[Freeipa-users] ipa-getcert list fails to report correctly

Rob Crittenden rcritten at redhat.com
Fri Feb 20 14:39:03 UTC 2015


Martin Kosek wrote:
> On 02/20/2015 06:56 AM, Les Stott wrote:
>> Hi all,
>>
>> The following is blocking the ability for me to install a CA replica.
>>
>> Environment:
>>
>> RHEL 6.6
>>
>> IPA 3.0.0-42
>>
>> PKI 9.0.3-38
>>
>> On the master the following is happening:
>>
>> ipa-getcert list
>>
>> Number of certificates and requests being tracked: 5.
>>
>> (but it shows no certificate details in the output)
>>
>> Running “getcert list” shows complete output.
>>
>> Also, when trying to browse
>> https://master.mydomain.com/ca/ee/ca/getCertChain I
>> get a failed response. The Apache error logs on the master show….
>>
>> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
>>
>> The reason I am trying to browse that address is because that’s what the
>> ipa-ca-install setup is failing at (it complains that the CA
>> certificate is not
>> in proper format, in fact it’s not able to get it at all).
>>
>> I know from another working ipa setup that ….
>>
>> Browsing to the above address provides valid xml content and
>> ipa-getcert list
>> shows certificate details and not just the number of tracked
>> certificates.
>>
>> Been trying for a long time to figure out the issues without luck.
>>
>> I would greatly appreciate any help to troubleshoot and resolve the
>> above issues.
>>
>> Regards,
>>
>> Les
> 
> Endi or JanC, would you have any advice for Les? To me, it looks like
> Apache does not have a proper certificate installed.
> 
> My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it
> 8 certs tracked in total:
> 
> # ipa-getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20141111000002':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>     subject: CN=vm-086.example.com,O=EXAMPLE.COM
>     expires: 2016-11-11 00:00:01 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20141111000047':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>     subject: CN=vm-086.example.com,O=EXAMPLE.COM
>     expires: 2016-11-11 00:00:46 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20141111000302':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>     subject: CN=vm-086.example.com,O=EXAMPLE.COM
>     expires: 2016-11-11 00:03:02 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> 
> 
> What is actually in your Apache NSS database?
> 
> # certutil -L -d /etc/httpd/alias/
> 
> Martin
> 

Remember ipa-getcert is just a shortcut for certificates using the
certmonger CA named IPA, so it's more a filter than anything else. I
don't know why it wouldn't display any output but I'd file a bug.

I think we'd need to see the getcert list output to try to figure out
what is going on.

As for the SSL error fetching the cert chain I think Martin may be onto
something. The request is proxied through Apache. I think the client
here might be the Apache proxy client.

I believe this command replicates what Apache is doing; you might give
it a try on the master. This will get the chain directly from dogtag,
bypassing Apache:

$ curl -v --cacert /etc/ipa/ca.crt https://`hostname`:9444/ca/ee/ca/getCertChain

rob
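
As an added example (not code from this thread, nor from FreeIPA or certmonger), the script below parses a constructed `getcert list` output, applies the same CA-name filter that Rob describes ipa-getcert as being, and flags the symptom Les reported: a tracked-count header with no request entries behind it. Field names follow the getcert output quoted above; the request IDs and subjects in the sample are constructed.

```python
import re

# Constructed sample of `getcert list` output (not taken from the thread):
# two certs tracked through the certmonger CA "IPA" and one through another CA.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20141111000302':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=master.example.com,O=EXAMPLE.COM
Request ID '20141111000047':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
Request ID '20150101000001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tCA: local
"""
# Constructed: the symptom from the thread, a header count with nothing behind it.
BROKEN_OUTPUT = "Number of certificates and requests being tracked: 5.\n"
HEADER_RE = re.compile(r"Number of certificates and requests being tracked: (\d+)\.")
REQUEST_RE = re.compile(r"Request ID '([^']+)':")

def parse_getcert_list(text):
    """Return (declared_count, list of per-request dicts) from getcert output."""
    declared, requests, current = None, [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            declared = int(m.group(1))
        elif m := REQUEST_RE.match(line):
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()  # e.g. current["CA"] = "IPA"
    return declared, requests

def check_tracking(text, ca_name="IPA"):
    """Apply ipa-getcert's filter (CA == ca_name) and flag the mismatch from the
    thread: the header count disagrees with the entries actually printed."""
    declared, requests = parse_getcert_list(text)
    return {
        "declared": declared,
        "printed": len(requests),
        "header_matches_entries": declared == len(requests),
        "ipa_tracked": [r["id"] for r in requests if r.get("CA") == ca_name],
        "stuck": [r["id"] for r in requests if r.get("stuck") == "yes"],
    }
```

Feed it the real output with `check_tracking(subprocess.check_output(["getcert", "list"], text=True))`; a `False` in `header_matches_entries` is the condition worth attaching to the bug report Rob suggests filing.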
