701325 – Unable to Download Certificate with Browser

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 701325 - Unable to Download Certificate with Browser

Summary: Unable to Download Certificate with Browser

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	750914
TreeView+	depends on / blocked

Reported:	2011-05-02 15:24 UTC by Niranjan Mallapadi Raghavender
Modified:	2015-01-04 23:48 UTC (History)
CC List:	5 users (show)
Fixed In Version:	ipa-2.1.3-3.el6
Doc Type:	Bug Fix
Doc Text:	Cause: The X509v3 certificate in a host or service record in the Web UI was not properly formatted so was not easily usable. Consequence: One could not simply cut-and-paste the certificate and use it in PEM format. Fix: Convert the certificate from base64 into PEM format. Result: A certificate can be cut-and-pasted and used in PEM format.
Clone Of:
Environment:
Last Closed:	2011-12-06 18:21:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-06 01:23:31 UTC

Description Niranjan Mallapadi Raghavender 2011-05-02 15:24:21 UTC

Description of problem:

From Firefox Browser installed on RHEL6.1 IPA server, unable to donwload the Client Cert (Certificate for Host) . 

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-16.el6.x86_64
firefox-3.6.15-2.el6_0.x86_64

How reproducible:
1. kinit admin
2. firefox&
3. Click on Identity->Host-> Add a host-
4. Post the CSR and once signed, click on Get to copy and past the Certificate. 

5. run the openssl x509 -in file.crt -noout -text 

The actual result is:
openssl x509 -in dhcp210-7.crt -noout -text
unable to load certificate
140453227505480:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:807:


When selecting all from the browser and pasting it on text file, the CR/LF characters are not there , which makes the file unsable, so the only option is to run  the below command 


$ipa host-show  dhcp210-7.gsslab.pnq.redhat.com --out dhcp210-7.crt
  
Expected results:

The Enterprise IPA should provide a better method to download the certificate from browser.

Comment 2 Rob Crittenden 2011-05-02 18:47:16 UTC

https://fedorahosted.org/freeipa/ticket/1201

Comment 3 Rob Crittenden 2011-10-21 15:38:55 UTC

fixed upstream

master: 9a039acb224ab3dd6c739f141233000b50c28e6f
ipa-2-1: 9b7639a89df70bdd5cbc29c0393ebe53395e566f

Comment 6 Rob Crittenden 2011-10-31 18:22:12 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: The X509v3 certificate in a host or service record in the Web UI was not properly formatted so was not easily usable.
Consequence: One could not simply cut-and-paste the certificate and use it in PEM format.
Fix: Convert the certificate from base64 into PEM format.
Result: A certificate can be cut-and-pasted and used in PEM format.

Comment 7 Niranjan Mallapadi Raghavender 2011-11-07 09:19:32 UTC

Thanks for fixing this bug

1. I had verified the fix by  Adding the host from web-ui first 

2. Created certificate request for the host using the below command 
$openssl genrsa 1024 > juno.key

$openssl req -new -key juno.key -out juno.csr 

3. Submit the CSR , by following the below procedure
Login as admin to the web-ui->host-> select the host added, click on "New Certificate" and paste the CSR  created using step-2

4. Once Signed click on Get "To get the Certificate" , Copy the Contents and 
verify it using 
$openssl x509 -in <file-name> -noout -text

Thanks
Niranjan

Comment 8 Gowrishankar Rajaiyan 2011-11-07 10:08:36 UTC

Thanks Niranjan for confirming this. 


1. openssl genrsa 1024 > sideswipe.key
2. openssl req -new -key sideswipe.key -out sideswipe.csr
3. Submit the CSR , by following the below procedure
Login as admin to the web-ui->host-> select the host added, click on "New
Certificate" and paste the CSR  created using step-2
4. Once Signed click on Get "To get the Certificate" , Copy the Contents and 
verify it using 

openssl x509 -in shanks.sideswipe --noout -text
[root@sideswipe ~]# openssl x509 -in shanks.sideswipe -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=LAB.ENG.PNQ.REDHAT.COM, CN=Certificate Authority
        Validity
            Not Before: Nov  7 10:02:54 2011 GMT
            Not After : Nov  7 10:02:54 2013 GMT
        Subject: O=LAB.ENG.PNQ.REDHAT.COM, CN=sideswipe.lab.eng.pnq.redhat.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:93:15:de:70:13:38:e5:c0:ae:aa:3c:39:95:2e:
                    37:d7:97:f5:b4:98:04:e0:19:0b:25:04:3f:72:a7:
                    92:ea:2f:8e:63:a3:f1:ce:60:c6:58:2d:cb:07:fc:
                    be:bc:00:ee:cb:e7:bc:79:e3:38:db:17:74:28:0a:
                    66:7d:d8:07:6d:0d:9c:44:13:bb:4b:c0:3d:e3:99:
                    6b:0a:4a:44:32:02:a3:76:a7:c6:40:79:f9:4d:18:
                    c0:3a:cc:d0:1e:fe:79:02:6d:72:fa:cb:df:b5:85:
                    34:78:6c:e6:af:74:20:c2:4e:18:9d:e9:2d:85:13:
                    d4:c5:88:3c:79:8e:4f:f5:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:1A:1A:3B:30:D9:CB:C1:FB:B6:42:10:D2:9F:F6:DA:FD:A0:48:1C:C0

            Authority Information Access: 
                OCSP - URI:http://decepticons.lab.eng.pnq.redhat.com:80/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
        d1:af:85:c9:b1:31:d4:16:01:50:a7:67:95:06:ca:e4:ed:bc:
        2a:cf:0e:dc:f5:0f:cc:26:a5:94:05:e6:8b:b7:60:07:34:48:
        9a:4d:1f:02:81:7e:27:ad:b9:de:66:dc:58:49:d7:2e:85:1b:
        84:a8:67:bd:ae:bb:ee:54:40:78:96:a9:df:5f:99:f3:d0:b6:
        1b:66:35:87:db:7f:f0:2e:22:f7:cd:17:1b:f8:37:0c:33:9a:
        82:2c:f9:4a:0f:c3:e7:26:3f:cd:11:79:61:7e:40:a6:7d:9d:
        98:75:fb:c6:70:ff:65:0c:31:73:1b:34:76:f6:bf:74:89:cb:
        ba:10:f7:13:3f:fa:98:a5:38:97:16:ee:65:af:a0:8e:43:a5:
        12:87:b1:67:6b:ba:ed:ed:26:44:44:5d:f4:f4:72:96:b7:63:
        57:e3:7a:d7:95:a3:fc:33:1e:f4:2d:0d:ce:00:ef:6e:23:72:
        02:17:c7:0a:57:68:8e:c9:8c:17:af:44:c3:2b:e1:d6:be:dd:
        93:a0:a2:9e:58:6e:69:79:bf:f7:25:58:23:8b:31:35:dd:71:
        f9:7e:3d:e5:35:3f:a2:3b:ea:92:9e:3f:00:31:da:20:bd:a2:
        5c:cf:71:7f:3f:b7:74:5e:ba:06:4d:91:85:c9:b5:a3:0b:58:
        f4:9e:50:55
[root@sideswipe ~]# 

Verified.
[root@decepticons ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@decepticons ~]#

Comment 9 errata-xmlrpc 2011-12-06 18:21:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.