On Thu, 10 Oct 2019, Kevin Vasko wrote:
So I went back and read, reread, studied what you wrote and I think I'm
following you. I'm really unfamiliar with certs and the tools around them,
so forgive the ignorance.
So what I ended up doing is spinning up a CentOS7 VM and installing
everything on it, adding it to the FreeIPA realm etc. and followed your
instructions/email.
I ran

modutil -dbdir sql:./mozilla/firefox/9zd63dro.default/ -list

It returns the list of PKCS #11 modules like I listed in my previous
email. However, it only showed a single item, "NSS Internal PKCS #11
Module".

To look at what keys it had I ran

certutil -d sql:./mozilla/firefox/9zd63dro.default/ -h "NSS Internal PKCS #11" -L
This seemed like it returned all of the system-wide certs, including my
self-signed internal LAN cert from FreeIPA. Should it have? That's
where I'm getting confused by the comment in your email where you
mentioned the p11-kit-proxy: where it's coming from, how it was
added (if needed), as you said it was providing all of the system-wide
certs?
At this point things took a detour, and I think it's part of my
confusion, which I think is unrelated: I was using Firefox, and all of
the certs are there in the system based on the commands you showed.
However, every time I would visit my HTTP server Firefox would throw a

SEC_ERROR_REVOKED_CERTIFICATE
I pulled my hair out for 2 hours, deleting the .mozilla folder,
recreating it, looking at certs, trying to manually copy certs into the
cert db etc.
Until I got fed up and tried Chrome... I downloaded Chrome, installed it,
ran it, checked the cert db, looked at the certs and verified my
internal cert was listed just like in Firefox. I visited the HTTP server
in Chrome and it worked perfectly. No changes, which I believe is what
you would expect.
I then went and tried the same thing on Ubuntu. I know you mentioned
that I have to add the certs manually as Ubuntu doesn't have the same
functionality. So I just manually added my ipa.crt to Firefox and then
got a

SEC_ERROR_REVOKED_CERTIFICATE

I installed Chrome on the Ubuntu machine and manually imported the ipa.crt
into Chrome, went to the HTTP server and Chrome worked fine.

So now I have no idea where I'm getting this

SEC_ERROR_REVOKED_CERTIFICATE
So now, on a FreeIPA realm-joined host, it seems that:

CentOS 7 -
  Firefox - gets SEC_ERROR_REVOKED_CERTIFICATE
  Chrome  - works out of the box

Ubuntu 18.04 -
  Firefox - gets SEC_ERROR_REVOKED_CERTIFICATE after manually adding the cert
  Chrome  - works after manually adding the ipa.ca cert through the GUI
Is there some obvious reason why Firefox would throw that error message
but Chrome wouldn't?
This stuff is making my head spin.
For that host certificate Firefox thinks it is revoked by its issuer.
Did you fiddle with the certificates? Perhaps it would be easier to
find out what certificate that is and check its status in IPA, or with whoever
issued it.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
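The diagnostic step suggested above, identifying the certificate the server presents and checking its revocation status both at the OCSP responder the certificate names (the check Firefox makes before reporting SEC_ERROR_REVOKED_CERTIFICATE) and in IPA, as an added helper script that is not part of the thread. It assumes openssl is installed, the server is reachable, and, for the IPA lookup, an enrolled host with the IPA CA at /etc/ipa/ca.crt and the ipa CLI available.

```sh
#!/bin/sh
# Added diagnostic helper, not code from the thread. Assumptions: 'openssl' is
# installed, the server is reachable, and on an enrolled host the IPA CA cert
# is at /etc/ipa/ca.crt and the 'ipa' CLI is available.
set -eu

# Save the leaf certificate the server actually presents (PEM to a file).
fetch_leaf_cert() {
  host=$1; out=$2; port=${3:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -out "$out"
}

# openssl prints the serial as hex ("serial=0A"); 'ipa cert-show' wants decimal.
# printf converts serials up to 63 bits, which covers the sequential serials
# Dogtag issues by default; larger random serials need bc or similar.
serial_hex_to_dec() {
  hex=$(printf '%s' "$1" | sed 's/^serial=//; s/://g')
  printf '%d\n' "0x$hex"
}

# Query the OCSP responder named in the certificate's AIA extension, using the
# issuing CA both as the issuer and as the trust anchor for the response.
ocsp_status() {
  leaf=$1; issuer=${2:-/etc/ipa/ca.crt}
  uri=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
  [ -n "$uri" ] || { echo "no OCSP URI in certificate" >&2; return 1; }
  openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$uri" -CAfile "$issuer"
}

# Usage: sh check-cert.sh <hostname> [port]
if [ -n "${1:-}" ]; then
  fetch_leaf_cert "$1" /tmp/leaf.pem "${2:-443}"
  openssl x509 -in /tmp/leaf.pem -noout -subject -issuer -serial
  serial=$(serial_hex_to_dec "$(openssl x509 -in /tmp/leaf.pem -noout -serial)")
  ocsp_status /tmp/leaf.pem || true
  # Cross-check against what the IPA CA itself records for that serial.
  ipa cert-show "$serial"
fi
```

If OCSP reports "revoked" but IPA shows the serial as valid, the server is presenting a different (older, possibly reissued) certificate than the one you expect, which is what the subject/serial line is there to reveal.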