Hi,

We moved our CA-less FreeIPA install into production only a few days ago and today I've noticed some problem with certificates.

This is a FreeIPA 4.2 installation on CentOS 7.2. I've installed the first node with the following command:

    ipa-server-install \
      -U \
      -r $REALM \
      -n $DOMAIN \
      -p $PASSWD \
      -a $PASSWD \
      --mkhomedir \
      --setup-dns \
      --no-forwarders \
      --no-dnssec-validation \
      --idstart=1100 \
      --dirsrv-cert-file=${CERT_FILE} \
      --dirsrv-cert-name=${CERT_NAME} \
      --http-cert-file=${CERT_FILE} \
      --http-cert-name=${CERT_NAME} \
      --dirsrv-pin='' \
      --http-pin=''

The ${CERT_FILE} was in PKCS12 format and it included the whole certificate chain (AddTrustExternalCARoot.pem -> USERTrustRSACA.pem -> GandiStandardSSLCA2.pem -> star.ipa.wandisco.com.crt):

    $ openssl verify -verbose -CAfile <(cat AddTrustExternalCARoot.pem USERTrustRSACA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
    star.ipa.wandisco.com.crt: OK

Today I've noticed that the /etc/ipa/ca.crt file is not the same across all nodes and I've attempted to fix it by running ipa-certupdate. Now, instead of 3 CA certificates in /etc/ipa/ca.crt I can see 5 certificates (the last 2 are the same).

To investigate this, I've split ca.crt into 5 separate files cert1-5:

    [root@shdc01 temp]# for i in {1..5}; do echo cert${i}; openssl x509 -in cert${i} -noout -text | grep -i 'issuer:\|subject:'; done
    cert1
            Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
            Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
    cert2
            Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
            Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
    cert3
            Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
            Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
    cert4
            Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
            Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
    cert5
            Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
            Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

As you can see, cert4 and cert5 are equal yet listed twice, and they are completely different to cert3 - the one from the certificate chain supplied by the SSL provider. As per our previous conversation with Jan Cholasta, cert4/5 must have been added (by ipa-certupdate?) from certificates available on the server (ca-certificates package?).

So now we ended up with "USERTrust RSA Certification Authority - AddTrust AB" listed twice - one of them is correct (from the chain), the other one is incorrect:

    [root@shdc01 ~]# certutil -L -d /etc/pki/nssdb/

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    AddTrust External CA Root - AddTrust AB                      ,,
    USERTrust RSA Certification Authority - AddTrust AB          ,,
    Gandi Standard SSL CA 2 - The USERTRUST Network              C,,
    USERTrust RSA Certification Authority - AddTrust AB          ,,

    [root@shdc01 ~]# certutil -L -d /etc/httpd/alias/

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    GandiWildcardIPA                                             u,u,u
    AddTrust External CA Root - AddTrust AB                      ,,
    USERTrust RSA Certification Authority - AddTrust AB          ,,
    Gandi Standard SSL CA 2 - The USERTRUST Network              C,,
    USERTrust RSA Certification Authority - AddTrust AB          ,,

    [root@shdc01 ~]# certutil -L -d /etc/pki/nssdb/

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    USERTrust RSA Certification Authority - AddTrust AB          ,,
    AddTrust External CA Root - AddTrust AB                      ,,
    USERTrust RSA Certification Authority - AddTrust AB          ,,
    Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

Now, if I try to query FreeIPA's LDAP directory (for example using ldapsearch), I get the following errors:

    TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
    TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
    TLS: can't connect: SSLHandshake() failed: misc. bad certificate (-9825).

We can clearly see that the certificate chain advertised by the server is not correct, hence it's failing the SSL handshake:

    $ openssl s_client -connect shdc01.ipa.wandisco.com:636
    CONNECTED(00000003)
    depth=2 /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.ipa.wandisco.com
       i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
     1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
       i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
     2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
       i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

Please correct me if I'm wrong, but I think that in order to fix this we will need to remove the incorrectly added certificate "USERTrust RSA Certification Authority - AddTrust AB", but which one, since there are 2 with exactly the same nickname?

I haven't made any further changes to any of the servers as I would like to get your input first. Please get back to me as soon as possible, it is very important for us to recover from this state in a timely manner. I'm available on #freeipa under nickname peterpakos.

Thanks in advance for your help.

-- 
Kind regards,
Peter Pakos
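The mail above diagnoses a CA bundle by splitting it into files and grepping the subject and issuer of each piece. Two entries with the same nickname (or the same subject) are told apart by the fingerprint of their DER encoding, which is what `openssl x509 -noout -fingerprint -sha256` prints. The script below is an added example, not part of Peter's mail and not FreeIPA code: it splits a PEM bundle such as /etc/ipa/ca.crt, fingerprints every certificate, reports which positions hold byte-identical copies, and rebuilds the bundle with only the first copy of each. The sample bundle it runs on is constructed from placeholder bytes (not real X.509), so it works offline; the fifth entry repeats the fourth, mirroring the five-certificate ca.crt in the mail.

```python
import base64
import hashlib
import re
import textwrap

# Matches one PEM certificate block; the captured body is base64-encoded DER.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def _pem(der):
    """Wrap DER bytes in a PEM certificate envelope with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def split_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group("body").split()))
            for m in PEM_CERT_RE.finditer(text)]


def fingerprint(der):
    """SHA-256 over the DER encoding: the same value openssl's -fingerprint -sha256 shows."""
    return hashlib.sha256(der).hexdigest()


def find_duplicates(text):
    """Map fingerprint -> 1-based positions, for certificates that occur more than once.

    Two certificates that share a subject but differ in fingerprint (like cert3 vs
    cert4 in the mail, or two NSS entries with one nickname) are NOT reported here;
    they are distinct certificates and have to be judged by their chain, not removed
    as copies.
    """
    seen = {}
    for pos, der in enumerate(split_bundle(text), start=1):
        seen.setdefault(fingerprint(der), []).append(pos)
    return {fp: positions for fp, positions in seen.items() if len(positions) > 1}


def dedupe_bundle(text):
    """Rebuild the bundle keeping only the first copy of each certificate, order preserved."""
    out, kept = [], set()
    for der in split_bundle(text):
        fp = fingerprint(der)
        if fp not in kept:
            kept.add(fp)
            out.append(_pem(der))
    return "".join(out)


# Constructed sample bundle (placeholder bytes, not real X.509 certificates):
# four distinct entries followed by a repeat of the fourth one.
SAMPLE_BUNDLE = ("".join(_pem(b"constructed-cert-%d" % i) for i in (1, 2, 3, 4))
                 + _pem(b"constructed-cert-4"))

if __name__ == "__main__":
    for fp, positions in find_duplicates(SAMPLE_BUNDLE).items():
        print("duplicate %s... at positions %s" % (fp[:16], positions))
    print("certificates after dedupe:", len(split_bundle(dedupe_bundle(SAMPLE_BUNDLE))))
```

On a real bundle, read the file into `text` and pair the positions with `openssl x509 -in certN -noout -subject -issuer -fingerprint -sha256` to see which copy of a same-named certificate actually chains to the leaf; the fingerprint, not the nickname, is the stable identifier to compare across /etc/ipa/ca.crt and the NSS databases.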
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project