On Wed, Mar 18, 2020 at 10:42:52AM -0000, Hristina Marosevic wrote:
Hi,
can you send the output of
ls -al /etc/pki/nssdb
and
certutil -L -d /etc/pki/nssdb -h all
bye, Sumit
Hello Sumit,
Somehow, today I didn't get any error when executing the certutil command. In the meantime I didn't do anything different, except for the sssd and sshd restart. A few days ago, I couldn't add nor list the existing certificates in the nssdb using certutil. Now, when this is working, I added the two CA certs in the chain of the user's public certificate. One is intermediate, and one is root CA. To add the intermediate and root CA certs in the nssdb, I used DER formats of the certificates and the following command for each one of them:

certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d /etc/pki/nssdb
You asked me to list the nssdb directory. Here is the result:

$ ls -al /etc/pki/nssdb
total 132
drwxr-xr-x.  2 root root  4096 Mar  6 10:34 .
drwxr-xr-x. 10 root root  4096 Jan 24  2019 ..
-rw-r--r--   1 root root 65536 Aug  7  2019 cert8.db
-rw-r--r--.  1 root root  9216 Jan 24  2019 cert9.db
-rw-r--r--   1 root root     0 Mar  6 10:34 i#uiap
-rw-r--r--   1 root root 16384 Aug  7  2019 key3.db
-rw-r--r--.  1 root root 11264 Jan 24  2019 key4.db
-rw-r--r--   1 root root   451 Aug  7  2019 pkcs11.txt
-rw-r--r--   1 root root 16384 Aug  7  2019 secmod.db
After adding the certificates from the chain of the user's public certificate, the following command:

certutil -L -d /etc/pki/nssdb -h all

resulted in:

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

root_KZ                                         C,C,C
intermediate_KZ                                 C,C,C
In the [sssd] section of sssd.conf the value of certificate_verification is no_ocsp. Using strace, the recorded log of p11_child for the PKI authentication attempt is:
.....
stat("/home/oracle/secmod.db", 0x7ffcf6ee2350) = -1 ENOENT (No such file or directory)
open("/home/oracle/secmod.db", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2379ad3000
read(4, "0\n", 1024) = 2
close(4) = 0
munmap(0x7f2379ad3000, 4096) = 0
stat("/home/oracle/cert8.db", 0x7ffcf6ee1f30) = -1 ENOENT (No such file or directory)
open("/home/oracle/cert8.db", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/home/oracle/cert7.db", 0x7ffcf6ee1f50) = -1 ENOENT (No such file or directory)
open("/home/oracle/cert7.db", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/etc/pki/nss-legacy/nss-rhel7.config", R_OK) = 0
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2379ad3000
read(4, "0\n", 1024) = 2
close(4) = 0
munmap(0x7f2379ad3000, 4096) = 0
open("/etc/pki/nss-legacy/nss-rhel7.config", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=257, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2379ad3000
read(4, "# To re-enable legacy algorithms, edit this file\n# Note that the last empty line in this file must be preserved\nlibrary=\nname=Policy\nNSS=flags=policyOnly,moduleDB\nconfig="disallow=MD5:RC4 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023:TLS-VERSION-MIN=tls1.0"\n\n", 4096) = 257
stat("/etc/sysconfig/64bit_strstr_via_64bit_strstr_sse2_unaligned", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
read(4, "", 4096) = 0
close(4) = 0
munmap(0x7f2379ad3000, 4096) = 0
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2379ad3000
read(4, "0\n", 1024) = 2
close(4) = 0
munmap(0x7f2379ad3000, 4096) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [do_verification] (0x0040): Certificate [(null)][givenName=\320\242\320\225\320\241\320\242\320\242\320\236\320\222\320\230\320\247,ST=\320\220\320\241\320\242\320\220\320\235\320\220,L=\320\220\320\241\320\242\320\220\320\235\320\220,C=KZ,serialNumber=IIN123456789012,SN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222,CN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222 \320\242\320\225\320\241\320\242\320\242] not valid [-8179][Peer's Certificate issuer is not recognized.].\n", 309) = 309
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [do_work] (0x0400): Certificate is NOT valid.\n", 99) = 99
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [main] (0x0040): do_work failed.\n", 86) = 86
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [main] (0x0020): p11_child failed!\n", 88) = 88
close(1) = 0
exit_group(1) = ?
+++ exited with 1 +++
"Peer's Certificate issuer is not recognized" - why is this appearing in the logs if the CA certs are already imported in the nssdb?
This line is also not clear to me: "mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2379ad3000 read(4, "# To re-enable legacy algorithms, edit this file\n# Note that the last empty line in this file must be preserved\nlibrary=\nname=Policy\nNSS=flags=policyOnly,moduleDB\nconfig="disallow=MD5:RC4 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023:TLS-VERSION-MIN=tls1.0"\n\n", 4096) = 257" What is it about?
Thank you for your help! Hristina M.
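The "issuer is not recognized" text in the trace above is the message NSS attaches to error -8179, SEC_ERROR_UNKNOWN_ISSUER: the verifier did not find the certificate that issued the user's certificate in the database(s) it actually opened. That is a different condition from -8172, SEC_ERROR_UNTRUSTED_ISSUER, which NSS reports when the issuer is found but marked as not trusted. Two things are therefore worth pinning down from the material in the thread: which database files p11_child touched (on SSSD builds whose p11_child uses NSS, the directory is the pam_cert_db_path option in the [pam] section of sssd.conf, default /etc/pki/nssdb, so a mismatch between that path and the directory the CAs were imported into produces exactly this error), and whether both CAs in that database carry CA trust in the SSL column. The script below is an added example written for this page, not code from the thread or from SSSD. It works purely on the two text artefacts already posted: it decodes the write(2, ...) records of the strace, including the \ooo octal escapes strace uses for the Cyrillic bytes of the subject, lists the .db paths the process probed, parses the certutil -L -h all table and maps the NSS error code to its name. The sample inputs are constructed from the excerpts quoted in the thread, and the NSS_ERRORS table is a small subset of NSS's secerr.h.

```python
"""Triage helper for an SSSD p11_child "issuer is not recognized" failure.

Added example, not code from the thread or from SSSD. It works on text only:
an strace capture of p11_child (write(2, "...") records are decoded, including
the \\ooo octal escapes strace uses for non-ASCII bytes, and the NSS database
files the process probed are collected) plus the output of
`certutil -L -d <dir> -h all` (which nicknames carry CA trust for SSL).
"""
import re

# Subset of NSS error codes from secerr.h (SEC_ERROR_BASE is -8192).
NSS_ERRORS = {
    -8182: "SEC_ERROR_BAD_SIGNATURE",
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",    # "Peer's Certificate issuer is not recognized."
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",  # issuer found, but marked as not trusted
}
WRITE_RE = re.compile(r'write\(2, "((?:[^"\\]|\\.)*)"')      # p11_child logs to stderr
DB_RE = re.compile(r'(?:stat|open)\("([^"]*\.db)"')          # NSS database files probed
LOG_RE = re.compile(r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)")
NOT_VALID_RE = re.compile(r"Certificate \[(?P<nick>[^\]]*)\]\[(?P<subject>.*)\] not valid "
                          r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")  # e.g. "C,C,C" or ",,"
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"'}


def decode_strace_string(s: str) -> str:
    """Decode an strace-quoted string body: escapes become bytes first, then UTF-8."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != "\\":
            out += s[i].encode("utf-8")
            i += 1
            continue
        i += 1                                   # skip the backslash
        j = i
        while j < len(s) and j - i < 3 and s[j] in "01234567":
            j += 1
        if j > i:                                # \ooo: one raw byte
            out.append(int(s[i:j], 8) & 0xFF)
            i = j
        elif i < len(s) and s[i] in _SIMPLE:     # \n, \t, \r, \\, \"
            out += _SIMPLE[s[i]].encode("utf-8")
            i += 1
        else:                                    # unknown escape: keep the backslash
            out.append(ord("\\"))
    return out.decode("utf-8", errors="replace")


def parse_certutil_list(text: str) -> list:
    """(nickname, trust) pairs from `certutil -L -h all`; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            rows.append((parts[0].strip(), parts[1]))
    return rows


def triage(strace_text: str, certutil_text: str) -> dict:
    """Correlate the p11_child trace with the certificate database listing."""
    db_files = list(dict.fromkeys(DB_RE.findall(strace_text)))  # unique, in trace order
    log_lines = [decode_strace_string(m).strip() for m in WRITE_RE.findall(strace_text)]
    failures = []
    for line in log_lines:
        rec = LOG_RE.search(line)
        bad = NOT_VALID_RE.search(rec.group("msg")) if rec else None
        if bad:
            code = int(bad.group("code"))
            failures.append({"function": rec.group("func"), "code": code,
                             "name": NSS_ERRORS.get(code, "unknown NSS error"),
                             "subject": bad.group("subject"), "text": bad.group("text")})
    # SSL column: 'C' = trusted CA, 'T' = trusted CA for client certificates.
    ca_trusted = [nick for nick, trust in parse_certutil_list(certutil_text)
                  if set("CT") & set(trust.split(",")[0])]
    return {"db_files_probed": db_files, "log_lines": log_lines,
            "failures": failures, "ca_trusted": ca_trusted}


# Constructed samples: the strace excerpt and certutil listing quoted in the thread.
STRACE_SAMPLE = r'''stat("/home/oracle/secmod.db", 0x7ffcf6ee2350) = -1 ENOENT (No such file or directory)
open("/home/oracle/secmod.db", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/home/oracle/cert8.db", 0x7ffcf6ee1f30) = -1 ENOENT (No such file or directory)
stat("/home/oracle/cert7.db", 0x7ffcf6ee1f50) = -1 ENOENT (No such file or directory)
write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [do_verification] (0x0040): Certificate [(null)][givenName=\320\242\320\225\320\241\320\242\320\242\320\236\320\222\320\230\320\247,ST=\320\220\320\241\320\242\320\220\320\235\320\220,L=\320\220\320\241\320\242\320\220\320\235\320\220,C=KZ,serialNumber=IIN123456789012,SN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222,CN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222 \320\242\320\225\320\241\320\242\320\242] not valid [-8179][Peer's Certificate issuer is not recognized.].\n", 309) = 309
write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538]]]] [do_work] (0x0400): Certificate is NOT valid.\n", 99) = 99
'''
CERTUTIL_SAMPLE = """Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

root_KZ                                         C,C,C
intermediate_KZ                                 C,C,C
"""

if __name__ == "__main__":
    result = triage(STRACE_SAMPLE, CERTUTIL_SAMPLE)
    print("NSS DB files probed:", ", ".join(result["db_files_probed"]))
    for f in result["failures"]:
        print(f"{f['function']}: {f['name']} [{f['code']}] for subject {f['subject']}")
```

On the excerpts posted above this reports /home/oracle/secmod.db, /home/oracle/cert8.db and /home/oracle/cert7.db as the database files probed, root_KZ and intermediate_KZ as CA-trusted, and do_verification: SEC_ERROR_UNKNOWN_ISSUER [-8179] with the subject decoded to givenName=ТЕСТТОВИЧ,ST=АСТАНА,L=АСТАНА,C=KZ,serialNumber=IIN123456789012,SN=ТЕСТТОВ,CN=ТЕСТТОВ ТЕСТТ. The probed paths are the part to compare against the directory the CAs were imported into; the excerpt shows only home-directory lookups, so the beginning of the trace (cut off with "....." in the post) is where the open of the configured directory would appear. The same chain check can be reproduced outside SSSD by importing the user's certificate into the same database with no trust flags (certutil -A -t ,, ...) and running certutil -V -d /etc/pki/nssdb -n <nickname> -u C, which prints the NSS verification result for SSL-client usage directly. As for the second question, the 257-byte read() of /etc/pki/nss-legacy/nss-rhel7.config is NSS loading its algorithm-policy module; the file declares itself as name=Policy with flags=policyOnly,moduleDB, and the buffer contents are the policy itself: MD5 and RC4 disallowed, minimum DH/DSA/RSA sizes of 1023 bits, and TLS 1.0 as the minimum protocol version.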