On Thu, Jul 15, 2021 at 9:37 AM Arthur Scott Poore
<spoore(a)fedoraproject.org> wrote:
We managed to figure it out before I saw your reply, but you were on
the right track:
> One other question related to being air-gapped, do the certificates
> on the cards have OCSP/CRL info/urls set? If so, SSSD may be trying
> to check that if not disabled.
We tracked the problem down to do_verification() in
src/p11_child/p11_child_nss.c. The call to
CERT_VerifyCertificateNow() was returning -8102
(SEC_ERROR_INADEQUATE_KEY_USAGE; "Certificate key usage inadequate for
attempted operation").
On a hunch, we set certificate_verification = no_ocsp, and the
problems went away.
<rant>
NSS throwing SEC_ERROR_INADEQUATE_KEY_USAGE when it can't reach an
OCSP server is the most unhelpful thing in the history of unhelpful
things. This error message suggests that it is some quality of the
certificate itself (KU, EKU, encryption algorithm, key signing
algorithm, whatever) that NSS objects to.
I could understand that if NSS didn't have any OCSP-related error
codes. But it has literally 19 of them (1):
SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
SEC_ERROR_OCSP_MALFORMED_REQUEST
SEC_ERROR_OCSP_SERVER_ERROR
SEC_ERROR_OCSP_TRY_SERVER_LATER
SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
SEC_ERROR_OCSP_UNKNOWN_CERT
SEC_ERROR_OCSP_NOT_ENABLED
SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER
SEC_ERROR_OCSP_MALFORMED_RESPONSE
SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
SEC_ERROR_OCSP_FUTURE_RESPONSE
SEC_ERROR_OCSP_OLD_RESPONSE
SEC_ERROR_OCSP_INVALID_SIGNING_CERT
SEC_ERROR_REVOKED_CERTIFICATE_OCSP
SEC_ERROR_OCSP_RESPONDER_CERT_INVALID
SEC_ERROR_OCSP_BAD_SIGNATURE
But apparently, no one thought that *this* error code might actually
be useful:
SEC_ERROR_OCSP_SERVER_UNREACHABLE
Gah.
If we hadn't already suspected something external (the problems were
intermittent, even though nothing had changed on the hosts), who knows
how far into the weeds SEC_ERROR_INADEQUATE_KEY_USAGE would have taken
us.
I'm glad that for RHEL8, sssd moved from NSS to OpenSSL, because to
paraphrase Theo de Raadt: OpenSSL might suck, but everything else
sucks far more.
</rant>
Anyway, thanks for your reply. Hopefully this thread (especially your
suggestions) will be useful to others who encounter mysterious
certificate verification issues.
(1)
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functio...
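As an added illustration (not part of the thread above), an sssd.conf fragment showing the no_ocsp setting that resolved the -8102 failure next to an offline CRL so that revocation checking is not dropped entirely on an air-gapped host. The CRL path is a placeholder, and the fragment assumes an sssd version whose certificate_verification option accepts crl_file=.

```ini
# Added example, not from the original thread. Goes in /etc/sssd/sssd.conf.
[sssd]
# Default behaviour: p11_child tries the OCSP responder from the
# certificate's AIA extension. With no route to it, the NSS backend
# reports the failure as SEC_ERROR_INADEQUATE_KEY_USAGE (-8102).
#
# Minimal fix from the thread: disable the network OCSP check only.
#certificate_verification = no_ocsp
#
# Preferred on an air-gapped host: still skip OCSP, but keep revocation
# checking against a CRL copied to the host out of band.
# (crl_file= assumed supported by the installed sssd; path is a placeholder)
certificate_verification = no_ocsp, crl_file=/etc/sssd/pki/PLACEHOLDER-crl.pem
```

The CRL must be refreshed before its nextUpdate time passes, since an expired CRL makes verification fail just as an unreachable responder does.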