[Freeipa-users] CA cert issues

Rob Crittenden rcritten at redhat.com
Thu Jan 17 01:50:00 UTC 2013


Orion Poplawski wrote:
> On 01/16/2013 04:28 PM, Orion Poplawski wrote:
>> I've installed ipa 2.2 on EL6.  I initially simply did an
>> ipa-server-install.
>>   Then I changed the cert used via ipa-server-certinstall to use a
>> wildcard
>> SSL cert issued by Comodo.  This has led to a lot of grief and needing to
>> install the Comodo CA chain into lots of SSL dbs.
>>
>> Now I'm looking at replicating the server with:
>>
>> ipa-replica-prepare ipapub.cora.nwra.com
>> --dirsrv_pkcs12=STAR_cora_nwra_com.p12 --dirsrv_pin=xxxxx
>> --http_pkcs12=STAR_cora_nwra_com.p12 --http_pin=xxxxxx
>>
>> But I get:
>>
>> Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
>> Copying SSL certificate for the Directory Server from
>> STAR_cora_nwra_com.p12
>> Creating SSL certificate for the dogtag Directory Server
>> ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM"
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>> marked as not
>> trusted by the user.)
>> preparation of replica failed: cannot connect to
>> 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
>> -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>> marked
>> as not trusted by the user.
>> cannot connect to
>> 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
>> -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>> marked
>> as not trusted by the user.
>>    File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
>>      main()
>>
>>    File "/usr/sbin/ipa-replica-prepare", line 353, in main
>>      export_certdb(api.env.realm, ds_dir, dir, passwd_fname,
>> "dogtagcert",
>> replica_fqdn, subject_base)
>>
>>    File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
>>      raise e
>>
>> Any suggestions?
>>
>> I don't really understand how the dogtag ca fits in with this
>> scenario. Should
>> I just get rid of it?  Can I?
>>
>
> I (re?) added the dogtag ca cert to the /etc/httpd/alias db:
>
> certutil -d /var/lib/pki-ca/alias/ -L -n 'caSigningCert cert-pki-ca' -a > IPACA.asc
>
> certutil -d /etc/httpd/alias -A -n 'IPA CA' -i IPACA.asc -t CTu,Cu,Cu
>
> Now I get:
>
> Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
> Copying SSL certificate for the Directory Server from
> STAR_cora_nwra_com.p12
> Creating SSL certificate for the dogtag Directory Server
> Certificate issuance failed
>
> /var/log/pki-ca/debug shows:
>
> [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input
> Parameter requestor_name='IPA Installer'
> [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input
> Parameter xmlOutput='true'
> [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input
> Parameter profileId='caIPAserviceCert'
> [16/Jan/2013:16:46:35][http-9444-2]: End of ProfileSubmitServlet Input
> Parameters
> [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: start serving
> [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: SubId=profile
> [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: isRenewal false
> [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: profileId
> caIPAserviceCert
> [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authenticator
> raCertAuth found
> [16/Jan/2013:16:46:35][http-9444-2]:
> ProfileSubmitServlet:setCredentialsIntoContext() authIds` null
> [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmistServlet: set Inputs
> into profile Context
> [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: set
> sslClientCertProvider
> [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: start
> [16/Jan/2013:16:46:35][http-9444-2]: authenticator instance name is
> raCertAuth
> [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: got provider
> [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: retrieving
> client certificate
> [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: No SSL
> Client Certs Found
> [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet:
> authentication error Invalid Credential.
>
> What cert needs to be created?  Aren't I already specifying the certs
> for the new server?
>
> Thanks.
>

We really need to put a big fat warning on this too: there be dragons.

It is really meant for v1 servers where we didn't have a full CA. The CA 
is really integrated into IPA v2+ such that replacing certs is going to 
cause some amount of grief (as you've seen).

I didn't think we blew away the existing NSS database using the tool, 
though it certainly sounds like we are.

What you're missing is the ipaCert in /etc/httpd/alias. This is used to 
authenticate to dogtag. Can you poke around in /etc/httpd to see if a 
backup was made, or use certutil to get a list of the nicknames in there?

I'm guessing it is trying to issue an SSL cert for the CA 389-ds 
instance. There are no cli options for providing that. Even if you did 
manage to get a prepared file you'd likely run into a whole new batch of 
install problems.

Sorry about that. We really need to decide whether this tool is worth 
supporting at all and fix it (or make it safer) or simply do away with 
it. Right now it's just a really sharp tool waiting to cut someone.

rob
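Rob's suggestion is to list the nicknames in /etc/httpd/alias with certutil and look for ipaCert. The following is an added example, not code from the thread or from FreeIPA: a POSIX shell check that parses the output of `certutil -d <dir> -L` and reports whether the ipaCert agent certificate and a CA entry trusted for SSL (C or CT flag) are present. The sample listings and the `NWRA.COM IPA CA` nickname are constructed.

```shell
#!/bin/sh
# Added example: check an NSS database listing for what ipa-replica-prepare
# needs in /etc/httpd/alias: the 'ipaCert' agent cert (used to authenticate
# to dogtag) and a CA cert trusted for SSL (trust flag 'C' or 'CT' in the
# first column). Input is the text printed by: certutil -d <dir> -L
# Returns 0 when both are present, 1 otherwise, naming what is missing.
check_nss_listing() {
    printf '%s\n' "$1" | awk '
        NR <= 2 || NF == 0 { next }        # skip the two header lines and blanks
        {
            flags = $NF                    # last field: SSL,S/MIME,JAR/XPI flags
            nick = $0                      # nickname may contain spaces,
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # so strip only the flags
            if (nick == "ipaCert") agent = 1
            split(flags, f, ",")
            if (f[1] ~ /C/) ca = 1         # C/CT: trusted to issue SSL server certs
        }
        END {
            if (!agent) print "missing ipaCert (agent cert for dogtag)" > "/dev/stderr"
            if (!ca)    print "no CA cert trusted for SSL (C/CT flag)" > "/dev/stderr"
            exit ((agent && ca) ? 0 : 1)
        }'
}

# Run the check against a real database directory (requires certutil),
# e.g. check_nss_db /etc/httpd/alias
check_nss_db() {
    check_nss_listing "$(certutil -d "$1" -L)"
}

# Constructed sample listing (nicknames assumed, not copied from the thread).
GOOD_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

ipaCert                                         u,u,u
Server-Cert                                     u,u,u
NWRA.COM IPA CA                                 CT,C,C'

# Constructed listing of the same database with the agent cert missing.
BROKEN_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Server-Cert                                     u,u,u
NWRA.COM IPA CA                                 CT,C,C'
```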



