[Freeipa-users] IPA with external CA signed certs

Rob Crittenden rcritten at redhat.com
Thu Nov 12 16:15:09 UTC 2015


James Masson wrote:
>
>
> On 12/11/15 15:21, Rob Crittenden wrote:
>> James Masson wrote:
>>>
>>>
>>> On 30/10/15 13:52, Rob Crittenden wrote:
>>>> James Masson wrote:
>>>>>
>>>>>
>>>>> On 26/10/15 16:11, Martin Kosek wrote:
>>>>>> On 10/26/2015 04:05 PM, James Masson wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 19/10/15 21:06, Rob Crittenden wrote:
>>>>>>>> James Masson wrote:
>>>>>>>>>
>>>>>>>>> Hi list,
>>>>>>>>>
>>>>>>>>> I successfully have IPA working with CA certs signed by an
>>>>>>>>> upstream
>>>>>>>>> Dogtag.
>>>>>>>>>
>>>>>>>>> Now I'm trying to use a CA cert signed by a different type of CA -
>>>>>>>>> Vault.
>>>>>>>>>
>>>>>>>>> Setup fails, using the same 2 step IPA setup process as used with
>>>>>>>>> upstream Dogtag. I've also tried the external-ca-type option.
>>>>>>>>>
>>>>>>>>> Likely, IPA doesn't like the certificate - however, I can't
>>>>>>>>> pinpoint why.
>>>>>>>>
>>>>>>>> I'm guessing you don't include the entire CA certchain of Vault.
>>>>>>>> Dogtag
>>>>>>>> is failing to startup because it can't verify its own cert chain:
>>>>>>>>
>>>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>>>> CAPresence:  CA is present
>>>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>>>> SystemCertsVerification: system certs verification failure
>>>>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>>>>> SelfTestSubsystem: The CRITICAL self test plugin called
>>>>>>>> selftests.container.instance.SystemCertsVerification running at
>>>>>>>> startup
>>>>>>>> FAILED!
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi Rob,
>>>>>>>
>>>>>>> Thanks for the reply.
>>>>>>>
>>>>>>> I do present the IPA installer with both the CA and the IPA cert -
>>>>>>> the IPA's python-based install code is happy with the cert chain, but
>>>>>>> the Java-based dogtag code chokes on it.
>>>>>>>
>>>>>>> OpenSSL is happy with it too.
>>>>>>>
>>>>>>> #####
>>>>>>> [root at foo ~]# openssl verify ipa.crt
>>>>>>> ipa.crt: O = LOCAL, CN = Certificate Authority
>>>>>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>>>>>>
>>>>>>> [root at foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
>>>>>>> ipa.crt: OK
>>>>>>> ###
>>>>>>>
>>>>>>> Any hints on how to reproduce this with more debug output? I'd like
>>>>>>> to know
>>>>>>> exactly what Dogtag doesn't like about the certificate.
>>>>>>>
>>>>>>> thanks
>>>>>>>
>>>>>>> James M
>>>>>>
>>>>>> Let me CC at least Jan Ch. and David, they may be able to help and
>>>>>> should also
>>>>>> make sure FreeIPA gets better in validating the certs, as
>>>>>> appropriate.
>>>>>>
>>>>>
>>>>> Any thoughts guys?
>>>>
>>>> I cc'd one of the dogtag guys to see if he knows.
>>>>
>>>> You might also try using certutil to validate the certificates, it
>>>> might
>>>> give you some hints to what is going on.
>>>>
>>>> I'm assuming your certdb (it can vary by version) is in
>>>> /var/lib/pki/pki-tomcat/alias
>>>>
>>>> certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
>>>> certificates installed. You can verify each one to see what is going
>>>> on.
>>>> The -u flag specifies usage. See the certutil man page for a full set of
>>>> options.
>>>>
>>>> For example:
>>>>
>>>> # certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>>>> 'auditSigningCert
>>>> cert-pki-ca'
>>>> certutil: certificate is valid
>>>>
>>>> rob
>>>>
>>>
>>> Hi All,
>>>
>>> I've created a ticket to track this
>>>
>>> https://fedorahosted.org/pki/ticket/1697
>>>
>>> Rob - certutil output:
>>>
>>> Some certificate types seem not to be approved. Not sure if this is a
>>> red herring.
>>>
>>> ##############
>>> [root at foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>>> root.com                                                     CT,c,
>>> ocspSigningCert cert-pki-ca                                  u,u,u
>>> subsystemCert cert-pki-ca                                    u,u,u
>>> Server-Cert cert-pki-ca                                      u,u,u
>>> auditSigningCert cert-pki-ca                                 u,u,Pu
>>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>>> 'caSigningCert cert-pki-ca'
>>> certutil: certificate is valid
>>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>>> 'root.com'
>>> certutil: certificate is invalid: Certificate type not approved for
>>> application.
>>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>>> 'ocspSigningCert cert-pki-ca'
>>> certutil: certificate is invalid: Certificate type not approved for
>>> application.
>>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>>> 'subsystemCert cert-pki-ca'
>>> certutil: certificate is valid
>>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>>> 'Server-Cert cert-pki-ca'
>>> certutil: certificate is invalid: Certificate type not approved for
>>> application.
>>> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
>>> 'auditSigningCert cert-pki-ca'
>>> certutil: certificate is valid
>>> #############
>>
>> That's why I pointed you to the certutil man page to find out the
>> different usages to test. The C usage is SSL client usage. Depending on
>> the cert the usage may be different.
>>
>> rob
>
> Missed that. Here are those commands again with different certusage
> checking
>
> In short, they're all superficially valid.
>
> ##########
> [root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
> 'caSigningCert cert-pki-ca'
> certutil: certificate is valid
>
> [root at foo ~]# certutil -V -u Y -d /var/lib/pki/pki-tomcat/alias -n
> 'root.com'
> certutil: certificate is valid
>
>
> [root at foo ~]# certutil -V -u O -d /var/lib/pki/pki-tomcat/alias -n
> 'ocspSigningCert cert-pki-ca'
> certutil: certificate is valid
>
> [root at foo ~]# certutil -V -u V -d /var/lib/pki/pki-tomcat/alias -n
> 'subsystemCert cert-pki-ca'
> certutil: certificate is valid
>
> [root at foo ~]# certutil -V -u V -d /var/lib/pki/pki-tomcat/alias -n
> 'Server-Cert cert-pki-ca'
> certutil: certificate is valid
>
> [root at foo ~]# certutil -V -u J -d /var/lib/pki/pki-tomcat/alias -n
> 'auditSigningCert cert-pki-ca'
> certutil: certificate is valid
> ####
>
>
> However, the debug logs seem to indicate the 'caSigningCert cert-pki-ca'
> is the one it has problems with.
>
> ####
> [12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils:
> verifySystemCerts() cert tag=signing
> [12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils:
> verifySystemCertByTag(signing)
> [12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils:
> verifySystemCertByNickname(caSigningCert cert-pki-ca,SSLCA)
> [12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils:
> verifySystemCertByNickname(): calling isCertValid()
> [12/Nov/2015:12:41:35][localhost-startStop-1]: CertUtils:
> verifySystemCertByNickname() failed: caSigningCert cert-pki-ca
> [12/Nov/2015:12:41:35][localhost-startStop-1]: SignedAuditEventFactory:
> create()
> message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert
> cert-pki-ca] CIMC certificate verification
> #########
>
> But further checking seems to indicate the cert passes the relevant
> checks ( Y A L )
>
> ######
> [root at foo ~]# certutil -V -u Y -d /var/lib/pki/pki-tomcat/alias -n
> 'caSigningCert cert-pki-ca'
> certutil: certificate is valid
> [root at foo ~]# certutil -V -u A -d /var/lib/pki/pki-tomcat/alias -n
> 'caSigningCert cert-pki-ca'
> certutil: certificate is valid
> [root at foo ~]# certutil -V -u L -d /var/lib/pki/pki-tomcat/alias -n
> 'caSigningCert cert-pki-ca'
> certutil: certificate is valid
> #####
>

Ok, yeah, we'll need to wait for the dogtag guys to chime in here or on 
the ticket. Note that validity also depends on valid to/from dates so 
you might check that too, but it's a stretch to suggest that's the problem.

rob
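
The certutil checks in this thread are easy to run inconsistently (the first pass tested every cert with -u C, which only makes sense for an SSL client cert). The script below is an added example, not code from the thread or from FreeIPA/Dogtag: it parses a `certutil -L` listing (the one quoted above is embedded as constructed sample input), reads each cert's trust-flag triplet, and emits one `certutil -V` command per usage that is actually relevant to that cert. The nickname-to-usage mapping is an assumption taken from the usages James tried (Y/A/L for the CA signing cert, O for OCSP, V for server/subsystem, J for audit signing), and the database path is Rob's assumed `/var/lib/pki/pki-tomcat/alias`.

```python
import re

# Constructed sample input: the certutil -L listing quoted earlier in this thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""

# certutil -V usage letters (see certutil(1)): Y = verify CA, A = any CA,
# L = SSL CA, C = SSL client, V = SSL server, O = OCSP responder,
# J = object signer.  Assumption: mapping by Dogtag nickname prefix follows
# the checks run in the thread, it is not taken from Dogtag's own self-test code.
USAGES_BY_PREFIX = {
    "caSigningCert": "YAL",
    "ocspSigningCert": "O",
    "subsystemCert": "VC",
    "Server-Cert": "V",
    "auditSigningCert": "J",
}

# A listing row is: nickname, two or more spaces, then "ssl,smime,jar" trust flags.
LINE_RE = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<flags>[CTcPpu]*,[CTcPpu]*,[CTcPpu]*)\s*$")

def parse_listing(text):
    """Return [(nickname, (ssl_flags, smime_flags, jar_flags))] from certutil -L output."""
    certs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            certs.append((m.group("nick"), tuple(m.group("flags").split(","))))
    return certs

def usages_for(nickname, flags):
    """Pick the usage letters worth testing for one certificate."""
    for prefix, usages in USAGES_BY_PREFIX.items():
        if nickname.startswith(prefix):
            return usages
    # Anything else marked as a trusted CA (C) in the SSL column is part of the
    # chain: check it as a CA (Y), as was done for 'root.com', not as a client cert.
    return "Y" if "C" in flags[0] else "C"

def build_commands(text, dbdir="/var/lib/pki/pki-tomcat/alias"):
    """One certutil -V argv list per (cert, usage), ready to print or run."""
    cmds = []
    for nick, flags in parse_listing(text):
        for u in usages_for(nick, flags):
            cmds.append(["certutil", "-V", "-u", u, "-d", dbdir, "-n", nick])
    return cmds
```

The commands come back as argv lists so they can be handed to subprocess.run against a live NSS database or simply printed for review; a "Certificate type not approved for application" result from a usage that does not apply to that cert is expected and is not the failure Dogtag's self-test reports.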
