Hello,

I'm running IPA on current Fedora 32, freeipa-server-4.8.9-2 and 
pki-server-10.9.0-0.4

Today the certificate of my IMAP server (running on Debian Buster) was
automatically refreshed:

,----
| Request ID '20181003215953':
|         status: MONITORING
|         stuck: no
|         key pair storage: type=FILE,location='/etc/ssl/private/imap.jochen.org.key'
|         certificate: type=FILE,location='/etc/ssl/certs/imap.jochen.org.crt'
|         CA: IPA
|         issuer: CN=Certificate Authority,O=JOCHEN.ORG
|         subject: CN=imap.jochen.org,O=JOCHEN.ORG
|         expires: 2022-09-07 09:30:16 CEST
|         dns: imap.jochen.org
|         principal name: imap/jupiter.jochen....@jochen.org
|         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
|         eku: id-kp-serverAuth,id-kp-clientAuth
|         pre-save command:
|         post-save command: /root/refresh_cyrus_certificate.sh
|         track: yes
|         auto-renew: yes
`----

On an iPhone one of my users gets a message that the certificate is not valid.
Reason seems to be this: 
https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html

When I look at the certificate with openssl I see:

,----
|         X509v3 extensions:
|             X509v3 Authority Key Identifier: 
|                 keyid:4F:F8:45:3D:E8:06:4B:8D:BB:9D:D2:D1:8B:00:43:A1:07:16:A1:17
| 
|             Authority Information Access: 
|                 OCSP - URI:http://ipa-ca.jochen.org/ca/ocsp
| 
|             X509v3 Key Usage: critical
|                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
|             X509v3 Extended Key Usage: 
|                 TLS Web Server Authentication, TLS Web Client Authentication
`----

My current guess is that the "Key Usage: critical" is the reason for the iOS 
error.

I've looked for the certprofiles and found these files:

,----
| [root@freeipa3 /]# find . -name \*caIPAserviceCert\* -ls
|   8510694      8 -rw-rw----   1 pkiuser  pkiuser      6218 Mär  4  2020 ./var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
|   9332162      4 -rw-r--r--   1 root     root          229 Aug 20 12:38 ./usr/lib/python3.8/site-packages/ipaclient/csrgen/profiles/caIPAserviceCert.json
|  26138015      8 -rw-r--r--   1 root     root         7014 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.UPGRADE.cfg
|  26138016      8 -rw-r--r--   1 root     root         7294 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.cfg
|   9323278      8 -rw-r--r--   1 root     root         6272 Jun 25 23:53 ./usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
`----

These files contain:

,----
| policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
| policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
| policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
| policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
`----

So I think this is where the critical flag and the keyUsage defaults come from.

What I could use help with is the following:

1. I didn't find reports about the problem in pagure or the mailing
list. Am I really alone with this?

2. My FreeIPA was installed years ago on Fedora, moved to CentOS
and this year back to Fedora by creating replicas. Has there been a
problem with upgrading the certprofiles?

3. How can I remove the options from the certificate request so that
certmonger gets a valid certificate?

Am I missing something else?

-- 
This space is intentionally left blank.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
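Added example (editor's note, not code from the post or from FreeIPA/Dogtag): a dependency-free Python decoder that shows where the "critical" flag of the KeyUsage extension lives in the DER encoding, i.e. what the profile's keyUsageCritical=true/false setting actually changes on the wire, and which KeyUsage bits and EKU OIDs a certificate carries. The DER it builds is a constructed sample containing only an extension block that mirrors the profile values quoted above (it is not a full certificate); function names such as build_extensions and summarize are this example's own. load_pem() lets you run summarize() on a real PEM file such as /etc/ssl/certs/imap.jochen.org.crt.

```python
"""Decode the KeyUsage and ExtendedKeyUsage extensions of DER-encoded X.509
data without external libraries, reporting whether KeyUsage is critical."""
import base64
from typing import Dict, Iterator, List, Optional, Tuple

KEY_USAGE_OID = "2.5.29.15"
EXT_KEY_USAGE_OID = "2.5.29.37"
# RFC 5280 KeyUsage bit positions: bit 0 is the most significant bit of the BIT STRING.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "id-kp-serverAuth",
             "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth"}


def der_tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, content) for each DER TLV in data (single-byte tags, definite lengths)."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                         # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def encode_key_usage(names: List[str]) -> bytes:
    """KeyUsage BIT STRING: first content byte counts unused trailing bits (DER drops them)."""
    raw = sum(1 << (15 - KEY_USAGE_BITS.index(n)) for n in names).to_bytes(2, "big").rstrip(b"\x00")
    unused, last = 0, (raw[-1] if raw else 1)
    while not last & 1:
        last >>= 1
        unused += 1
    return der(0x03, bytes([unused]) + raw)


def parse_key_usage(extn_value: bytes) -> List[str]:
    tag, bits = next(der_tlvs(extn_value))
    assert tag == 0x03, "KeyUsage extnValue must be a BIT STRING"
    total, names, idx = 8 * len(bits[1:]) - bits[0], [], 0
    for byte in bits[1:]:
        for k in range(7, -1, -1):
            if idx < total and idx < len(KEY_USAGE_BITS) and byte >> k & 1:
                names.append(KEY_USAGE_BITS[idx])
            idx += 1
    return names


def parse_eku(extn_value: bytes) -> List[str]:
    _, seq = next(der_tlvs(extn_value))          # SEQUENCE OF KeyPurposeId
    return [EKU_NAMES.get(decode_oid(v), decode_oid(v)) for t, v in der_tlvs(seq) if t == 0x06]


def _as_extension(children: List[Tuple[int, bytes]]) -> Optional[Tuple[str, bool, bytes]]:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    oid, rest, critical = decode_oid(children[0][1]), children[1:], False
    if rest and rest[0][0] == 0x01:              # BOOLEAN present only when TRUE (DER omits the default)
        critical, rest = rest[0][1] == b"\xff", rest[1:]
    if len(rest) == 1 and rest[0][0] == 0x04:
        return oid, critical, rest[0][1]
    return None


def find_extensions(cert_der: bytes) -> Dict[str, Tuple[bool, bytes]]:
    """Walk every constructed node; return oid -> (critical, extnValue) for each Extension found."""
    found: Dict[str, Tuple[bool, bytes]] = {}

    def walk(data: bytes) -> None:
        for tag, value in der_tlvs(data):
            if not tag & 0x20:                   # primitive: nothing to descend into
                continue
            children = list(der_tlvs(value))
            if tag == 0x30 and children and children[0][0] == 0x06:
                ext = _as_extension(children)
                if ext:
                    found[ext[0]] = (ext[1], ext[2])
                    continue
            walk(value)
    walk(cert_der)
    return found


def summarize(cert_der: bytes) -> Dict[str, object]:
    exts = find_extensions(cert_der)
    ku_crit, ku_val = exts.get(KEY_USAGE_OID, (False, b""))
    _, eku_val = exts.get(EXT_KEY_USAGE_OID, (False, b""))
    return {"keyUsageCritical": ku_crit,
            "keyUsage": parse_key_usage(ku_val) if ku_val else [],
            "eku": parse_eku(eku_val) if eku_val else []}


def load_pem(text: str) -> bytes:
    return base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))


def build_extensions(key_usage_critical: bool) -> bytes:
    """Constructed sample (not a real certificate): the extension block a
    caIPAserviceCert-style profile would emit, wrapped as [3] EXPLICIT Extensions."""
    ku = der(0x06, encode_oid(KEY_USAGE_OID))
    if key_usage_critical:                       # keyUsageCritical=true -> BOOLEAN TRUE (01 01 FF)
        ku += der(0x01, b"\xff")
    ku += der(0x04, encode_key_usage(["digitalSignature", "nonRepudiation",
                                      "keyEncipherment", "dataEncipherment"]))
    eku_list = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in EKU_NAMES))
    eku = der(0x06, encode_oid(EXT_KEY_USAGE_OID)) + der(0x04, eku_list)
    extensions = der(0x30, der(0x30, ku) + der(0x30, eku))
    return der(0x30, der(0x30, der(0xA3, extensions)))


if __name__ == "__main__":
    for critical in (True, False):
        print("keyUsageCritical=%s ->" % critical, summarize(build_extensions(critical)))
```

With keyUsageCritical=true the Extension carries an explicit BOOLEAN TRUE before the OCTET STRING; with false the BOOLEAN is simply absent, which is what `openssl x509 -text` renders as the presence or absence of "critical" after "X509v3 Key Usage:". To inspect the certificate from the post, call `summarize(load_pem(open("/etc/ssl/certs/imap.jochen.org.crt").read()))`.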
