#7158 Unable to export PKCS #12 file: java.io.IOException: IssuerAlternativeNameExtension: netscape.security.x509.GeneralNamesException: No data available in passed DER encoded value
Closed: invalid 6 years ago Opened 6 years ago by gabrielstein.

Hi All!

I'm trying to create a setup, ipa1(master) and ipa2(replica). I just added a self-signed certificate on master using the instructions from URL: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Servers(both)

Distro: CentOS
Version: 7.4.1708 (Core)

rpm output

ipa1 master

#rpm -qa | grep ipa
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
ipa-common-4.5.0-21.el7.centos.1.2.noarch
python-ipaddress-1.0.16-2.el7.noarch
python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
sssd-ipa-1.15.2-50.el7_4.2.x86_64
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
ipa-client-4.5.0-21.el7.centos.1.2.x86_64
ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
libipa_hbac-1.15.2-50.el7_4.2.x86_64
python-iniparse-0.4-9.el7.noarch
python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch

ipa2 replica

# rpm -qa | grep ipa
libipa_hbac-1.15.2-50.el7_4.2.x86_64
python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
ipa-client-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
python-iniparse-0.4-9.el7.noarch
python-ipaddress-1.0.16-2.el7.noarch
python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
ipa-common-4.5.0-21.el7.centos.1.2.noarch
sssd-ipa-1.15.2-50.el7_4.2.x86_64
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
ipa-client-common-4.5.0-21.el7.centos.1.2.noarch

Scenario

I just installed ipa-server on ipa1 without DNS (I already have an external DNS). As the FreeIPA version is 4.5.x and the domain level is 1, I can't use the prepare step anymore, so I installed the client on ipa2 (replica) and used ipa-replica-install --setup-ca.

Logs

/var/log/ipareplica-install.log

2017-09-18T12:50:29Z DEBUG stderr=
2017-09-18T12:50:29Z DEBUG Starting external process
2017-09-18T12:50:29Z DEBUG args=/usr/bin/certutil -d /tmp/tmpYPFuns -A -n <DOMAIN-EDITED> IPA CA -t CT,C,C -f /tmp/tmpYPFuns/pwdfile.txt
2017-09-18T12:50:29Z DEBUG Process finished, return code=0
2017-09-18T12:50:29Z DEBUG stdout=
2017-09-18T12:50:29Z DEBUG stderr=
2017-09-18T12:50:29Z DEBUG Starting external process
2017-09-18T12:50:29Z DEBUG args=/usr/bin/certutil -d /tmp/tmpYPFuns -A -n <NICKNAME> -t C,, -f /tmp/tmpYPFuns/pwdfile.txt
2017-09-18T12:50:29Z DEBUG Process finished, return code=0
2017-09-18T12:50:29Z DEBUG stdout=
2017-09-18T12:50:29Z DEBUG stderr=
2017-09-18T12:50:29Z DEBUG Starting external process
2017-09-18T12:50:29Z DEBUG args=/usr/bin/PKCS12Export -d /tmp/tmpYPFuns -p /tmp/tmpYPFuns/pwdfile.txt -w /tmp/tmpYPFuns/crtpwfile -o /tmp/tmp6aSoiJipa/cacert.p12
2017-09-18T12:50:29Z DEBUG Process finished, return code=1
2017-09-18T12:50:29Z DEBUG stdout=
2017-09-18T12:50:29Z DEBUG stderr=SCHWERWIEGEND: Unable to export PKCS #12 file: java.io.IOException: IssuerAlternativeNameExtension: netscape.security.x509.GeneralNamesException: No data available in passed DER encoded value.

2017-09-18T12:50:29Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1461, in install
    ca.install(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 205, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 246, in install_step_0
    replica_config.dirman_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 208, in get_ca_keys
    self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 196, in __get_keys
    '-o', cacerts_file])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))

2017-09-18T12:50:29Z DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/bin/PKCS12Export -d /tmp/tmpYPFuns -p /tmp/tmpYPFuns/pwdfile.txt -w /tmp/tmpYPFuns/crtpwfile -o /tmp/tmp6aSoiJipa/cacert.p12' returned non-zero exit status 1
2017-09-18T12:50:29Z ERROR Command '/usr/bin/PKCS12Export -d /tmp/tmpYPFuns -p /tmp/tmpYPFuns/pwdfile.txt -w /tmp/tmpYPFuns/crtpwfile -o /tmp/tmp6aSoiJipa/cacert.p12' returned non-zero exit status 1
2017-09-18T12:50:29Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

When I check the files in /tmp, there is nothing there.

Questions

  • How can I install the replica successfully?
  • Should I do an additional step on certificate installation on master?
  • Can I reset the certificates on master and try it again?
  • Or I will need to reinstall everything again?
  • Do you need more logs?

TIA.

Gab


Hi Gabriel,

Thanks for the detailed report. Did you deploy FreeIPA with the --external-ca option?
Would you be able to provide a copy of the CA certificate for inspection? (Feel free to email
me directly if you prefer not to attach it to the ticket).

No, I installed the certificates after the installation.

# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
# ipa-server-certinstall -w -d mysite.key mysite.crt
# systemctl restart httpd.service
# systemctl restart dirsrv@MY-REALM.service

Yes, I will do that. Where can I send it?

@gabrielstein my email address is ftweedal@redhat.com.

@gabrielstein the problem is that your CA certificate has an empty Issuer Alternative Name
extension. Issuer Alt Name value is defined by RFC 5280 as:

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

But yours is an empty sequence, therefore the certificate is malformed. The FreeIPA master
handles this OK, but the /usr/bin/PKCS12Export program, which is used during
replica installation, does not.

You should re-issue the CA certificate either without this extension, or with at least one
issuer alt name. Use the same key, subject key identifier and Subject DN so that it will
be regarded as the same CA and you will not need to re-issue any other certificates.
Then you can import it using ipa-cacert-manage install and execute ipa-certupdate.

After that, hopefully the replica installation will work!
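
The defect described above can be checked before the certificate is handed to ipa-cacert-manage. The following is an added example (my code, not FreeIPA's or Dogtag's): a small pure-stdlib DER walker that locates the Issuer Alternative Name extension (OID 2.5.29.18) in a certificate and reports whether it is absent, present with at least one name, or the empty SEQUENCE that RFC 5280 forbids. The `make_sample_cert` helper builds a constructed, unsigned, structurally minimal certificate so the check can be run offline; it is not a real CA certificate, and the hostname `ca.example.test` is an assumption.

```python
"""Added example (not FreeIPA/Dogtag code): report whether a certificate's
Issuer Alternative Name extension is absent, present, or an empty SEQUENCE
(RFC 5280: GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName).
Pure stdlib; no signature or chain validation is performed."""
import base64
import re
import sys

OID_ISSUER_ALT_NAME = "2.5.29.18"


def read_tlv(data, pos):
    """Decode one DER tag-length-value at pos. Returns (tag, value, next_pos)."""
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509 and not supported")
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("invalid DER length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:end], end


def children(body):
    """Split the contents of a constructed element into (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


def decode_oid(raw):
    """Dotted form of an OID's content octets (first octet < 120, fine for 2.5.29.x)."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def pem_to_der(data):
    """Accept PEM (what ipa-cacert-manage install takes) or raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def find_extension(cert_der, oid):
    """Return the extnValue octets of the extension with `oid`, or None if absent."""
    _, cert_body, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs_body, _ = read_tlv(cert_body, 0)        # tbsCertificate is the first member
    for tag, value in children(tbs_body):
        if tag != 0xA3:                            # extensions [3] EXPLICIT Extensions
            continue
        _, ext_list, _ = read_tlv(value, 0)
        for _, ext in children(ext_list):          # Extension ::= SEQUENCE {oid, [critical], value}
            parts = children(ext)
            if decode_oid(parts[0][1]) == oid:
                return parts[-1][1]                # OCTET STRING contents
    return None


def issuer_alt_name_status(cert):
    """'absent' | 'empty' (malformed per RFC 5280) | 'present'."""
    value = find_extension(pem_to_der(cert), OID_ISSUER_ALT_NAME)
    if value is None:
        return "absent"
    tag, names, _ = read_tlv(value, 0)             # IssuerAltName ::= GeneralNames
    if tag != 0x30:
        raise ValueError("IssuerAltName value is not a SEQUENCE")
    return "empty" if not children(names) else "present"


def der(tag, body):
    """Minimal DER encoder for the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_cert(ian_names=None):
    """Constructed, unsigned, structurally minimal v3 'certificate' (not a real CA).
    ian_names=None omits the extension; [] emits the empty SEQUENCE seen in this ticket."""
    empty_name = der(0x30, b"")
    sha256_rsa = der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.11")))
    tbs = [der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), sha256_rsa, empty_name,
           der(0x30, der(0x17, b"170918000000Z") + der(0x17, b"270918000000Z")), empty_name,
           der(0x30, der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.1")) + der(0x05, b""))
               + der(0x03, b"\x00"))]                                  # SPKI placeholder
    exts = [der(0x30, der(0x06, encode_oid("2.5.29.19")) + der(0x01, b"\xff")
                + der(0x04, der(0x30, der(0x01, b"\xff"))))]           # basicConstraints CA:TRUE
    if ian_names is not None:
        names = b"".join(der(0x82, n.encode("ascii")) for n in ian_names)  # dNSName [2]
        exts.append(der(0x30, der(0x06, encode_oid(OID_ISSUER_ALT_NAME)) + der(0x04, der(0x30, names))))
    tbs.append(der(0xA3, der(0x30, b"".join(exts))))
    return der(0x30, der(0x30, b"".join(tbs)) + sha256_rsa + der(0x03, b"\x00"))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_cert([])
    print(issuer_alt_name_status(data))  # "empty" for the built-in sample
```

Run it as `python3 check_ian.py ca.crt` against the PEM you intend to import; anything other than `absent` or `present` means the CA certificate should be re-issued (same key, Subject DN and Subject Key Identifier, as described above) before ipa-replica-install will get past PKCS12Export.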

Hi!

Thanks a lot!

I'm going on vacation now and will test it at the beginning of October. I will use this time to think about whether it is better to change the CA or even create a new one with SHA256/SHA512 and do it right from the beginning.

All the best to down under!

Gabriel

@gabrielstein you can re-issue the CA cert with a new signature digest algorithm and
it is still "the same CA". Only if you change the Subject DN, Subject Public Key Info or
Subject Key Identifier will things get complicated.

Enjoy your vacation and try not to spend too much time thinking about work :)

@ftweedal Hello!

Well, I'm back. It's hard not to think about problems when you are a sysadmin. :)

I looked at my CA and, after analysing it, I decided to make a new one, because there are other problems behind it, like maintenance (create/renew/revoke).

I will leave the old servers using the old CA and migrate it along the way.

My solution:

I installed a Datadog instance to create the external certificates for FreeIPA, and I would use FreeIPA as a CA too (yes, I know, FreeIPA includes Datadog).

The installation of both FreeIPA servers worked perfectly, and replication too.

I have some questions:

  • Should I use FreeIPA as a CA too? Or should I use only the main Datadog server to do that?

  • Can I use Datadog/FreeIPA to manage e-mail (MIME) certificates too?

Thanks a lot!

All the best!

Gabriel

@gabrielstein hi.

Should you use the FreeIPA CA or Dogtag? It is better to think about it this way: what does
Dogtag offer that FreeIPA does not? Right now, the answer mostly boils down to: HSM, token processing, and more control over issuance workflow (e.g. request queues, agent roles, ability to issue certs to arbitrary subjects rather than only known principals in the FreeIPA DB, etc).

If you only want to issue certs to services/hosts/users recorded in FreeIPA, and you do not need HSM, then the FreeIPA CA will meet your needs.

Yes, you can issue S/MIME certificates with FreeIPA - you just need to create a custom profile to set the appropriate Extended Key Usage values, etc.

Based on our earlier discussion are you happy for me to close out this issue? You can direct any further questions to the freeipa-users@lists.fedorahosted.org mailing list.

Hi @ftweedal

Yes, you can close the issue. I will subscribe to the mailing list and ask there.

Thanks a lot!

Metadata Update from @ftweedal:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

6 years ago
