#5956 ocsp responer url should aways contain ipa-ca hostname instead of master hostnames.
Closed: Fixed None Opened 7 years ago by tscherf.

Service certificates installed during IPA setup:

# certutil -d /etc/dirsrv/slapd-VIRT-TUXGEEK-DE/ -L -n "Server-Cert" -a|openssl x509 -noout -ocsp_uri
http://ipa-ca.virt.tuxgeek.de/ca/ocsp

# certutil -d /etc/httpd/alias/ -L -n "Server-Cert" -a|openssl x509 -noout -ocsp_uri
http://ipa-ca.virt.tuxgeek.de/ca/ocsp

All other certificates have a different ocsp responder url.

IPA CA certificate installed during IPA setup:

# certutil -d /etc/dirsrv/slapd-VIRT-TUXGEEK-DE/ -L -n "VIRT.TUXGEEK.DE IPA CA" -a|openssl x509 -noout -ocsp_uri
http://fed02.virt.tuxgeek.de:80/ca/ocsp

Service certificate requested manually using caIPAserviceCert profile:

# openssl x509 -in /tmp/certs/server.crt -noout -ocsp_uri
http://fed02.virt.tuxgeek.de:80/ca/ocsp

User certificate requested manually using custom profile which is more or less
identical to the caIPAserviceCert profile. Basically only exKeyUsageOIDs differ
between those two profiles:

# openssl x509 -in tscherf.crt -noout -ocsp_uri
http://fed02.virt.tuxgeek.de:80/ca/ocsp

# ipa dnsrecord-show virt.tuxgeek.de ipa-ca
 Record name: ipa-ca
 A record: 192.168.122.160, 192.168.122.150

Basically the ipa-ca hostname is only used for service certificates issued at IPA install time. All certificates issued afterwards use the first master hostname in the ocsp url.

For the CA certificate related part, the following ticket might be related:

https://fedorahosted.org/freeipa/ticket/3466


For certificates, with the caIPAserviceCert profile,
is this not a case of #5881?

For custom profiles, Dogtag will put into the certificate whatever is
defined in the profile. I guess the customer copied the caIPAserviceCert
profile at a time when it was incorrect.

For the CA certificates, this is (as far as I can tell) not a regression,
and something that will take a fair bit of work to address. I would
agree that it is related to / in scope of #3466.

Fraser, the custom profile is based on the caIPAserviceCert profile. Only OIDs for EKU have been adjusted. The profile has been created on a fresh F23 installation, with latest freeipa package. What do you mean with "[...] copied the caIPAserviceCert profile at a time when it was incorrect."?

Thorsten, I mean that if the caIPAservice had the incorrect OCSP URI due to
a manifestation of #5881, then creating a new profile based on that (bad)
config would also have the same OCSP problems. Is there only a single
IPA server in the topology, or are there multiple replicating masters?

Could you provide a copy of the affected profile configuration (either
caIPAserviceCert, or the custom profile, or both)?

For other readers, this is the full list of certs on a replica with CA. Reproduced with master from last week.

# certutil -d /etc/pki/pki-tomcat/alias/ -L -n "ocspSigningCert cert-pki-ca" -a | openssl x509 -noout -ocsp_uri
http://ipa1.example.test:80/ca/ocsp

# certutil -d /etc/pki/pki-tomcat/alias/ -L -n "subsystemCert cert-pki-ca" -a | openssl x509 -noout -ocsp_uri
http://ipa1.example.test:80/ca/ocsp

# certutil -d /etc/pki/pki-tomcat/alias/ -L -n "caSigningCert cert-pki-ca" -a | openssl x509 -noout -ocsp_uri
http://ipa1.example.test:80/ca/ocsp

# certutil -d /etc/pki/pki-tomcat/alias/ -L -n "auditSigningCert cert-pki-ca" -a | openssl x509 -noout -ocsp_uri
http://ipa1.example.test:80/ca/ocsp

# certutil -d /etc/httpd/alias/ -L -n "ipaCert" -a | openssl x509 -noout -ocsp_uri
http://ipa1.example.test:80/ca/ocsp

# certutil -d /etc/pki/pki-tomcat/alias/ -L -n "Server-Cert cert-pki-ca" -a | openssl x509 -noout -ocsp_uri
http://ipa1.example.test:80/ca/ocsp



# certutil -d /etc/httpd/alias/ -L -n "Server-Cert" -a | openssl x509 -noout -ocsp_uri
http://ipa-ca.example.test/ca/ocsp

# certutil -d /etc/dirsrv/slapd-EXAMPLE-TEST/ -L -n "Server-Cert" -a | openssl x509 -noout -ocsp_uri
http://ipa-ca.example.test/ca/ocsp

Hi Fraser,

see here what I did on my test system.

# rpm -q freeipa-server
freeipa-server-4.2.4-1.fc23.x86_64

# mkdir /tmp/certs
# chcon -t cert_t /tmp/certs
# ipa-getcert request -f /tmp/certs/server.crt /tmp/certs/server.key -T caIPAserviceCert
New signing request "20160621110617" added.

# openssl x509 -in /tmp/certs/server.crt -noout -ocsp_uri 
http://fed01.virt.tuxgeek.de:80/ca/ocsp

I use the default caIPAserviceCert profile that comes with freeipa-server-4.2.4-1. I need to check if this changed in master in the meantime.

# locate caIPAserviceCert.cfg|xargs grep ocsp
/usr/share/ipa/profiles/caIPAserviceCert.cfg:policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http//$IPA_CA_RECORD.$DOMAIN/ca/ocsp

In the profile that is used by IPA, the ocsp_responder URL doesn't seem to be customized though:

# ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg
# grep ocsp caIPAserviceCert.cfg
#

Thorston, the symptoms described are very much those of #5881. There has not
been a release on the ipa-4-2 branch after the fix for #5881 was merged.
Seeing the full config as yielded by certprofile-show will either strengthen
my case or blow it out of the water :)

Other certificates mentioned in this ticket, e.g. Dogtag subsystem certs,
use other profiles shipped with Dogtag, not caIPAserviceCert. The issue
should be fixed but it is not a regression.

I've added the default profile I used to create the service certificates after installation time.

Thanks Thorsten; that pretty much confirms that that is #5881.

The scope of this ticket now reduces to fixing the other issue (CA
subsystem certs, etc).

Should be implemented as one the first items in 4.4.1.

master:

  • 45daffa Set default OCSP URI on install and upgrade

The dogtag part is included in Dogtag 10.3.3-3 therefore lowering dep.

master:

  • 49389ed spec: require Dogtag >= 10.3.3-3

Metadata Update from @tscherf:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.4.1

6 years ago

Login to comment on this ticket.

Metadata