[Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!

Peter Pakos peter at pakos.uk
Wed Jul 20 21:26:08 UTC 2016


Hi,

We moved our CA-less FreeIPA install into production only a few days ago and
today I've noticed a problem with certificates.

This is a FreeIPA 4.2 installation on CentOS 7.2.

I've installed the first node with the following command:

  ipa-server-install \
    -U \
    -r $REALM \
    -n $DOMAIN \
    -p $PASSWD \
    -a $PASSWD \
    --mkhomedir \
    --setup-dns \
    --no-forwarders \
    --no-dnssec-validation \
    --idstart=1100 \
    --dirsrv-cert-file=${CERT_FILE} \
    --dirsrv-cert-name=${CERT_NAME} \
    --http-cert-file=${CERT_FILE} \
    --http-cert-name=${CERT_NAME} \
    --dirsrv-pin='' \
    --http-pin=''

The ${CERT_FILE} was in PKCS12 format and it included the whole certificate
chain (AddTrustExternalCARoot.pem -> USERTrustRSACA.pem ->
GandiStandardSSLCA2.pem -> star.ipa.wandisco.com.crt):

$ openssl verify -verbose -CAfile <(cat AddTrustExternalCARoot.pem USERTrustRSACA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
star.ipa.wandisco.com.crt: OK

Today I've noticed that the /etc/ipa/ca.crt file is not the same across all
nodes and I've attempted to fix it by running ipa-certupdate.

Now, instead of 3 CA certificates in /etc/ipa/ca.crt I can see 5
certificates (the last 2 are the same). To investigate this, I've split
ca.crt into 5 separate files cert1-5:

[root@shdc01 temp]# for i in {1..5}; do echo cert${i}; openssl x509 -in cert${i} -noout -text | grep -i 'issuer:\|subject:'; done
cert1
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
cert2
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert3
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
cert4
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert5
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

As you can see, cert4 and cert5 are equal yet listed twice, and they are
completely different from cert3 - the one from the certificate chain supplied
by the SSL provider.

As per our previous conversation with Jan Cholasta, cert4/5 must have been
added (by ipa-certupdate?) from certificates available on the server
(ca-certificates package?).

So now we have ended up with "USERTrust RSA Certification Authority -
AddTrust AB" listed twice - one of them is correct (from the chain), the
other one is incorrect:

[root@shdc01 ~]# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,
USERTrust RSA Certification Authority - AddTrust AB          ,,


[root@shdc01 ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,
USERTrust RSA Certification Authority - AddTrust AB          ,,


[root@shdc01 ~]# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

USERTrust RSA Certification Authority - AddTrust AB          ,,
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,


Now, if I try to query FreeIPA's LDAP directory (for example using
ldapsearch), I get the following errors:

TLS: during handshake: peer cert is valid, or was ignored if verification
disabled (-9841)
TLS: during handshake: Peer certificate is not trusted:
kSecTrustResultRecoverableTrustFailure
TLS: can't connect: SSLHandshake() failed: misc. bad certificate (-9825).

We can clearly see that the certificate chain advertised by the server is
not correct, hence the SSL handshake is failing:

$ openssl s_client -connect shdc01.ipa.wandisco.com:636
CONNECTED(00000003)
depth=2 /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.ipa.wandisco.com
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority


Please correct me if I'm wrong, but I think that in order to fix this we
will need to remove the incorrectly added certificate "USERTrust RSA
Certification Authority - AddTrust AB", but which one, since there are 2 with
exactly the same nickname?

I haven't made any further changes to any of the servers as I would like to
get your input first.

Please get back to me as soon as possible; it is very important for us to
recover from this state in a timely manner.

I'm available on #freeipa under nickname peterpakos.

Thanks in advance for your help.

-- 
Kind regards,
 Peter Pakos
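Added diagnostic example (not part of Peter's mail and not FreeIPA's own tooling): a POSIX shell script that splits a PEM bundle such as /etc/ipa/ca.crt into its individual certificates, prints each one's SHA-256 fingerprint, subject and issuer, and counts fingerprints that occur more than once. The function names `bundle_report`, `duplicate_count`, `distinct_count` and `make_demo_bundle` are this example's own; it needs only `openssl`, `awk` and standard POSIX tools. The point it illustrates is that two entries sharing a certutil nickname, as in the listings above, are still distinguishable by fingerprint, which `certutil -L` does not show. The demo bundle it can build consists of two constructed throw-away self-signed CAs, not the real chain from the mail.

```shell
#!/bin/sh
# Split a PEM bundle into one file per certificate and print, per certificate,
# a tab-separated line: index, SHA-256 fingerprint, subject, issuer.
bundle_report() {
    bundle="$1"
    tmp=$(mktemp -d) || return 1
    # Start a new output file at every BEGIN line; ignore text before the first one.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        n > 0 { print > out }' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -f "$f" ] || continue
        # "SHA256 Fingerprint=AA:BB:..." -> keep only the hex part
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
        # strip the "subject=" / "issuer=" prefixes (format differs between OpenSSL versions)
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        printf '%s\t%s\t%s\t%s\n' "$(basename "$f" .pem)" "$fp" "$subj" "$iss"
    done
    rm -rf "$tmp"
}

# How many distinct certificates occur more than once in the bundle.
duplicate_count() {
    bundle_report "$1" | cut -f2 | sort | uniq -d | wc -l | tr -d ' '
}

# How many distinct certificates the bundle contains.
distinct_count() {
    bundle_report "$1" | cut -f2 | sort -u | wc -l | tr -d ' '
}

# Constructed sample input: two throw-away self-signed CAs, the first included
# twice, so the functions above can be exercised offline. Prints the bundle path.
make_demo_bundle() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Test CA 1' \
        -keyout "$dir/ca1.key" -out "$dir/ca1.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Test CA 2' \
        -keyout "$dir/ca2.key" -out "$dir/ca2.pem" >/dev/null 2>&1
    cat "$dir/ca1.pem" "$dir/ca2.pem" "$dir/ca1.pem" > "$dir/bundle.pem"
    printf '%s\n' "$dir/bundle.pem"
}

# Usage: ./bundle_check.sh /etc/ipa/ca.crt    or    ./bundle_check.sh --demo
case "${1:-}" in
    --demo) b=$(make_demo_bundle "$(mktemp -d)")
            bundle_report "$b"; echo "duplicates: $(duplicate_count "$b")" ;;
    "")     ;;
    *)      bundle_report "$1"; echo "duplicates: $(duplicate_count "$1")" ;;
esac
```

On the bundle described in the mail, `bundle_report /etc/ipa/ca.crt` would print five lines with four distinct fingerprints, and `duplicate_count` would return 1; `--demo` runs the same functions over the constructed bundle (three entries, two distinct, one duplicated). A fingerprint, unlike an NSS nickname, identifies exactly one certificate, so it is the value worth recording for each entry before deciding which one is the stray.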