[Freeipa-users] FreeIPA Server with ECC certificate in LDAPS (389DS)

Martin Kosek mkosek at redhat.com
Fri Nov 6 08:50:41 UTC 2015 

On 11/05/2015 02:39 PM, Marat Vyshegorodtsev wrote:
> Hi!
> 
> I've been fighting for the past week with FreeIPA and trying to make
> it work with my own CA certificate that is ECDSA_SHA256.
> 
> Even though I somehow fixed /etc/httpd/conf.d/nss.conf to make it work
> (basically added correct NSSCipherSuite), LDAP (389DS) is a tough nut.
> 
> The command I used is:
> 
> ipa-server-install --mkhomedir --hostname 'ipa.mydomain.com' --realm
> MYDOMAIN.COM --domain mydomain.com --ds-password 'DS_PASSWORD_HERE'
> --admin-password 'ADMIN_PASSWORD_HERE' --no-ntp --unattended
> --no-host-dns --dirsrv-cert-file /etc/ipa/ipa.p12 --http-cert-file
> /etc/ipa/ipa.p12 --dirsrv-pin 'PIN_FOR_CERT' --http-pin 'PIN_FOR_CERT'
> --ca-cert-file /etc/ipa/myownca.pem
> 
> In this case, installation fails at the following step:
> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
> 'ipa.rpay.us' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
> '/var/lib/ipa/tmp5KkCae' '-T' '/var/lib/ipa/tmpTC27Ap'
> 'uid=admin,cn=users,cn=accounts,dc=rpay,dc=us'' returned non-zero exit
> status 1
> 
> In /var/log/ipaserver-install.log I see a message:
> DEBUG stderr=ldap_start_tls: Protocol error (2)
>         additional info: SSL not supported by this server.
> 
> Basically, LDAP is broken now (it doesn't allow connecting without -ZZ
> flag, and fails with it, since TLS is misconfigured at this point).
> 
> What actually happens, LDAP gets configured to use RSA as a key
> exchange algorithm, and fails, since the cert is an ECC cert.
> 
> In /var/log/dirsrv/slapd-MYDOMAIN-COM/errors you can see:
> [05/Nov/2015:12:22:36 +0000] - SSL alert: ConfigSecureServer: Server
> key/certificate is bad for cert FreeIPA of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -12200
> - The certificate provided cannot be used with the selected key
> exchange algorithm.)
> 
> This is configured by ipaserver/install/dsinstance.py under def __enable_ssl:
> 
>        entry = conn.make_entry(
>             DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
>             objectclass=["top", "nsEncryptionModule"],
>             cn=["RSA"],
>             nsSSLPersonalitySSL=[self.nickname],
>             nsSSLToken=["internal (software)"],
>             nsSSLActivation=["on"],
>         )
>         conn.add_entry(entry)
> 
> My question is, is it possible to replace RSA with ECDSA here? If so,
> what parameters should I pass to LDAP?

Honza or Ludwig, do you know? This is certainly an uncharted territory, you are
the first person I know about trying to install FreeIPA CA-less with ECC
certificate.

There is a ticket to get ECC support in PKI (i.e. not CA-less), but it was not
completed yet:
https://fedorahosted.org/freeipa/ticket/3951

> 
> If this is fixable, can someone add autodetect of the type of the
> certificate and enable appropriate algorithms in LDAP and Apache?
> 
> Best regards,
> Marat Vyshegorodtsev
>

More information about the Freeipa-users mailing list