> On Tue, Mar 24, 2020 at 02:20:17PM -0000, Hristina Marosevic wrote:
>
> Hi,
>
> please try to add them with
>
> certutil -A -n "CA cert nickname" -t CT,C,C -i /path/to/CA_cert_file -d /etc/pki/nssdb
>
> (please note the additional 'T' for 'trusted CA for client
> authentication') and check if this makes a difference.
>
> bye,
> Sumit
Hello,
I got the same error:
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171]]]]
[do_verification] (0x0040): Certificate
[(null)][givenName=\320\242\320\225\320\241\320\242\320\242\320\236\320\222\320\230\320\247,ST=\320\220\320\241\320\242\320\220\320\235\320\220,L=\320\220\320\241\320\242\320\220\320\235\320\220,C=KZ,serialNumber=IIN123456789012,SN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222,CN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222
\320\242\320\225\320\241\320\242\320\242] not valid [-8179][Peer's Certificate
issuer is not recognized.].\n", 310) = 310
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171]]]] [do_work]
(0x0400): Certificate is NOT valid.\n", 100) = 100
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171]]]] [main]
(0x0040): do_work failed.\n", 87) = 87
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171]]]] [main]
(0x0020): p11_child failed!\n", 89) = 89
close(1) = 0
exit_group(1) = ?
+++ exited with 1 +++
What I did is:
added the CA certs once again, as trusted:
certutil -L -d /etc/pki/nssdb -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

root_KZ                                                      CT,C,C
intermediate_KZ                                              CT,C,C
and stopped sssd, emptied its cache, started sssd, restarted sshd, afterwards.
BR,
Hristina M.
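
The trust-flag check discussed in this thread, as an added example that is not part of the original messages or of SSSD: a POSIX shell function that reads `certutil -L` output on stdin and reports CA nicknames whose SSL trust field lacks the `C` or `T` flag. The names `check_ca_trust`, `REQUIRED_FLAGS` and `SAMPLE_LISTING` are hypothetical, and the sample listing is constructed from the output above plus one made-up entry ("Legacy Root CA").

```shell
#!/bin/sh
# Added example: verify SSL trust flags of CA nicknames in an NSS database listing.
# Real use: certutil -L -d /etc/pki/nssdb | check_ca_trust root_KZ intermediate_KZ
REQUIRED_FLAGS="${REQUIRED_FLAGS:-CT}"   # flags required in the SSL field (assumption: C and T)

# Constructed sample; "Legacy Root CA" is a made-up entry lacking the T flag.
SAMPLE_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

root_KZ                                      CT,C,C
intermediate_KZ                              CT,C,C
Legacy Root CA                               C,C,C'

check_ca_trust() {
    listing=$(cat)      # certutil -L output from stdin
    problems=0
    for nick in "$@"; do
        # The trust field is the last token: three comma-separated flag groups.
        flags=$(printf '%s\n' "$listing" | awk -v nick="$nick" '
            $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
                name = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trust field
                sub(/^[ \t]+/, "", name)                # nicknames may contain spaces
                if (name == nick) { print $NF; exit }
            }')
        if [ -z "$flags" ]; then
            echo "MISSING  $nick"
            problems=$((problems + 1))
            continue
        fi
        ssl=${flags%%,*}    # first group = SSL trust
        missing=""
        for f in $(printf '%s\n' "$REQUIRED_FLAGS" | sed 's/./& /g'); do
            case "$ssl" in *"$f"*) ;; *) missing="$missing$f" ;; esac
        done
        if [ -n "$missing" ]; then
            echo "WEAK     $nick ($flags) lacks SSL flag(s): $missing"
            problems=$((problems + 1))
        else
            echo "OK       $nick ($flags)"
        fi
    done
    return "$problems"      # number of nicknames that are missing or under-trusted
}

# Demo on the constructed listing; the function returns non-zero when it finds problems.
printf '%s\n' "$SAMPLE_LISTING" | check_ca_trust root_KZ intermediate_KZ "Legacy Root CA" \
    || echo "problems found: $?"
```

A passing result only confirms the flags in the database that was listed; it does not show which database or chain the failing verification actually consulted.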