Hi Team,
I have a vulnerability on port 8443 reported by the Nessus scanner.
I already have a third-party certificate installed on the LDAP and Apache services.
I also have the root and intermediate certificates installed on the pki-tomcat service, as shown below.
The certificate "caSigningCert cert-pki-ca" is the one causing this vulnerability.
Any suggestions to overcome this issue?
[root@aaa01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' |egrep -i 'Issuer:|Subject:'
Issuer: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"
Subject: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"
[root@aaa01 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-EXAMPLE-COM/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CN=*.IPA.EXAMPLE.COM u,u,u
IPA.EXAMPLE.COM IPA CA CT,C,C
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com%5C, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US CT,C,C
[root@aaa01 ~]#
[root@aaa01 ~]#
[root@aaa01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CTu,Cu,Cu
ocspSigningCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com%5C, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US CT,C,C
Scanning Report and Solution Given:
8443 SSL Certificate Cannot Be Trusted: The SSL certificate for this service cannot be trusted.
8443 SSL Self-Signed Certificate: "The SSL certificate chain for this service ends in an unrecognized self-signed certificate."
Solution:
Purchase or generate a proper SSL certificate for this service.
Regards,
Sai
Polavarapu Manideep Sai via FreeIPA-users wrote:
Hi Team,
I have a vulnerability on port 8443 reported by the Nessus scanner.
I already have a third-party certificate installed on the LDAP and Apache services.
I also have the root and intermediate certificates installed on the pki-tomcat service, as shown below.
The certificate caSigningCert cert-pki-ca is the one causing this vulnerability.
Any suggestions to overcome this issue?
Scanners. There is nothing wrong with this CA cert. Self-signed doesn't have to mean "bad".
Nothing outside the IPA machine should even be able to talk to it so it's not a problem even if the CA cert were somehow bad, and it isn't.
You can ignore this.
rob
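To make Rob's point concrete, here is an added Python example (not code from the thread, FreeIPA or Dogtag) that parses the certutil -L trust-attribute listing quoted above and classifies each entry. The sample listing is copied from the message; the flag meanings follow NSS's documented trust semantics (C = trusted CA, T = trusted CA for client auth, u = private key present in this DB, P = trusted peer), so a nickname carrying both C and u is the host's own CA, whose certificate is self-signed by design.

```python
import re
from typing import List, NamedTuple

# Sample input: the pki-tomcat NSS database listing quoted in the thread (constructed copy).
PKI_TOMCAT_LISTING = """\
[root@aaa01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CTu,Cu,Cu
ocspSigningCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
"""

# Three comma-separated NSS trust fields (SSL, S/MIME, object signing), each a set of flag letters.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


class Entry(NamedTuple):
    nickname: str
    ssl: str      # trust flags for the SSL/TLS usage, the one a scanner on port 8443 cares about
    smime: str
    objsign: str


def parse_certutil_listing(text: str) -> List[Entry]:
    """Parse 'certutil -L' output. Nicknames may contain spaces and commas, so the
    trust attributes are taken as the last whitespace-separated token of each line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "Trust Attributes" in line:
            continue  # prompt/command lines and the column header
        nick, _, trust = line.rpartition(" ")
        if not nick or not TRUST_RE.match(trust):
            continue  # e.g. the 'SSL,S/MIME,JAR/XPI' sub-header has no nickname
        ssl, smime, objsign = trust.split(",")
        entries.append(Entry(nick, ssl, smime, objsign))
    return entries


def classify(e: Entry) -> str:
    """Explain what the SSL trust flags say about this entry."""
    if "C" in e.ssl and "u" in e.ssl:
        return "own CA (trusted root with private key; self-signed by design)"
    if "C" in e.ssl:
        return "third-party trust anchor (no private key)"
    if "u" in e.ssl:
        return "end-entity certificate with private key"
    return "other"


def own_ca_nicknames(entries: List[Entry]) -> List[str]:
    """Nicknames whose self-signed root a scanner will report as 'unrecognized'."""
    return [e.nickname for e in entries if classify(e).startswith("own CA")]
```

The flagged "caSigningCert cert-pki-ca" is the only entry that is both a trusted CA and holds its private key: it is the IPA CA itself, which no public scanner trust store will contain.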
freeipa-users@lists.fedorahosted.org