#8142 check Not Before / Not After in externally signed CA sanity check
Closed: fixed 2 years ago by ftweedal. Opened 2 years ago by ftweedal.

Request for enhancement

When installing with externally-signed IPA CA, we do not perform an explicit check that the current time is between the certificate's Not Before and Not After dates. This situation leads to installation failure. The Dogtag debug log indicates the error (see below) but this failure scenario should be detected with graceful failure.

2019-12-04 17:37:39 [main] SEVERE: CertUtils: verifySystemCertsByTag() failed: Invalid certificate caSigningCert cert-pki-ca: NotBefore: Thu Dec 05 06:54:33 IST 2019
java.lang.Exception: Invalid certificate caSigningCert cert-pki-ca: NotBefore: Thu Dec 05 06:54:33 IST 2019
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:976)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:1114)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1237)

...

2019-12-04 17:37:41 [main] SEVERE: Servlet [castart] in web application [/ca] threw load() exception
java.security.cert.CertificateNotYetValidException: NotBefore: Thu Dec 05 06:54:33 IST 2019
    at org.mozilla.jss.netscape.security.x509.CertificateValidity.valid(CertificateValidity.java:294)
    at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:485)
    at org.mozilla.jss.netscape.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:458)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:971)
    at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:1114)

Expected behavior

Update ipapython.certdb.verify_ca_cert_validity to check the Not Before / Not After dates and fail gracefully.


Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4004
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.8.4

2 years ago

I added checks to CA and server cert checks. Installation now fails gracefully if any cert is not yet valid or will expire in less than an hour. The check makes sure that the cert won't expire in the middle of an installation.
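As an added illustration (not FreeIPA's own code), the check below enforces what the ticket description and the comment above describe: a certificate whose notBefore is still in the future, or whose notAfter is less than an hour away, is rejected with a readable reason, and all comparisons are made in UTC so an issuer in another time zone (the Dogtag log prints IST) is not misjudged. The one-hour margin is taken from the comment above; the `cryptography` package used by `verify_ca_cert_validity`, the helper names and the sample timestamps are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Minimum lifetime that must remain at install time.  The fix described in this
# ticket uses one hour so the certificate cannot expire mid-installation.
MIN_REMAINING = timedelta(hours=1)
FMT = "%Y-%m-%dT%H:%M:%SZ"

def utc(*ymdhms) -> datetime:
    """Build a UTC-aware timestamp from (year, month, day, hour, minute, second)."""
    return datetime(*ymdhms, tzinfo=timezone.utc)

def _as_utc(ts: datetime) -> datetime:
    """X.509 validity times are UTC: treat naive values as UTC, convert aware ones."""
    return ts.replace(tzinfo=timezone.utc) if ts.tzinfo is None else ts.astimezone(timezone.utc)

def check_validity_window(not_before, not_after, now=None, min_remaining=MIN_REMAINING):
    """Return None if the cert is usable now, otherwise a reason string.

    Comparing in UTC avoids misjudging a certificate whose notBefore was
    produced in another time zone (the Dogtag log in this ticket prints IST).
    """
    now = _as_utc(now if now is not None else datetime.now(timezone.utc))
    nb, na = _as_utc(not_before), _as_utc(not_after)
    if nb > na:
        return f"invalid validity period: notBefore {nb:{FMT}} is after notAfter {na:{FMT}}"
    if now < nb:
        return f"not valid yet: notBefore {nb:{FMT}} is {nb - now} in the future"
    if now >= na:
        return f"expired: notAfter {na:{FMT}}"
    if na - now < min_remaining:
        return f"expires too soon: notAfter {na:{FMT}} is only {na - now} away"
    return None

def verify_ca_cert_validity(pem_data: bytes, now=None):
    """Check a PEM certificate; assumes the 'cryptography' package is installed."""
    from cryptography import x509  # imported lazily so the checks above need no dependency
    cert = x509.load_pem_x509_certificate(pem_data)
    # Newer cryptography releases expose tz-aware accessors; fall back to the naive ones.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return check_validity_window(nb, na, now)

if __name__ == "__main__":
    # Constructed scenario from the log above: notBefore 06:54:33 IST on 2019-12-05
    # (01:24:33 UTC), checked at 17:37:39 IST on 2019-12-04 (12:07:39 UTC).
    nb = utc(2019, 12, 5, 1, 24, 33)
    print(check_validity_window(nb, utc(2029, 12, 5, 1, 24, 33), now=utc(2019, 12, 4, 12, 7, 39)))
```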

master:

  • d30dd52 Check valid before/after of external certs

Apart from the ipa-4-8 backport, can we leave this issue open until we also have regression tests for both the not-yet-valid and expires-very-soon scenarios?

ipa-4-8:

  • 2fc5990 Check valid before/after of external certs

I'm leaving the bug open because Fraser wants to improve tests.

master:

  • 3d779b4 ipatests: assert_error: allow regexp match
  • c4b0cf4 Fix test regressions caused by certificate validation changes

ipa-4-8:

  • 44fca09 ipatests: assert_error: allow regexp match
  • d833b5b Fix test regressions caused by certificate validation changes

Hi @ftweedal
are the existing tests sufficient to close this ticket or do you want to add more extensive testing?

@frenaud I do want to add a test specifically for the not-yet-valid scenario. I will try and do that this week.

PR with not-yet-valid test: https://github.com/freeipa/freeipa/pull/4055.

PR-CI seems to be having a problem; the integration test did not run (yet).

master:

  • 2a2cc96 ipatests: add test for certinstall with notBefore in the future

ipa-4-8:

  • 2531010 (HEAD) ipatests: add test for certinstall with notBefore in the future

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
