[Freeipa-users] FreeIPA Server with ECC certificate in LDAPS (389DS)

Marat Vyshegorodtsev marat.vyshegorodtsev at gmail.com
Thu Nov 5 13:39:48 UTC 2015


Hi!

I've been fighting for the past week with FreeIPA and trying to make
it work with my own CA certificate that is ECDSA_SHA256.

Even though I somehow fixed /etc/httpd/conf.d/nss.conf to make it work
(basically added the correct NSSCipherSuite), LDAP (389DS) is a tough nut.

The command I used is:

ipa-server-install --mkhomedir --hostname 'ipa.mydomain.com' --realm
MYDOMAIN.COM --domain mydomain.com --ds-password 'DS_PASSWORD_HERE'
--admin-password 'ADMIN_PASSWORD_HERE' --no-ntp --unattended
--no-host-dns --dirsrv-cert-file /etc/ipa/ipa.p12 --http-cert-file
/etc/ipa/ipa.p12 --dirsrv-pin 'PIN_FOR_CERT' --http-pin 'PIN_FOR_CERT'
--ca-cert-file /etc/ipa/myownca.pem

In this case, installation fails at the following step:
Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
'ipa.rpay.us' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
'/var/lib/ipa/tmp5KkCae' '-T' '/var/lib/ipa/tmpTC27Ap'
'uid=admin,cn=users,cn=accounts,dc=rpay,dc=us'' returned non-zero exit
status 1

In /var/log/ipaserver-install.log I see a message:
DEBUG stderr=ldap_start_tls: Protocol error (2)
        additional info: SSL not supported by this server.

Basically, LDAP is broken now (it doesn't allow connecting without -ZZ
flag, and fails with it, since TLS is misconfigured at this point).

What actually happens is that LDAP gets configured to use RSA as the key
exchange algorithm and fails, since the cert is an ECC cert.

In /var/log/dirsrv/slapd-MYDOMAIN-COM/errors you can see:
[05/Nov/2015:12:22:36 +0000] - SSL alert: ConfigSecureServer: Server
key/certificate is bad for cert FreeIPA of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -12200
- The certificate provided cannot be used with the selected key
exchange algorithm.)

This is configured by ipaserver/install/dsinstance.py under def __enable_ssl:

        entry = conn.make_entry(
            DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
            objectclass=["top", "nsEncryptionModule"],
            cn=["RSA"],
            nsSSLPersonalitySSL=[self.nickname],
            nsSSLToken=["internal (software)"],
            nsSSLActivation=["on"],
        )
        conn.add_entry(entry)

My question is, is it possible to replace RSA with ECDSA here? If so,
what parameters should I pass to LDAP?

If this is fixable, can someone add autodetect of the type of the
certificate and enable appropriate algorithms in LDAP and Apache?

Best regards,
Marat Vyshegorodtsev
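As an added example (not code from the post, from FreeIPA or from 389DS), here is the check the poster asks for at the end: determine whether the certificate in a PEM or in the PKCS#12 bundle passed as --dirsrv-cert-file is RSA or EC before running ipa-server-install, since that is what decides whether the cn=RSA encryption family can use it. It assumes only the openssl CLI (and, for the live check that is defined but not run, ldapsearch); the hostnames, file names and PIN are placeholders, and the certificates it inspects are throwaway self-signed ones generated inline.

```shell
#!/bin/sh
# Added example (not code from the post or from FreeIPA/389DS): tell whether a
# server certificate is RSA or EC before handing it to ipa-server-install.
# Assumes only the openssl CLI; hostnames and the PIN are placeholders.
set -eu

# Report the SubjectPublicKeyInfo algorithm of a PEM certificate as RSA or EC.
cert_key_family() {
    alg=$(openssl x509 -in "$1" -noout -text \
          | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$alg" in
        rsaEncryption)  echo RSA ;;
        id-ecPublicKey) echo EC ;;
        *)              echo "UNKNOWN($alg)" ;;
    esac
}

# Same check for a PKCS#12 bundle, i.e. what --dirsrv-cert-file /etc/ipa/ipa.p12
# together with --dirsrv-pin carries: $1 is the .p12 path, $2 the PIN.
p12_key_family() {
    pem=$(mktemp)
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" -out "$pem" 2>/dev/null
    cert_key_family "$pem"
    rm -f "$pem"
}

# Live check against an installed server (defined here, not run offline): the
# same StartTLS handshake ldappasswd -ZZ performs, then the negotiated cipher,
# whose name contains ECDSA only when the ECC certificate is really served.
ldap_tls_check() {
    host=$1
    ldapsearch -ZZ -H "ldap://$host" -x -s base -b '' namingContexts
    openssl s_client -connect "$host:636" -servername "$host" </dev/null 2>/dev/null \
        | grep -E '^(Protocol|Cipher|Server public key)'
}

# Constructed sample input: throwaway self-signed certificates, one ECDSA/P-256
# and one RSA, plus a PKCS#12 bundle of the EC one protected with a dummy PIN.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
openssl ecparam -name prime256v1 -genkey -noout -out "$workdir/ec.key"
openssl req -x509 -new -key "$workdir/ec.key" -out "$workdir/ec.pem" \
    -subj /CN=ipa.example.test -days 1 2>/dev/null
openssl genrsa -out "$workdir/rsa.key" 2048 2>/dev/null
openssl req -x509 -new -key "$workdir/rsa.key" -out "$workdir/rsa.pem" \
    -subj /CN=ipa.example.test -days 1 2>/dev/null
openssl pkcs12 -export -in "$workdir/ec.pem" -inkey "$workdir/ec.key" \
    -out "$workdir/ec.p12" -passout pass:PIN_FOR_CERT

echo "ec.pem:  $(cert_key_family "$workdir/ec.pem")"                 # EC
echo "rsa.pem: $(cert_key_family "$workdir/rsa.pem")"                # RSA
echo "ec.p12:  $(p12_key_family "$workdir/ec.p12" PIN_FOR_CERT)"     # EC
```

Run it as-is to see the two families reported; against a real install, call p12_key_family on /etc/ipa/ipa.p12 with the real PIN, and ldap_tls_check on the IPA hostname once 389DS is up to reproduce the -ZZ step that failed above and to see which key exchange the server actually negotiated.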
