6:44 a.m.
Hello,
we have an issue with resubmitting several certificates.
We suspect the reason might be the encoding mismatch between the certificate and the CA
certificate.
Our environment was upgraded during the years from some 3.x version to current 4.5.4. So
the very first CA certificate was encoded in PRINTABLESTRING.
Issuer:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate Authority
Validity
Not Before: Dec 1 14:14:37 2014 GMT
Not After : Dec 1 14:14:37 2034 GMT
Subject:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate Authority
When we renew-ed (due to SHA1) we got to PRINTABLESTRING X UTF8STRING and after we renewed
again, so now we have:
Issuer:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:Certificate Authority
Validity
Not Before: Oct 9 07:34:24 2017 GMT
Not After : Oct 9 07:34:24 2037 GMT
Subject:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:Certificate Authority
And most certificated were renewed fine.
However, recently we noticed that several certificated can't be resubmitted, all of
them seem to be like this:
Issuer:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate Authority
Validity
Not Before: Nov 24 12:17:12 2016 GMT
Not After : Nov 14 12:17:12 2018 GMT
Subject:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:ipa07.example.com
The error when resubmitting is:
Peer certificate cannot be authenticated with given CA certificates. The tcpdump from 8443
says Unknown CA.
Is the assumption that the encoding mismatch is blocking the submitting certificate
correct?
One of the certificate which we also can't renew is the 'IPA RA'
(/var/lib/ipa/ra-agent.pem)
What we tried:
Add all versions of CA certificate to /etc/pki/pki-tomcat/alias trust store (also add
them one-by-one)
Setting date back before the expiration.
Advises from:
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-auth...
Deleting the related CSR from o=ipaca, supposing that newly generated csr will be fine.
Any suggestions what else we could try?
Thanks
Petr
10:13 a.m.
New subject: Peer certificate cannot be authenticated with given CA certificates
Hi Petr,
I was asked to take a look at this issue. I wanted to know if, in parallel,
there is a customer case open in redhat portal.
If not, could you provide the /var/log/pki-tomcat/ca/debug log file and the
timestamp of resubmission ?
I would not change manually the cert db's under /etc/pki/pki-tomcat/alias
not delete or recreate any object under o=ipaca, as possible. If you have
backups, please restore to original ones.
I know about issues with certificate encoding. In general, the error I use
to see is a little bit different like "error -8179:Peer's Certificate
issuer is not recognized".
It could be interesting to check your certificates in cert db once date has
been set back by doing:
certutil -V -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" -u O
certutil -V -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" -u C
certutil -V -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -u V
certutil -V -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" -u J
certutil -V -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -u L
that is more or less where our selftests are doing for PKI component.
Thanks and regards,
German.
On Fri, Jan 4, 2019 at 1:44 PM Petr Benas via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hello,
we have an issue with resubmitting several certificates.
We suspect the reason might be the encoding mismatch between the
certificate and the CA certificate.
Our environment was upgraded during the years from some 3.x version to
current 4.5.4. So the very first CA certificate was encoded in
PRINTABLESTRING.
Issuer:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate
Authority
Validity
Not Before: Dec 1 14:14:37 2014 GMT
Not After : Dec 1 14:14:37 2034 GMT
Subject:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate
Authority
When we renew-ed (due to SHA1) we got to PRINTABLESTRING X UTF8STRING and
after we renewed again, so now we have:
Issuer:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:Certificate Authority
Validity
Not Before: Oct 9 07:34:24 2017 GMT
Not After : Oct 9 07:34:24 2037 GMT
Subject:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:Certificate Authority
And most certificated were renewed fine.
However, recently we noticed that several certificated can't be
resubmitted, all of them seem to be like this:
Issuer:
organizationName = PRINTABLESTRING:EXAMPLE.COM
commonName = PRINTABLESTRING:Certificate
Authority
Validity
Not Before: Nov 24 12:17:12 2016 GMT
Not After : Nov 14 12:17:12 2018 GMT
Subject:
organizationName = UTF8STRING:EXAMPLE.COM
commonName = UTF8STRING:ipa07.example.com
The error when resubmitting is:
Peer certificate cannot be authenticated with given CA certificates. The
tcpdump from 8443 says Unknown CA.
Is the assumption that the encoding mismatch is blocking the submitting
certificate correct?
One of the certificate which we also can't renew is the 'IPA RA'
(/var/lib/ipa/ra-agent.pem)
What we tried:
Add all versions of CA certificate to /etc/pki/pki-tomcat/alias
trust store (also add them one-by-one)
Setting date back before the expiration.
Advises from:
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-auth...
Deleting the related CSR from o=ipaca, supposing that newly
generated csr will be fine.
Any suggestions what else we could try?
Thanks
Petr
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
2:30 a.m.
New subject: Peer certificate cannot be authenticated with given CA certificates
It looks like my response got posted as a new thread
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1926
days inactive
1936
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
German Parente -
Petr Benas