#7267 No SAN in certificate generated by Fedora 27
Closed: duplicate 6 years ago Opened 6 years ago by joob.

pki-server-10.5.1-1.fc27.noarch
freeipa-server-4.6.1-3.fc27.x86_64

openssl genrsa -out privkey.pem 2048
openssl req -new -key privkey.pem -out server_req.csr

ipa cert-request server_req.csr --principal=HTTP/thehost.win.lan
ipa cert-show <serial id from above> --out=server_cert.csr

Shouldn't one get a DNS entry from the output below?
[root@]# openssl x509 -in server_cert.csr -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 40 (0x28)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = WIN.LAN, CN = Certificate Authority
        Validity
            .....
        Subject: O = WIN.LAN, CN = myhost.win.lan
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    .....
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                .....

            Authority Information Access:
                OCSP - URI:http://ipa-ca.win.lan/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.win.lan/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName:O = ipaca, CN = Certificate Authority

            X509v3 Subject Key Identifier:
                .....
    Signature Algorithm: sha256WithRSAEncryption
         .....
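
The question above is whether the issued certificate carries a SAN dNSName or only a Subject CN. The following Python snippet is an added example, not part of this ticket or of FreeIPA: it parses `openssl x509 -noout -text` output and flags certificates that identify their host only by CN. The two inputs are constructed excerpts: the first mirrors the dump above (no SAN), the second is what the same dump would look like with a SAN dNSName present.

```python
import re

# Constructed excerpt of the `openssl x509 -noout -text` output from this ticket:
# a server cert that names its host only in the Subject CN and has no SAN.
CERT_WITHOUT_SAN = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 40 (0x28)
        Issuer: O = WIN.LAN, CN = Certificate Authority
        Subject: O = WIN.LAN, CN = myhost.win.lan
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

# Constructed: the same dump once the CN is also carried as a SAN dNSName.
CERT_WITH_SAN = CERT_WITHOUT_SAN + """\
            X509v3 Subject Alternative Name:
                DNS:myhost.win.lan
"""


def subject_cn(x509_text):
    """CN from the Subject line (None if the line or the CN is absent)."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", x509_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def san_dns_names(x509_text):
    """dNSName entries of the Subject Alternative Name extension ([] when there is no SAN)."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("X509v3 Subject Alternative Name"):
            # openssl prints the names on the following line, comma separated
            for following in lines[i + 1:]:
                if following.strip():
                    return [entry.split(":", 1)[1].strip()
                            for entry in following.split(",")
                            if entry.strip().startswith("DNS:")]
            break
    return []


def audit_server_cert(x509_text):
    """Flag certificates that identify their host only by CN, the situation in this ticket."""
    cn = subject_cn(x509_text)
    dns = san_dns_names(x509_text)
    return {"cn": cn, "san_dns": dns, "cn_only": cn is not None and cn not in dns}


if __name__ == "__main__":
    for label, text in (("without SAN", CERT_WITHOUT_SAN), ("with SAN", CERT_WITH_SAN)):
        print(label, audit_server_cert(text))
```

Run it against `openssl x509 -in server_cert.csr -noout -text` output to see whether the CN is mirrored into a SAN dNSName; a `cn_only` result of `True` is the case described in this ticket.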

It looks like while the upgrade code handles adding new profiles, it does not handle updating default profiles that already exist in LDAP. I'm not sure this is wrong or incorrect, because a profile in LDAP could already have been modified by an admin to include some specific parameters.

You can upgrade your own caIPAserviceCert profile by

  1. Save the current profile: ipa certprofile-show caIPAserviceCert --out caIPAserviceCert-current.profile
  2. Compare it with /usr/share/ipa/profiles/caIPAserviceCert.cfg. Merge changes if needed, or just use the default one.
  3. Load the resulting profile: either the default one from /usr/share/ipa/profiles (ipa certprofile-mod caIPAserviceCert --file=/usr/share/ipa/profiles/caIPAserviceCert.cfg) or the merged file.

One more thing -- it looks like the change to add SAN dNS entry in the default profile did not extend to cover upgrade profile in 1a35a2e. This is definitely a bug as caIPAserviceCert.UPGRADE.cfg should be kept in sync.

OK, I copied the default profile using ipa certprofile-mod caIPAserviceCert --file=/usr/share/ipa/profiles/caIPAserviceCert.cfg

After that I reran

ipa cert-request server_req.csr --principal=HTTP/thehost.win.lan

ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1

[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10: signature verification enabled
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10 setting thread token
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10 restoring thread token
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: Repository: in getNextSerialNumber.
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: Repository: checkRange mLastSerialNo=49
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: Repository: getNextSerialNumber: returning retSerial 49
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: setDefaultCertInfo: setting issuerDN using exact CA signing cert subjectDN encoding
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: createEnrollmentRequest 49
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertProcessor: request from RA: ipara
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertProcessor: profileSetid=serverCertSet
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertProcessor: request 49
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertProcessor: populating request inputs
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertReqInput: populate: begins
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: CertReqInput: populate: cert_request_type= REQ_TYPE_PKCS10
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: Start parsePKCS10(): -----BEGIN CERTIFICATE REQUEST-----
..<snip>.
-----END CERTIFICATE REQUEST-----

[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10: signature verification enabled
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10 setting thread token
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: parsePKCS10 restoring thread token
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: fillPKCS10: begins
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: fillPKCS10: PKCS10 no extension found
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: fillPKCS10: Finish parsePKCS10 - CN=thehost.win.lan,O=Default Company Ltd,L=Default City,ST=YYYYYY,C=XX
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollProfile: populate: begins
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: BasicProfile: populate: policy setid =serverCertSet
[15/nov/2017:22:14:33][ajp-nio-127.0.0.1-8009-exec-8]: EnrollDefault: populate: SubjectNameDefault: start
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
at java.lang.String.substring(String.java:1967)
at com.netscape.certsrv.pattern.Pattern.substitute2(Pattern.java:132)
at com.netscape.cms.profile.def.EnrollDefault.mapPattern(EnrollDefault.java:805)
at com.netscape.cms.profile.def.SubjectNameDefault.populate(SubjectNameDefault.java:160)
at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:225)
at com.netscape.cms.profile.common.BasicProfile.populate(BasicProfile.java:1114)
at com.netscape.cms.profile.common.EnrollProfile.populate(EnrollProfile.java:2508)
at com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:375)
at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188)
at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96)
at com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:197)
at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:155)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:286)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:190)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:186)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at sun.reflect.GeneratedMethodAccessor67.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:264)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:190)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:186)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:877)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
[15/nov/2017:22:15:00][CRLIssuingPoint-MasterCRL]: findNextUpdate: fromLastUpdate: true delta: false
[15/nov/2017:22:15:00][CRLIssuingPoint-MasterCRL]: findNextUpdate: Thu Nov 16 01:00:00 CET 2017 delay: 9899179
[15/nov/2017:22:15:00][CRLIssuingPoint-MasterCRL]: CRLIssuingPoint:run(): before CRL generation
[15/nov/2017:22:15:00][CRLIssuingPoint-MasterCRL]: In LdapBoundConnFactory::getConn()

@abbra the fact that caIPAserviceCert.UPGRADE.cfg is not in sync with caIPAserviceCert.cfg is not a bug. It is intended that the upgrade variant does not include newer components like CommonNameToSANDefault because there could be CA replicas at older versions in the topology. See commit 7995518 for more info.

@joob unfortunately the suggested resolution given by Alexander was not correct. The files under /usr/share/ipa/profiles are profile templates and can't be loaded in as-is. This is likely the cause of your error. Hopefully you saved the profile configuration of caIPAserviceCert before updating it with the template. If so, you should modify it according to the procedure outlined in this blog post: https://blog-ftweedal.rhcloud.com/2017/07/implications-of-common-name-deprecation-for-dogtag-and-freeipa/#configuring-commonnametosandefault. Then you can use ipa certprofile-mod to import the modified configuration, which now contains the CommonNameToSANDefault component.

@joob please let me know how you go and then hopefully we can close out this issue as a duplicate of https://pagure.io/freeipa/issue/4970.

@ftweedal, unfortunately I removed the saved profile configuration after setting up the default one.

OK @joob, here is how you must edit the profile template /usr/share/ipa/profiles/caIPAserviceCert.cfg so that it will work:

I. Replace line

policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O

with

policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=WIN.LAN

Especially note the replacement of occurrences of $$ with $.

II. Replace line

policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp

with

policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.win.lan/ca/ocsp

III. Replace line

policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER

with

policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca

IV. Replace line

policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin

with

policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.win.lan/ipa/crl/MasterCRL.bin
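
Steps I to IV above are a hand rendering of the profile template: the `$$` escapes collapse to `$` and the upper-case placeholders get deployment-specific values. The following Python script is an added example and is not FreeIPA's own template code: it assumes the template follows the escaping rules the steps describe (which is exactly what Python's `string.Template` implements) and uses the values from the edited lines above (`O=WIN.LAN`, `ipa-ca`, `win.lan`, `CN=Certificate Authority,o=ipaca`) as a constructed variable set. It also includes a check for leftover placeholders, since loading an unrendered template is what produced the 500 error earlier in this ticket.

```python
import re
from string import Template

# Constructed excerpt of /usr/share/ipa/profiles/caIPAserviceCert.cfg: the four
# template lines the ticket says must be edited, as they appear on the page.
TEMPLATE_LINES = [
    "policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O",
    "policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp",
    "policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER",
    "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin",
]

# Assumed variable values for the deployment in this ticket, taken from the
# hand-edited lines above; a real deployment substitutes its own realm and domain.
EXAMPLE_VARS = {
    "SUBJECT_DN_O": "O=WIN.LAN",
    "IPA_CA_RECORD": "ipa-ca",
    "DOMAIN": "win.lan",
    "CRL_ISSUER": "CN=Certificate Authority,o=ipaca",
}

# Template placeholders are upper-case $NAME tokens; Dogtag's own runtime
# references ($request.req_subject_name.cn$) are lower-case and must survive.
PLACEHOLDER = re.compile(r"\$[A-Z][A-Z0-9_]*")


def unrendered_placeholders(lines):
    """Sorted names of template variables still present; non-empty means a raw template."""
    found = set()
    for line in lines:
        for match in PLACEHOLDER.finditer(line):
            found.add(match.group(0)[1:])
    return sorted(found)


def render_profile(lines, variables):
    """Apply $$ -> $ and $NAME -> value to each line; refuse to emit an unrendered line."""
    rendered = []
    for line in lines:
        # substitute() raises KeyError when a placeholder has no value
        out = Template(line).substitute(variables)
        if PLACEHOLDER.search(out):
            raise ValueError("unrendered placeholder left in: " + out)
        rendered.append(out)
    return rendered


if __name__ == "__main__":
    print("placeholders in template:", unrendered_placeholders(TEMPLATE_LINES))
    for line in render_profile(TEMPLATE_LINES, EXAMPLE_VARS):
        print(line)
```

Before running `ipa certprofile-mod ... --file=...` on an edited template, `unrendered_placeholders()` over the whole file should return an empty list; the rendered output for the four lines matches the replacement lines in steps I to IV.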

Awesome, now it's working again and I get a SAN entry in the certificate. Thanks a lot, really appreciate it!

@joob great, thanks. Closing this as duplicate.

Metadata Update from @ftweedal:
- Issue close_status updated to: duplicate

6 years ago
