pki-server-10.5.1-1.fc27.noarch
freeipa-server-4.6.1-3.fc27.x86_64

openssl genrsa -out privkey.pem 2048
openssl req -new -key privkey.pem -out server_req.csr

ipa cert-request server_req.csr --principal=HTTP/thehost.win.lan
ipa cert-show <serial id from above> --out=server_cert.csr
Shouldn't one get a DNS entry from the output below?

[root@]# openssl x509 -in server_cert.csr -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 40 (0x28)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = WIN.LAN, CN = Certificate Authority
        Validity
            .....
        Subject: O = WIN.LAN, CN = myhost.win.lan
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    .....
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                .....
            Authority Information Access:
                OCSP - URI:http://ipa-ca.win.lan/ca/ocsp
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ipa-ca.win.lan/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName:O = ipaca, CN = Certificate Authority
            X509v3 Subject Key Identifier:
                .....
    Signature Algorithm: sha256WithRSAEncryption
         .....
It looks like while upgrade code handles adding new profiles, it does not handle updating default profiles that already exist in LDAP. I'm not sure this is wrong or incorrect because a profile in LDAP could already be modified by an admin to include some specific parameters.
You can upgrade your own caIPAserviceCert profile by
One more thing -- it looks like the change to add SAN dNS entry in the default profile did not extend to cover upgrade profile in 1a35a2e. This is definitely a bug as caIPAserviceCert.UPGRADE.cfg should be kept in sync.
OK, I copied the default profile using:

ipa certprofile-mod caIPAserviceCert --file=/usr/share/ipa/profiles/caIPAserviceCert.cfg

After that I re-ran it:

ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10: signature verification enabled
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10 setting thread token
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10 restoring thread token
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: Repository: in getNextSerialNumber.
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: Repository: checkRange mLastSerialNo=49
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: Repository: getNextSerialNumber: returning retSerial 49
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: setDefaultCertInfo: setting issuerDN using exact CA signing cert subjectDN encoding
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: createEnrollmentRequest 49
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertProcessor: request from RA: ipara
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertProcessor: profileSetid=serverCertSet
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertProcessor: request 49
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertProcessor: populating request inputs
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertReqInput: populate: begins
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertReqInput: populate: cert_request_type= REQ_TYPE_PKCS10
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: Start parsePKCS10(): -----BEGIN CERTIFICATE REQUEST----- ..<snip>. -----END CERTIFICATE REQUEST-----
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10: signature verification enabled
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10 setting thread token
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10 restoring thread token
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: fillPKCS10: begins
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: fillPKCS10: PKCS10 no extension found
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: fillPKCS10: Finish parsePKCS10 - CN=thehost.win.lan,O=Default Company Ltd,L=Default City,ST=YYYYYY,C=XX
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: populate: begins
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: BasicProfile: populate: policy setid =serverCertSet
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollDefault: populate: SubjectNameDefault: start
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
    at java.lang.String.substring(String.java:1967)
    at com.netscape.certsrv.pattern.Pattern.substitute2(Pattern.java:132)
    at com.netscape.cms.profile.def.EnrollDefault.mapPattern(EnrollDefault.java:805)
    at com.netscape.cms.profile.def.SubjectNameDefault.populate(SubjectNameDefault.java:160)
    at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:225)
    at com.netscape.cms.profile.common.BasicProfile.populate(BasicProfile.java:1114)
    at com.netscape.cms.profile.common.EnrollProfile.populate(EnrollProfile.java:2508)
    at com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:375)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96)
    at com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:197)
    at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:155)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:286)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:190)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:186)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.GeneratedMethodAccessor67.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:264)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:190)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:186)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:877)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
[15/nov/2017:22:15:00][CRLIssuingPoint-MasterCRL]: findNextUpdate: fromLastUpdate: true delta: false
[15/nov/2017:22:15:00][CRLIssuingPoint-MasterCRL]: findNextUpdate: Thu Nov 16 01:00:00 CET 2017 delay: 9899179
[15/nov/2017:22:15:00][CRLIssuingPoint-MasterCRL]: CRLIssuingPoint:run(): before CRL generation
[15/nov/2017:22:15:00][CRLIssuingPoint-MasterCRL]: In LdapBoundConnFactory::getConn()
@abbra the fact that caIPAserviceCert.UPGRADE.cfg is not in sync with caIPAserviceCert.cfg is not a bug. It is intended that the upgrade variant does not include newer components like CommonNameToSANDefault because there could be CA replicas at older versions in the topology. See commit 7995518 for more info.
@joob unfortunately the suggested resolution given by Alexander was not correct. The files under /usr/share/ipa/profiles are profile templates and can't be loaded in as-is. This is likely the cause of your error. Hopefully you saved the profile configuration of caIPAserviceCert before updating it with the template. If so, you should modify it according to the procedure outlined in this blog post: https://blog-ftweedal.rhcloud.com/2017/07/implications-of-common-name-deprecation-for-dogtag-and-freeipa/#configuring-commonnametosandefault. Then you can use ipa certprofile-mod to import the modified configuration, which now contains the CommonNameToSANDefault component.
@joob please let me know how you go and then hopefully we can close out this issue as a duplicate of https://pagure.io/freeipa/issue/4970.
@ftweedal, unfortunately I removed the saved profile configuration after setting up the default one.
OK @joob, here is how you must edit the profile template /usr/share/ipa/profiles/caIPAserviceCert.cfg so that it will work:
I. Replace line

policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O

with

policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=WIN.LAN

Especially note the replacement of occurrences of $$ with $.

II. Replace line

policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp

with

policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.win.lan/ca/ocsp

III. Replace line

policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER

with

policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca

IV. Replace line

policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin

with

policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.win.lan/ipa/crl/MasterCRL.bin
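The four edits above are mechanical, and the error earlier in this thread came from loading a template with its placeholders still in it. The script below is an added example (not FreeIPA's, Dogtag's or ftweedal's code) that renders a template excerpt with the values from this thread and refuses to emit a profile that still contains $$ or an unsubstituted variable. The excerpt it renders is constructed for the example, and the rule that every upper-case $NAME token is a template variable while $$ is an escaped literal $ is an assumption modelled on the four steps; the real template may carry other variables, which the script reports rather than guesses.

```python
"""Render a FreeIPA certificate profile template into a loadable profile.

Added example, not FreeIPA's own installer code. Substitutes the template
variables named in this thread, collapses the $$ escape, and checks that
nothing unresolved is left before the result is handed to certprofile-mod.
"""
import re
import sys

# Constructed excerpt in the style of /usr/share/ipa/profiles/caIPAserviceCert.cfg
# (not the real file): the four lines that need substitution plus two
# ordinary lines that must pass through unchanged.
TEMPLATE = """\
profileId=caIPAserviceCert
visible=false
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
"""

# Values for the deployment in this thread: realm WIN.LAN, CA record
# ipa-ca.win.lan, CA subject "CN=Certificate Authority,o=ipaca".
VARIABLES = {
    "SUBJECT_DN_O": "O=WIN.LAN",
    "IPA_CA_RECORD": "ipa-ca",
    "DOMAIN": "win.lan",
    "CRL_ISSUER": "CN=Certificate Authority,o=ipaca",
}

# Assumed template-variable syntax: "$" followed by an upper-case identifier.
# Dogtag's own request patterns ($request.req_subject_name.cn$) are
# lower-case, so they are deliberately left alone.
PLACEHOLDER = re.compile(r"\$([A-Z][A-Z0-9_]*)")


def render_profile(template, variables):
    """Substitute every $VARIABLE, then collapse the $$ escape to a literal $."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            # Fail loudly rather than ship a profile Dogtag cannot parse.
            raise KeyError("no value supplied for template variable $" + name)
        return variables[name]

    rendered = PLACEHOLDER.sub(substitute, template)
    return rendered.replace("$$", "$")


def find_unresolved(profile_text):
    """Return (line number, token) pairs that would make the profile unloadable."""
    issues = []
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        if "$$" in line:
            issues.append((lineno, "$$"))
        for name in PLACEHOLDER.findall(line):
            issues.append((lineno, "$" + name))
    return issues


def main(argv):
    # Usage: python render_profile.py [template.cfg] > caIPAserviceCert.cfg
    # With no argument the constructed excerpt above is rendered.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            template = fh.read()
    else:
        template = TEMPLATE
    profile = render_profile(template, VARIABLES)
    leftovers = find_unresolved(profile)
    if leftovers:
        for lineno, token in leftovers:
            print("line %d: unresolved %s" % (lineno, token), file=sys.stderr)
        return 1
    sys.stdout.write(profile)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Redirect the output to a file and import it with ipa certprofile-mod caIPAserviceCert --file=<rendered file>, as in the thread; running find_unresolved on the raw template first shows exactly which lines would have tripped Dogtag's pattern substitution.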
Awesome, now it's working again + I get SAN entry in certificate. Thanks a lot, really appreciate it!
@joob great, thanks. Closing this as duplicate.
Metadata Update from @ftweedal: - Issue close_status updated to: duplicate