[Freeipa-users] Public CA signed Certificate import failure

Rob Crittenden rcritten at redhat.com
Tue Jul 21 19:06:31 UTC 2009


James Roman wrote:
> James Roman wrote:
>> Rob Crittenden wrote:
>>> James Roman wrote:
>>>> Rob Crittenden wrote:
>>>>> James Roman wrote:
>>>>>> First off, thanks Rob for the direction on creating a certificate. 
>>>>>> After reading up on Mozilla's NSS, I think I've got a pretty fair 
>>>>>> grounding.
>>>>>>
>>>>>> So I successfully generated a CSR and had it signed. I imported my 
>>>>>> certificate and CA chain into the NSS database and exported it to 
>>>>>> a PKCS12 cert. I am primarily concerned with using the public cert 
>>>>>> on the HTTP interface. However, when I go to import it using 
>>>>>> ipa-server-certificate, it chokes on the names in the CA 
>>>>>> certificate chain. (One of the certs uses full website address for 
>>>>>> the name.) I can manually import each of the certificates in the 
>>>>>> CA chain using certutil on the /etc/httpd/alias directory.
>>>>>
>>>>> What do you mean by choke? Do you have a python backtrace or can 
>>>>> you send me the ipaserver-install.log?
>>>> Here is what I get when importing the p12 file using 
>>>> "ipa-server-certinstall". The reasons for the errors are fairly 
>>>> self-evident when you see how it parses the command line arguments.
>>>>
>>>> # ipa-server-certinstall -w 
>>>> /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx 
>>>> --http_pin='mysecretpin'
>>>> an unexpected error occurred: Command '/usr/bin/certutil -d 
>>>> /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" 
>>>> [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, 
>>>> Inc. -t CT,CT,' returned non-zero exit status 255
>>>> Traceback (most recent call last):
>>>>  File "/usr/sbin/ipa-server-certinstall", line 137, in main
>>>>    server_cert = import_cert(dirname, pkcs12_fname, 
>>>> options.http_pin, "")
>>>>  File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
>>>>    cdb.trust_root_cert(server_cert[0])
>>>>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 
>>>> 322, in trust_root_cert
>>>>    "-t", "CT,CT,"])
>>>>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 
>>>> 126, in run_certutil
>>>>    return ipautil.run(new_args, stdin)
>>>>  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in 
>>>> run
>>>>    raise CalledProcessError(p.returncode, ' '.join(args))
>>>> CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias 
>>>> -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 
>>>> Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' 
>>>> returned non-zero exit status 255
>>>>
>>>> I'm left with most of the certificate chain
>>>
>>> Ok, we shouldn't need to mess with builtin CAs at all.
>>>
>>> Can you file a bug on this?
>>>
>>> In the meantime, this patch should fix things for you:
>>>
>>> diff --git a/ipa-server/ipaserver/certs.py 
>>> b/ipa-server/ipaserver/certs.py
>>> index 8cb1d08..610ca1d 100644
>>> --- a/ipa-server/ipaserver/certs.py
>>> +++ b/ipa-server/ipaserver/certs.py
>>> @@ -318,8 +318,9 @@ class CertDB(object):
>>>      def trust_root_cert(self, nickname):
>>>          root_nickname = self.find_root_cert(nickname)
>>>
>>> -        self.run_certutil(["-M", "-n", root_nickname,
>>> -                           "-t", "CT,CT,"])
>>> +        if root_nickname is not None and root_nickname[:7] != 
>>> "Builtin":
>>> +            self.run_certutil(["-M", "-n", root_nickname,
>>> +                               "-t", "CT,CT,"])
>>>
>>>      def find_server_certs(self):
>>>          p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
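Review bot: the guard on the added line, `root_nickname[:7] != "Builtin"`, is a bare prefix test on the nickname text; the traceback above shows the nickname as `Builtin Object Token:Go Daddy Class 2 CA`, so `root_nickname.startswith("Builtin Object Token:")` states the intent (skip roots living in the builtin token) and cannot skip a user-imported cert whose nickname merely begins with "Builtin". The `is not None` check is a good addition, but when the root is skipped nothing is logged; a one-line log message naming the root left untouched would make the "trust attributes were not set" outcome visible to whoever runs ipa-server-certinstall.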
>>>
>>> If you are careful you should be able to modify, as root, the IPA 
>>> python source. You'll find it in 
>>> /usr/lib/python2.5/site-packages/ipaserver/certs.py
>>>
>>> Indentation matters in python so be sure to apply this exactly.
>>>
>>> rob
>> Well it worked partly. I was able to successfully import the 
>> certificate for the webserver. It did not set the trust attributes on 
>> the CA certificates (perhaps that was the point). If I run the command 
>> to import the certificate for the directory server, it fails on a 
>> different part of the CA chain now.
>>
>> # ipa-server-certinstall -d 
>> /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx 
>> --dirsrv_pin='mysecretpin'
>> Directory Manager password:
>> an unexpected error occurred: Command '/usr/bin/certutil -d 
>> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" 
>> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
>> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned 
>> non-zero exit status 255
>> Traceback (most recent call last):
>>  File "/usr/sbin/ipa-server-certinstall", line 132, in main
>>    server_cert = import_cert(dirname, pkcs12_fname, 
>> options.dirsrv_pin, passwd)
>>  File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
>>    cdb.trust_root_cert(server_cert[0])
>>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 325, 
>> in trust_root_cert
>>    "-t", "CT,CT,"])
>>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, 
>> in run_certutil
>>    return ipautil.run(new_args, stdin)
>>  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>>    raise CalledProcessError(p.returncode, ' '.join(args))
>> CalledProcessError: Command '/usr/bin/certutil -d 
>> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" 
>> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
>> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned 
>> non-zero exit status 255
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Looking into this a bit closer, my best guess is that the problem 
> really exists in the find_root_cert routine. If I manually run certutil 
> -O on my server certificate, I get:
> 
> "valicert.com" 
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
> Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation 
> Network]
> 
>  "Go Daddy Class 2 Certification Authority" [OU=Go Daddy Class 2 
> Certification Authority,O="The Go Daddy Group, Inc.",C=US]
> 
>    "Go Daddy Secure Certification Authority" 
> [serialNumber=07969287,CN=Go Daddy Secure Certification 
> Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, 
> Inc.",L=Scottsdale,ST=Arizona,C=US]
> 
>      "servername server-cert" [CN=servername.realm.com,OU=Domain Control 
> Validated,O=servername.realm.com]
> 
> It looks like it is choking on the quotes around the organization name. 
> Does this routine really need to return the part between the square 
> brackets? From what I've seen thus far, it does not look like the 
> Distinguished Name is required for certificate management. Can the 
> string just be chopped off after the friendly name?

I think you're onto something there. Python's re module doesn't count 
quotes so it looks like it is taking everything between the first quote 
and the last one. If I'm reading the backtrace properly, for example, it 
looks like it is dropping the C=US which is outside the last set of quotes.

I think that adding in a more precise match will fix it. In some quickie 
unit tests this seems to work:

--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -311,15 +311,16 @@ class CertDB(object):
          chain = p.stdout.read()
          chain = chain.split("\n")

-        root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]
+        root_nickname = re.match('\ *"(.*) \[".*', chain[0]).groups()[0]
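Review bot: the closing quote in the new pattern sits after `\[` instead of before the space: `'\ *"(.*) \[".*'` requires the text `nick ["`, but the `certutil -O` lines quoted earlier in the thread read `"valicert.com" [E=...`, so `re.match` would return None and `.groups()` would raise AttributeError rather than yield the nickname. The intended pattern is presumably `'\ *"(.*)" \[.*'`; with it, make the group non-greedy (`"(.*?)" \[`) so a quoted DN component cannot extend the match, check the match for None before calling `.groups()`, and write the pattern as a raw string so `\ ` is not an ambiguous escape. Note also that the header says `@@ -311,15 +311,16 @@` while only five lines are shown, so this excerpt will not apply with `patch` as pasted and must be edited in by hand.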

Can you give this a try?
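To make the failure concrete, here is an added example (not code from certs.py or from anyone in the thread) that parses chain lines in the `certutil -O` format quoted above, reproduces the greedy-quote extraction that produced the broken `-n` argument in the tracebacks, and shows a tightened pattern beside it. The sample chain is constructed from the output James posted, and the function names are assumptions.

```python
import re

# Constructed sample modelled on the `certutil -O` chain quoted in the thread
# (the list archive renders the '@' in the ValiCert address as " at ").
SAMPLE_CHAIN = '''"valicert.com" [E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network]
  "Go Daddy Class 2 Certification Authority" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US]
    "Go Daddy Secure Certification Authority" [serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]
      "servername server-cert" [CN=servername.realm.com,OU=Domain Control Validated,O=servername.realm.com]
'''

# The pattern certs.py used before the fix: the greedy (.*) runs to the LAST
# quote on the line, so a quoted O= value in the DN drags half the DN into
# the nickname (exactly the mangled -n argument seen in the tracebacks).
GREEDY_RE = re.compile(r'\ *"(.*)".*')

# Tightened pattern: the nickname is the shortest quoted run followed by the
# DN opener '" [', and the DN is whatever sits inside the brackets.
FIXED_RE = re.compile(r'\s*"(.*?)" \[(.*)\]\s*$')


def nickname_greedy(line):
    """Reproduce the buggy extraction; None when the line does not match."""
    m = GREEDY_RE.match(line)
    return m.group(1) if m else None


def parse_chain_line(line):
    """Return (nickname, dn) for one `certutil -O` line, or None if malformed."""
    m = FIXED_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def parse_chain(text):
    """Parse a whole chain listing (issuer first), skipping blank lines."""
    entries = []
    for line in text.split("\n"):
        if not line.strip():
            continue
        parsed = parse_chain_line(line)
        if parsed is None:
            raise ValueError("unparseable certutil -O line: %r" % line)
        entries.append(parsed)
    return entries


def find_root_nickname(text):
    """Nickname of the first (root) entry, what find_root_cert should return."""
    return parse_chain(text)[0][0]
```

Running `nickname_greedy` over the Go Daddy Class 2 line yields the nickname plus the DN up to `Inc.`, which is the string certutil was handed in the first traceback; `parse_chain_line` returns the bare nickname and the complete DN including `C=US`.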