20 at 0 depth lookup:unable to get local issuer certificate
> 
> [root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
> ipa.crt: OK
> ###
> 
> Any hints on how to reproduce this with more debug output? I'd like to know
> exactly what Dogtag doesn't like about the certificate.
> 
> thanks
> 
> James M

Let me CC at least Jan Ch. and David, they may be able to help and should also
make sure FreeIPA gets better in validating the certs, as appropriate.



Re: [Freeipa-users] IPA with external CA signed certs

2015-10-19 Thread Rob Crittenden
James Masson wrote:
> 
> Hi list,
> 
> I successfully have IPA working with CA certs signed by an upstream Dogtag.
> 
> Now I'm trying to use a CA cert signed by a different type of CA - Vault.
> 
> Setup fails, using the same 2 step IPA setup process as used with
> upstream Dogtag. I've also tried the external-ca-type option.
> 
> Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

I'm guessing you don't include the entire CA certchain of Vault. Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup
FAILED!

rob

> 
> Errors below.
> 
> thanks
> 
> James M
> 
> ###
> -----BEGIN CERTIFICATE-----
> MIIDdzCCAl+gAwIBAgIUTKucjDpTMZ/oPmgnxR1MznVhktkwDQYJKoZIhvcNAQEL
> BQAwVjEZMBcGA1UEAxMQbXljYS5leGFtcGxlLmNvbTE5MDcGA1UEBRMwNjQ2Mjcx
> MDAwODA3NTg1NjA0ODA0NzYyODExNzAyMTM0NDk5MDQ1ODM4NjM2OTEwMB4XDTE1
> MTAxNTE0MzY1NloXDTE1MTAxNjAwMzY1NlowMDEOMAwGA1UEChMFTE9DQUwxHjAc
> BgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQAD
> ggEPADCCAQoCggEBANMByCz97mhj8nG/R7T5K/lUlat4jnfFyo5/xn4eTzhcqDD/
> NixixWqT6TPWBg5Mep7Wnn0EBwG9DjB2dq6+9Ai3TGMzFWkeKvMrZuTouLFoS9SR
> 6s5wybFfbAoTuV5lq0rIZClqi6ELnAyOccQEuV4UA0PBoe1UjycZf20eSU/52eH4
> SiMbLYliDOuWbARgYYwtwc7HVPUwangk4toPH6h2FZ9+tTj8oB6Zxf3lK65IzyCT
> IHj+53gyySB78CDV2FZ67cI5u1KKcpC/CyjkbO4DKHWWxzxuvUM4F0K20l+cMoP6
> Kpr7aGYotY3B6uTocMg59Gwlsvgl0gE03LI9Vp0CAwEAAaNjMGEwHQYDVR0OBBYE
> FLjG7oRluBaMxV5Wi6rBSvgHDzjuMB8GA1UdIwQYMBaAFCw0iwWuCOlUcS6ZIPM8
> X50f1nLnMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMA0GCSqGSIb3
> DQEBCwUAA4IBAQBVAoAuZgu6RkY0ufVcNDDNORgOwSgNbvyt1rQNC5mxhLw0Ott+
> XyxuzgycyEFCdQP1VChG5i0nOfrEixX7eSQVgN3LKaeiRVsGh1H+ucp/YVnhPvc1
> lLtAHVwPn+OuvdJR68K3/twtZ4Fh0BtRFeAmuIOk+QomDhxsxt8LgbaPbdS/vuZw
> Xn27REGErgT8bDWp447YU6pOb+rPj9ZNHdS1TeDG5h1A0ArH5IUVgyASFkM4SEVH
> pKneAWEDy+Ik67FoYQbHpYyII1L7R5vskZZv1xhYkH8csJ8iTcrRCa+EiBvhtsWg
> uuHzqst1ryPKdNtxPM+D96vRSJxCYBUFeKqh
> -----END CERTIFICATE-----
> ###
> 
> ###
>   [19/27]: restarting certificate server
> ipa : CRITICAL Failed to restart the certificate server. See the
> installation log for details.
>   [20/27]: requesting RA certificate from CA
>   [error] RuntimeError: Unable to submit RA cert request
> ###
> 
> 
> ###
> 2015-10-15T14:44:31Z DEBUG The CA status is: check interrupted
> 2015-10-15T14:44:31Z DEBUG Waiting for CA to start...
> 2015-10-15T14:44:32Z DEBUG request
> 'https://foo.local:8443/ca/admin/ca/getStatus'
> 2015-10-15T14:44:32Z DEBUG request body ''
> 2015-10-15T14:44:32Z DEBUG request status 404
> 2015-10-15T14:44:32Z DEBUG request reason_phrase u'Not Found'
> 2015-10-15T14:44:32Z DEBUG request headers {'date': 'Thu, 15 Oct 2015
> 14:44:32 GMT', 'content-length': '993', 'content-type':
> 'text/html;charset=utf-8', 'content-language': 'en', 'server':
> 'Apache-Coyote/1.1'}
> 2015-10-15T14:44:32Z DEBUG request body 'Apache
> Tomcat/7.0.54 - Error report
> HTTP Status 404 - /ca/admin/ca/getStatus size="1" noshade="noshade">type Status
> reportmessage
> /ca/admin/ca/getStatusdescription The requested
> resource is not availa
> ble.Apache
> Tomcat/7.0.54'
> 2015-10-15T14:44:32Z DEBUG The CA status is: check interrupted
> 2015-10-15T14:44:32Z DEBUG Waiting for CA to start...
> 2015-10-15T14:44:33Z DEBUG Traceback (most recent call last):
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 840, in __restart_instance
> self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 282, in restart
> self.service.restart(instance_name, capture_output=capture_output,
> wait=wait)
>   File
> "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line
> 209, in restart
> self.wait_until_running()
>   File
> "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line
> 197, in wait_until_running
> raise RuntimeError('CA did not start in %ss' % timeout)
> RuntimeError: CA did not start in 300.0s
> 
>
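Rob's diagnosis above comes down to one question that `openssl verify -CAfile vaultca.crt ipa.crt` answers only indirectly: does the CA bundle handed to the installer contain every issuer of the IPA CA certificate, up to a self-signed root? `openssl verify` reports OK when it can build a path through the certificates in the file; it does not list what the file holds or flag that the top of the path is not a root. The script below is an added example, not FreeIPA or Dogtag code, that inspects a PEM bundle with nothing but the Python standard library: a minimal DER walker pulls the issuer and subject Name of each certificate, and `chain_report` reports which issuers are absent from the bundle and whether a self-signed root is present. The sample input is the CA certificate James posted in this thread, embedded as constructed input; on its own it is incomplete, because its issuer (`CN=myca.example.com`) is not in the bundle. Function and variable names are this example's own.

```python
import base64
import re

# Constructed sample input: the CA certificate posted in the thread. Its subject is
# "O=LOCAL, CN=Certificate Authority" and its issuer "CN=myca.example.com, ...";
# on its own it is not a complete chain because that issuer is not in the bundle.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIUTKucjDpTMZ/oPmgnxR1MznVhktkwDQYJKoZIhvcNAQEL
BQAwVjEZMBcGA1UEAxMQbXljYS5leGFtcGxlLmNvbTE5MDcGA1UEBRMwNjQ2Mjcx
MDAwODA3NTg1NjA0ODA0NzYyODExNzAyMTM0NDk5MDQ1ODM4NjM2OTEwMB4XDTE1
MTAxNTE0MzY1NloXDTE1MTAxNjAwMzY1NlowMDEOMAwGA1UEChMFTE9DQUwxHjAc
BgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBANMByCz97mhj8nG/R7T5K/lUlat4jnfFyo5/xn4eTzhcqDD/
NixixWqT6TPWBg5Mep7Wnn0EBwG9DjB2dq6+9Ai3TGMzFWkeKvMrZuTouLFoS9SR
6s5wybFfbAoTuV5lq0rIZClqi6ELnAyOccQEuV4UA0PBoe1UjycZf20eSU/52eH4
SiMbLYliDOuWbARgYYwtwc7HVPUwangk4toPH6h2FZ9+tTj8oB6Zxf3lK65IzyCT
IHj+53gyySB78CDV2FZ67cI5u1KKcpC/CyjkbO4DKHWWxzxuvUM4F0K20l+cMoP6
Kpr7aGYotY3B6uTocMg59Gwlsvgl0gE03LI9Vp0CAwEAAaNjMGEwHQYDVR0OBBYE
FLjG7oRluBaMxV5Wi6rBSvgHDzjuMB8GA1UdIwQYMBaAFCw0iwWuCOlUcS6ZIPM8
X50f1nLnMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMA0GCSqGSIb3
DQEBCwUAA4IBAQBVAoAuZgu6RkY0ufVcNDDNORgOwSgNbvyt1rQNC5mxhLw0Ott+
XyxuzgycyEFCdQP1VChG5i0nOfrEixX7eSQVgN3LKaeiRVsGh1H+ucp/YVnhPvc1
lLtAHVwPn+OuvdJR68K3/twtZ4Fh0BtRFeAmuIOk+QomDhxsxt8LgbaPbdS/vuZw
Xn27REGErgT8bDWp447YU6pOb+rPj9ZNHdS1TeDG5h1A0ArH5IUVgyASFkM4SEVH
pKneAWEDy+Ik67FoYQbHpYyII1L7R5vskZZv1xhYkH8csJ8iTcrRCa+EiBvhtsWg
uuHzqst1ryPKdNtxPM+D96vRSJxCYBUFeKqh
-----END CERTIFICATE-----
"""

# Tolerates the collapsed "-BEGIN CERTIFICATE-" markers seen in mail archives.
_PEM_RE = re.compile(r"-+BEGIN CERTIFICATE-+\s*(.*?)\s*-+END CERTIFICATE-+", re.S)

# Attribute-type OIDs rendered by name; anything else is shown as hex.
_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
              b"\x55\x04\x06": "C", b"\x55\x04\x05": "serialNumber"}


def pem_to_der_list(pem_text):
    """DER bytes of every certificate found in a PEM bundle."""
    return [base64.b64decode("".join(m.group(1).split())) for m in _PEM_RE.finditer(pem_text)]


def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV directly inside [start, end)."""
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve


def name_to_str(buf, start, end):
    """Render a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'CN=..., O=...'."""
    parts = []
    for _, rdn_s, rdn_e in _children(buf, start, end):
        for _, atv_s, atv_e in _children(buf, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = list(_children(buf, atv_s, atv_e))
            key = _OID_NAMES.get(buf[oid_s:oid_e], buf[oid_s:oid_e].hex())
            # Good enough for PrintableString/UTF8String; BMPString would need UTF-16.
            parts.append(f"{key}={buf[val_s:val_e].decode('utf-8', 'replace')}")
    return ", ".join(parts)


def cert_names(der):
    """Issuer and subject of one DER certificate, as raw Name bytes and as text."""
    _, cert_s, cert_e = _tlv(der, 0)        # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)     # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    (_, iss_s, iss_e), (_, sub_s, sub_e) = fields[2], fields[4]
    return {"issuer_der": der[iss_s:iss_e], "subject_der": der[sub_s:sub_e],
            "issuer": name_to_str(der, iss_s, iss_e), "subject": name_to_str(der, sub_s, sub_e)}


def chain_report_der(ders):
    """Is every issuer present in the bundle, and is there a self-signed root to end on?
    Issuer/subject are matched as raw DER bytes, the comparison a CA is expected to pass."""
    certs = [cert_names(der) for der in ders]
    subjects = {c["subject_der"] for c in certs}
    roots = sum(1 for c in certs if c["issuer_der"] == c["subject_der"])
    missing = [c["issuer"] for c in certs
               if c["issuer_der"] != c["subject_der"] and c["issuer_der"] not in subjects]
    return {"complete": not missing and roots > 0, "missing_issuers": missing,
            "self_signed_roots": roots}


def chain_report(pem_bundle):
    """Same check, starting from PEM text such as the bundle given to the installer."""
    return chain_report_der(pem_to_der_list(pem_bundle))


if __name__ == "__main__":
    for der in pem_to_der_list(SAMPLE_BUNDLE):
        names = cert_names(der)
        print(f"subject: {names['subject']}\n issuer: {names['issuer']}")
    print(chain_report(SAMPLE_BUNDLE))
```

Run against the posted certificate alone, `chain_report` returns `complete: False`, no self-signed roots and `CN=myca.example.com, serialNumber=...` as the missing issuer, which is exactly the gap Rob suspects: the file satisfies the Python installer and `openssl verify` (which trusts whatever `-CAfile` names) but does not give Dogtag a path to a root. Concatenate the issuing CA's certificate(s) up to and including the self-signed root into the bundle until the report is complete before re-running the second installer step. The Name comparison is byte-for-byte; it does not attempt RFC 4518 string preparation, so a bundle whose issuer and subject differ only in encoding would be reported as broken, which is also the safer reading when feeding a CA.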