James Roman wrote:
> James Roman wrote:
> > First off, thanks Rob for the direction on creating a certificate. After reading up on Mozilla's NSS, I think I've got a pretty fair grounding.
> >
> > So I successfully generated a CSR and had it signed. I imported my certificate and CA chain into the NSS database and exported it to a PKCS12 cert. I am primarily concerned with using the public cert on the HTTP interface. However, when I go to import it using ipa-server-certificate, it chokes on the names in the CA certificate chain. (One of the certs uses full website address for the name.) I can manually import each of the certificates in the CA chain using certutil on the /etc/httpd/alias directory.
>
> Rob Crittenden wrote:
> > What do you mean by choke? Do you have a python backtrace or can you send me the ipaserver-install.log?
>
> James Roman wrote:
> > Here is what I get when importing the p12 file using "ipa-server-certinstall". The reasons for the errors are fairly self-evident when you see how it parses the command line arguments.
> >
> > # ipa-server-certinstall -w /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx --http_pin='mysecretpin'
> > an unexpected error occurred: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned non-zero exit status 255
> > Traceback (most recent call last):
> >   File "/usr/sbin/ipa-server-certinstall", line 137, in main
> >     server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
> >   File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
> >     cdb.trust_root_cert(server_cert[0])
> >   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert
> >     "-t", "CT,CT,"])
> >   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
> >     return ipautil.run(new_args, stdin)
> >   File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
> >     raise CalledProcessError(p.returncode, ' '.join(args))
> > CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned non-zero exit status 255
> >
> > I'm left with most of the certificate chain
>
> Rob Crittenden wrote:
> > Ok, we shouldn't need to mess with builtin CAs at all. Can you file a bug on this? In the meantime, this patch should fix things for you:
> >
> > diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.pyindex 8cb1d08..610ca1d 100644 --- a/ipa-server/ipaserver/certs.py +++ b/ipa-server/ipaserver/certs.py
> > @@ -318,8 +318,9 @@ class CertDB(object): def trust_root_cert(self, nickname): root_nickname = self.find_root_cert(nickname) - self.run_certutil(["-M", "-n", root_nickname, - "-t", "CT,CT,"])+ if root_nickname is not None and root_nickname[:7] != "Builtin":+ self.run_certutil(["-M", "-n", root_nickname, + "-t", "CT,CT,"]) def find_server_certs(self): p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
> >
> > If you are careful you should be able to modify, as root, the IPA python source. You'll find it in /usr/lib/python2.5/site-packages/ipaserver/certs.py
> >
> > Indentation matters in python so be sure to apply this exactly.
> >
> > rob
>
> James Roman wrote:
> > Well it worked partly. I was able to successfully import the certificate for the webserver. It did not set the trust attributes on the CA certificates (perhaps that was the point). If I run the command to import the certificate for the directory server, it fails on a different part of the CA chain now.
> >
> > # ipa-server-certinstall -d /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx --dirsrv_pin='mysecretpin'
> > Directory Manager password:
> > an unexpected error occurred: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [[email protected],CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255
> > Traceback (most recent call last):
> >   File "/usr/sbin/ipa-server-certinstall", line 132, in main
> >     server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
> >   File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
> >     cdb.trust_root_cert(server_cert[0])
> >   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 325, in trust_root_cert
> >     "-t", "CT,CT,"])
> >   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
> >     return ipautil.run(new_args, stdin)
> >   File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
> >     raise CalledProcessError(p.returncode, ' '.join(args))
> > CalledProcessError: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [[email protected],CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> Looking into this a bit closer, my best guess is that the problem really exists in the find_root_cert routine. If I manually run certutil -O on my server certificate, I get:
>
> "valicert.com" [[email protected],CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network]
> "Go Daddy Class 2 Certification Authority" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US]
> "Go Daddy Secure Certification Authority" [serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]
> "servername server-cert" [CN=servername.realm.com,OU=Domain Control Validated,O=servername.realm.com]
>
> It looks like it is choking on the quotes around the organization name. Does this routine really need to return the part between the square brackets? From what I've seen thus far, it does not look like the Distinguished Name is required for certificate management. Can the string just be chopped off after the friendly name?
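Review bot: the guard `root_nickname is not None and root_nickname[:7] != "Builtin"` in the `trust_root_cert` hunk only sidesteps the symptom. The nickname in the traceback, `Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.`, is the real nickname plus a slice of the subject DN, so `find_root_cert` is handing certutil a name that can never resolve, and the same failure recurs for any non-builtin root (the later `valicert.com" [...` error is exactly that). Fix the nickname extraction in `find_root_cert` alongside this check, and prefer `root_nickname.startswith("Builtin")` over the `[:7]` slice so the intent is readable.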
I think you're onto something there. Python's re module doesn't count quotes so it looks like it is taking everything between the first quote and the last one. If I'm reading the backtrace properly, for example, it looks like it is dropping the C=US which is outside the last set of quotes.
I think that adding in a more precise match will fix it. In some quickie unit tests this seems to work:
--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -311,15 +311,16 @@ class CertDB(object):
chain = p.stdout.read()
chain = chain.split("\n")
- root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]
+ root_nickname = re.match('\ *"(.*) \[".*', chain[0]).groups()[0]
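Review bot: the replacement pattern `'\ *"(.*) \[".*'` requires the literal sequence ` ["` (space, bracket, quote) after the nickname, which never occurs in the `certutil -O` lines quoted above (they read `"nickname" [DN]`), so `re.match` returns None and `.groups()` raises AttributeError instead of the certutil error. The quote and bracket look transposed: `'\ *"(.*)" \[.*'` matches the real layout, and a non-greedy `(.*?)` keeps the group from running past a later `" [` that a DN might contain. Either way, check the match for None before calling `.groups()` so a malformed line fails with a clear message rather than a traceback in `find_root_cert`.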
Can you give this a try?
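A parser for the `certutil -O` chain lines the thread is arguing about, added here as an example and not code from the freeipa project: it shows the string the original greedy pattern produced beside an anchored match that stops at the nickname, and folds in the builtin-token check from Rob's earlier patch. The chain text is constructed from the lines James posted (assuming that `"nickname" [DN]`, root first, is the layout to parse); the e-mail address in the first DN is a placeholder.

```python
import re
from typing import Optional, Tuple

# Constructed sample of the chain listing "certutil -O -n <nickname>" prints
# (root first, one cert per line, indented by depth), modelled on the lines
# James posted above. The subject DNs carry embedded quotes, which is what
# defeats a greedy pattern. The e-mail address in the first DN is a placeholder.
SAMPLE_CHAIN = (
    '"valicert.com" [E=info@example.test,CN=http://www.valicert.com/,'
    'OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",'
    'L=ValiCert Validation Network]\n'
    '  "Go Daddy Class 2 Certification Authority" [OU=Go Daddy Class 2 '
    'Certification Authority,O="The Go Daddy Group, Inc.",C=US]\n'
    '    "servername server-cert" [CN=servername.realm.com,'
    'OU=Domain Control Validated,O=servername.realm.com]\n'
)

# Pattern from the original certs.py: the group is greedy, so it runs from the
# first quote to the LAST quote on the line and swallows part of the DN.
LEGACY_RE = re.compile(r'\ *"(.*)".*')

# Anchored replacement: the nickname is everything up to the first '" [' and
# the DN is whatever sits inside the final pair of square brackets.
LINE_RE = re.compile(r'^\s*"(.*?)" \[(.*)\]\s*$')

def legacy_root_nickname(first_line: str) -> str:
    """What the original regex extracted; kept only to show the defect."""
    return LEGACY_RE.match(first_line).groups()[0]

def parse_chain_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (nickname, subject DN) for one certutil -O line, or None."""
    m = LINE_RE.match(line)
    return (m.group(1), m.group(2)) if m else None

def find_root_nickname(chain_output: str) -> Optional[str]:
    """The first non-blank line of the listing is the root; fail closed."""
    for line in chain_output.splitlines():
        if line.strip():
            parsed = parse_chain_line(line)
            return parsed[0] if parsed else None
    return None

def needs_trust_update(nickname: Optional[str]) -> bool:
    """Only certs in our own NSS database get 'CT,CT,'; a builtin-token
    nickname is never modified (the check from the earlier patch)."""
    return nickname is not None and not nickname.startswith("Builtin")
```

`find_root_nickname` returns None for a line it cannot parse, so the caller can refuse to run `certutil -M` at all instead of passing a half-DN nickname as in the tracebacks above.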
