[Freeipa-users] IPA with external CA signed certs

Rob Crittenden rcritten at redhat.com
Thu Nov 12 15:21:02 UTC 2015


James Masson wrote:
>
>
> On 30/10/15 13:52, Rob Crittenden wrote:
>> James Masson wrote:
>>>
>>>
>>> On 26/10/15 16:11, Martin Kosek wrote:
>>>> On 10/26/2015 04:05 PM, James Masson wrote:
>>>>>
>>>>>
>>>>> On 19/10/15 21:06, Rob Crittenden wrote:
>>>>>> James Masson wrote:
>>>>>>>
>>>>>>> Hi list,
>>>>>>>
>>>>>>> I successfully have IPA working with CA certs signed by an upstream
>>>>>>> Dogtag.
>>>>>>>
>>>>>>> Now I'm trying to use a CA cert signed by a different type of CA -
>>>>>>> Vault.
>>>>>>>
>>>>>>> Setup fails, using the same 2 step IPA setup process as used with
>>>>>>> upstream Dogtag. I've also tried the external-ca-type option.
>>>>>>>
>>>>>>> Likely, IPA doesn't like the certificate - however, I can't
>>>>>>> pinpoint why.
>>>>>>
>>>>>> I'm guessing you don't include the entire CA certchain of Vault.
>>>>>> Dogtag
>>>>>> is failing to startup because it can't verify its own cert chain:
>>>>>>
>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>> CAPresence:  CA is present
>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>> SystemCertsVerification: system certs verification failure
>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>> SelfTestSubsystem: The CRITICAL self test plugin called
>>>>>> selftests.container.instance.SystemCertsVerification running at
>>>>>> startup
>>>>>> FAILED!
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>>
>>>>> Hi Rob,
>>>>>
>>>>> Thanks for the reply.
>>>>>
>>>>> I do present the IPA installer with both the CA and the IPA cert -
>>>>> the IPAs
>>>>> python-based install code is happy with the cert chain, but the Java
>>>>> based
>>>>> dogtag code chokes on it.
>>>>>
>>>>> OpenSSL is happy with it too.
>>>>>
>>>>> #####
>>>>> [root at foo ~]# openssl verify ipa.crt
>>>>> ipa.crt: O = LOCAL, CN = Certificate Authority
>>>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>>>>
>>>>> [root at foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
>>>>> ipa.crt: OK
>>>>> ###
>>>>>
>>>>> Any hints on how to reproduce this with more debug output? I'd like
>>>>> to know
>>>>> exactly what Dogtag doesn't like about the certificate.
>>>>>
>>>>> thanks
>>>>>
>>>>> James M
>>>>
>>>> Let me CC at least Jan Ch. and David, they may be able to help and
>>>> should also
>>>> make sure FreeIPA gets better in validating the certs, as appropriate.
>>>>
>>>
>>> Any thoughts guys?
>>
>> I cc'd one of the dogtag guys to see if he knows.
>>
>> You might also try using certutil to validate the certificates, it might
>> give you some hints to what is going on.
>>
>> I'm assuming your certdb (it can vary by version) is in
>> /var/lib/pki/pki-tomcat/alias
>>
>> certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
>> certificates installed. You can verify each one to see what is going on.
>> The -u flag specifies usage. See the certutil man page for a full set of
>> options.
>>
>> For example:
>>
>> # certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert
>> cert-pki-ca'
>> certutil: certificate is valid
>>
>> rob
>>
>
> Hi All,
>
> I've created a ticket to track this
>
> https://fedorahosted.org/pki/ticket/1697
>
> Rob - certutil output:
>
> Some certificates types seem not to be approved. Not sure if this is a
> red herring.
>
> ##############
> [root at foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias
>
> Certificate Nickname                                         Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> root.com                                                     CT,c,
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
> 'caSigningCert cert-pki-ca'
> certutil: certificate is valid
> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
> 'root.com'
> certutil: certificate is invalid: Certificate type not approved for
> application.
> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
> 'ocspSigningCert cert-pki-ca'
> certutil: certificate is invalid: Certificate type not approved for
> application.
> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
> 'subsystemCert cert-pki-ca'
> certutil: certificate is valid
> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
> 'Server-Cert cert-pki-ca'
> certutil: certificate is invalid: Certificate type not approved for
> application.
> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
> 'auditSigningCert cert-pki-ca'
> certutil: certificate is valid
> #############

That's why I pointed you to the certutil man page to find out the 
different usages to test. The C usage is SSL client usage. Depending on 
the cert the usage may be different.

rob
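The point in Rob's reply is that "Certificate type not approved for application" means the cert was checked against the wrong -u usage, not that its chain is broken. The script below is an added example (not from the thread and not part of FreeIPA or Dogtag): it parses `certutil -L` lines of the form shown above, picks a usage letter per certificate, runs `certutil -V` with it and classifies the verdict. The usage letters are the ones documented in the NSS certutil man page; the mapping from Dogtag nicknames and trust flags to a usage letter is an assumption about each cert's role, and the database path is the one Rob assumed in the thread.

```shell
#!/bin/sh
# Added example: verify each cert in a Dogtag NSS database with the usage
# that matches its role. certutil -u letters (from the NSS certutil man page):
#   C = SSL client   V = SSL server   L = SSL CA   A = any CA   Y = verify CA
#   O = OCSP responder   J = object signer   S/R = e-mail signer/recipient
# The nickname/trust-flag to usage mapping is an assumption, not something
# the thread states; adjust it for your deployment.

DB=${DB:-/var/lib/pki/pki-tomcat/alias}   # path assumed earlier in the thread

# Last whitespace-separated field of a certutil -L line: the trust triplet
# SSL,S/MIME,JAR/XPI (e.g. "CTu,Cu,Cu").
trust_of() { printf '%s\n' "${1##* }"; }

# Everything before the trust triplet, with trailing blanks stripped;
# nicknames such as "caSigningCert cert-pki-ca" contain spaces.
nick_of() {
    t=${1##* }
    n=${1%"$t"}
    printf '%s\n' "$n" | sed 's/ *$//'
}

# True only for certificate rows: skip the header ("SSL,S/MIME,JAR/XPI"
# contains a slash), the "Trust Attributes" header line and blank lines.
is_cert_line() {
    case "${1##* }" in
        */*|"") return 1 ;;
        *,*,*)  return 0 ;;
        *)      return 1 ;;
    esac
}

# Pick a -u usage letter for nickname $1 with trust flags $2 (assumed roles).
usage_for() {
    nick=$1
    ssl=${2%%,*}                       # SSL column of the trust triplet
    case "$ssl" in
        *C*|*c*|*T*) echo L; return ;; # has CA trust: verify as an SSL CA
    esac
    case "$nick" in
        Server-Cert*)      echo V ;;   # Tomcat TLS server certificate
        ocspSigningCert*)  echo O ;;   # OCSP responder signing certificate
        auditSigningCert*) echo J ;;   # audit signing uses object-signing trust
        *)                 echo C ;;   # subsystemCert and others: SSL client
    esac
}

# Turn a certutil -V verdict line into one of three outcomes.
classify() {
    case "$1" in
        *"certificate is valid"*)          echo ok ;;
        *"not approved for application"*)  echo usage-mismatch ;;  # wrong -u, retry
        *)                                 echo chain-or-trust-problem ;;
    esac
}

# Walk the database and verify every cert with its role-specific usage.
verify_all() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 1; }
    certutil -L -d "$DB" | while IFS= read -r line; do
        is_cert_line "$line" || continue
        nick=$(nick_of "$line")
        u=$(usage_for "$nick" "$(trust_of "$line")")
        out=$(certutil -V -u "$u" -d "$DB" -n "$nick" 2>&1)
        printf '%-40s -u %s  %s\n' "$nick" "$u" "$(classify "$out")"
    done
}

if [ "${1:-}" = run ]; then verify_all; fi
```

Run it as `sh verify-usages.sh run` on the CA host (or with `DB=/path/to/alias` for a different instance). A cert reported as `usage-mismatch` should be re-checked with another -u letter before concluding anything; only `chain-or-trust-problem` points at the missing-issuer situation the Dogtag self-test complained about.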



