[Freeipa-users] Public CA signed Certificate import failure

Rob Crittenden rcritten at redhat.com
Tue Jul 21 14:44:52 UTC 2009


James Roman wrote:
> Rob Crittenden wrote:
>> James Roman wrote:
>>> First off, thanks Rob for the direction on creating a certificate. 
>>> After reading up on Mozilla's NSS, I think I've got a pretty fair 
>>> grounding.
>>>
>>> So I successfully generated a CSR and had it signed. I imported my 
>>> certificate and CA chain into the NSS database and exported it to a 
>>> PKCS12 cert. I am primarily concerned with using the public cert on 
>>> the HTTP interface. However, when I go to import it using 
>>> ipa-server-certificate, it chokes on the names in the CA certificate 
>>> chain. (One of the certs uses full website address for the name.) I 
>>> can manually import each of the certificates in the CA chain using 
>>> certutil on the /etc/httpd/alias directory.
>>
>> What do you mean by choke? Do you have a python backtrace or can you 
>> send me the ipaserver-install.log?
> Here is what I get when importing the p12 file using 
> "ipa-server-certinstall". The reasons for the errors are fairly 
> self-evident when you see how it parses the command line arguments.
> 
> # ipa-server-certinstall -w 
> /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx 
> --http_pin='mysecretpin'
> an unexpected error occurred: Command '/usr/bin/certutil -d 
> /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go 
> Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc. -t 
> CT,CT,' returned non-zero exit status 255
> Traceback (most recent call last):
>  File "/usr/sbin/ipa-server-certinstall", line 137, in main
>    server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
>  File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
>    cdb.trust_root_cert(server_cert[0])
>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, 
> in trust_root_cert
>    "-t", "CT,CT,"])
>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, 
> in run_certutil
>    return ipautil.run(new_args, stdin)
>  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>    raise CalledProcessError(p.returncode, ' '.join(args))
> CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n 
> Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 
> Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned 
> non-zero exit status 255
> 
> I'm left with most of the certificate chain

Ok, we shouldn't need to mess with builtin CAs at all.

Can you file a bug on this?

In the meantime, this patch should fix things for you:

diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py
index 8cb1d08..610ca1d 100644
--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -318,8 +318,9 @@ class CertDB(object):
      def trust_root_cert(self, nickname):
          root_nickname = self.find_root_cert(nickname)

-        self.run_certutil(["-M", "-n", root_nickname,
-                           "-t", "CT,CT,"])
+        if root_nickname is not None and root_nickname[:7] != "Builtin":
+            self.run_certutil(["-M", "-n", root_nickname,
+                               "-t", "CT,CT,"])

      def find_server_certs(self):
          p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
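Review bot: the test `root_nickname[:7] != "Builtin"` in the new `if` compares only the first seven characters, so a user-created nickname that merely begins with "Builtin" is also silently skipped; `root_nickname.startswith("Builtin Object Token:")` states the intent exactly and matches the token prefix shown in the traceback. The value in that traceback, `Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.`, also carries a stray `"` and part of the subject DN, which is what you would get by cutting the nickname at the last quote on the line instead of at the quote that closes the nickname; the prefix check avoids the certutil call for this builtin root, but the same truncation would still hand a bad `-n` argument to certutil for a non-builtin root whose subject contains a quoted value such as `O="The Go Daddy Group, Inc."`. Finally, when `root_nickname` is None the method now returns without logging anything, so a chain whose root could not be identified leaves no trace in ipaserver-install.log; a log line there would make the next report easier to diagnose.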

If you are careful you should be able to modify, as root, the IPA Python 
source. You'll find it in 
/usr/lib/python2.5/site-packages/ipaserver/certs.py

Indentation matters in Python so be sure to apply this exactly.

rob
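The failure in the thread comes from pulling a root nickname out of certutil chain output and then passing it to `certutil -M`. The following is an added example, not IPA's own code: it parses lines of the `"nickname" [subject]` form that `certutil -O` prints, tolerates embedded quotes in the subject DN, leaves builtin-token roots alone as Rob's patch does, and only then builds the certutil argument list. The two chain samples are constructed from the names in the thread; `CHAIN_LINE`, `parse_chain`, `find_root_cert`, `is_builtin` and `trust_root_argv` are names chosen for this example.

```python
import re

# Constructed sample of `certutil -O` output for the chain discussed in the
# thread. The embedded quotes in O="The Go Daddy Group, Inc." are what a
# split on the last '"' of the line trips over.
SAMPLE_CHAIN = '''"Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US]

  "Go Daddy Secure Certification Authority" [CN=Go Daddy Secure Certification Authority,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]

    "Server-Cert" [CN=server.suffix.com,O=Example Org,C=US]
'''

# Constructed sample with a non-builtin root, which does need the -t CT,CT, step.
PRIVATE_CHAIN = '''"Example Private Root CA" [CN=Example Private Root CA,O="Example, Inc.",C=US]

  "Server-Cert" [CN=server.suffix.com,O="Example, Inc.",C=US]
'''

# One chain entry: indentation, a quoted nickname, then the subject in brackets.
# The nickname match is non-greedy so the first '" [' closes it, and the subject
# match is greedy so quotes and brackets inside the DN stay in the subject.
CHAIN_LINE = re.compile(r'^(\s*)"(?P<nick>.*?)" \[(?P<subject>.*)\]$')
BUILTIN_PREFIX = "Builtin Object Token:"

def parse_chain(output):
    """Return a list of (depth, nickname, subject) tuples, one per chain entry."""
    chain = []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = CHAIN_LINE.match(line)
        if m is None:
            raise ValueError("unparseable chain line: %r" % line)
        chain.append((len(m.group(1)), m.group("nick"), m.group("subject")))
    return chain

def find_root_cert(output):
    """Nickname of the least-indented entry (the chain root), or None if empty."""
    chain = parse_chain(output)
    if not chain:
        return None
    return min(chain, key=lambda entry: entry[0])[1]

def is_builtin(nickname):
    """True for certificates that live in NSS's builtin roots module."""
    return nickname.startswith(BUILTIN_PREFIX)

def trust_root_argv(secdir, output):
    """certutil argv to mark the root as a trusted CA, or None when nothing should run."""
    root = find_root_cert(output)
    if root is None or is_builtin(root):
        return None
    return ["/usr/bin/certutil", "-d", secdir, "-M", "-n", root, "-t", "CT,CT,"]
```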