<div dir="ltr">Hi,<div><br></div><div>We moved our CA-less FreeIPA install into production only few days ago and today I've noticed some problem with certificates.</div><div><br></div><div>This is FreeIPA 4.2 installation on Centos 7.2.</div><div><br></div><div>I've installed the first node with the following command:</div><div><br></div><div><div> ipa-server-install \</div><div> -U \</div><div> -r $REALM \</div><div> -n $DOMAIN \</div><div> -p $PASSWD \</div><div> -a $PASSWD \</div><div> --mkhomedir \</div><div> --setup-dns \</div><div> --no-forwarders \</div><div> --no-dnssec-validation \</div><div> --idstart=1100 \</div><div> --dirsrv-cert-file=${CERT_FILE} \</div><div> --dirsrv-cert-name=${CERT_NAME} \</div><div> --http-cert-file=${CERT_FILE} \</div><div> --http-cert-name=${CERT_NAME} \</div><div> --dirsrv-pin='' \</div><div> --http-pin=''</div></div><div><br></div><div>The ${CERT_FILE} was in PKCS12 format and it included the whole certificate chain (<span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:20px">AddTrustExternalCARoot.pem -> USERTrustRSACA.pem -> GandiStandardSSLCA2.pem -> </span><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:20px"><a href="http://star.ipa.wandisco.com">star.ipa.wandisco.com</a></span><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px;line-height:20px">.crt)</span>:</div><div><br></div><div><div class="" style="line-height:20px;font-family:Consolas,"Bitstream Vera Sans Mono","Courier New",Courier,monospace;font-size:14px;color:rgb(51,51,51);margin:0px!important;padding:0px 1em 0px 0px!important;border-radius:0px!important;border:0px!important;float:none!important;height:auto!important;outline:0px!important;overflow:visible!important;vertical-align:baseline!important;width:auto!important;min-height:auto!important;white-space:nowrap!important;background-image:none!important;background-repeat:initial!important"><code class="" style="font-family:Consolas,"Bitstream Vera Sans Mono","Courier New",Courier,monospace!important;border-radius:0px!important;border:0px!important;float:none!important;height:auto!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;min-height:auto!important;color:rgb(0,0,0)!important;background:none!important">$ openssl verify -verbose -CAfile <(cat AddTrustExternalCARoot.pem USERTrustRSACA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt</code></div><div class="" style="line-height:20px;font-family:Consolas,"Bitstream Vera Sans Mono","Courier New",Courier,monospace;font-size:14px;color:rgb(51,51,51);margin:0px!important;padding:0px 1em 0px 0px!important;border-radius:0px!important;border:0px!important;float:none!important;height:auto!important;outline:0px!important;overflow:visible!important;vertical-align:baseline!important;width:auto!important;min-height:auto!important;white-space:nowrap!important;background-image:none!important;background-repeat:initial!important"><code class="" style="font-family:Consolas,"Bitstream Vera Sans Mono","Courier New",Courier,monospace!important;border-radius:0px!important;border:0px!important;float:none!important;height:auto!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;min-height:auto!important;color:rgb(0,0,0)!important;background:none!important">star.ipa.wandisco.com.crt: OK</code></div></div><div><br></div><div>Today I've noticed that the /etc/ipa/ca.crt file is not the same across all nodes and I've attempted to fix it by running ipa-certupdate.</div><div><br></div><div>Now, instead of 3 CA certificates in /etc/ipa/ca.crt I can see 5 certificates (the last 2 are the same). To investigate this, I've split ca.cert into 5 separate files cert1-5:</div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap">[root@shdc01 temp]# for i in {1..5}; do echo cert${i}; openssl x509 -in cert${i} -noout -text | grep -i 'issuer:\|subject:'; done
cert1
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
cert2
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert3
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
cert4
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert5
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority</pre></div><div>As you can see, cert4 and cert5 are equal yet listed twice and they are completely different to cert3 - the one from the certificate chain supplied by SSL provider.</div><div><br></div><div>As per our previous conversation with Jan Cholasta, cert4/5 must have been added (by ipa-certupdate?) from certificates available on the server (ca-certificates package?).</div><div><br></div><div>So now, we ended up with having "USERTrust RSA Certification Authority - AddTrust AB" listed twice - one of them is correct (from the chain), the other one is incorrect:</div><div><br></div><div><div>[root@shdc01 ~]# certutil -L -d /etc/pki/nssdb/</div><div><br></div><div>Certificate Nickname Trust Attributes</div><div> SSL,S/MIME,JAR/XPI</div><div><br></div><div>AddTrust External CA Root - AddTrust AB ,,</div><div>USERTrust RSA Certification Authority - AddTrust AB ,,</div><div>Gandi Standard SSL CA 2 - The USERTRUST Network C,,</div><div>USERTrust RSA Certification Authority - AddTrust AB ,,</div></div><div><br></div><div><br></div><div><div>[root@shdc01 ~]# certutil -L -d /etc/httpd/alias/</div><div><br></div><div>Certificate Nickname Trust Attributes</div><div> SSL,S/MIME,JAR/XPI</div><div><br></div><div>GandiWildcardIPA u,u,u</div><div>AddTrust External CA Root - AddTrust AB ,,</div><div>USERTrust RSA Certification Authority - AddTrust AB ,,</div><div>Gandi Standard SSL CA 2 - The USERTRUST Network C,,</div><div>USERTrust RSA Certification Authority - AddTrust AB ,,</div></div><div><br></div><div><br></div><div><div>[root@shdc01 ~]# certutil -L -d /etc/pki/nssdb/</div><div><br></div><div>Certificate Nickname Trust Attributes</div><div> SSL,S/MIME,JAR/XPI</div><div><br></div><div>USERTrust RSA Certification Authority - AddTrust AB ,,</div><div>AddTrust External CA Root - AddTrust AB ,,</div><div>USERTrust RSA Certification Authority - AddTrust AB ,,</div><div>Gandi Standard SSL CA 2 - The USERTRUST Network C,,</div></div><div><br></div><div><br></div><div>Now, if I try to query FreeIPA's LDAP directory (for example using ldapsearch), I get the following errors:</div><div><br></div><div><div>TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)</div><div>TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure</div><div>TLS: can't connect: SSLHandshake() failed: misc. bad certificate (-9825).<br></div></div><div><br></div><div>We can clearly see that the certificate chain advertised by the server is not correct hence it's failing SSL handshake:</div><div><br></div><div><div>$ openssl s_client -connect <a href="http://shdc01.ipa.wandisco.com:636">shdc01.ipa.wandisco.com:636</a></div></div><div>CONNECTED(00000003)<br></div><div><div>depth=2 /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority</div><div>verify error:num=19:self signed certificate in certificate chain</div><div>verify return:0</div><div>---</div><div>Certificate chain</div><div> 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.<a href="http://ipa.wandisco.com">ipa.wandisco.com</a></div><div> i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2</div><div> 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2</div><div> i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority</div><div> 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority</div><div> i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority</div></div><div><br></div><div><br></div><div>Please correct me if I'm wrong, but I think that in order to fix this we will need to remove the incorrectly added certificate "USERTrust RSA Certification Authority - AddTrust AB", but which one since there 2 with exactly the same nickname? </div><div><br></div><div>I haven't made any further changes to any of the servers as I would like to get your input first.</div><div><br></div><div>Please get back to me as soon as possible, it is very important for us to recover from this state in a timely manner.</div><div><br></div><div>I'm available on #freeipa under nickname peterpakos.</div><div><br></div><div>Thanks in advance for your help.</div><div><br></div><div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Kind regards,<div> Peter Pakos</div></div></div>
</div></div>