#2498 cert-request returns untrusted CA error
Closed: Fixed. Opened 12 years ago by rcritten.

In both a self-sign and dogtag CA request-cert is not working:

$ ipa  cert-request --add --principal test/rawhide.greyoak.com db/rawhide.csr 
ipa: ERROR: cert validation failed for "CN=rawhide.greyoak.com,O=GREYOAK.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to u'http://rawhide.greyoak.com/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

$ ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1206400000
  GID: 1206400000
  Account disabled: False
  Password: True
  Member of groups: admins
  Kerberos keys available: True

This doesn't seem to have anything to do with the backend. Creating a replica (which generates certs) still works.


This is related to the patch to fix the client installer where we set no_init if the NSS database has already been initialized. The path seems to be the same for user-show and cert-request but with cert-request we load a CSR file.

In pkcs10.py we initialize NSS with no db to load the CSR for validation. This wasn't being shut down and no_init was being set to True because we were setting dbdir too early in the connection so nss.nss_shutdown() wasn't being called.

With that not called NSS works but doesn't have the CA hence the untrusted error.

This failed on a standalone IPA server with:

$ mkdir db
$ certutil -N -d db (I'm lazy, set no password)
$ certutil -R -s 'CN=fqdn.example.com,O=EXAMPLE.COM' -d db -a > db/fqdn.csr
$ ipa cert-request --add --principal=test/fqdn.example.com db/fqdn.csr
FAIL with an untrusted CA error

Martin reported that this worked for him. You can also verify the fix by modifying ipalib/rpc.py. I stuck in a pdb trace into __nss_initialized() and saw that it was being called for the first request too so was always comparing itself to itself and therefore nss_shutdown() was never called.
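As an added illustration of the diagnosis above (a hypothetical model, not FreeIPA code: FakeNSS, load_csr, connect and cert_request are stand-ins for python-nss, pkcs10.py and rpc.py, and the certdb path is a placeholder), this shows why a no-database NSS context left open by the CSR load, or an ownership check that only runs after the connection has already initialized NSS, leaves the connection without the CA:

```python
# Hypothetical model of the init-order bug (added example; not FreeIPA code).
# FakeNSS stands in for the global NSS state that python-nss wraps.
class FakeNSS:
    def __init__(self):
        self.initialized, self.dbdir = False, None   # dbdir None = no database

    def nss_init_nodb(self):            # what the CSR loader uses
        self.initialized, self.dbdir = True, None

    def nss_init(self, dbdir):          # what the RPC connection uses
        self.initialized, self.dbdir = True, dbdir

    def nss_is_initialized(self):
        return self.initialized

    def nss_shutdown(self):
        self.initialized, self.dbdir = False, None

def load_csr(nss, shutdown_after):
    # pkcs10-style step: NSS is needed to parse a CSR, but no database is.
    if not nss.nss_is_initialized():
        nss.nss_init_nodb()
    # ... the CSR would be decoded here ...
    if shutdown_after:                  # the fix: hand the context back
        nss.nss_shutdown()

def connect(nss, certdb, check_after_init):
    # rpc-style step: reuse NSS if another caller owns it, otherwise own it.
    if check_after_init:
        # Buggy ordering: the ownership check runs after this call has already
        # initialized NSS, so it compares itself to itself; no_init is always True.
        if not nss.nss_is_initialized():
            nss.nss_init(certdb)
        no_init = nss.nss_is_initialized()
    else:
        no_init = nss.nss_is_initialized()
        if not no_init:
            nss.nss_init(certdb)
    # Only the real database carries the CA; a no-db context cannot verify the
    # server certificate, which is the ticket's SEC_ERROR_UNTRUSTED_ISSUER.
    result = "ok" if nss.dbdir == certdb else "SEC_ERROR_UNTRUSTED_ISSUER"
    if not no_init:                     # only the owner shuts NSS down
        nss.nss_shutdown()
    return result

def cert_request(csr_shutdown, check_after_init, certdb="/path/to/nssdb"):
    # Run both steps in order; return (result, NSS still initialized afterwards?).
    nss = FakeNSS()
    load_csr(nss, csr_shutdown)
    return connect(nss, certdb, check_after_init), nss.nss_is_initialized()
```

Only the combination where the CSR loader shuts NSS down and the connection checks ownership before initializing both verifies the server certificate and releases NSS afterwards; user-show has no CSR step, which is why it kept working.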

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03
