Bug 905066 – CA certificate cannot be specified by nickname [documentation bug]

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 905066 - CA certificate cannot be specified by nickname [documentation bug]

Summary:	CA certificate cannot be specified by nickname [documentation bug]

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	man-pages-overrides (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	low Severity low
Target Milestone:	rc
Target Release:	---
Assigned To:	Peter Schiffer
QA Contact:	Iveta Wiedermann
Docs Contact:

URL:
Whiteboard:
Keywords:	ManPageChange, Patch

Depends On:	696783
Blocks:	1011083
	Show dependency tree / graph

Reported:	2013-01-28 08:58 EST by Kamil Dudka
Modified:	2013-11-21 17:55 EST (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: incorrect documentation about loading CA certificates by nickname when using curl program with NSS Consequence: incorrect documentation Fix: update the documentation about loading CA certificates with NSS Result: correct documentation
Story Points:	---
Clone Of:	696783
Environment:
Last Closed:	2013-11-21 17:55:29 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
backport of upstream commit 11dde6ac (2.14 KB, patch) 2013-01-28 09:05 EST, Kamil Dudka	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1695	normal	SHIPPED_LIVE	man-pages-overrides bug fix and enhancement update	2013-11-20 16:52:14 EST

Groups: None (edit)

Description Kamil Dudka 2013-01-28 08:58:02 EST

+++ This bug was initially created as a clone of Bug #696783 +++

Trying to use curl with NSS to do client authentication against a cert-controlled webpage.

[ckannan@localhost test]$ echo $SSL_DIR
/home/ckannan/curl/test

[ckannan@localhost test]$ ls *.db
cert8.db  key3.db  secmod.db
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

testnick                                                     P,,  
OCSP Administrator of Instance pki-ocsp's pkisilentdomain ID u,u,u
TKS Administrator of Instance pki-tks's pkisilentdomain ID   u,u,u
mach1.idm.lab.bos.redhat.com                                 ,,   
VeriSign Class 3 Extended Validation SSL CA                  ,,   
wiki.idm.lab.bos.redhat.com                                  ,,   
GeoTrust SSL CA                                              ,,   
mach1.idm.lab.bos.redhat.com #2                              ,,   
Certificate Authority - pkisilentdomain                      CT,C,C
CA Administrator of Instance pki-ca's pkisilentdomain ID     u,u,u
KRA Administrator of Instance pki-kra's pkisilentdomain ID   u,u,u
RA Administrator's pkisilentdomain ID                        u,u,u
TPS Administrator's pkisilentdomain ID                       u,u,u
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ curl -v  --cert "CA Administrator of Instance pki-ca's pkisilentdomain ID" --cacert "Certificate Authority - pkisilentdomain" --data-urlencode "xmlOutput=true" --data-urlencode "reqCompleted=true" --data-urlencode "reqType=enrollment" --data-urlencode "maxCount=20" "https://mach1.idm.lab.bos.redhat.com:9443/ca/agent/ca/queryReq"
* About to connect() to mach1.idm.lab.bos.redhat.com port 9443 (#0)
*   Trying 10.16.96.53... connected
* Connected to mach1.idm.lab.bos.redhat.com (10.16.96.53) port 9443 (#0)
* Initializing NSS with certpath: /home/ckannan/curl/test
* NSS error -5978
* Closing connection #0
* Problem with the SSL CA cert (path? access rights?)
curl: (77) Problem with the SSL CA cert (path? access rights?)
[ckannan@localhost test]$

--- Additional comment from Kamil Dudka on 2011-04-14 22:41:27 CEST ---

You cannot specify a CA certificate by nickname.

--- Additional comment from Kamil Dudka on 2013-01-28 14:36:46 CET ---

upstream commit:

https://github.com/bagder/curl/commit/11dde6ac

Comment 1 Kamil Dudka 2013-01-28 09:05:27 EST

Created attachment 688994 [details]
backport of upstream commit 11dde6ac

Comment 8 errata-xmlrpc 2013-11-21 17:55:29 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1695.html

Note You need to log in before you can comment on or make changes to this bug.