Service certificates installed during IPA setup:
# certutil -d /etc/dirsrv/slapd-VIRT-TUXGEEK-DE/ -L -n "Server-Cert" -a|openssl x509 -noout -ocsp_uri http://ipa-ca.virt.tuxgeek.de/ca/ocsp # certutil -d /etc/httpd/alias/ -L -n "Server-Cert" -a|openssl x509 -noout -ocsp_uri http://ipa-ca.virt.tuxgeek.de/ca/ocsp
All other certificates have a different ocsp responder url.
IPA CA certificate installed during IPA setup:
# certutil -d /etc/dirsrv/slapd-VIRT-TUXGEEK-DE/ -L -n "VIRT.TUXGEEK.DE IPA CA" -a|openssl x509 -noout -ocsp_uri http://fed02.virt.tuxgeek.de:80/ca/ocsp
Service certificate requested manually using caIPAserviceCert profile:
# openssl x509 -in /tmp/certs/server.crt -noout -ocsp_uri http://fed02.virt.tuxgeek.de:80/ca/ocsp
User certificate requested manually using custom profile which is more or less identical to the caIPAserviceCert profile. Basically only exKeyUsageOIDs differ between those two profiles:
# openssl x509 -in tscherf.crt -noout -ocsp_uri http://fed02.virt.tuxgeek.de:80/ca/ocsp # ipa dnsrecord-show virt.tuxgeek.de ipa-ca Record name: ipa-ca A record: 192.168.122.160, 192.168.122.150
Basically the ipa-ca hostname is only used for service certificates issued at IPA install time. All certificates issued afterwards use the first master hostname in the ocsp url.
For the CA certificate related part, the following ticket might be related:
https://fedorahosted.org/freeipa/ticket/3466
For certificates, with the caIPAserviceCert profile, is this not a case of #5881?
For custom profiles, Dogtag will put into the certificate whatever is defined in the profile. I guess the customer copied the caIPAserviceCert profile at a time when it was incorrect.
For the CA certificates, this is (as far as I can tell) not a regression, and something that will take a fair bit of work to address. I would agree that it is related to / in scope of #3466.
Fraser, the custom profile is based on the caIPAserviceCert profile. Only OIDs for EKU have been adjusted. The profile has been created on a fresh F23 installation, with latest freeipa package. What do you mean with "[...] copied the caIPAserviceCert profile at a time when it was incorrect."?
Thorsten, I mean that if the caIPAservice had the incorrect OCSP URI due to a manifestation of #5881, then creating a new profile based on that (bad) config would also have the same OCSP problems. Is there only a single IPA server in the topology, or are there multiple replicating masters?
Could you provide a copy of the affected profile configuration (either caIPAserviceCert, or the custom profile, or both)?
For other readers, this is the full list of certs on a replica with CA. Reproduced with master from last week.
# certutil -d /etc/pki/pki-tomcat/alias/ -L -n "ocspSigningCert cert-pki-ca" -a | openssl x509 -noout -ocsp_uri http://ipa1.example.test:80/ca/ocsp # certutil -d /etc/pki/pki-tomcat/alias/ -L -n "subsystemCert cert-pki-ca" -a | openssl x509 -noout -ocsp_uri http://ipa1.example.test:80/ca/ocsp # certutil -d /etc/pki/pki-tomcat/alias/ -L -n "caSigningCert cert-pki-ca" -a | openssl x509 -noout -ocsp_uri http://ipa1.example.test:80/ca/ocsp # certutil -d /etc/pki/pki-tomcat/alias/ -L -n "auditSigningCert cert-pki-ca" -a | openssl x509 -noout -ocsp_uri http://ipa1.example.test:80/ca/ocsp # certutil -d /etc/httpd/alias/ -L -n "ipaCert" -a | openssl x509 -noout -ocsp_uri http://ipa1.example.test:80/ca/ocsp # certutil -d /etc/pki/pki-tomcat/alias/ -L -n "Server-Cert cert-pki-ca" -a | openssl x509 -noout -ocsp_uri http://ipa1.example.test:80/ca/ocsp # certutil -d /etc/httpd/alias/ -L -n "Server-Cert" -a | openssl x509 -noout -ocsp_uri http://ipa-ca.example.test/ca/ocsp # certutil -d /etc/dirsrv/slapd-EXAMPLE-TEST/ -L -n "Server-Cert" -a | openssl x509 -noout -ocsp_uri http://ipa-ca.example.test/ca/ocsp
Hi Fraser,
see here what I did on my test system.
# rpm -q freeipa-server freeipa-server-4.2.4-1.fc23.x86_64 # mkdir /tmp/certs # chcon -t cert_t /tmp/certs # ipa-getcert request -f /tmp/certs/server.crt /tmp/certs/server.key -T caIPAserviceCert New signing request "20160621110617" added. # openssl x509 -in /tmp/certs/server.crt -noout -ocsp_uri http://fed01.virt.tuxgeek.de:80/ca/ocsp
I use the default caIPAserviceCert profile that comes with freeipa-server-4.2.4-1. I need to check if this changed in master in the meantime.
# locate caIPAserviceCert.cfg|xargs grep ocsp /usr/share/ipa/profiles/caIPAserviceCert.cfg:policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http//$IPA_CA_RECORD.$DOMAIN/ca/ocsp
In the profile that is used by IPA, the ocsp_responder URL doesn't seem to be customized though:
# ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg # grep ocsp caIPAserviceCert.cfg #
Thorston, the symptoms described are very much those of #5881. There has not been a release on the ipa-4-2 branch after the fix for #5881 was merged. Seeing the full config as yielded by certprofile-show will either strengthen my case or blow it out of the water :)
Other certificates mentioned in this ticket, e.g. Dogtag subsystem certs, use other profiles shipped with Dogtag, not caIPAserviceCert. The issue should be fixed but it is not a regression.
caIPAserviceCert default profile caIPAserviceCert.cfg
I've added the default profile I used to create the service certificates after installation time.
Thanks Thorsten; that pretty much confirms that that is #5881.
The scope of this ticket now reduces to fixing the other issue (CA subsystem certs, etc).
Should be implemented as one the first items in 4.4.1.
master:
The dogtag part is included in Dogtag 10.3.3-3 therefore lowering dep.
Metadata Update from @tscherf: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.4.1
Login to comment on this ticket.