[Freeipa-users] IPA with external CA signed certs

James Masson james.masson at jmips.co.uk
Thu Nov 12 15:50:09 UTC 2015



On 12/11/15 15:21, Rob Crittenden wrote:
> James Masson wrote:
>>
>>
>> On 30/10/15 13:52, Rob Crittenden wrote:
>>> James Masson wrote:
>>>>
>>>>
>>>> On 26/10/15 16:11, Martin Kosek wrote:
>>>>> On 10/26/2015 04:05 PM, James Masson wrote:
>>>>>>
>>>>>>
>>>>>> On 19/10/15 21:06, Rob Crittenden wrote:
>>>>>>> James Masson wrote:
>>>>>>>>
>>>>>>>> Hi list,
>>>>>>>>
>>>>>>>> I successfully have IPA working with CA certs signed by an upstream
>>>>>>>> Dogtag.
>>>>>>>>
>>>>>>>> Now I'm trying to use a CA cert signed by a different type of CA -
>>>>>>>> Vault.
>>>>>>>>
>>>>>>>> Setup fails, using the same 2 step IPA setup process as used with
>>>>>>>> upstream Dogtag. I've also tried the external-ca-type option.
>>>>>>>>
>>>>>>>> Likely, IPA doesn't like the certificate - however, I can't
>>>>>>>> pinpoint why.
>>>>>>>
>>>>>>> I'm guessing you don't include the entire CA certchain of Vault.
>>>>>>> Dogtag
>>>>>>> is failing to startup because it can't verify its own cert chain:
>>>>>>>
>>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>>> CAPresence:  CA is present
>>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>>> SystemCertsVerification: system certs verification failure
>>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>>> SelfTestSubsystem: The CRITICAL self test plugin called
>>>>>>> selftests.container.instance.SystemCertsVerification running at
>>>>>>> startup
>>>>>>> FAILED!
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi Rob,
>>>>>>
>>>>>> Thanks for the reply.
>>>>>>
>>>>>> I do present the IPA installer with both the CA and the IPA cert -
>>>>>> the IPAs
>>>>>> python-based install code is happy with the cert chain, but the Java
>>>>>> based
>>>>>> dogtag code chokes on it.
>>>>>>
>>>>>> OpenSSL is happy with it too.
>>>>>>
>>>>>> #####
>>>>>> [root at foo ~]# openssl verify ipa.crt
>>>>>> ipa.crt: O = LOCAL, CN = Certificate Authority
>>>>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>>>>>
>>>>>> [root at foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
>>>>>> ipa.crt: OK
>>>>>> ###
>>>>>>
>>>>>> Any hints on how to reproduce this with more debug output? I'd like
>>>>>> to know
>>>>>> exactly what Dogtag doesn't like about the certificate.
>>>>>>
>>>>>> thanks
>>>>>>
>>>>>> James M
>>>>>
>>>>> Let me CC at least Jan Ch. and David, they may be able to help and
>>>>> should also
>>>>> make sure FreeIPA gets better in validating the certs, as appropriate.
>>>>>
>>>>
>>>> Any thoughts guys?
>>>
>>> I cc'd one of the dogtag guys to see if he knows.
>>>
>>> You might also try using certutil to validate the certificates, it might
>>> give you some hints to what is going on.
>>>
>>> I'm assuming your certdb (it can vary by version) is in
>>> /var/lib/pki/pki-tomcat/alias
>>>
>>> certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
>>> certificates installed. You can verify each one to see what is going on.
>>> The -u flag specifies usage. See the certutil man page for a full set of
>>> options.
>>>
>>> For example:
>>>
>>> # certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert
>>> cert-pki-ca'
>>> certutil: certificate is valid
>>>
>>> rob
>>>
>>
>> Hi All,
>>
>> I've created a ticket to track this
>>
>> https://fedorahosted.org/pki/ticket/1697
>>
>> Rob - certutil output:
>>
>> Some certificate types seem not to be approved. Not sure if this is a
>> red herring.
>>
>> ##############
>> [root at foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias
>>
>> Certificate Nickname                                         Trust
>> Attributes
>>
>> SSL,S/MIME,JAR/XPI
>>
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> root.com                                                     CT,c,
>> ocspSigningCert cert-pki-ca                                  u,u,u
>> subsystemCert cert-pki-ca                                    u,u,u
>> Server-Cert cert-pki-ca                                      u,u,u
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>> 'caSigningCert cert-pki-ca'
>> certutil: certificate is valid
>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>> 'root.com'
>> certutil: certificate is invalid: Certificate type not approved for
>> application.
>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>> 'ocspSigningCert cert-pki-ca'
>> certutil: certificate is invalid: Certificate type not approved for
>> application.
>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>> 'subsystemCert cert-pki-ca'
>> certutil: certificate is valid
>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>> 'Server-Cert cert-pki-ca'
>> certutil: certificate is invalid: Certificate type not approved for
>> application.
>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>> 'auditSigningCert cert-pki-ca'
>> certutil: certificate is valid
>> #############
>
> That's why I pointed you to the certutil man page to find out the
> different usages to test. The C usage is SSL client usage. Depending on
> the cert the usage may be different.
>
> rob

Missed that. Here are those commands again with different cert usage checking.

In short, they're all superficially valid.

##########
[root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'caSigningCert cert-pki-ca'
certutil: certificate is valid

[root at foo ~]# certutil -V -u Y -d /var/lib/pki/pki-tomcat/alias -n 
'root.com'
certutil: certificate is valid


[root at foo ~]# certutil -V -u O -d /var/lib/pki/pki-tomcat/alias -n 
'ocspSigningCert cert-pki-ca'
certutil: certificate is valid

[root at foo ~]# certutil -V -u V -d /var/lib/pki/pki-tomcat/alias -n 
'subsystemCert cert-pki-ca'
certutil: certificate is valid

[root at foo ~]# certutil -V -u V -d /var/lib/pki/pki-tomcat/alias -n 
'Server-Cert cert-pki-ca'
certutil: certificate is valid

[root at foo ~]# certutil -V -u J -d /var/lib/pki/pki-tomcat/alias -n 
'auditSigningCert cert-pki-ca'
certutil: certificate is valid
####


However, the debug logs seem to indicate the 'caSigningCert cert-pki-ca' 
is the one it has problems with.

####
[12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils: 
verifySystemCerts() cert tag=signing
[12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils: 
verifySystemCertByTag(signing)
[12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils: 
verifySystemCertByNickname(caSigningCert cert-pki-ca,SSLCA)
[12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils: 
verifySystemCertByNickname(): calling isCertValid()
[12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils: 
verifySystemCertByNickname() failed: caSigningCert cert-pki-ca
[12/Nov/2015:12:41:35][localhost-startStop-1]: SignedAuditEventFactory: 
create() 
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert 
cert-pki-ca] CIMC certificate verification
#########

But further checking seems to indicate the cert passes the relevant 
checks (Y, A, L).

######
[root at foo ~]# certutil -V -u Y -d /var/lib/pki/pki-tomcat/alias -n 
'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root at foo ~]# certutil -V -u A -d /var/lib/pki/pki-tomcat/alias -n 
'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root at foo ~]# certutil -V -u L -d /var/lib/pki/pki-tomcat/alias -n 
'caSigningCert cert-pki-ca'
certutil: certificate is valid
#####

regards

James M
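A scripted form of the per-certificate checks run by hand above, added here as an example and not part of the thread. It assumes the certdb path from the thread and the certutil usage letter used for each nickname (C, Y, O, V, V, J), and reports which system certs fail.

```shell
#!/bin/sh
# Added example: verify every Dogtag system cert in the pki-tomcat NSS db
# with the certutil usage the thread used for it, instead of one at a time.
# Assumption: certdb path from the thread; override with CERTDB=/other/path.
CERTDB="${CERTDB:-/var/lib/pki/pki-tomcat/alias}"

# nickname|usage pairs, exactly as checked in the thread
SYSTEM_CERTS='caSigningCert cert-pki-ca|C
root.com|Y
ocspSigningCert cert-pki-ca|O
subsystemCert cert-pki-ca|V
Server-Cert cert-pki-ca|V
auditSigningCert cert-pki-ca|J'

# classify_output LINE: 0 if certutil said valid, 1 if invalid,
# 2 for anything else (nickname not found, certutil missing, ...).
classify_output() {
    case "$1" in
        "certutil: certificate is valid"*)   return 0 ;;
        "certutil: certificate is invalid"*) return 1 ;;
        *)                                   return 2 ;;
    esac
}

# verify_nick NICK USAGE: run certutil -V once and print a one-line verdict.
verify_nick() {
    out=$(certutil -V -u "$2" -d "$CERTDB" -n "$1" 2>&1)
    classify_output "$out"; rc=$?
    printf '%-30s usage=%s rc=%s %s\n' "$1" "$2" "$rc" "$out"
    return "$rc"
}

# verify_all: check every pair; exit status is the number of failing certs.
verify_all() {
    failures=0
    oldifs=$IFS; IFS='
'
    for pair in $SYSTEM_CERTS; do              # split on newlines only
        nick=${pair%|*}; usage=${pair#*|}
        verify_nick "$nick" "$usage" || failures=$((failures + 1))
    done
    IFS=$oldifs
    return "$failures"
}

# Only run the live check when certutil is installed on this host.
if command -v certutil >/dev/null 2>&1; then
    verify_all || echo "$? system cert(s) failed verification in $CERTDB"
fi
```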
