On Fri, 11 Oct 2019, Kevin Vasko wrote:
> So following these instructions I found out that the certs are NOT
> revoked.
> https://serverfault.com/questions/590504/how-do-i-check-if-my-ssl-certifi...
> The one thing I did find is that in Firefox if I uncheck "Query OCSP
> responder servers to confirm the current validity of certificates",
> everything works.
> Why that's a problem with Firefox I'm not sure... I'm still looking into
> it though...
As I said, look at the CA that issued that certificate. If it is marked
as revoked, it would be present in OCSP, and the CA logs would also say
*why* it is revoked.
If this certificate is issued by IPA CA, go to Web UI, Authentication
tab, Certificates, and search there for the certificate serial number
and subject. See the status of it.
On Fri, Oct 11, 2019 at 10:43 AM Kevin Vasko <kvasko(a)gmail.com> wrote:
>
> I'm 100% positive I did nothing with this cert.
>
> To validate, I spun up a brand new machine completely from scratch.
>
> 1. ran yum update
> 2. installed Gnome
> 3. installed ipa with my normal "sudo ipa-client-install
> --domain=example.com --realm=EXAMPLE.COM --enable-dns-updates
> --mkhomedir"
> 4. started Gnome with "startx"
> 5. Went to URL with Firefox, firefox errored with the
> "SEC_ERROR_REVOKED_CERTIFICATE"
> 6. installed chrome
> 7. went to same URL with Chrome, chrome works.
>
> LSB Version: :core-4.1-amd64:core-4.1-noarch
> Distributor ID: CentOS
> Description: CentOS Linux release 7.7.1908 (Core)
> Release: 7.7.1908
> Codename: Core
> Linux testmachine.example.com 3.10.0-1062.1.2.el7.x86_64 #1 SMP Mon Sep 30 14:19:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
> firefox.x86_64 60.9.0-1.el7.centos @updates
> ipa-client.x86_64 4.6.5-11.el7.centos @base
> ipa-client-common.noarch 4.6.5-11.el7.centos @base
> ipa-common.noarch 4.6.5-11.el7.centos @base
> chrome-gnome-shell.x86_64 10.1-4.el7 @base
> google-chrome-stable.x86_64 77.0.3865.120-1 @google-chrome
>
> How can I validate the certificate?
>
> On Fri, Oct 11, 2019 at 12:11 AM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> >
> > On Thu, 10 Oct 2019, Kevin Vasko wrote:
> > >So I went back and read, reread, studied what you wrote and I think I’m
> > >following you. I’m really unfamiliar with certs and the tools around it
> > >so forgive the ignorance.
> > >
> > >So what I ended up doing is spinning up a CentOS7 VM and installing
> > >everything on it, adding it to the FreeIPA realm etc. and followed your
> > >instructions/email.
> > >
> > >I ran the
> > >
> > >modutil -dbdir sql:./mozilla/firefox/9zd63dro.default/ -list
> > >
> > >It returns the list of the PKCS #11 Modules like I listed in my
> > >previous email. However, it only showed a single item “NSS Internal
> > >PKCS #11 Module”.
> > >
> > >To look at what keys it had I ran
> > >
> > >certutil -d sql:./mozilla/firefox/9zd63dro.default/ -h "NSS Internal PKCS #11" -L
> > >
> > >This seemed like it returned all of the system wide certs. Including my
> > >self signed internal lan cert from freeipa. Should it have? That’s
> > >where I’m getting confused with your comment in your email when you
> > >mentioned the p11-kit-proxy and where it’s coming from, how it was
> > >added (if needed) as you said it was providing all of the system wide
> > >certs?
> > >
> > >At this point this is where things took a detour and I think it’s part
> > >of my confusion, which I think is unrelated, but I was using Firefox,
> > >all of the certs are there in the system based on the commands you
> > >showed. However, every time I would visit my http server Firefox would
> > >throw a
> > >
> > >SEC_ERROR_REVOKED_CERTIFICATE
> > >
> > >I pulled my hair out for 2 hours, deleting the .mozilla folder,
> > >recreating it, looking at certs, trying to manually copy certs into the
> > >cert db etc.
> > >
> > >Until I got fed up and tried Chrome... I downloaded Chrome, installed it,
> > >ran it, checked the cert db, looked at the certs and verified my
> > >internal cert was listed just like firefox. I visited the http server
> > >in chrome and it worked perfectly. No changes, which I believe is what
> > >you would expect.
> > >
> > >I then went and tried the same thing on Ubuntu. I know you mentioned
> > >that I have to add the certs manually as Ubuntu doesn’t have the same
> > >functionality. So I just manually added my ipa.crt to firefox and then
> > >got a
> > >
> > >SEC_ERROR_REVOKED_CERTIFICATE
> > >
> > >Installed Chrome on the Ubuntu machine and manually imported the ipa.crt
> > >into Chrome, went to the http server and Chrome worked fine.
> > >
> > >So now I have no idea where I’m getting this
> > >
> > >SEC_ERROR_REVOKED_CERTIFICATE
> > >
> > >So now on a FreeIPA realm-joined host, it seems that:
> > >
> > >CentOS7 -
> > >Firefox - gets a SEC_ERROR_REVOKED_CERTIFICATE
> > >Chrome - works out of the box
> > >
> > >Ubuntu 18.04 -
> > >Firefox - gets SEC_ERROR_REVOKED_CERTIFICATE after manually adding the cert
> > >Chrome - works after manually adding the ipa.ca cert through the GUI.
> > >
> > >Is there some obvious reason why firefox would throw that error message
> > >but Chrome wouldn’t?
> > >
> > >This stuff is making my head spin.
> >
> > For that host certificate Firefox thinks it is revoked by its issuer.
> > Did you fiddle with the certificates? Perhaps, it would be easier to
> > find out what certificate is that and check its status in IPA or whoever
> > issued it?
> >
> >
> > --
> > / Alexander Bokovoy
> > Sr. Principal Software Engineer
> > Security / Identity Management Engineering
> > Red Hat Limited, Finland
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
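Alexander's advice above (ask the issuing CA, via OCSP, whether the certificate is revoked and why) and Kevin's question of how to validate the certificate, as an added example that is not part of the thread: a POSIX shell script that builds a throw-away CA, issues a leaf certificate, and drives openssl's own responder mode from a hand-written index.txt to produce the good / revoked / unknown answers an OCSP-checking client such as Firefox sees, revocation reason included. The CA name, host name, serials, dates and reason are constructed placeholders, and the script assumes openssl and awk are installed.

```shell
#!/bin/sh
# Added example (not from the thread): replay offline what Firefox's OCSP check does,
# using openssl's responder mode fed from a hand-written CA index. All names are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Throw-away CA and a leaf certificate it issues (placeholder names).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Test-CA \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=host.example.test \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out leaf.pem 2>/dev/null
SERIAL=$(openssl x509 -noout -serial -in leaf.pem | cut -d= -f2)
echo 'unique_subject = no' > index.txt.attr

# Write the CA database openssl's responder reads, one line per certificate:
# status<TAB>expiry<TAB>revocation[,reason]<TAB>serial<TAB>file<TAB>subject
# $1 = V (valid) or R (revoked), $2 = serial, $3 = revocation reason when R.
write_index() {
    rev=""
    [ "$1" = R ] && rev="191010000000Z,$3"
    printf '%s\t300101000000Z\t%s\t%s\tunknown\t/CN=host.example.test\n' \
        "$1" "$rev" "$2" > index.txt
}

# Ask the responder about leaf.pem; print "good", "revoked <reason>" or "unknown".
# Against a real CA the middle step is replaced by querying its responder, e.g.
#   openssl ocsp -url "$(openssl x509 -noout -ocsp_uri -in leaf.pem)" ...
ocsp_status() {
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key -CAfile ca.pem \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -CAfile ca.pem -no_nonce \
        2>/dev/null | awk -F': ' '/^leaf.pem: /{s=$2} /Reason:/{s=s " " $2} END{print s}'
}

# The three outcomes a browser can see for the very same certificate.
write_index V "$SERIAL";                good_result=$(ocsp_status)
write_index R "$SERIAL" keyCompromise;  revoked_result=$(ocsp_status)
write_index V 0123456789ABCDEF;         unknown_result=$(ocsp_status)
echo "valid entry:   $good_result"
echo "revoked entry: $revoked_result"
echo "not in index:  $unknown_result"
```

A client that skips OCSP (as Firefox does with the "Query OCSP responder servers" box unchecked) never sees the difference between the second and the first line.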