Bug 905066 - CA certificate cannot be specified by nickname [documentation bug]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: man-pages-overrides
Version: 6.4
Hardware: Unspecified Unspecified
Priority: low Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: Peter Schiffer
QA Contact: Iveta Wiedermann
Keywords: ManPageChange, Patch
Depends On: 696783
Blocks: 1011083
Reported: 2013-01-28 08:58 EST by Kamil Dudka
Modified: 2013-11-21 17:55 EST

Doc Type: Bug Fix
Doc Text:
Cause: incorrect documentation about loading CA certificates by nickname when using curl program with NSS
Consequence: incorrect documentation
Fix: update the documentation about loading CA certificates with NSS
Result: correct documentation
Clone Of: 696783
Last Closed: 2013-11-21 17:55:29 EST


Attachments
backport of upstream commit 11dde6ac (2.14 KB, patch)
2013-01-28 09:05 EST, Kamil Dudka
Description Kamil Dudka 2013-01-28 08:58:02 EST
+++ This bug was initially created as a clone of Bug #696783 +++

Trying to use curl with NSS to do client authentication against a cert-controlled webpage.

[ckannan@localhost test]$ echo $SSL_DIR
/home/ckannan/curl/test

[ckannan@localhost test]$ ls *.db
cert8.db  key3.db  secmod.db
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

testnick                                                     P,,  
OCSP Administrator of Instance pki-ocsp's pkisilentdomain ID u,u,u
TKS Administrator of Instance pki-tks's pkisilentdomain ID   u,u,u
mach1.idm.lab.bos.redhat.com                                 ,,   
VeriSign Class 3 Extended Validation SSL CA                  ,,   
wiki.idm.lab.bos.redhat.com                                  ,,   
GeoTrust SSL CA                                              ,,   
mach1.idm.lab.bos.redhat.com #2                              ,,   
Certificate Authority - pkisilentdomain                      CT,C,C
CA Administrator of Instance pki-ca's pkisilentdomain ID     u,u,u
KRA Administrator of Instance pki-kra's pkisilentdomain ID   u,u,u
RA Administrator's pkisilentdomain ID                        u,u,u
TPS Administrator's pkisilentdomain ID                       u,u,u
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ curl -v  --cert "CA Administrator of Instance pki-ca's pkisilentdomain ID" --cacert "Certificate Authority - pkisilentdomain" --data-urlencode "xmlOutput=true" --data-urlencode "reqCompleted=true" --data-urlencode "reqType=enrollment" --data-urlencode "maxCount=20" "https://mach1.idm.lab.bos.redhat.com:9443/ca/agent/ca/queryReq"
* About to connect() to mach1.idm.lab.bos.redhat.com port 9443 (#0)
*   Trying 10.16.96.53... connected
* Connected to mach1.idm.lab.bos.redhat.com (10.16.96.53) port 9443 (#0)
* Initializing NSS with certpath: /home/ckannan/curl/test
* NSS error -5978
* Closing connection #0
* Problem with the SSL CA cert (path? access rights?)
curl: (77) Problem with the SSL CA cert (path? access rights?)
[ckannan@localhost test]$

--- Additional comment from Kamil Dudka on 2011-04-14 22:41:27 CEST ---

You cannot specify a CA certificate by nickname.

--- Additional comment from Kamil Dudka on 2013-01-28 14:36:46 CET ---

upstream commit:

https://github.com/bagder/curl/commit/11dde6ac
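
Added example, not part of the original report or of curl: a preflight helper that catches the mistake shown in the session above, a nickname passed to --cacert, by exporting the named certificate from the NSS database to a PEM file that --cacert can take. The function name resolve_cacert is hypothetical; it assumes certutil (NSS tools) is installed and uses $SSL_DIR as the database directory, as the report does.

```shell
#!/bin/sh
# resolve_cacert ARG [NSS_DB_DIR]
# Prints a file path usable with `curl --cacert`, or fails with a message.
# (Hypothetical helper; not curl's or NSS's own code.)
resolve_cacert() {
    rc_arg=$1
    rc_db=${2:-${SSL_DIR:-.}}

    # A readable file is what --cacert expects: pass it through unchanged.
    if [ -f "$rc_arg" ] && [ -r "$rc_arg" ]; then
        printf '%s\n' "$rc_arg"
        return 0
    fi

    # Otherwise treat ARG as an NSS nickname and export it in PEM form.
    if ! command -v certutil >/dev/null 2>&1; then
        echo "resolve_cacert: '$rc_arg' is not a file and certutil is missing" >&2
        return 1
    fi
    rc_out=$(mktemp "${TMPDIR:-/tmp}/cacert.XXXXXX") || return 1
    # -L list, -n nickname, -a ASCII (PEM) output, -d database directory
    if certutil -L -d "$rc_db" -n "$rc_arg" -a >"$rc_out" 2>/dev/null &&
       grep -q 'BEGIN CERTIFICATE' "$rc_out"; then
        printf '%s\n' "$rc_out"
        return 0
    fi
    rm -f "$rc_out"
    echo "resolve_cacert: no file or NSS nickname '$rc_arg' in $rc_db" >&2
    return 1
}

# Usage with the values from the report (not executed here):
#   ca=$(resolve_cacert "Certificate Authority - pkisilentdomain" "$SSL_DIR") &&
#   curl -v --cacert "$ca" \
#        --cert "CA Administrator of Instance pki-ca's pkisilentdomain ID" \
#        "https://mach1.idm.lab.bos.redhat.com:9443/ca/agent/ca/queryReq"
```

The client certificate can still be given to --cert by nickname, as in the original command; only the CA argument has to be a file. Delete the exported temporary file once the transfer is done.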
Comment 1 Kamil Dudka 2013-01-28 09:05:27 EST
Created attachment 688994
backport of upstream commit 11dde6ac
Comment 8 errata-xmlrpc 2013-11-21 17:55:29 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1695.html
