[Freeipa-users] IPA with external CA signed certs

Rob Crittenden rcritten at redhat.com
Fri Oct 30 13:52:10 UTC 2015


James Masson wrote:
> 
> 
> On 26/10/15 16:11, Martin Kosek wrote:
>> On 10/26/2015 04:05 PM, James Masson wrote:
>>>
>>>
>>> On 19/10/15 21:06, Rob Crittenden wrote:
>>>> James Masson wrote:
>>>>>
>>>>> Hi list,
>>>>>
>>>>> I successfully have IPA working with CA certs signed by an upstream
>>>>> Dogtag.
>>>>>
>>>>> Now I'm trying to use a CA cert signed by a different type of CA -
>>>>> Vault.
>>>>>
>>>>> Setup fails, using the same 2 step IPA setup process as used with
>>>>> upstream Dogtag. I've also tried the external-ca-type option.
>>>>>
>>>>> Likely, IPA doesn't like the certificate - however, I can't
>>>>> pinpoint why.
>>>>
>>>> I'm guessing you don't include the entire CA certchain of Vault. Dogtag
>>>> is failing to startup because it can't verify its own cert chain:
>>>>
>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>> CAPresence:  CA is present
>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>> SystemCertsVerification: system certs verification failure
>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>> SelfTestSubsystem: The CRITICAL self test plugin called
>>>> selftests.container.instance.SystemCertsVerification running at startup
>>>> FAILED!
>>>>
>>>> rob
>>>>
>>>
>>>
>>> Hi Rob,
>>>
>>> Thanks for the reply.
>>>
>>> I do present the IPA installer with both the CA and the IPA cert -
>>> the IPAs
>>> python-based install code is happy with the cert chain, but the Java
>>> based
>>> dogtag code chokes on it.
>>>
>>> OpenSSL is happy with it too.
>>>
>>> #####
>>> [root at foo ~]# openssl verify ipa.crt
>>> ipa.crt: O = LOCAL, CN = Certificate Authority
>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>>
>>> [root at foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
>>> ipa.crt: OK
>>> ###
>>>
>>> Any hints on how to reproduce this with more debug output? I'd like
>>> to know
>>> exactly what Dogtag doesn't like about the certificate.
>>>
>>> thanks
>>>
>>> James M
>>
>> Let me CC at least Jan Ch. and David, they may be able to help and
>> should also
>> make sure FreeIPA gets better in validating the certs, as appropriate.
>>
> 
> Any thoughts guys?

I cc'd one of the dogtag guys to see if he knows.

You might also try using certutil to validate the certificates, it might
give you some hints to what is going on.

I'm assuming your certdb (it can vary by version) is in
/var/lib/pki/pki-tomcat/alias

certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
certificates installed. You can verify each one to see what is going on.
The -u flag specfies usage. See the certutil man page for a full set of
options.

For example:

# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca'
certutil: certificate is valid

rob
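A way to run the per-certificate check described above over every nickname in the NSS database at once, as an added example that is not from this thread or from FreeIPA/Dogtag itself. The nickname-to-usage mapping and the `-e` signature check are assumptions modelled on the usages Dogtag's own self-test applies, so adjust them for your version.

```shell
#!/bin/sh
# Added example: list every certificate in a Dogtag NSS database and run
# certutil -V on each with the usage its nickname implies.
# Usage: sh verify-nssdb.sh /var/lib/pki/pki-tomcat/alias
# With no argument only the functions are defined.

# Read `certutil -L -d <db>` output on stdin, print one nickname per line.
# Skips the two header lines and strips the trailing trust-attribute column,
# keeping nicknames that contain spaces (e.g. "caSigningCert cert-pki-ca").
parse_nicknames() {
    awk 'NR > 2 && NF > 1 { sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print }'
}

# Map a Dogtag nickname to a certutil -u usage letter. Assumed mapping,
# following the certusage values Dogtag's self-test checks; -u A means any.
usage_for() {
    case "$1" in
        caSigningCert*)    echo L ;;  # SSL CA
        ocspSigningCert*)  echo O ;;  # OCSP status responder
        Server-Cert*)      echo V ;;  # SSL server
        subsystemCert*)    echo C ;;  # SSL client
        auditSigningCert*) echo J ;;  # object signer
        *)                 echo A ;;  # any usage
    esac
}

# Verify every certificate in the database. -e also checks the signatures
# along the chain, which is what fails when the external CA's chain is
# incomplete in the database. Returns non-zero if any certificate fails.
verify_all() {
    db="$1"
    certutil -L -d "$db" | parse_nicknames | {
        rc=0
        while IFS= read -r nick; do
            u=$(usage_for "$nick")
            if out=$(certutil -V -e -u "$u" -d "$db" -n "$nick" 2>&1); then
                printf 'OK   %-35s (-u %s)\n' "$nick" "$u"
            else
                printf 'FAIL %-35s (-u %s): %s\n' "$nick" "$u" "$out"
                rc=1
            fi
        done
        exit $rc
    }
}

if [ $# -gt 0 ]; then
    verify_all "$1"
fi
```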
