Rob Crittenden wrote:
James Roman wrote:
Rob Crittenden wrote:
James Roman wrote:
First off, thanks Rob for the direction on creating a certificate.
After reading up on Mozilla's NSS, I think I've got a pretty fair
grounding.
So I successfully generated a CSR and had it signed. I imported my
certificate and CA chain into the NSS database and exported it to a
PKCS12 cert. I am primarily concerned with using the public cert on
the HTTP interface. However, when I go to import it using
ipa-server-certificate, it chokes on the names in the CA
certificate chain. (One of the certs uses full website address for
the name.) I can manually import each of the certificates in the CA
chain using certutil on the /etc/httpd/alias directory.
What do you mean by choke? Do you have a python backtrace or can you
send me the ipaserver-install.log?
Here is what I get when importing the p12 file using
"ipa-server-certinstall". The reasons for the errors are fairly
self-evident when you see how it parses the command line arguments.
# ipa-server-certinstall -w
/data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx
--http_pin='mysecretpin'
an unexpected error occurred: Command '/usr/bin/certutil -d
/etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA"
[OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group,
Inc. -t CT,CT,' returned non-zero exit status 255
Traceback (most recent call last):
File "/usr/sbin/ipa-server-certinstall", line 137, in main
server_cert = import_cert(dirname, pkcs12_fname, options.http_pin,
"")
File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
cdb.trust_root_cert(server_cert[0])
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line
322, in trust_root_cert
"-t", "CT,CT,"])
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line
126, in run_certutil
return ipautil.run(new_args, stdin)
File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
raise CalledProcessError(p.returncode, ' '.join(args))
CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -M
-n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2
Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,'
returned non-zero exit status 255
I'm left with most of the certificate chain
Ok, we shouldn't need to mess with builtin CAs at all.
Can you file a bug on this?
In the meantime, this patch should fix things for you:
diff --git a/ipa-server/ipaserver/certs.py
b/ipa-server/ipaserver/certs.py
index 8cb1d08..610ca1d 100644
--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -318,8 +318,9 @@ class CertDB(object):
def trust_root_cert(self, nickname):
root_nickname = self.find_root_cert(nickname)
- self.run_certutil(["-M", "-n", root_nickname,
- "-t", "CT,CT,"])
+ if root_nickname is not None and root_nickname[:7] != "Builtin":
+ self.run_certutil(["-M", "-n", root_nickname,
+ "-t", "CT,CT,"])
def find_server_certs(self):
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
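Review bot: the `root_nickname[:7] != "Builtin"` guard avoids calling -M on the read-only builtin token, but it does not address the nickname mangling the error itself exposes: certutil was handed a nickname ending in `" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.`, which is exactly what a greedy match between the first and last `"` on the chain line produces when the subject contains a quoted RDN value. A non-builtin root whose subject has the same shape (the `O="ValiCert, Inc."` chain later in this thread) will therefore still fail after this patch. Suggest fixing the nickname extraction in find_root_cert to stop at the first closing quote (for example `"([^"]*)" \[`), using `root_nickname.startswith("Builtin Object Token:")` instead of a 7-character slice, and logging rather than silently skipping when root_nickname is None, since that now hides a parse failure.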
If you are careful you should be able to modify, as root, the IPA
python source. You'll find it in
/usr/lib/python2.5/site-packages/ipaserver/certs.py
Indentation matters in python so be sure to apply this exactly.
rob
Well it worked partly. I was able to successfully import the certificate
for the webserver. It did not set the trust attributes on the CA
certificates (perhaps that was the point). If I run the command to
import the certificate for the directory server, it fails on a different
part of the CA chain now.
# ipa-server-certinstall -d
/data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx
--dirsrv_pin='mysecretpin'
Directory Manager password:
an unexpected error occurred: Command '/usr/bin/certutil -d
/etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
[[email protected],CN=http://www.valicert.com/,OU=ValiCert Class 2
Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
non-zero exit status 255
Traceback (most recent call last):
File "/usr/sbin/ipa-server-certinstall", line 132, in main
server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin,
passwd)
File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
cdb.trust_root_cert(server_cert[0])
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 325,
in trust_root_cert
"-t", "CT,CT,"])
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126,
in run_certutil
return ipautil.run(new_args, stdin)
File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
raise CalledProcessError(p.returncode, ' '.join(args))
CalledProcessError: Command '/usr/bin/certutil -d
/etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
[[email protected],CN=http://www.valicert.com/,OU=ValiCert Class 2
Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
non-zero exit status 255
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
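Both failures in this thread hand `certutil -M` a nickname that still carries the CA's subject text. The following is an added illustration, not IPA's own code; it assumes the chain listing arrives in certutil's `"nickname" [subject]` line format and reconstructs the greedy quote match that reproduces the mangled nickname from the errors, beside a parser that stops at the first closing quote and the builtin-token skip from the patch:

```python
import re

# Constructed sample lines in the '"<nickname>" [<subject>]' format in which
# certutil prints a certificate chain (assumed input format). The CA subjects
# are the ones from the errors in this thread; note the quoted O= values.
CHAIN_LINES = [
    '"Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 '
    'Certification Authority,O="The Go Daddy Group, Inc.",C=US]',
    '"valicert.com" [CN=http://www.valicert.com/,OU=ValiCert Class 2 '
    'Policy Validation Authority,O="ValiCert, Inc."]',
    '  "server.suffix.com" [CN=server.suffix.com,O="Example, Inc."]',
]

# Greedy '.*' runs to the LAST quote on the line, so a quoted RDN value inside
# the subject drags subject text into the nickname (reconstructed bug that
# matches the error output; not a quote of IPA's source).
GREEDY_NICK = re.compile(r'\s*"(.*)"')
# '[^"]*' stops at the first closing quote; requiring ' [' afterwards also
# rejects lines that are not chain entries.
SAFE_NICK = re.compile(r'\s*"([^"]*)" \[')


def nickname_of(line, pattern=SAFE_NICK):
    """Return the nickname on a chain line, or None if the line does not parse."""
    m = pattern.match(line)
    return m.group(1) if m else None


def trust_args(nickname, secdir="/etc/httpd/alias"):
    """certutil argv to mark a root CA trusted, or None when -M must be skipped.

    Certificates in the NSS builtin token are read-only, so modifying their
    trust always fails; a nickname that did not parse is skipped as well rather
    than being passed to certutil half-mangled.
    """
    if nickname is None or nickname.startswith("Builtin Object Token:"):
        return None
    return ["/usr/bin/certutil", "-d", secdir, "-M", "-n", nickname,
            "-t", "CT,CT,"]


def root_trust_args(chain_lines, secdir="/etc/httpd/alias"):
    """The first chain line is the root; decide what, if anything, to run."""
    return trust_args(nickname_of(chain_lines[0]), secdir)
```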