[Freeipa-users] Public CA signed Certificate import failure

James Roman james_roman at ssaihq.com
Tue Jul 21 18:17:35 UTC 2009


James Roman wrote:
> Rob Crittenden wrote:
>> James Roman wrote:
>>> Rob Crittenden wrote:
>>>> James Roman wrote:
>>>>> First off, thanks Rob for the direction on creating a certificate. 
>>>>> After reading up on Mozilla's NSS, I think I've got a pretty fair 
>>>>> grounding.
>>>>>
>>>>> So I successfully generated a CSR and had it signed. I imported my 
>>>>> certificate and CA chain into the NSS database and exported it to 
>>>>> a PKCS12 cert. I am primarily concerned with using the public cert 
>>>>> on the HTTP interface. However, when I go to import it using 
>>>>> ipa-server-certificate, it chokes on the names in the CA 
>>>>> certificate chain. (One of the certs uses full website address for 
>>>>> the name.) I can manually import each of the certificates in the 
>>>>> CA chain using certutil on the /etc/httpd/alias directory.
>>>>
>>>> What do you mean by choke? Do you have a python backtrace or can 
>>>> you send me the ipaserver-install.log?
>>> Here is what I get when importing the p12 file using 
>>> "ipa-server-certinstall". The reasons for the errors are fairly 
>>> self-evident when you see how it parses the command line arguments.
>>>
>>> # ipa-server-certinstall -w 
>>> /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx 
>>> --http_pin='mysecretpin'
>>> an unexpected error occurred: Command '/usr/bin/certutil -d 
>>> /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" 
>>> [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, 
>>> Inc. -t CT,CT,' returned non-zero exit status 255
>>> Traceback (most recent call last):
>>>  File "/usr/sbin/ipa-server-certinstall", line 137, in main
>>>    server_cert = import_cert(dirname, pkcs12_fname, 
>>> options.http_pin, "")
>>>  File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
>>>    cdb.trust_root_cert(server_cert[0])
>>>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 
>>> 322, in trust_root_cert
>>>    "-t", "CT,CT,"])
>>>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 
>>> 126, in run_certutil
>>>    return ipautil.run(new_args, stdin)
>>>  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in 
>>> run
>>>    raise CalledProcessError(p.returncode, ' '.join(args))
>>> CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias 
>>> -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 
>>> Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' 
>>> returned non-zero exit status 255
>>>
>>> I'm left with most of the certificate chain
>>
>> Ok, we shouldn't need to mess with builtin CAs at all.
>>
>> Can you file a bug on this?
>>
>> In the meantime, this patch should fix things for you:
>>
>> diff --git a/ipa-server/ipaserver/certs.py 
>> b/ipa-server/ipaserver/certs.py
>> index 8cb1d08..610ca1d 100644
>> --- a/ipa-server/ipaserver/certs.py
>> +++ b/ipa-server/ipaserver/certs.py
>> @@ -318,8 +318,9 @@ class CertDB(object):
>>      def trust_root_cert(self, nickname):
>>          root_nickname = self.find_root_cert(nickname)
>>
>> -        self.run_certutil(["-M", "-n", root_nickname,
>> -                           "-t", "CT,CT,"])
>> +        if root_nickname is not None and root_nickname[:7] != 
>> "Builtin":
>> +            self.run_certutil(["-M", "-n", root_nickname,
>> +                               "-t", "CT,CT,"])
>>
>>      def find_server_certs(self):
>>          p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
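Review bot: The new guard only sidesteps the Builtin-token case and does not address what the traceback shows, namely that find_root_cert hands back the nickname with its closing quote and the bracketed DN still attached (`-n Builtin Object Token:Go Daddy Class 2 CA" [OU=...`), so the same `-M` call fails again as soon as the root is a non-builtin certificate parsed the same way (the valicert.com failure later in this thread). Fix the extraction in find_root_cert so only the text inside the first pair of quotes is returned and keep this guard as a second check; also log when the trust step is skipped instead of falling through silently, and `root_nickname.startswith("Builtin")` reads better than the `[:7]` slice.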
>>
>> If you are careful you should be able to modify, as root, the IPA 
>> python source. You'll find it in 
>> /usr/lib/python2.5/site-packages/ipaserver/certs.py
>>
>> Indentation matters in python so be sure to apply this exactly.
>>
>> rob
> Well it worked partly. I was able to successfully import the 
> certificate for the webserver. It did not set the trust attributes on 
> the CA certificates (perhaps that was the point). If I run the command 
> to import the certificate for the directory server, it fails on a 
> different part of the CA chain now.
>
> # ipa-server-certinstall -d 
> /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx 
> --dirsrv_pin='mysecretpin'
> Directory Manager password:
> an unexpected error occurred: Command '/usr/bin/certutil -d 
> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" 
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned 
> non-zero exit status 255
> Traceback (most recent call last):
>  File "/usr/sbin/ipa-server-certinstall", line 132, in main
>    server_cert = import_cert(dirname, pkcs12_fname, 
> options.dirsrv_pin, passwd)
>  File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
>    cdb.trust_root_cert(server_cert[0])
>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 325, 
> in trust_root_cert
>    "-t", "CT,CT,"])
>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, 
> in run_certutil
>    return ipautil.run(new_args, stdin)
>  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>    raise CalledProcessError(p.returncode, ' '.join(args))
> CalledProcessError: Command '/usr/bin/certutil -d 
> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" 
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned 
> non-zero exit status 255
>
Looking into this a bit closer, my best guess is that the problem 
really exists in the find_root_cert routine. If I manually run certutil 
-O on my server certificate, I get:

"valicert.com" 
[E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation 
Network]

  "Go Daddy Class 2 Certification Authority" [OU=Go Daddy Class 2 
Certification Authority,O="The Go Daddy Group, Inc.",C=US]

    "Go Daddy Secure Certification Authority" 
[serialNumber=07969287,CN=Go Daddy Secure Certification 
Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, 
Inc.",L=Scottsdale,ST=Arizona,C=US]

      "servername server-cert" [CN=servername.realm.com,OU=Domain 
Control Validated,O=servername.realm.com]

It looks like it is choking on the quotes around the organization name. 
Does this routine really need to return the part between the square 
brackets? From what I've seen thus far, it does not look like the 
Distinguished Name is required for certificate management. Can the 
string just be chopped off after the friendly name?
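As an added example (not code from this thread or from the IPA source), here is a parser for the `certutil -O` chain listing above that keeps the nickname and the bracketed DN apart, beside a hypothetical naive parse that reproduces the mangled `-n` argument seen in both tracebacks. The sample output is re-assembled from the chain quoted in the thread (mail wrapping undone, the Secure CA's DN shortened) and the Builtin-token skip mirrors Rob's patch; `naive_nickname` is my guess at the failure mode, not the real find_root_cert.

```python
import re

# Constructed sample of `certutil -O` output, re-assembled from the chain
# quoted above: one line per certificate, two spaces of indent per level.
CHAIN_OUTPUT = (
    '"valicert.com" [E=info@valicert.com,CN=http://www.valicert.com/,'
    'OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",'
    'L=ValiCert Validation Network]\n\n'
    '  "Go Daddy Class 2 Certification Authority" [OU=Go Daddy Class 2 '
    'Certification Authority,O="The Go Daddy Group, Inc.",C=US]\n\n'
    '    "Go Daddy Secure Certification Authority" [serialNumber=07969287,'
    'CN=Go Daddy Secure Certification Authority,O="GoDaddy.com, Inc.",C=US]\n\n'
    '      "servername server-cert" [CN=servername.realm.com,'
    'OU=Domain Control Validated,O=servername.realm.com]\n'
)

# indent, quoted nickname, DN in brackets. The non-greedy nickname group
# stops at the first `" [`, so a quoted O= value inside the DN cannot leak.
_LINE_RE = re.compile(r'^(\s*)"(.*?)"\s+\[(.*)\]\s*$')


def naive_nickname(line):
    """Hypothetical buggy parse (first quote to last quote); only here to show it."""
    return line[line.find('"') + 1:line.rfind('"')]


def parse_chain(output):
    """Return [(depth, nickname, dn), ...] from the root (depth 0) to the leaf."""
    chain = []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable certutil -O line: %r" % line)
        indent, nickname, dn = m.groups()
        chain.append((len(indent) // 2, nickname, dn))
    return chain


def find_root_cert(output):
    """Nickname of the chain root, or None for an empty chain."""
    chain = parse_chain(output)
    return chain[0][1] if chain else None


def trust_root_args(output):
    """certutil argv marking the root as a trusted CA; None when there is no
    root or it lives in the read-only Builtin Object Token (the patched case).
    An argv list, not a shell string, so the nickname is never re-quoted."""
    root = find_root_cert(output)
    if root is None or root.startswith("Builtin Object Token:"):
        return None
    return ["-M", "-n", root, "-t", "CT,CT,"]
```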