On Tue, Mar 24, 2020 at 02:20:17PM -0000, Hristina Marosevic wrote:
> > On Wed, Mar 18, 2020 at 10:42:52AM -0000, Hristina Marosevic wrote:
> >
> > Hi,
> >
> > can you send the output of
> >
> > ls -al /etc/pki/nssdb
> >
> > and
> >
> > certutil -L -d /etc/pki/nssdb -h all
> >
> > bye,
> > Sumit
>
>
> Hello Sumit,
>
> Somehow, today I didn't get any error when executing the certutil command. In
> the meantime I didn't do anything different, except for the sssd and sshd
> restart.
> A few days ago, I couldn't add nor list the existing certificates in the nssdb
> using certutil.
> Now, when this is working, I added the two CA certs in the chain of the
> user's public certificate. One is intermediate, and one is root CA.
> To add the intermediate and root CA certs in the nssdb, I used DER formats
> of the certificates and the following command for each one of them:
> certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d
> /etc/pki/nssdb
>
> You asked me to list the nssdb directory. Here is the result:
> $ ls -al /etc/pki/nssdb
> total 132
> drwxr-xr-x. 2 root root 4096 Mar 6 10:34 .
> drwxr-xr-x. 10 root root 4096 Jan 24 2019 ..
> -rw-r--r-- 1 root root 65536 Aug 7 2019 cert8.db
> -rw-r--r--. 1 root root 9216 Jan 24 2019 cert9.db
> -rw-r--r-- 1 root root 0 Mar 6 10:34 i#uiap
> -rw-r--r-- 1 root root 16384 Aug 7 2019 key3.db
> -rw-r--r--. 1 root root 11264 Jan 24 2019 key4.db
> -rw-r--r-- 1 root root 451 Aug 7 2019 pkcs11.txt
> -rw-r--r-- 1 root root 16384 Aug 7 2019 secmod.db
>
> After adding the certificates from the chain of the user's public
> certificate, the following command:
> certutil -L -d /etc/pki/nssdb -h all
> resulted in:
>
> Certificate Nickname Trust Attributes
>
> SSL,S/MIME,JAR/XPI
>
> root_KZ C,C,C
> intermediate_KZ C,C,C
>
>
> In the sssd section of the sssd.conf file the value for
> certificate_verification is no_ocsp. Using strace, the recorded log of
> p11_child for the PKI authentication attempt is:
>
> .....
> stat("/home/oracle/secmod.db", 0x7ffcf6ee2350) = -1 ENOENT (No such file or
> directory)
> open("/home/oracle/secmod.db", O_RDONLY) = -1 ENOENT (No such file or
> directory)
> open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> 0x7f2379ad3000
> read(4, "0\n", 1024) = 2
> close(4) = 0
> munmap(0x7f2379ad3000, 4096) = 0
> stat("/home/oracle/cert8.db", 0x7ffcf6ee1f30) = -1 ENOENT (No such file or
> directory)
> open("/home/oracle/cert8.db", O_RDONLY) = -1 ENOENT (No such file or
> directory)
> stat("/home/oracle/cert7.db", 0x7ffcf6ee1f50) = -1 ENOENT (No such file or
> directory)
> open("/home/oracle/cert7.db", O_RDONLY) = -1 ENOENT (No such file or
> directory)
Hi,
did you change the 'ca_db' option in sssd.conf? It looks like a wrong
path '/home/oracle' is used for the NSS database.
bye,
Sumit
> access("/etc/pki/nss-legacy/nss-rhel7.config", R_OK) = 0
> open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> 0x7f2379ad3000
> read(4, "0\n", 1024) = 2
> close(4) = 0
> munmap(0x7f2379ad3000, 4096) = 0
> open("/etc/pki/nss-legacy/nss-rhel7.config", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0644, st_size=257, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> 0x7f2379ad3000
> read(4, "# To re-enable legacy algorithms, edit this file\n# Note that the
> last empty line in this file must be
> preserved\nlibrary=\nname=Policy\nNSS=flags=policyOnly,moduleDB\nconfig=\"disallow=MD5:RC4
> allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023:TLS-VERSION-MIN=tls1.0\"\n\n",
> 4096) = 257
> stat("/etc/sysconfig/64bit_strstr_via_64bit_strstr_sse2_unaligned",
> {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
> read(4, "", 4096) = 0
> close(4) = 0
> munmap(0x7f2379ad3000, 4096) = 0
> open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> 0x7f2379ad3000
> read(4, "0\n", 1024) = 2
> close(4) = 0
> munmap(0x7f2379ad3000, 4096) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]]
> [do_verification] (0x0040): Certificate
> [(null)][givenName=\320\242\320\225\320\241\320\242\320\242\320\236\320\222\320\230\320\247,ST=\320\220\320\241\320\242\320\220\320\235\320\220,L=\320\220\320\241\320\242\320\220\320\235\320\220,C=KZ,serialNumber=IIN123456789012,SN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222,CN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222
> \320\242\320\225\320\241\320\242\320\242] not valid [-8179][Peer's
> Certificate issuer is not recognized.].\n", 309) = 309
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [do_work]
> (0x0400): Certificate is NOT valid.\n", 99) = 99
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [main]
> (0x0040): do_work failed.\n", 86) = 86
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [main]
> (0x0020): p11_child failed!\n", 88) = 88
> close(1) = 0
> exit_group(1) = ?
> +++ exited with 1 +++
>
>
> "Peer's Certificate issuer is not recognized" - why is this appearing in the
> logs if the CA certs are already imported in the nssdb?
>
> This line is also not clear to me:
> "mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> 0x7f2379ad3000
> read(4, "# To re-enable legacy algorithms, edit this file\n# Note that the
> last empty line in this file must be
> preserved\nlibrary=\nname=Policy\nNSS=flags=policyOnly,moduleDB\nconfig=\"disallow=MD5:RC4
> allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023:TLS-VERSION-MIN=tls1.0\"\n\n",
> 4096) = 257"
> What is it about?
>
>
> Thank you for your help!
> Hristina M.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
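An added diagnostic in Python (not part of this thread or of SSSD itself) that automates the check Sumit is suggesting: it reads the ca_db setting from the [pam] section of sssd.conf and compares it with the directories p11_child probed for NSS database files in an strace capture. The sssd.conf fragment and strace lines are constructed samples, and the /etc/pki/nssdb default is an assumption.

```python
import configparser
import re

# Constructed sample sssd.conf fragment (not from the thread): ca_db points
# somewhere other than the system NSS database.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example

[pam]
pam_cert_auth = True
ca_db = /home/oracle
"""

# Constructed strace excerpt of the kind quoted in the thread: p11_child
# probing NSS database files under the configured ca_db directory.
SAMPLE_STRACE = """
stat("/home/oracle/secmod.db", 0x7ffcf6ee2350) = -1 ENOENT (No such file or directory)
open("/home/oracle/cert8.db", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
"""

DEFAULT_CA_DB = "/etc/pki/nssdb"  # assumed default for the legacy NSS-based build

def configured_ca_db(conf_text):
    """Return the ca_db value from [pam], or the assumed default if unset."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("pam", "ca_db", fallback=DEFAULT_CA_DB)

# Matches stat()/open() calls on the files that make up an NSS database.
NSS_FILE_RE = re.compile(r'(?:stat|open)\("([^"]+)/(?:cert[789]\.db|key[34]\.db|secmod\.db|pkcs11\.txt)"')

def nss_dirs_probed(strace_text):
    """Directories in which p11_child looked for NSS database files."""
    return sorted({m.group(1) for m in NSS_FILE_RE.finditer(strace_text)})

def diagnose(conf_text, strace_text):
    """List mismatches between where CA certs were imported and where p11_child looks."""
    ca_db = configured_ca_db(conf_text)
    findings = []
    if ca_db != DEFAULT_CA_DB:
        findings.append(f"ca_db is set to {ca_db}, not the system NSS db {DEFAULT_CA_DB}")
    for d in nss_dirs_probed(strace_text):
        if d != DEFAULT_CA_DB:
            findings.append(f"p11_child probed NSS files under {d}; CA certs imported into {DEFAULT_CA_DB} are not visible there")
    return findings
```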