[Freeipa-users] ipa-getcert list fails to report correctly
Rob Crittenden
rcritten at redhat.com
Fri Feb 20 14:39:03 UTC 2015
Martin Kosek wrote:
> On 02/20/2015 06:56 AM, Les Stott wrote:
>> Hi all,
>>
>> The following is blocking the ability for me to install a CA replica.
>>
>> Environment:
>>
>> RHEL 6.6
>>
>> IPA 3.0.0-42
>>
>> PKI 9.0.3-38
>>
>> On the master the following is happening:
>>
>> ipa-getcert list
>>
>> Number of certificates and requests being tracked: 5.
>>
>> (but it shows no certificate details in the output)
>>
>> Running “getcert list” shows complete output.
>>
>> Also, when trying to browse
>> https://master.mydomain.com/ca/ee/ca/getCertChain I
>> get a failed response. The apache error logs on the master show….
>>
>> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL
>> client cannot
>> verify your certificate
>>
>> The reason I am trying to browse that address is because that’s what the
>> ipa-ca-install setup is failing at (it complains that the CA
>> certificate is not
>> in proper format, in fact it’s not able to get it at all).
>>
>> I know from another working ipa setup that ….
>>
>> Browsing to the above address provides valid xml content and
>> ipa-getcert list
>> shows certificate details and not just the number of tracked
>> certificates.
>>
>> Been trying for a long time to figure out the issues without luck.
>>
>> I would greatly appreciate any help to troubleshoot and resolve the
>> above issues.
>>
>> Regards,
>>
>> Les
>
> Endi or JanC, would you have any advice for Les? To me, it looks like
> the Apache does not have the proper certificate installed.
>
> My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it in
> total of 8 certs tracked:
>
> # ipa-getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20141111000002':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS
> Certificate
> DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=vm-086.example.com,O=EXAMPLE.COM
> expires: 2016-11-11 00:00:01 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20141111000047':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=vm-086.example.com,O=EXAMPLE.COM
> expires: 2016-11-11 00:00:46 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20141111000302':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=vm-086.example.com,O=EXAMPLE.COM
> expires: 2016-11-11 00:03:02 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
>
> What is actually in your Apache NSS database?
>
> # certutil -L -d /etc/httpd/alias/
>
> Martin
>
Remember ipa-getcert is just a shortcut for certificates using the
certmonger CA named IPA, so it's more a filter than anything else. I
don't know why it wouldn't display any output but I'd file a bug.
I think we'd need to see the getcert list output to try to figure out
what is going on.
As for the SSL error fetching the cert chain I think Martin may be onto
something. The request is proxied through Apache. I think the client
here might be the Apache proxy client.
I believe this command replicates what Apache is doing, you might give
it a try on the master. This will get the chain directly from dogtag,
bypassing Apache:
$ curl -v --cacert /etc/ipa/ca.crt https://`hostname`:9444/ca/ee/ca/getCertChain
rob
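Rob's point that ipa-getcert is only a filter on the certmonger CA named IPA suggests a quick check when the count and the detail lines disagree: parse the unfiltered getcert list output, count entries per CA, compare that with the declared total, and flag anything not in MONITORING or marked stuck. The script below is an added example and is not part of this thread or of certmonger itself. The sample output is constructed in the format Martin pasted (tab-indented fields under each Request ID); the second CA name, the pki-ca nicknames and the dates are made up for the example and are not taken from the thread.

```python
"""Summarise `getcert list` output by certmonger CA and flag unhealthy requests.

Added example for the thread above; not code from FreeIPA or certmonger.
Usage on a server:  getcert list | python3 getcert_summary.py
Run without stdin to see the constructed sample below.
"""
import json
import re
import sys
from collections import defaultdict

# Constructed sample in the getcert list format (tab-indented fields).
# Nicknames, paths, CA names and dates are invented for this example.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20141111000302':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=vm-086.example.com,O=EXAMPLE.COM
\texpires: 2016-11-11 00:03:02 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20141111000400':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\texpires: 2015-03-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20141111000500':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\texpires: 2016-11-11 00:05:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

HEADER_RE = re.compile(r"^Number of certificates and requests being tracked: (\d+)\.")
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Return (declared_total, [request dicts]) parsed from getcert list output.

    Each request dict maps the field name before the first colon (status, stuck,
    CA, expires, ...) to the rest of the line, plus the Request ID under 'id'.
    """
    total = None
    requests = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            total = int(m.group(1))
            continue
        m = REQUEST_RE.match(raw)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is not None and ":" in raw:
            key, _, value = raw.strip().partition(":")
            current[key.strip()] = value.strip()
    return total, requests


def summarize(text, ca_filter=None):
    """Compare the declared total with what was parsed, group by CA, flag problems.

    ca_filter="IPA" reproduces what ipa-getcert would show, so 'shown' tells you
    how many detail blocks that wrapper is expected to print.
    """
    total, requests = parse_getcert_list(text)
    shown = [r for r in requests if ca_filter is None or r.get("CA") == ca_filter]
    by_ca = defaultdict(int)
    for r in requests:
        by_ca[r.get("CA", "<none>")] += 1
    # Anything not quietly monitoring, or marked stuck, needs attention.
    problems = [r["id"] for r in requests
                if r.get("status") != "MONITORING" or r.get("stuck") == "yes"]
    nicknames = {r["id"]: (NICKNAME_RE.search(r.get("certificate", "")) or [None, None])[1]
                 for r in requests}
    return {"declared_total": total, "parsed": len(requests), "shown": len(shown),
            "by_ca": dict(by_ca), "problems": problems, "nicknames": nicknames}


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(json.dumps(summarize(data, ca_filter="IPA"), indent=2))
```

If `declared_total` is larger than `shown` for the IPA filter, the missing detail blocks are simply tracked under another certmonger CA, which is what Rob's explanation predicts; if `declared_total` is larger than `parsed` on the unfiltered output, certmonger itself is not printing every request and a bug report is the right next step. Any ID listed under `problems` is a renewal that will not complete on its own.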