#3713 CRL cannot be downloaded via plain HTTP protocol
Closed: Fixed. Opened 10 years ago by mkosek.

Even though IPA certificates point to MasterCRL.bin over plain HTTP, the request is automatically redirected to HTTPS even though the CRL is signed. This will cause a certificate verification problem when the CA signing the SSL certificate is not trusted:

# openssl x509 -text -in /tmp/cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=IDM.LAB.BOS.REDHAT.COM, CN=Certificate Authority
        Validity
            Not Before: Jun 13 18:20:03 2013 GMT
            Not After : Jun 14 18:20:03 2015 GMT
        Subject: O=IDM.LAB.BOS.REDHAT.COM, CN=testcert.example.com
...
            Authority Information Access: 
                OCSP - URI:http://ipa-ca.idm.lab.bos.redhat.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

            X509v3 Subject Key Identifier: 
                CE:3B:23:0A:AA:5A:18:FF:47:F7:48:C7:81:A8:24:3D:1E:23:05:70
...

# wget http://ipa-ca.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
--2013-06-13 15:19:10--  http://ipa-ca.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
Resolving ipa-ca.idm.lab.bos.redhat.com (ipa-ca.idm.lab.bos.redhat.com)... 10.16.78.119
Connecting to ipa-ca.idm.lab.bos.redhat.com (ipa-ca.idm.lab.bos.redhat.com)|10.16.78.119|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://vm-119.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin [following]
--2013-06-13 15:19:10--  http://vm-119.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
Resolving vm-119.idm.lab.bos.redhat.com (vm-119.idm.lab.bos.redhat.com)... 10.16.78.119
Reusing existing connection to ipa-ca.idm.lab.bos.redhat.com:80.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://vm-119.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin [following]
--2013-06-13 15:19:10--  https://vm-119.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
Connecting to vm-119.idm.lab.bos.redhat.com (vm-119.idm.lab.bos.redhat.com)|10.16.78.119|:443... connected.
ERROR: cannot verify vm-119.idm.lab.bos.redhat.com's certificate, issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
  Self-signed certificate encountered.
To connect to vm-119.idm.lab.bos.redhat.com insecurely, use `--no-check-certificate'.

Related upstream tickets: #3547, #3552
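As an added example (not code from the ticket or from FreeIPA), the Python below shows the point behind this report: a CRL is trusted on the strength of the CA's signature over it, so a relying party can fetch it over plain HTTP and still detect tampering, which is why the redirect to HTTPS adds no integrity and only creates the bootstrapping failure shown above. It assumes the third-party cryptography package and constructs its own CA key, issuer name and revoked serial.

```python
# Added example, not from the FreeIPA ticket or code base. A CRL's integrity
# comes from the CA's signature over it, not from the transport, so a relying
# party can fetch MasterCRL.bin over plain HTTP and still detect tampering.
# Requires the third-party 'cryptography' package; all keys/names are constructed.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

CA_NAME = x509.Name([  # mirrors the CRL Issuer DirName shown in the ticket
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "ipaca"),
    x509.NameAttribute(NameOID.COMMON_NAME, "Certificate Authority"),
])

def build_signed_crl(ca_key, revoked_serials):
    """Issue a DER-encoded CRL signed by the CA key (a stand-in for MasterCRL.bin)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
               .last_update(now).next_update(now + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now).build())
    crl = builder.sign(ca_key, hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)

def check_revocation(crl_der, ca_public_key, serial):
    """Trust the CRL only if its issuer matches and its signature verifies under
    the CA key; then report whether `serial` is listed. None means 'do not use'."""
    crl = x509.load_der_x509_crl(crl_der)
    if crl.issuer != CA_NAME or not crl.is_signature_valid(ca_public_key):
        return None
    return crl.get_revoked_certificate_by_serial_number(serial) is not None

def demo():
    """Constructed scenario: the CA revokes serial 12 (the serial in the ticket)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = ca_key.public_key()
    crl_der = build_signed_crl(ca_key, [12])
    tampered = crl_der[:-1] + bytes([crl_der[-1] ^ 0x01])  # flip a signature byte
    return (check_revocation(crl_der, pub, 12),   # True: 12 is revoked
            check_revocation(crl_der, pub, 13),   # False: 13 is not listed
            check_revocation(tampered, pub, 12))  # None: signature check fails

if __name__ == "__main__":
    print(demo())  # (True, False, None)
```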


Metadata Update from @mkosek:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)

7 years ago
