#5603 error installing ca-less master with a wildcard http certificate
Closed: Invalid. Opened 8 years ago by ofayans.

When I am using a wildcard http certificate during master installation, the command fails:

ipa-server-install --http-cert-file http.p12 --dirsrv-cert-file dirsrv.p12 --ca-cert-file root.pem --ip-address <server_ip> -r <realm_name> -n <domain_name> -p <dm_pass> -a <admin_pass> --setup-dns --forwarder <forwarder_ip> --domain-level 1 --http-pin <http_cert_password> --dirsrv-pin <dirsrv_cert_password> -U

returns

ipa.ipapython.install.cli.install_tool(Server): ERROR    The server certificate in http.p12 is not valid: invalid for server <server_name>
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Steps to reproduce:
1. Export the following environmental variables:
- domain - domain name
- server1 - master hostname
- server2 - replica hostname
- client - client hostname
- dbdir - name of the certificate database folder (will be created)
- crl_path - a folder for crl files (will be created)
- dirman_password
2. Run the attached script to generate the set of certificates
3. export wildcard CA cert: {{{pk12util -o http.p12 -n "ca1/wildcard" -d "<dbdir>" -K "<cert_password>" -W "<dirman_password>"}}}
4. export server cert: {{{ pk12util -o "http.p12" -n "ca1/server" -d "<dbdir>" -K "<cert_password>" -W "<dirman_password>" }}}
5. export pem file: {{{certutil -L -d "<dbdir>" -n "ca1" -a > root.pem}}}
6. install the server with the command listed in the description

Expected results: Installation successful
Actual results: Installation fails


This ticket is out of scope of 4.4.0 release. Moving to 4.4.1. Note that 4.4.1 needs to be triaged, therefore not everything will be implemented.

This issue is blocking existing execution of WebUI tests in Jenkins, which rely on a wildcard certificate (Subject: O=IPA, CN=*.domain.com):

ipa.ipapython.install.cli.install_tool(Server): ERROR    The server certificate in star-cert.p12 is not valid: invalid for server host.subdomain.domain.com
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The error message comes from {{{cert.verify_hostname(hostname)}}}, which is {{{nss.nss.Certificate.verify_hostname()}}}. The method calls https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/sslcrt.html#__CERT_VerifyCertName_ to verify that the hostname is supported by the cert.

Your hostname {{{host.subdomain.domain.com}}} does not match {{{*.domain.com}}}. A wildcard matches only one label, not two or more labels. See https://tools.ietf.org/search/rfc6125#section-7.2

PS: RFC 6125 also forbids multiple wildcards in a hostname. CN is also deprecated. You have to add multiple SAN dNSName extensions for {{{*.domain.com}}} and {{{*.subdomain.domain.com}}}.
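The matching rule described in the two comments above, as an added stand-alone illustration (this is not FreeIPA, python-nss or NSS code, and the certificate identities are constructed sample values modelled on the ticket, not the reporter's actual certificate): a single wildcard may only stand as the whole leftmost label and covers exactly one label, so {{{*.domain.com}}} covers {{{host.domain.com}}} but not {{{host.subdomain.domain.com}}}; and once a certificate carries SAN dNSName entries, the subject CN is not consulted at all, which is why the fix is to add a dNSName for each sub-zone the server may live in.

```python
"""Hostname verification for an installer-supplied HTTP certificate.

Hypothetical illustration (not FreeIPA or python-nss code) of the RFC 6125
matching rule that CERT_VerifyCertName enforces and that made the install fail.
"""

# Constructed sample identities, modelled on the ticket's description.
TICKET_CERT = {"subject_cn": "*.domain.com", "san_dnsnames": []}
FIXED_CERT = {
    "subject_cn": "*.domain.com",
    "san_dnsnames": ["*.domain.com", "*.subdomain.domain.com"],
}


def dnsname_matches(pattern, hostname):
    """Return True if a dNSName/CN pattern covers hostname (RFC 6125 s6.4.3).

    Strict reading: a wildcard is allowed only as the entire leftmost label,
    covers exactly one label, and must leave at least two literal labels to
    its right. Comparison is case-insensitive; a trailing dot is ignored.
    """
    plabels = pattern.rstrip(".").lower().split(".")
    hlabels = hostname.rstrip(".").lower().split(".")
    if "" in plabels or "" in hlabels:
        return False  # empty label: malformed name, never matches
    if "*" not in pattern:
        return plabels == hlabels  # literal name, exact label-by-label match
    if pattern.count("*") != 1 or plabels[0] != "*" or len(plabels) < 3:
        return False  # "f*o.domain.com", "*.*.domain.com" and "*.com" refused
    if len(plabels) != len(hlabels):
        return False  # one wildcard never spans "host.subdomain"
    return plabels[1:] == hlabels[1:]


def cert_valid_for_host(cert, hostname):
    """Pick the identities that count and report whether one matches.

    Per RFC 6125 s6.4.4, once a certificate carries SAN dNSName entries the
    subject CN is not consulted at all; the CN is only a deprecated fallback.
    """
    candidates = cert["san_dnsnames"] or [cert["subject_cn"]]
    source = "SAN dNSName" if cert["san_dnsnames"] else "subject CN (deprecated)"
    for name in candidates:
        if dnsname_matches(name, hostname):
            return True, f"{hostname} matched {name} from {source}"
    return False, f"invalid for server {hostname}: checked {source} {candidates}"


if __name__ == "__main__":
    for cert, host in [
        (TICKET_CERT, "host.subdomain.domain.com"),  # the failing install
        (TICKET_CERT, "host.domain.com"),            # what *.domain.com covers
        (FIXED_CERT, "host.subdomain.domain.com"),   # after adding the SAN
    ]:
        ok, why = cert_valid_for_host(cert, host)
        print("OK  " if ok else "FAIL", why)
```

Running it prints FAIL for the ticket's combination, OK for a single-label host under the wildcard, and OK again once the second dNSName is present; the same check applied before exporting the PKCS#12 file would have caught the mismatch before ipa-server-install did.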

Closing the ticket as invalid (see cheimes's comments above). Solution is to generate a proper wildcard certificate matching the full domain name except the leftmost label or use appropriate DNS names in SAN extensions.

Metadata Update from @ofayans:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4.2

7 years ago

master:

  • 284658e test_caless: remove xfail in wildcard certificate tests
