Make --http_pkcs12 work again.
IPA will support installing without an embedded Certificate Authority, with user-provided SSL certificates for the HTTP and Directory servers.
Original report: Apparently when using --http_pkcs12, the /etc/httpd/alias NSS db first gets installed with the IPA CA and ipaCert, Signing-Cert, and Server-Cert, then gets replaced with the contents of the passed in pkcs12 file. This leads to problems with connecting to the PKI-CA when running ipa-replica-prepare:
Creating SSL certificate for the dogtag Directory Server
ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
I think instead of starting over, the new certs should be added to the NSS db.
We might just drop the feature altogether; see https://fedorahosted.org/freeipa/ticket/3151
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=910900
Dup of #3151. We will just remove the feature as listed.
We have decided to not retire this functionality (i.e. close #3151) as it may be very useful in some scenarios and fix it instead.
Move all uncompleted tickets to next month bucket.
I'll investigate this.
You might want to take a look at the related issue #3360. I'm very interested in getting this working, so let me know if there is anything I can do to help. I've just installed 6.4 and will be testing with that.
Is there actually code checked in somewhere that can be looked at/tested?
Patches are on the freeipa-devel list. For your convenience I also pushed them to Github: https://github.com/encukou/freeipa/tree/3363-pkcs (branch 3363-pkcs)
Just a point of clarification. Installing with:
ipa-server-install -r NWRA.COM -n nwra.com --root-ca-file=STAR_cora_nwra_com.ca-bundle --dirsrv_pkcs12=cora.nwra.com.p12 --dirsrv_pin=XXX --http_pkcs12=cora.nwra.com.p12 --http_pin=XXX --idstart=8000
I get:
Done configuring directory server (dirsrv).
Could not find a CA cert in cora.nwra.com.p12
Is there a reason that the CA cert needs to be in the pkcs12 file if you are also specifying it with --root-ca-file?
I installed with the CA cert added to the .p12 files just fine. Things look good so far. More testing tomorrow. Thanks!
Thanks for testing! I sent a patch addressing this problem to the list, and to the Github branch (please pull with --force).
Had to clean up some conflicts, but diff with origin/3363-pkcs is clean. Install without the CA in the pkcs12 file seems to work now.
# certutil -L -d /etc/dirsrv/slapd-NWRA-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           CT,C,
*.cora.nwra.com - COMODO CA Limited                          u,u,u
When I log into the web UI as "admin" I get a box saying:
s is undefined
Nothing but SUCCESS in /var/log/httpd/error_log. After clicking OK, things seem fine.
The Web UI currently assumes that the cert-* commands are always available. Petr Voborník is working on a patch.
Changing title to reflect the solution, not the symptom.
Moving unfinished March tickets to April milestone.
master:
40b4faa Web UI: Disable cert functionality if a CA is not available
67c7bd3 ipa-client-install: Do not request host certificate if server is CA-less
a4b88ca Do not call cert-* commands in host plugin if a RA is not available
1bc892c Load the CA cert into server NSS databases
03a2c66 Support installing with custom SSL certs, without a CA
a03aba5 dsinstance, httpinstance: Don't hardcode 'Server-Cert'
ac06a28 Trust CAs from PKCS#12 files even if they don't have Friendly Names
1e86378 ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil wrapper
5fd68e3 Remove unused ipapython.certdb.CertDB class
34aa490 ipa-server-install: Remove the --selfsign option
9c215b6 ipa-server-install: Make temporary pin files available for the whole installation
Minor fix - Hide 'New Certificate' action in Web UI
Metadata Update from @orion:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 3.2 - 2013/04 (Beta)