So following these instructions I found out that the certs are NOT revoked.
https://serverfault.com/questions/590504/how-do-i-check-if-my-ssl-certifi...
The one thing I did find is that in Firefox, if I uncheck "Query OCSP
responder servers to confirm the current validity of certificates",
everything works.
Why that's a problem with Firefox I'm not sure... I'm still looking into
it though...
On Fri, Oct 11, 2019 at 10:43 AM Kevin Vasko <kvasko(a)gmail.com> wrote:
>
> I'm 100% positive I did nothing with this cert.
>
> To validate, I spun up a brand new machine completely from scratch.
>
> 1. ran yum update
> 2. installed Gnome
> 3. installed ipa with my normal "sudo ipa-client-install
> --domain=exaple.com --realm=EXAMPLE.COM --enable-dns-updates
> --mkhomedir"
> 4. started Gnome with "startx"
> 5. Went to URL with Firefox, firefox errored with the
> "SEC_ERROR_REVOKED_CERTIFICATE"
> 6. installed chrome
> 7. went to same URL with Chrome, chrome works.
>
> LSB Version: :core-4.1-amd64:core-4.1-noarch
> Distributor ID: CentOS
> Description: CentOS Linux release 7.7.1908 (Core)
> Release: 7.7.1908
> Codename: Core
> Linux testmachine.example.com 3.10.0-1062.1.2.el7.x86_64 #1 SMP Mon Sep 30 14:19:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
> firefox.x86_64 60.9.0-1.el7.centos @updates
> ipa-client.x86_64 4.6.5-11.el7.centos @base
> ipa-client-common.noarch 4.6.5-11.el7.centos @base
> ipa-common.noarch 4.6.5-11.el7.centos @base
> chrome-gnome-shell.x86_64 10.1-4.el7 @base
> google-chrome-stable.x86_64 77.0.3865.120-1
> @google-chrome
>
> How can I validate the certificate?
>
> On Fri, Oct 11, 2019 at 12:11 AM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> >
> > On to, 10 loka 2019, Kevin Vasko wrote:
> > >So I went back and read, reread, studied what you wrote and I think I’m
> > >following you. I’m really unfamiliar with certs and the tools around it
> > >so forgive the ignorance.
> > >
> > >So what I ended up doing is spinning up a CentOS7 VM and installing
> > >everything on it, adding it to the FreeIPA realm etc. and followed your
> > >instructions/email.
> > >
> > >I ran the
> > >
> > >modutil -dbdir sql:./mozilla/firefox/9zd63dro.default/ -list
> > >
> > >It returns the list of the PKCS #11 Modules like I listed in my
> > >previous email. However, it only showed a single item “NSS Internal
> > >PKCS #11 Module”.
> > >
> > >To look at what keys it had I ran
> > >
> > >certutil -d sql:./mozilla/firefox/9zd63dro.default/ -h "NSS Internal PKCS #11" -L
> > >
> > >This seemed like it returned all of the system wide certs. Including my
> > >self signed internal lan cert from freeipa. Should it have? That’s
> > >where I’m getting confused with your comment in your email when you
> > >mentioned the p11-kit-proxy and where it’s coming from, how it was
> > >added (if needed) as you said it was providing all of the system wide
> > >certs?
> > >
> > >At this point this is where things took a detour and I think it’s part
> > >of my confusion, which I think is unrelated, but I was using Firefox,
> > >all of the certs are there in the system based on the commands you
> > >showed. However, every time I would visit my http server Firefox would
> > >throw a
> > >
> > >SEC_ERROR_REVOKED_CERTIFICATE
> > >
> > >I pulled my hair out for 2 hours, deleting the .mozilla folder,
> > >recreating it, looking at certs, trying to manually copy certs into the
> > >cert db etc.
> > >
> > >Until I got fed up and tried Chrome... I downloaded Chrome, installed it,
> > >ran it, checked the certs db, looked at the certs and verified my
> > >internal cert was listed just like firefox. I visited the http server
> > >in chrome and it worked perfectly. No changes, which I believe is what
> > >you would expect.
> > >
> > >I then went and tried the same thing on Ubuntu. I know you mentioned
> > >that I have to add the certs manually as Ubuntu doesn’t have the same
> > >functionality. So I just manually added my ipa.crt to firefox and then
> > >got a
> > >
> > >SEC_ERROR_REVOKED_CERTIFICATE
> > >
> > >installed chrome on ubuntu machine and manually imported the ipa.crt
> > >into chrome, went to the http and chrome worked fine.
> > >
> > >So now I have no idea where I’m getting this
> > >
> > >SEC_ERROR_REVOKED_CERTIFICATE
> > >
> > >So now on a freeipa realm joined host. It seems that
> > >
> > >CentOS7 -
> > >Firefox - SEC_ERROR_REVOKED_CERTIFICATE
> > >Chrome - works out of the box
> > >
> > >Ubuntu 18.04 -
> > >Firefox - SEC_ERROR_REVOKED_CERTIFICATE after manually adding the cert
> > >Chrome - works after manually adding the ipa.ca cert through the GUI
> > >
> > >Is there some obvious reason why Firefox would throw that error message
> > >but Chrome wouldn't?
> > >
> > >This stuff is making my head spin.
> >
> > For that host certificate Firefox thinks it is revoked by its issuer.
> > Did you fiddle with the certificates? Perhaps, it would be easier to
> > find out what certificate is that and check its status in IPA or whoever
> > issued it?
> >
> >
> > --
> > / Alexander Bokovoy
> > Sr. Principal Software Engineer
> > Security / Identity Management Engineering
> > Red Hat Limited, Finland