Hi!
I've been fighting for the past week with FreeIPA, trying to make it work
with my own CA certificate, which is ECDSA_SHA256.
Even though I somehow fixed /etc/httpd/conf.d/nss.conf to make it work
(basically added the correct NSSCipherSuite), LDAP (389DS) is a tough nut.
The command I used is:
    ipa-server-install --mkhomedir --hostname 'ipa.mydomain.com' \
        --realm MYDOMAIN.COM --domain mydomain.com \
        --ds-password 'DS_PASSWORD_HERE' --admin-password 'ADMIN_PASSWORD_HERE' \
        --no-ntp --unattended --no-host-dns \
        --dirsrv-cert-file /etc/ipa/ipa.p12 --http-cert-file /etc/ipa/ipa.p12 \
        --dirsrv-pin 'PIN_FOR_CERT' --http-pin 'PIN_FOR_CERT' \
        --ca-cert-file /etc/ipa/myownca.pem
In this case, installation fails at the following step:
    Unable to set admin password Command ''/usr/bin/ldappasswd' '-h' 'ipa.rpay.us' '-ZZ' '-x'
    '-D' 'cn=Directory Manager' '-y' '/var/lib/ipa/tmp5KkCae' '-T' '/var/lib/ipa/tmpTC27Ap'
    'uid=admin,cn=users,cn=accounts,dc=rpay,dc=us'' returned non-zero exit status 1
In /var/log/ipaserver-install.log I see a message:
    DEBUG stderr=ldap_start_tls: Protocol error (2)
    additional info: SSL not supported by this server.
Basically, LDAP is broken now (it doesn't allow connecting without the -ZZ
flag, and fails with it, since TLS is misconfigured at this point).
What actually happens is that LDAP gets configured to use RSA as the key
exchange algorithm, and fails, since the cert is an ECC cert.
In /var/log/dirsrv/slapd-MYDOMAIN-COM/errors you can see:
    [05/Nov/2015:12:22:36 +0000] - SSL alert: ConfigSecureServer: Server key/certificate is bad
    for cert FreeIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime
    error -12200 - The certificate provided cannot be used with the selected key exchange
    algorithm.)
This is configured by ipaserver/install/dsinstance.py under def __enable_ssl:
    # the encryption "family" entry; the cn=RSA name and cn=["RSA"] value are hardcoded
    entry = conn.make_entry(
        DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
        objectclass=["top", "nsEncryptionModule"],
        cn=["RSA"],
        nsSSLPersonalitySSL=[self.nickname],
        nsSSLToken=["internal (software)"],
        nsSSLActivation=["on"],
    )
    conn.add_entry(entry)
My question is, is it possible to replace RSA with ECDSA here? If so,
what parameters should I pass to LDAP?
If this is fixable, can someone add autodetection of the certificate's key
type and enable the appropriate algorithms in LDAP and Apache?
Best regards,
Marat Vyshegorodtsev
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
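An added example (my own code, not FreeIPA's or 389DS's) of the autodetection asked for above: it reads the SubjectPublicKeyInfo algorithm OID out of a certificate, so an installer could tell an RSA certificate from an EC one before writing the cn=RSA,cn=encryption,cn=config entry or picking an NSSCipherSuite. The sample certificate it builds is a constructed, unsigned skeleton with empty name fields, enough to exercise the parser but not a real certificate.

```python
import ssl  # only for the PEM <-> DER helpers; no certificate parsing in stdlib

OID_RSA = "1.2.840.113549.1.1.1"  # rsaEncryption
OID_EC = "1.2.840.10045.2.1"      # id-ecPublicKey, used by ECDSA certificates

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Return [(tag, value), ...] for the TLVs packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Turn OID content bytes into dotted notation (base-128 arcs, first byte packs two)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def cert_key_algorithm(der):
    """Return 'RSA', 'EC', or the dotted OID for anything else."""
    _, cert, _ = der_tlv(der)
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:  # optional explicit [0] version comes first
        fields = fields[1:]
    spki = fields[5][1]  # serial, signature, issuer, validity, subject, SPKI
    oid = decode_oid(der_children(der_children(spki)[0][1])[0][1])
    return {OID_RSA: "RSA", OID_EC: "EC"}.get(oid, oid)

def pem_key_algorithm(pem_text):  # same check for a PEM file such as --ca-cert-file
    return cert_key_algorithm(ssl.PEM_cert_to_DER_cert(pem_text))

def _tlv(tag, content):  # short-form length only; enough for the constructed sample
    return bytes([tag, len(content)]) + content

def sample_cert(oid_content, pem=False):
    """Constructed, unsigned, structurally minimal certificate for exercising the parser."""
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, oid_content)) + _tlv(0x03, b"\x00\x00"))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x30, b"") * 4 + spki)
    return ssl.DER_cert_to_PEM_cert(_tlv(0x30, tbs)) if pem else _tlv(0x30, tbs)
```

On a real certificate, `pem_key_algorithm(open("/etc/ipa/myownca.pem").read())` returning "EC" is the signal that an RSA-only encryption family or RSA-only cipher list will produce exactly the -12200 error quoted above.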