#3363 [RFE] CA-less installation
Closed: Fixed None Opened 11 years ago by orion.

Make --http_pkcs12 work again.

IPA will support installing without an embedded Certificate Authority, with user-provided SSL certificates for the HTTP and Directory servers.

More information: http://freeipa.org/page/V3/CA-less_install

Original report: Apparently when using --http_pkcs12, the /etc/httpd/alias NSS db first gets installed with the IPA CA and ipaCert, Signing-Cert, and Server-Cert, then gets replaced with the contents of the passed in pkcs12 file. This leads to problems with connecting to the PKI-CA when running ipa-replica-prepare:

Creating SSL certificate for the dogtag Directory Server
ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

I think instead of starting over, the new certs should be added to the NSS db.


Dup of #3151.
We will just remove the feature as listed.

We have decided to not retire this functionality (i.e. close #3151) as it may be very useful in some scenarios and fix it instead.

Move all uncompleted tickets to next month bucket.

You might want to take a look at the related issue #3360. I'm very interested in getting this working, so let me know if there is anything I can do to help. I've just installed 6.4 and will be testing with that.

Is there actually code checked in somewhere that can be looked at/tested?

Patches are on the freeipa-devel list.
For your convenience I also pushed them to Github: https://github.com/encukou/freeipa/tree/3363-pkcs (branch 3363-pkcs)

Just a point of clarification. Installing with:

ipa-server-install -r NWRA.COM -n nwra.com --root-ca-file=STAR_cora_nwra_com.ca-bundle --dirsrv_pkcs12=cora.nwra.com.p12 --dirsrv_pin=XXX --http_pkcs12=cora.nwra.com.p12 --http_pin=XXX --idstart=8000

I get:

Done configuring directory server (dirsrv).
Could not find a CA cert in cora.nwra.com.p12

Is there a reason that the CA cert needs to be in the pkcs12 file if you are also specifying it with --root-ca-file?

I installed with the CA cert added to the .p12 files just fine. Things look good so far. More testing tomorrow. Thanks!

Thanks for testing! I sent a patch addressing this problem to the list, and to the Github branch (please pull with --force).

Had to clean up some conflicts, but diff with origin/3363-pkcs is clean. Install without the CA in the pkcs12 file seems to work now.

# certutil -L -d /etc/dirsrv/slapd-NWRA-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           CT,C,
*.cora.nwra.com - COMODO CA Limited                          u,u,u

When I log into the web UI as "admin" I get a box saying:

s is undefined

Nothing but SUCCESS in /var/log/httpd/error_log. After clicking OK, things seem fine.
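A defender-side check for the state the certutil listing above shows, added here as an example and not FreeIPA's own code: it parses `certutil -L` output (constructed samples modelled on the listing and on the original report) and flags a database with no CA trusted for SSL issuance or no server cert with a private key. `check_nssdb` is a name of my own that shells out to certutil for a real database.

```python
"""Check a `certutil -L` listing for the trust state a CA-less install needs.
Added example, not FreeIPA code. A usable db has a CA trusted to issue SSL
server certs ('C' in the SSL column) and a server cert with a private key
('u,u,u'); a CA without 'C' is the state behind the SEC_ERROR_UNTRUSTED_ISSUER
failure quoted in the original report."""
import re
import subprocess

# Constructed sample modelled on the listing in the ticket (healthy state).
GOOD_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           CT,C,
*.cora.nwra.com - COMODO CA Limited                          u,u,u
"""

# Constructed sample: CA imported with no trust flags, so the server cert's
# issuer is "not trusted by the user" (the failure in the original report).
BAD_LISTING = """
CA                                                           ,,
*.cora.nwra.com - COMODO CA Limited                          u,u,u
"""

# nickname, two or more spaces, then three comma-separated trust flag groups
TRUST_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")

def parse_certutil_listing(text):
    """Map nickname -> (SSL, S/MIME, JAR/XPI) trust flag strings."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line.rstrip())
        if m:  # header lines carry no "x,y,z" flag triple and are skipped
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs

def check_nssdb_trust(certs):
    """Return a list of problems; an empty list means the db looks usable."""
    problems = []
    if not any("C" in ssl for ssl, _, _ in certs.values()):
        problems.append("no CA trusted to issue SSL server certs (no 'C' in SSL column)")
    if not any(all("u" in f for f in flags) for flags in certs.values()):
        problems.append("no server certificate with a private key (no 'u,u,u' entry)")
    return problems

def check_nssdb(dbdir):
    """Run certutil on a real NSS database, e.g. /etc/dirsrv/slapd-NWRA-COM."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         check=True, capture_output=True, text=True).stdout
    return check_nssdb_trust(parse_certutil_listing(out))
```

Run `check_nssdb("/etc/httpd/alias")` before `ipa-replica-prepare` to confirm the CA was loaded with trust rather than merely replaced by the PKCS#12 contents.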

The Web UI currently assumes that the cert-* commands are always available. Petr Voborník is working on a patch.

Changing title to reflect the solution, not the symptom.

Moving unfinished March tickets to April milestone.

master:

40b4faa Web UI: Disable cert functionality if a CA is not available
67c7bd3 ipa-client-install: Do not request host certificate if server is CA-less
a4b88ca Do not call cert-* commands in host plugin if a RA is not available
1bc892c Load the CA cert into server NSS databases
03a2c66 Support installing with custom SSL certs, without a CA
a03aba5 dsinstance, httpinstance: Don't hardcode 'Server-Cert'
ac06a28 Trust CAs from PKCS#12 files even if they don't have Friendly Names
1e86378 ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil wrapper
5fd68e3 Remove unused ipapython.certdb.CertDB class
34aa490 ipa-server-install: Remove the --selfsign option
9c215b6 ipa-server-install: Make temporary pin files available for the whole installation

Minor fix - Hide 'New Certificate' action in Web UI

  • master: e61c2e3 Hide 'New Certificate' action on CA-less install
  • ipa-3-3: 62dc8a5 Hide 'New Certificate' action on CA-less install

Metadata Update from @orion:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 3.2 - 2013/04 (Beta)

7 years ago
