[Freeipa-users] DNS SubjectAltName missing in provisioned certificates - private files
martin at stefany.eu
martin at stefany.eu
Thu Mar 31 11:51:27 UTC 2016
On 2016-03-31 11:56, Fraser Tweedale wrote:
> On Thu, Mar 31, 2016 at 09:49:20AM +0200, Martin Štefany wrote:
>> Hello Fraser,
>>
>> here are the files for real, thank you for help.
>>
>> Martin
>>
> Thanks Martin,
>
> So what appears to have happened is somehow the default profile
> `caIPAserviceCert`, which is shipped with Dogtag, was imported into
> LDAP instead of the version shipped with IPA. I do not know how
> this might have occurred - it will help to know the history of your
> installation e.g. was it a fresh install, upgrade from a Centos/RHEL
> 7.1, migration (ipa-replica-install) of an earlier version, etc.
>
> In any case, how to resolve? You can import a corrected version of
> the profile. I have attached an example config, but you should
> check it to make sure it is what you want; in particular check the
> following values:
>
>
> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> O=EXAMPLE.COM
>
>
> policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp
>
>
> policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
>
>
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate
> Authority,o=ipaca
>
> You can update the profile with the new profile data by executing:
>
> ipa certprofile-mod caIPAserviceCert
> --file=/path/to/caIPAserviceCert.cfg
>
> Hopefully this fixes the issue.
>
> A fallback suggestion: if the above command fails, and if `ipa
> certprofile-find` shows no objects, then you may be able to resolve
> the issue by setting, in `/etc/pki/pki-tomcat/ca/CS.cfg`:
>
> subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
>
> and then running `ipa-server-upgrade` manually.
>
> I am on PTO tomorrow but look forward to learning on Monday how you
> fared. Others may be able to help in the meantime.
>
> Cheers,
> Fraser
Hello Fraser,
yes, that solves the issue. 'ipa certprofile-mod caIPAserviceCert
--file=/path/to/caIPAserviceCert.cfg' was successful, and newly issued
certificate is with correct attributes as before.
# ipa-getcert request -k /etc/pki/tls/private/http.key -f
/etc/pki/tls/certs/http.pem -N CN=$(hostname -f) -D $(hostname -f) -D
www.example.com -K HTTP/$(hostname -f)
# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160331113029':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/etc/pki/tls/private/http.key'
certificate: type=FILE,location='/etc/pki/tls/certs/http.pem'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=http2.example.com,O=EXAMPLE.COM
expires: 2018-04-01 11:30:33 UTC
dns: http2.example.com,www.example.com
principal name: HTTP/http2.example.com at EXAMPLE.COM
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Great job!
The history would be:
- idmc1 was installed first on CentOS 7.1 as IPA 4.0
- replica file was created from this idmc1 and replica was provisioned
as idmc2 again on CentOS 7.1 as IPA 4.0
- upon release of CentOS 7.2, idmc2 was "yum" upgraded to CentOS 7.2 /
FreeIPA 4.2, everything was OK, so
- idmc1 was "yum" upgraded to CentOS 7.2 / FreeIPA 4.2
- time flies...
- recently I've created another replica file from idmc1 for idmc3 and
replica idmc3 was provisioned on fresh CentOS 7.2 / IPA 4.2,
and this might have been the moment when something got broken. :(
- http1, http2, etc. were provisioned only after idmc3 was deployed
Thank you for the steps! I will also mail you ipa-server install/upgrade
logs from all three systems in separate mail, if you don't mind, to try
to see what exactly happened.
btw, after I executed 'ipa certprofile-mod caIPAserviceCert
--file=/path/to/caIPAserviceCert.cfg', certmonger stopped to see/track
all 'CN=*,OU=pki-ipa,O=IPA' certificates and reported 'Number of
certificates and requests being tracked: 0.', but I was going to
re-provision the certificates anyway.
Enjoy your longer weekend!
Regards,
Martin
More information about the Freeipa-users
mailing list