Re: [Freeipa-users] Public CA signed Certificate import failure

[Rob Crittenden]

James Roman wrote:

Rob Crittenden wrote:

James Roman wrote:

First off, thanks Rob for the direction on creating a certificate. After reading up on Mozilla's NSS, I think I've got a pretty fair grounding.

So I successfully generated a CSR and had it signed. I imported my certificate and CA chain into the NSS database and exported it to a PKCS12 cert. I am primarily concerned with using the public cert on the HTTP interface. However, when I go to import it using ipa-server-certificate, it chokes on the names in the CA certificate chain. (One of the certs uses full website address for the name.) I can manually import each of the certificates in the CA chain using certutil on the /etc/httpd/alias directory.

What do you mean by choke? Do you have a python backtrace or can you send me the ipaserver-install.log?

Here is what I get when importing the p12 file using "ipa-server-certinstall". The reasons for the errors are fairly self-evident when you see how it parses the command line arguments.

Traceback (most recent call last):
 File "/usr/sbin/ipa-server-certinstall", line 137, in main
   server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
 File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
   cdb.trust_root_cert(server_cert[0])

   "-t", "CT,CT,"])

   return ipautil.run(new_args, stdin)
 File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
   raise CalledProcessError(p.returncode, ' '.join(args))


I'm left with most of the certificate chain

# ipa-server-certinstall -w /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx --http_pin='mysecretpin' an unexpected error occurred: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned non-zero exit status 255 File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned non-zero exit status 255

Ok, we shouldn't need to mess with builtin CAs at all.

Can you file a bug on this?

In the meantime, this patch should fix things for you:

diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py
index 8cb1d08..610ca1d 100644
--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -318,8 +318,9 @@ class CertDB(object):
     def trust_root_cert(self, nickname):
         root_nickname = self.find_root_cert(nickname)

-        self.run_certutil(["-M", "-n", root_nickname,
-                           "-t", "CT,CT,"])
+        if root_nickname is not None and root_nickname[:7] != "Builtin":
+            self.run_certutil(["-M", "-n", root_nickname,
+                               "-t", "CT,CT,"])

     def find_server_certs(self):
         p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,



Indentation matters in python so be sure to apply this exactly.

rob

If you are careful you should be able to modify, as root, the IPA python source. You'll find it in /usr/lib/python2.5/site-packages/ipaserver/certs.py

smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users