Bug 829086
Summary: | ipa-replica-install using pkcs12 files failed with TLS hostname does not match CN in peer certificate | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Scott Poore <spoore> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED NOTABUG | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 6.3 | CC: | mkosek |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2012-06-07 16:28:50 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Scott Poore
2012-06-05 22:27:28 UTC
Using gpg|tar, I extracted files working and broken and compared.

```
gpg -d replica-info-qe-blade-11.testrelm.com.gpg | tar xvf -
```

For one, the system/automatically generated ones did not have pins set?

```
[root@qe-blade-11 shm]# diff -r realm_info.works realm_info.bad
...
diff -r realm_info.works/dirsrv_pin.txt realm_info.bad/dirsrv_pin.txt
1c1
<
---
> XXXXXXXX
diff -r realm_info.works/http_pin.txt realm_info.bad/http_pin.txt
1c1
<
---
> XXXXXXXX
...
```

For another, some files are missing?

```
[root@qe-blade-11 shm]# ls realm_info.works realm_info.bad
realm_info.bad:
ca.crt  configure.jar  dirsrv_pin.txt  dogtagcert.p12  dscert.p12  http_pin.txt  httpcert.p12  preferences.html  pwdfile.txt  pwdfile.txt.orig  realm_info

realm_info.works:
ca.crt  cacert.p12  configure.jar  dirsrv_pin.txt  dogtagcert.p12  dscert.p12  http_pin.txt  httpcert.p12  preferences.html  pwdfile.txt  pwdfile.txt.orig  ra.p12  realm_info
```

Rob Crittenden

If I'm reading this correctly there are two problems.

1. You can't copy certificates from one machine and expect them to work on another. That is likely the source of the hostname not matching but I'd need to see the output to be sure. On a given machine the CN of the cert needs to match the hostname.

2. It appears that you created PKCS#12 files containing just a public cert but not a private key. What you want to do is create a temporary NSS database, generate a CSR and use ipa cert-request to generate a certificate. Then use pk12util to create the files from that temporary NSS database.

Note that in the real world #2 won't work because in order to install a replica the host cannot already exist. In order to create a certificate a service must exist, which requires a host. So the sequence looks like this:

```
ipa host-add foo
ipa cert-request --add --principal=HTTP/foo <CSR>
<various PKCS#12 commands>
...
ipa-replica-install ...
[ fail, host foo exists, delete it]
ipa host-del foo
```

The certs you pre-created are now revoked. This will work in a test environment though as we don't do CRL checking by default.

Scott Poore

Rob, thanks. I was able to get this working per your suggestion with the following:

```sh
# HTTP service certificate: temporary NSS database, CSR, IPA-issued cert, PKCS#12 export
mkdir /tmp/httpcert
cd /tmp/httpcert
echo "mytestnoisefile: asflasdfjl@#R%W@t4tlkihjhaldkhjetralkjakdlasdfsadgfag4lk<F4>^W@%lkj" > noise.txt
echo "$ADMINPW" > pwdfile.txt
certutil -d . -N -f pwdfile.txt
certutil -R -s "CN=$SLAVE,O=$RELM" -d . -a -z noise.txt -f pwdfile.txt > $SLAVE.csr
ipa cert-request $SLAVE.csr --add --principal=http/$SLAVE > ipa-cert-request.http.$SLAVE.tmp
wget http://$MASTER/ipa/config/ca.crt
certutil -A -d . -n 'IPA CA' -t CT,, -a < ca.crt
ipa service-show http/$SLAVE --out=$SLAVE.crt
# importing the issued cert into the database that holds the key pairs it with the private key
certutil -A -n $SLAVE -d . -t u,u,u -a < $SLAVE.crt
certutil -L -d . -n $SLAVE -a > httpdcacert.asc
pk12util -o http_pkcs.p12 -d . -n $SLAVE -w pwdfile.txt -k pwdfile.txt

# LDAP (dirsrv) service certificate: same steps with the ldap/ principal
mkdir /tmp/ldapcert
cd /tmp/ldapcert
echo "mytestnoisefile: asflasdfjl@#R%W@t4tlkihjhaldkhjetralkjakdlasdfsadgfag4lk<F4>^W@%lkj" > noise.txt
echo "$ADMINPW" > pwdfile.txt
certutil -d . -N -f pwdfile.txt
certutil -R -s "CN=$SLAVE,O=$RELM" -d . -a -z noise.txt -f pwdfile.txt > $SLAVE.csr
ipa cert-request $SLAVE.csr --add --principal=ldap/$SLAVE > ipa-cert-request.ldap.$SLAVE.tmp
wget http://$MASTER/ipa/config/ca.crt
certutil -A -d . -n 'IPA CA' -t CT,, -a < ca.crt
ipa service-show ldap/$SLAVE --out=$SLAVE.crt
certutil -A -n $SLAVE -d . -t u,u,u -a < $SLAVE.crt
certutil -L -d . -n $SLAVE -a > dirsrvcacert.asc
pk12util -o dirsrv_pkcs.p12 -d . -n $SLAVE -w pwdfile.txt -k pwdfile.txt

# build the replica file from the two PKCS#12 bundles, then remove the temporary host entry
ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $SLAVE \
    --dirsrv_pkcs12=/tmp/ldapcert/dirsrv_pkcs.p12 --dirsrv_pin=$ADMINPW \
    --http_pkcs12=/tmp/httpcert/http_pkcs.p12 --http_pin=$ADMINPW
ipa host-del $SLAVE
```

I was also able to do it using the dscert.p12 and httpcert.p12 files from a normally created gpg file as you suggested. I'm going to close this as NOTABUG. Thanks again