Hello,
I'm trying to renew the CA certificate and I keep getting the error "CA certificate chain in ipaRenew.crt, extCA.crt is incomplete: missing certificate with subject 'CN=pedroperdido.com'". I have found some people complaining about a DN encoding mismatch during the renewal process, so I installed a test server and made sure the trust chain had PRINTABLESTRING encoding. No problem there, FreeIPA accepted the certificate and everything is working great, but when I try to renew it the error comes back:
==============================================================================================
# ipa-cacert-manage renew --external-cert-file=ipaRenew.crt --external-cert-file=extCA.crt
Importing the renewed CA certificate, please wait
CA certificate chain in ipaRenew.crt, extCA.crt is incomplete: missing certificate with subject 'CN=pedroperdido.com'
==============================================================================================
Both the new certificate and the external CA cert have the PRINTABLESTRING encoding:
==============================================================================================
# openssl x509 -in extCARenew.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash
subject=
    commonName                = PRINTABLESTRING:pedroperdido.com
issuer=
    commonName                = PRINTABLESTRING:pedroperdido.com
a5851e5b
a5851e5b
==============================================================================================
==============================================================================================
# openssl x509 -in ipaRenew.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash
subject=
    organizationName          = PRINTABLESTRING:TESTCA.ETUX
    commonName                = PRINTABLESTRING:Certificate Authority
issuer=
    commonName                = PRINTABLESTRING:pedroperdido.com
48a8b126
a5851e5b
==============================================================================================
And the certs I used during the installation also have PRINTABLESTRING encoding:
==============================================================================================
# openssl x509 -in ipaInstall.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash
subject=
    organizationName          = PRINTABLESTRING:TESTCA.ETUX
    commonName                = PRINTABLESTRING:Certificate Authority
issuer=
    commonName                = PRINTABLESTRING:pedroperdido.com
48a8b126
a5851e5b
==============================================================================================
==============================================================================================
# openssl x509 -in extCAInstall.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash
subject=
    commonName                = PRINTABLESTRING:pedroperdido.com
issuer=
    commonName                = PRINTABLESTRING:pedroperdido.com
a5851e5b
a5851e5b
==============================================================================================
Also, as you can see, the CN is the same. Can someone please help me figure out what the problem seems to be?
Some more info:
FreeIPA version: 4.6.4
OS: CentOS 7
Pedro Perdido via FreeIPA-users wrote:
How's your Python?
It is failing in ipaserver/install/installutils.py in load_external_cert(). What it does is load all the certs into a temporary NSS database and then check the chain. For some reason it isn't finding cn=pedroperdido.com.
It is probably worth it to stick a pdb in there to walk through it line by line to see what is going on, and to see what the contents of the temporary NSS database is (are all the certs even loaded, for example).
Or you can send us these files and we can try to duplicate the error.
rob
Hello Rob,
I just checked and all certs are being loaded into the temporary nssdb.
nssdb.list_certs() outputs:
==================================================================================================
(('CN=Certificate Authority,O=TESTCA.ETUX', TrustFlags(has_key=False, trusted=None, ca=None, usages=frozenset([]))),
 ('CN=pedroperdido.com', TrustFlags(has_key=False, trusted=None, ca=None, usages=frozenset([]))))
==================================================================================================
but trust_chain = list(reversed(nssdb.get_trust_chain(ca_nickname))) a few lines down only contains:
=======================================
['CN=Certificate Authority,O=TESTCA.ETUX']
=======================================
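The symptom above (both certs present in the temporary nssdb, but get_trust_chain() stopping at the IPA CA) is what you get when NSS cannot link the IPA CA's issuer Name to the external root's subject Name. NSS looks the issuer up by its DER-encoded Name, byte for byte, so two Names that print identically can still fail to link if any attribute is encoded with a different ASN.1 string type (PrintableString vs UTF8String), a different attribute order, or different whitespace. The following is an added, stand-alone illustration of that check, not code from FreeIPA or NSS: it hand-builds DER Names with a chosen string tag (constructed sample data modelled on the subjects in this thread, not the real certificates), then walks a chain the way load_external_cert() relies on NSS to, reporting the missing issuer by its decoded text.

```python
"""Illustrate why a chain check that matches issuer Name to subject Name on
raw DER bytes can report 'missing certificate with subject CN=...' even
though the two Names print identically.  Pure standard library; all DER
here is constructed by hand for the example (not the thread's real certs)."""

# Attribute type OIDs used in the thread's subjects.
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
OID_O = bytes.fromhex("55040a")   # id-at-organizationName (2.5.4.10)
SHORT_NAME = {OID_CN: "CN", OID_O: "O"}

# ASN.1 universal tags for the string types that matter here.
PRINTABLESTRING = 0x13
UTF8STRING = 0x0C
IA5STRING = 0x16
TAG_NAMES = {PRINTABLESTRING: "PRINTABLESTRING", UTF8STRING: "UTF8STRING", IA5STRING: "IA5STRING"}


def _tlv(tag, body):
    """DER tag-length-value with definite-length encoding (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_name(rdns, string_tag=PRINTABLESTRING):
    """Encode an X.501 Name: SEQUENCE OF RDN, each RDN a SET OF one
    AttributeTypeAndValue.  rdns is a list of (oid_bytes, text) in DER order
    (e.g. O before CN, as openssl printed the IPA CA subject)."""
    seq = b""
    for oid, text in rdns:
        atv = _tlv(0x30, _tlv(0x06, oid) + _tlv(string_tag, text.encode("utf-8")))
        seq += _tlv(0x31, atv)
    return _tlv(0x30, seq)


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def describe_name(der):
    """Render a DER Name like 'O=PRINTABLESTRING:X,CN=UTF8STRING:Y', i.e. the
    same information openssl's -nameopt show_type prints."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    parts, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)        # SET
        _, atv, _ = _read_tlv(rdn, 0)             # first AttributeTypeAndValue
        _, oid, p = _read_tlv(atv, 0)             # OBJECT IDENTIFIER
        vtag, val, _ = _read_tlv(atv, p)          # the string value
        parts.append(f"{SHORT_NAME.get(oid, '?')}={TAG_NAMES.get(vtag, hex(vtag))}:{val.decode('utf-8')}")
    return ",".join(parts)


def build_chain(certs, leaf_subject):
    """Walk from a leaf to a self-signed root, linking on exact DER equality
    of issuer and subject (the lookup NSS performs).  certs maps subject DER
    to issuer DER.  Returns (chain_as_text, missing_issuer_text_or_None)."""
    chain, cur = [], leaf_subject
    while True:
        chain.append(describe_name(cur))
        issuer = certs[cur]
        if issuer == cur:             # self-signed: chain is complete
            return chain, None
        if issuer not in certs:       # no cert whose subject DER equals this issuer DER
            return chain, describe_name(issuer)
        cur = issuer


def demo():
    """Two scenarios with the thread's subjects (constructed data)."""
    root_subj = encode_name([(OID_CN, "pedroperdido.com")])
    ipa_subj = encode_name([(OID_O, "TESTCA.ETUX"), (OID_CN, "Certificate Authority")])
    # Consistent: the IPA CA's issuer bytes equal the root's subject bytes.
    consistent = {ipa_subj: root_subj, root_subj: root_subj}
    # Mismatched: a root whose CN is UTF8String is a different DER Name, so the
    # IPA CA (still naming the PrintableString form) has no issuer in the set.
    root_subj_utf8 = encode_name([(OID_CN, "pedroperdido.com")], UTF8STRING)
    mismatched = {ipa_subj: root_subj, root_subj_utf8: root_subj_utf8}
    return build_chain(consistent, ipa_subj), build_chain(mismatched, ipa_subj)


if __name__ == "__main__":
    for label, (chain, missing) in zip(("consistent", "mismatched"), demo()):
        print(label, "->", " <- ".join(chain), "| missing:", missing)
```

When comparing real certificates, do not rely on -subject_hash: modern OpenSSL hashes a canonicalised form of the Name (string types normalised, case folded), so identical hashes such as the a5851e5b above do not prove the DER bytes are identical. Dump the raw encoding instead with `openssl asn1parse -in cert.crt -i` (or use `-subject_hash_old`, which hashes the raw DER) and compare the issuer element of the IPA CA cert with the subject element of the external root byte for byte, including attribute order and any trailing spaces.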