When installing with externally-signed IPA CA, we do not perform an explicit check that the current time is between the certificate's Not Before and Not After dates. This situation leads to installation failure. The Dogtag debug log indicates the error (see below) but this failure scenario should be detected with graceful failure.
2019-12-04 17:37:39 [main] SEVERE: CertUtils: verifySystemCertsByTag() failed: Invalid certificate caSigningCert cert-pki-ca: NotBefore: Thu Dec 05 06:54:33 IST 2019
java.lang.Exception: Invalid certificate caSigningCert cert-pki-ca: NotBefore: Thu Dec 05 06:54:33 IST 2019
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:976)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:1114)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1237)
    ...
2019-12-04 17:37:41 [main] SEVERE: Servlet [castart] in web application [/ca] threw load() exception
java.security.cert.CertificateNotYetValidException: NotBefore: Thu Dec 05 06:54:33 IST 2019
    at org.mozilla.jss.netscape.security.x509.CertificateValidity.valid(CertificateValidity.java:294)
    at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:485)
    at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:458)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:971)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:1114)
Update ipapython.certdb.verify_ca_cert_validity to check the Not Before / Not After dates and fail gracefully.
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4004 - Issue assigned to cheimes - Issue set to the milestone: FreeIPA 4.8.4
I added checks to CA and server cert checks. Installation now fails gracefully if any cert is not yet valid or will expire in less than an hour. The check makes sure that the cert won't expire in the middle of an installation.
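An added illustration of the validity-window check described in the ticket and in the comment above (example code, not FreeIPA's own ipapython.certdb.verify_ca_cert_validity). It takes the Not Before / Not After timestamps of each certificate (with python-cryptography these are the not_valid_before / not_valid_after attributes, which are naive UTC datetimes; here they are constructed sample values modelled on the timestamps in the Dogtag log), rejects certificates that are not yet valid, already expired, or expiring within the one-hour margin, and collects all problems so the caller can exit with a clear message instead of a Java stack trace. The one-hour margin, the nicknames and the sample dates are assumptions taken from the ticket text.

```python
"""Graceful validity-window check for CA / server certificates.

Added example, not FreeIPA's own code. Mirrors the behaviour described in
the ticket: fail before installation starts if a certificate is not yet
valid, or will expire within a safety margin, so that it cannot expire in
the middle of an installation.
"""
from datetime import datetime, timedelta, timezone

# Assumption: the one-hour margin quoted in the ticket comment.
EXPIRY_MARGIN = timedelta(hours=1)


class CertValidityError(ValueError):
    """Raised with a human-readable message instead of a stack trace."""


def _as_utc(ts: datetime) -> datetime:
    """Treat naive timestamps as UTC (python-cryptography's
    not_valid_before / not_valid_after are naive UTC); convert aware ones."""
    if ts.tzinfo is None:
        return ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def check_validity_window(nickname, not_before, not_after, now=None,
                          margin=EXPIRY_MARGIN):
    """Raise CertValidityError unless not_before <= now < not_after - margin.

    Returns the remaining lifetime (timedelta) when the cert is acceptable.
    """
    not_before = _as_utc(not_before)
    not_after = _as_utc(not_after)
    now = _as_utc(now) if now is not None else datetime.now(timezone.utc)
    fmt = "%Y-%m-%d %H:%M:%S %Z"

    if not_before > not_after:
        raise CertValidityError(
            f"{nickname}: notBefore {not_before:{fmt}} is after notAfter "
            f"{not_after:{fmt}}")
    if now < not_before:
        raise CertValidityError(
            f"{nickname}: not yet valid, notBefore is {not_before:{fmt}} but the "
            f"current time is {now:{fmt}}; check the system clock or wait")
    if now >= not_after:
        raise CertValidityError(
            f"{nickname}: expired, notAfter was {not_after:{fmt}}")
    remaining = not_after - now
    if remaining < margin:
        raise CertValidityError(
            f"{nickname}: expires in {remaining}, less than the {margin} margin "
            f"needed to complete the installation")
    return remaining


def check_certs(certs, now=None, margin=EXPIRY_MARGIN):
    """Check every (nickname, not_before, not_after) triple and return the
    list of problems, so the installer can report them all and exit cleanly."""
    errors = []
    for nickname, not_before, not_after in certs:
        try:
            check_validity_window(nickname, not_before, not_after,
                                  now=now, margin=margin)
        except CertValidityError as exc:
            errors.append(str(exc))
    return errors


# Constructed sample data, modelled on the ticket's log (IST is UTC+05:30):
# the installer ran at 17:37:39 IST on 2019-12-04 while the CA signing
# cert's notBefore was 06:54:33 IST on 2019-12-05.
IST = timezone(timedelta(hours=5, minutes=30))
INSTALL_TIME = datetime(2019, 12, 4, 17, 37, 39, tzinfo=IST)

SAMPLE_CERTS = [
    # Not yet valid: the scenario from the ticket.
    ("caSigningCert cert-pki-ca",
     datetime(2019, 12, 5, 6, 54, 33, tzinfo=IST),
     datetime(2039, 12, 5, 6, 54, 33, tzinfo=IST)),
    # Valid now, but would expire 20 minutes into the installation.
    ("Server-Cert cert-pki-ca",
     datetime(2018, 12, 4, 0, 0, 0, tzinfo=IST),
     INSTALL_TIME + timedelta(minutes=20)),
    # Healthy certificate, given as naive UTC timestamps.
    ("ocspSigningCert cert-pki-ca",
     datetime(2019, 1, 1, 0, 0, 0),
     datetime(2021, 1, 1, 0, 0, 0)),
]

if __name__ == "__main__":
    problems = check_certs(SAMPLE_CERTS, now=INSTALL_TIME)
    for problem in problems:
        print("ERROR:", problem)
    if problems:
        raise SystemExit(1)  # graceful failure, no traceback
    print("all certificates are within their validity window")
```

Note that a not-yet-valid certificate is usually a clock problem rather than a certificate problem, so the message points at the system clock; the expired and expiring-soon branches are kept separate so the operator knows whether renewal or simply re-issuing with a longer lifetime is needed.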
master:
Apart from the ipa-4-8 backport, can we leave this issue open until we also have regression tests for both the not-yet-valid and expires-very-soon scenarios?
ipa-4-8:
I'm leaving the bug open because Fraser wants to improve tests.
Hi @ftweedal are the existing tests sufficient to close this ticket or do you want to add more extensive testing?
@frenaud I do want to add a test specifically for the not-yet-valid scenario. I will try and do that this week.
PR with not-yet-valid test: https://github.com/freeipa/freeipa/pull/4055.
PR-CI seems to be having a problem; the integration test did not run (yet).
Metadata Update from @ftweedal: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)