On Thu, Jul 15, 2021 at 9:37 AM Arthur Scott Poore spoore@fedoraproject.org wrote:
> One other question related to being air-gapped, do the certificates on the cards have OCSP/CRL info/URLs set? If so, SSSD may be trying to check that if not disabled.

We managed to figure it out before I saw your reply, but you were on the right track:
We tracked the problem down to do_verification() in src/p11_child/p11_child_nss.c. The call to CERT_VerifyCertificateNow() was returning -8102 (SEC_ERROR_INADEQUATE_KEY_USAGE; "Certificate key usage inadequate for attempted operation").
On a hunch, we set certificate_verification = no_ocsp, and the problems went away.
<rant>
NSS throwing SEC_ERROR_INADEQUATE_KEY_USAGE when it can't reach an OCSP server is the most unhelpful thing in the history of unhelpful things. This error message suggests that it is some quality of the certificate itself (KU, EKU, encryption algorithm, key signing algorithm, whatever) that NSS objects to.
I could understand that if NSS didn't have any OCSP-related error codes. But it has literally 19 of them (1):
SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
SEC_ERROR_OCSP_MALFORMED_REQUEST
SEC_ERROR_OCSP_SERVER_ERROR
SEC_ERROR_OCSP_TRY_SERVER_LATER
SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
SEC_ERROR_OCSP_UNKNOWN_CERT
SEC_ERROR_OCSP_NOT_ENABLED
SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER
SEC_ERROR_OCSP_MALFORMED_RESPONSE
SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
SEC_ERROR_OCSP_FUTURE_RESPONSE
SEC_ERROR_OCSP_OLD_RESPONSE
SEC_ERROR_OCSP_INVALID_SIGNING_CERT
SEC_ERROR_REVOKED_CERTIFICATE_OCSP
SEC_ERROR_OCSP_RESPONDER_CERT_INVALID
SEC_ERROR_OCSP_BAD_SIGNATURE
But apparently, no one thought that *this* error code might actually be useful:
SEC_ERROR_OCSP_SERVER_UNREACHABLE
Gah.
If we hadn't already suspected something external (the problems were intermittent, even though nothing had changed on the hosts), who knows how far into the weeds SEC_ERROR_INADEQUATE_KEY_USAGE would have taken us.
I'm glad that for RHEL8, sssd moved from NSS to OpenSSL, because to paraphrase Theo de Raadt: OpenSSL might suck, but everything else sucks far more.
</rant>
Anyway, thanks for your reply. Hopefully this thread (especially your suggestions) will be useful to others who encounter mysterious certificate verification issues.
(1) https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/...
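The check Arthur suggested in the quoted reply (does the card certificate carry OCSP/CRL URLs, and can this host reach them?) is the first thing to run before reading NSS error codes. The script below is an added example, not code from this thread or from sssd; it assumes openssl(1) (1.1.1 or later for the -ext option), curl(1), and that the card's certificate has already been exported to a PEM file whose path is passed as the only argument.

```sh
#!/bin/sh
# Added example (not from the thread or from sssd): list the OCSP responder and
# CRL distribution point URLs in a PEM certificate and probe whether each one
# answers from this host. Assumes openssl(1) >= 1.1.1 and curl(1).

# Print the OCSP responder URIs from the Authority Information Access
# extension, one per line (empty output if the extension is absent).
ocsp_uris() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Print the URIs from the CRL Distribution Points extension, one per line
# (empty output if the extension is absent or openssl lacks -ext).
crl_uris() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}

# Exit status 0 if the certificate names any OCSP responder or CRL location,
# i.e. if a verifier that honours those pointers will try to use the network.
needs_network() {
    [ -n "$(ocsp_uris "$1")$(crl_uris "$1")" ]
}

# Exit status 0 if an HTTP connection to the URI can be opened within 5 s.
# Only a connectivity check: a real OCSP query is a POST of a DER request.
probe_uri() {
    command -v curl >/dev/null 2>&1 || return 1
    curl -s -m 5 -o /dev/null "$1"
}

# Report every revocation URL in the certificate and whether it answers.
report() {
    cert=$1
    for u in $(ocsp_uris "$cert"); do
        if probe_uri "$u"; then
            echo "OCSP  reachable    $u"
        else
            echo "OCSP  UNREACHABLE  $u"
        fi
    done
    for u in $(crl_uris "$cert"); do
        if probe_uri "$u"; then
            echo "CRL   reachable    $u"
        else
            echo "CRL   UNREACHABLE  $u"
        fi
    done
    needs_network "$cert" || echo "no OCSP/CRL URLs in certificate"
}

if [ $# -eq 1 ]; then
    report "$1"
fi
```

An UNREACHABLE OCSP line on an air-gapped host is the situation described above, and it explains an intermittent failure better than any key-usage complaint. Note that certificate_verification = no_ocsp switches revocation checking off rather than fixing it; sssd.conf(5) also documents a crl_file= option for the same setting, which is the usual way to keep revocation checking on a network with no route to the responder (check that the sssd version in use supports it).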