[Freeipa-users] ipa-getcert list fails to report correctly

Les Stott Less at imagine-sw.com
Mon Feb 23 01:18:28 UTC 2015



> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Saturday, 21 February 2015 1:39 AM
> To: Martin Kosek; Les Stott; freeipa-users at redhat.com; Endi Dewata; Jan
> Cholasta
> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
> 
> Martin Kosek wrote:
> > On 02/20/2015 06:56 AM, Les Stott wrote:
> >> Hi all,
> >>
> >> The following is blocking the ability for me to install a CA replica.
> >>
> >> Environment:
> >>
> >> RHEL 6.6
> >>
> >> IPA 3.0.0-42
> >>
> >> PKI 9.0.3-38
> >>
> >> On the master the following is happening:
> >>
> >> ipa-getcert list
> >>
> >> Number of certificates and requests being tracked: 5.
> >>
> >> (but it shows no certificate details in the output)
> >>
> >> Running "getcert list" shows complete output.
> >>
> >> Also, when trying to browse
> >> https://master.mydomain.com/ca/ee/ca/getCertChain I get a failed
> >> response. The apache error logs on the master show....
> >>
> >> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL
> >> client cannot verify your certificate
> >>
> >> The reason I am trying to browse that address is because that's what
> >> the ipa-ca-install setup is failing at (it complains that the CA
> >> certificate is not in proper format, in fact it's not able to get it
> >> at all).
> >>
> >> I know from another working ipa setup that ....
> >>
> >> Browsing to the above address provides valid xml content and
> >> ipa-getcert list shows certificate details and not just the number of
> >> tracked certificates.
> >>
> >> Been trying for a long time to figure out the issues without luck.
> >>
> >> I would greatly appreciate any help to troubleshoot and resolve the
> >> above issues.
> >>
> >> Regards,
> >>
> >> Les
> >
> > Endi or JanC, would you have any advice for Les? To me, it looks like
> > the Apache does not have proper certificate installed.
> >
> > My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it 8
> > certs tracked in total:
> >
> > # ipa-getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20141111000002':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >     subject: CN=vm-086.example.com,O=EXAMPLE.COM
> >     expires: 2016-11-11 00:00:01 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20141111000047':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >     subject: CN=vm-086.example.com,O=EXAMPLE.COM
> >     expires: 2016-11-11 00:00:46 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20141111000302':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >     subject: CN=vm-086.example.com,O=EXAMPLE.COM
> >     expires: 2016-11-11 00:03:02 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> >
> >
> > What is actually in your Apache NSS database?
> >
> > # certutil -L -d /etc/httpd/alias/
> >
> > Martin
> >
> 
> Remember ipa-getcert is just a shortcut for certificates using the certmonger
> CA named IPA, so it's more a filter than anything else. I don't know why it
> wouldn't display any output but I'd file a bug.
> 
> I think we'd need to see the getcert list output to try to figure out what is
> going on.
> 
> As for the SSL error fetching the cert chain I think Martin may be onto
> something. The request is proxied through Apache. I think the client here
> might be the Apache proxy client.
> 
> I believe this command replicates what Apache is doing, you might give it a
> try on the master. This will get the chain directly from dogtag, bypassing
> Apache:
> 
> $ curl -v --cacert /etc/ipa/ca.crt
> https://`hostname`:9444/ca/ee/ca/getCertChain
> 
> rob

Certutil shows....

certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MYDOMAIN.COM IPA CA                                       CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u

curl -v --cacert /etc/ipa/ca.crt https://`hostname`:9444/ca/ee/ca/getCertChain
* About to connect() to `hostname` port 9444 (#0)
*   Trying 192.168.1.1... connected
* Connected to `hostname` (192.168.1.1) port 9444 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*       subject: CN=`hostname`,O=MYDOMAIN.COM
*       start date: Dec 13 01:21:30 2013 GMT
*       expire date: Dec 03 01:21:30 2015 GMT
*       common name: `hostname`
*       issuer: CN=Certificate Authority,O=MYDOMAIN.COM
> GET /ca/ee/ca/getCertChain HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: `hostname`:9444
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Type: application/xml
< Content-Length: 1434
< Date: Mon, 23 Feb 2015 01:04:29 GMT
<
<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><ChainBase64>[...]* Connection #0 to host `hostname` left intact
* Closing connection #0
NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAKH8YkoTAzX2xNYMkZSDK84EK3e4FUixdXxc/EC5ehjrtaqXT1KT9Fl9DAF5/jYNKqgmEmtHnPGlfQ7/Y1ESdhEGcBZjU4qLe4HaFXuw5c9odDYxhtjQUd1g7ifY8SKOcHDCY+6Xx6F/rhFgzrXXMndn8ZaYryctPoOAj/5INnLrJq8S4XyLmb2BHM4e1ORQbOhDi8xjhfK2veYXvIu55BrhpRSS/goz5oSE8e+QE/H9afRmeV2+WkS/YDhSyoUDb7CYjklRuONzX3GopKtp1yyLXQZnBFjCvIJvja0mo3ik3AXxSZuOwUIlV23U8CyPU/rDeiV00iUyA/fLvdkEtZkxAA==</ChainBase64></XMLResponse>


In any event, I've decided to rebuild my DR IPA environment. Late last year the master in DR had to be rebuilt due to a disk issue. While IPA was restored manually and appeared to be working fine, CA replication hasn't worked. I finally got CA replication working in Prod after enabling needed apache modules and performing a yum update to update related packages, but these things didn't help in DR. It's my strong suspicion that something got missed when restoring the DR master IPA server and this is what is causing all my grief. Therefore, I'm going to wipe it out and start from scratch in DR. There are other benefits for me to do this anyway.

Regards,

Les
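The two diagnostics exchanged in this thread, the `certutil -L` trust column for the Apache NSS database and the `XMLResponse` that dogtag's `getCertChain` returns, are easy to eyeball once but tedious to re-check across several masters and replicas. The script below is an added example (not code from the thread and not part of FreeIPA or certmonger) that parses both: it confirms the IPA CA entry carries the `C` trust flag in the SSL slot, and it checks that the `XMLResponse` has `Status` 0 and a `ChainBase64` value that actually decodes to DER, which is what a replica install needs before it can use the chain at all. All sample inputs are constructed to mirror the formats pasted above; the nickname `MYDOMAIN.COM IPA CA` and the fake chain bytes are assumptions, not values from a real server.

```python
"""Added example (not code from the thread or from FreeIPA): offline checks
for the Apache NSS DB trust flags from `certutil -L` and for the XMLResponse
that dogtag's getCertChain returns. Sample inputs are constructed."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# certutil prints one "<nickname>   <SSL>,<S/MIME>,<JAR/XPI>" line per cert;
# nicknames may contain spaces, so split on the run of 2+ spaces before the flags.
_TRUST_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[CTcPpu]*,[CTcPpu]*,[CTcPpu]*)\s*$")


def parse_certutil_list(text):
    """Map nickname -> (ssl_flags, smime_flags, jar_flags)."""
    certs = {}
    for line in text.splitlines():
        m = _TRUST_RE.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def ca_trusted_for_ssl(certs, ca_nickname):
    """True when the CA entry exists and has 'C' (trusted CA) in the SSL slot.
    A CA that is merely present (no 'C') cannot be used by mod_nss to verify
    certificates chained to it."""
    flags = certs.get(ca_nickname)
    return flags is not None and "C" in flags[0]


def parse_cert_chain(xml_text):
    """Parse <XMLResponse><Status>0</Status><ChainBase64>...</ChainBase64>
    and return the decoded chain bytes. Raises ValueError on a bad response."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    status = root.findtext("Status")
    if status != "0":
        raise ValueError("CA returned Status %r" % status)
    b64 = (root.findtext("ChainBase64") or "").strip()
    der = base64.b64decode(b64, validate=True)
    # The chain is a PKCS#7 blob, i.e. a DER SEQUENCE whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("ChainBase64 does not decode to DER")
    return der


def chain_problem(xml_text):
    """None if the response is usable, otherwise a one-line reason."""
    try:
        parse_cert_chain(xml_text)
        return None
    except (ValueError, ET.ParseError, binascii.Error) as exc:
        return str(exc)


# --- constructed sample inputs (not from a real server) ---------------------
SAMPLE_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MYDOMAIN.COM IPA CA                                          CT,C,C
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
"""
# A minimal DER SEQUENCE standing in for a real PKCS#7 chain (assumed value).
FAKE_CHAIN_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
_XML = ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
        '<XMLResponse><Status>%s</Status><ChainBase64>%s</ChainBase64></XMLResponse>')
SAMPLE_XML_OK = _XML % ("0", base64.b64encode(FAKE_CHAIN_DER).decode())
SAMPLE_XML_BAD_STATUS = _XML % ("1", "")
# What a `curl -v` run pastes when stderr is mixed into stdout: a progress
# line spliced into the base64, which must be rejected rather than decoded.
SAMPLE_XML_GARBLED = SAMPLE_XML_OK.replace(
    "</ChainBase64>", "* Closing connection #0</ChainBase64>")

if __name__ == "__main__":
    certs = parse_certutil_list(SAMPLE_CERTUTIL)
    print("IPA CA trusted for SSL:", ca_trusted_for_ssl(certs, "MYDOMAIN.COM IPA CA"))
    for name, xml in [("ok", SAMPLE_XML_OK), ("bad status", SAMPLE_XML_BAD_STATUS),
                      ("garbled", SAMPLE_XML_GARBLED)]:
        print(name, "->", chain_problem(xml) or "chain decodes")
```

When feeding real `curl` output to `parse_cert_chain`, drop the `-v` progress lines first (send stderr elsewhere with `2>/dev/null`), otherwise the spliced `* Connection ...` text lands inside `ChainBase64` and the strict base64 decode rejects it, as the garbled sample shows.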
