Bug 905066

Summary: CA certificate cannot be specified by nickname [documentation bug]
Product: Red Hat Enterprise Linux 6
Reporter: Kamil Dudka <kdudka>
Component: man-pages-overrides
Assignee: Peter Schiffer <pschiffe>
Status: CLOSED ERRATA
QA Contact: Iveta Wiedermann <isenfeld>
Severity: low
Priority: low
Version: 6.4
CC: isenfeld, ovasik, pschiffe, tlavigne
Target Milestone: rc
Keywords: ManPageChange, Patch
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
  Cause: incorrect documentation about loading CA certificates by nickname when using curl program with NSS
  Consequence: incorrect documentation
  Fix: update the documentation about loading CA certificates with NSS
  Result: correct documentation
Clone Of: 696783
Last Closed: 2013-11-21 22:55:29 UTC
Bug Depends On: 696783
Bug Blocks: 1011083
Attachments:
  backport of upstream commit 11dde6ac (flags: none)

Description Kamil Dudka 2013-01-28 13:58:02 UTC
+++ This bug was initially created as a clone of Bug #696783 +++

Trying to use curl with NSS to do client authentication against a cert-controlled webpage.

[ckannan@localhost test]$ echo $SSL_DIR
/home/ckannan/curl/test

[ckannan@localhost test]$ ls *.db
cert8.db  key3.db  secmod.db
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

testnick                                                     P,,  
OCSP Administrator of Instance pki-ocsp's pkisilentdomain ID u,u,u
TKS Administrator of Instance pki-tks's pkisilentdomain ID   u,u,u
mach1.idm.lab.bos.redhat.com                                 ,,   
VeriSign Class 3 Extended Validation SSL CA                  ,,   
wiki.idm.lab.bos.redhat.com                                  ,,   
GeoTrust SSL CA                                              ,,   
mach1.idm.lab.bos.redhat.com #2                              ,,   
Certificate Authority - pkisilentdomain                      CT,C,C
CA Administrator of Instance pki-ca's pkisilentdomain ID     u,u,u
KRA Administrator of Instance pki-kra's pkisilentdomain ID   u,u,u
RA Administrator's pkisilentdomain ID                        u,u,u
TPS Administrator's pkisilentdomain ID                       u,u,u
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ curl -v  --cert "CA Administrator of Instance pki-ca's pkisilentdomain ID" --cacert "Certificate Authority - pkisilentdomain" --data-urlencode "xmlOutput=true" --data-urlencode "reqCompleted=true" --data-urlencode "reqType=enrollment" --data-urlencode "maxCount=20" "https://mach1.idm.lab.bos.redhat.com:9443/ca/agent/ca/queryReq"
* About to connect() to mach1.idm.lab.bos.redhat.com port 9443 (#0)
*   Trying 10.16.96.53... connected
* Connected to mach1.idm.lab.bos.redhat.com (10.16.96.53) port 9443 (#0)
* Initializing NSS with certpath: /home/ckannan/curl/test
* NSS error -5978
* Closing connection #0
* Problem with the SSL CA cert (path? access rights?)
curl: (77) Problem with the SSL CA cert (path? access rights?)
[ckannan@localhost test]$

--- Additional comment from Kamil Dudka on 2011-04-14 22:41:27 CEST ---

You cannot specify a CA certificate by nickname.

--- Additional comment from Kamil Dudka on 2013-01-28 14:36:46 CET ---

upstream commit:

https://github.com/bagder/curl/commit/11dde6ac
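
What the report above means in practice, as an added example that is not part of the bug report or of curl: `--cacert` expects a PEM file, so a CA that exists only as a nickname in the NSS database has to be exported before curl can use it. The function names and exit codes are this example's own, and it assumes `certutil` (nss-tools) is installed for the export step.

```shell
#!/bin/sh
# Added example: turn a --cacert value into a PEM file path curl can load.
# resolve_cacert VALUE [NSS_DB_DIR] prints the path to pass to --cacert.

# True if the file contains a PEM certificate header.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' -- "$1" 2>/dev/null
}

resolve_cacert() {
    value=$1
    dbdir=${2:-${SSL_DIR:-.}}   # same database directory curl reports as certpath

    # Case 1: the value is already a readable file; accept it only if it is PEM.
    if [ -f "$value" ] && [ -r "$value" ]; then
        if is_pem_cert "$value"; then
            printf '%s\n' "$value"
            return 0
        fi
        echo "resolve_cacert: $value exists but holds no PEM certificate" >&2
        return 2
    fi

    # Case 2: not a file, so treat it as an NSS nickname and export it.
    if ! command -v certutil >/dev/null 2>&1; then
        echo "resolve_cacert: '$value' is not a file and certutil is unavailable" >&2
        return 3
    fi
    out=$(mktemp "${TMPDIR:-/tmp}/cacert.XXXXXX") || return 4
    # certutil -L -n NICK -a prints the named certificate in ASCII (PEM) form.
    if certutil -L -d "$dbdir" -n "$value" -a >"$out" 2>/dev/null && is_pem_cert "$out"; then
        printf '%s\n' "$out"
        return 0
    fi
    rm -f "$out"
    echo "resolve_cacert: nickname '$value' not found in $dbdir" >&2
    return 5
}

# Usage with the nickname from the report:
#   ca=$(resolve_cacert "Certificate Authority - pkisilentdomain") &&
#       curl --cacert "$ca" ...
```

The exported file is a temporary copy of a public CA certificate; remove it once the transfer is finished.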

Comment 1 Kamil Dudka 2013-01-28 14:05:27 UTC
Created attachment 688994
backport of upstream commit 11dde6ac

Comment 8 errata-xmlrpc 2013-11-21 22:55:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1695.html