#5546 FreeIPA enables libpkix in Dogtag, rejecting certificates with no explanation.
Opened 8 years ago by jamesmasson. Modified 7 years ago

Following on from https://fedorahosted.org/pki/ticket/1697

FreeIPA on Centos 7.1

[root@ipa ~]# rpm -qa | sort | egrep "^ipa|^pki|^nss|^jss"
ipa-admintools-4.1.0-18.el7.centos.4.x86_64
ipa-client-4.1.0-18.el7.centos.4.x86_64
ipa-python-4.1.0-18.el7.centos.4.x86_64
ipa-server-4.1.0-18.el7.centos.4.x86_64
jss-4.2.6-36.el7.centos.x86_64
nss-3.19.1-7.el7_1.2.x86_64
nss-debuginfo-3.19.1-7.el7_1.2.x86_64
nss-devel-3.19.1-7.el7_1.2.x86_64
nss-softokn-3.16.2.3-13.el7_1.x86_64
nss-softokn-debuginfo-3.16.2.3-13.el7_1.x86_64
nss-softokn-devel-3.16.2.3-13.el7_1.x86_64
nss-softokn-freebl-3.16.2.3-13.el7_1.x86_64
nss-softokn-freebl-devel-3.16.2.3-13.el7_1.x86_64
nss-sysinit-3.19.1-7.el7_1.2.x86_64
nss-tools-3.19.1-7.el7_1.2.x86_64
nss-util-3.19.1-4.el7_1.x86_64
nss-util-debuginfo-3.19.1-4.el7_1.x86_64
nss-util-devel-3.19.1-4.el7_1.x86_64
pki-base-10.1.2-8.el7.centos.noarch
pki-ca-10.1.2-8.el7.centos.noarch
pki-server-10.1.2-8.el7.centos.noarch
pki-tools-10.1.2-8.el7.centos.x86_64

The IPA install code enables libpkix as part of the install process: https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/cainstance.py#n613

Mozilla have practically disowned this code, in part because it's so opaque in failure: https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification#libpkix

In my case, it's rejecting IPA CA certificates generated from the IPA install-generated CSR. These certificates pass every other test that I can find.

If I patch 'cainstance.py', to stop IPA enabling libpkix, everything works as it should.

Is there a plan to migrate away from libpkix? I'd settle for some official way to disable it in the installer. Is there a reason it's being used right now, instead of the classic one?
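The ticket reports that the same CA certificate passes every check except the libpkix path that the installer switches on, and that the failure comes with no explanation. The script below is an added diagnostic, not FreeIPA or Dogtag code, that makes that comparison explicit: it reads the sysconfig-style file the installer edits to see whether libpkix is switched on, then runs `certutil -V` against the NSS database twice, once with the classic verifier and once with `NSS_ENABLE_PKIX_VERIFY=1`, so a rejection can be attributed to libpkix rather than to the certificate. The assumptions are that `NSS_ENABLE_PKIX_VERIFY` is the variable the installer sets (it is the NSS environment switch for libpkix), that the file holds plain `KEY=VALUE` lines, and that `certutil` from nss-tools is on `PATH`; the database path, nickname and sample output in the block are constructed.

```python
"""Added diagnostic, not part of FreeIPA or Dogtag: verify a certificate in an
NSS database with and without libpkix and report both verdicts side by side.

Assumptions (not from the ticket):
  - the Dogtag sysconfig file is KEY=VALUE text and the installer sets
    NSS_ENABLE_PKIX_VERIFY=1 in it (this is the NSS switch for libpkix);
  - `certutil -V` is available and prints either
    "certutil: certificate is valid." or
    "certutil: certificate is invalid: <reason>".
"""
import os
import re
import subprocess
from typing import Dict, Optional, Tuple

PKIX_VAR = "NSS_ENABLE_PKIX_VERIFY"  # NSS environment variable that enables libpkix


def parse_sysconfig(text: str) -> Dict[str, str]:
    """Parse shell-style KEY=VALUE lines; comments, blanks and 'export' are handled,
    and matching surrounding quotes on a value are stripped."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def libpkix_enabled(sysconfig_text: str) -> bool:
    """True when the sysconfig content switches libpkix on (any value but '' or '0')."""
    return parse_sysconfig(sysconfig_text).get(PKIX_VAR, "0") not in ("", "0")


def parse_certutil_verdict(output: str) -> Tuple[bool, Optional[str]]:
    """Reduce `certutil -V` output to (valid, reason); reason is None when valid."""
    if re.search(r"certificate is valid\.?", output):
        return True, None
    m = re.search(r"certificate is invalid:\s*(.*)", output)
    if m:
        return False, m.group(1).strip() or "no reason given"
    return False, "unrecognised certutil output: " + output.strip()


def verify_cert(dbdir: str, nickname: str, usage: str = "L",
                use_libpkix: bool = False) -> Tuple[bool, Optional[str]]:
    """Run `certutil -V -e` (signature check included) for one certificate.
    usage 'L' asks NSS to validate it as an SSL CA; the env var is cleared
    first so the caller's shell cannot leak libpkix into the 'classic' run."""
    env = dict(os.environ)
    env.pop(PKIX_VAR, None)
    if use_libpkix:
        env[PKIX_VAR] = "1"
    cmd = ["certutil", "-V", "-d", dbdir, "-n", nickname, "-u", usage, "-e"]
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
    return parse_certutil_verdict(proc.stdout + proc.stderr)


def compare_verifiers(dbdir: str, nickname: str, usage: str = "L"):
    """Return {'classic': (valid, reason), 'libpkix': (valid, reason)} so a
    certificate accepted by classic NSS but rejected by libpkix stands out."""
    return {
        "classic": verify_cert(dbdir, nickname, usage, use_libpkix=False),
        "libpkix": verify_cert(dbdir, nickname, usage, use_libpkix=True),
    }


if __name__ == "__main__":
    # Constructed paths/nickname: replace with the real Dogtag instance values.
    sysconfig_path = "/path/to/pki-tomcat-sysconfig"   # placeholder
    try:
        with open(sysconfig_path) as f:
            print("libpkix enabled in sysconfig:", libpkix_enabled(f.read()))
    except OSError as exc:
        print("could not read sysconfig:", exc)
    for mode, (ok, why) in compare_verifiers("/path/to/nssdb", "caSigningCert").items():
        print(f"{mode:8s} -> {'valid' if ok else 'INVALID: ' + str(why)}")
```

Run it on the CA host after pointing the placeholders at the instance's sysconfig file and NSS database; a certificate that reports `valid` under `classic` and `INVALID` under `libpkix` is the situation this ticket describes, and the captured reason (often generic with libpkix) is what to attach to the report rather than the bare rejection.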


Fraser, would you have any idea for this one?

PKIX validation was enabled back when CA certificate renewal was implemented, because it didn't work correctly without it (the renewed CA certificate was not deemed valid by NSS).

It's very possible it can be removed now. (If we do so, we need to bump the minimum required version of NSS to the version where libpkix is no longer necessary for PKIX validation.)

We use certmonger to track and renew these upstream-issued certs; we'll let you know how that works out without libpkix.

Jan, I'm intrigued why the renewed certificate was not deemed valid by NSS when renewal was implemented. Was it a bug in NSS that has (hopefully) since been fixed?

You mention "version [of NSS] where libpkix is no longer necessary for PKIX validation". Do you know which version is needed? I could not tell from the package changelog or the hg log of nss itself.

Metadata Update from @jamesmasson:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

