[Fedora-directory-users] idm-console does not accept cert

Rich Megginson rmeggins at redhat.com
Tue Jan 20 15:43:09 UTC 2009 

John A. Sullivan III wrote:
> On Sat, 2009-01-17 at 19:59 -0500, John A. Sullivan III wrote:
>   
>> Hello, all.  We are working on implementing SSL on our directory server.
>> Our test environment is using Centos using console framework 1.1.1 and
>> ds centos-ds-8.0.0-1.4.el5.centos.4.  When we attempt to login to
>> centos-idm-console, we receive an error that the certificate this server
>> presents is either untrusted or unknown.  When we view the cert, the
>> note under details says "Untrusted issuer".  However, if we look in
>> Manage Certificates for the Administration Server (I assume the console
>> is logging into the Administration Server but the same is true for the
>> Directory Server), we see the CA cert as trusted and see the certificate
>> chain.  Everything looks correct.  Why is the console not trusting the
>> CA cert? Is it looking for it someplace else? If so, where?
>>
>> More details:
>> I'm assuming the problem is the CA cert.  The admin server cert details
>> are:
>> cn=ldap01admin.ssiservices.biz
>> There are DNS entries in subjAltName of:
>> ldap01.ssiservices.biz
>> ldap01
>> ldap01admin
>> and there is an IP address entry.
>>
>> I get the same problem connecting to
>> https://ldap01admin.ssiservices.biz:9830 as
>> https://ldap01.ssiservices.biz:9830
>>
>>     
> On a lark, I took a look in my home directory and, sure enough, found
> a .centos-idm-console directory.  I entered it and issue the following
> command to import the CA cert into the individual user's database:
>
> certutil -A -d . -n "CA certificate" -t "CT,," -a
> -i /etc/dirsrv/admin-serv/SSICA.pem
>
> It all works now.  Perhaps I overlooked it but I did not see that step
> in the documentation.
>   
Please file a doc bug.

The way it should work is if there is no CA cert, you should get a 
dialog asking you if you want to temporarily accept the connection.  Is 
it possible there was an old CA cert in ~/.centos-idm-console/cert8.db?
> I've also noticed that the manage certificate dialogs reverse the OU and
> O fields on the details page.
>   
This has been fixed and the fix will be in the next release.
> Finally, it appears idm-console can use the entries in the subjAltName,
> i.e., I can login using both ldap01 and ldap01admin for the host but it
> does not like the IP field, i.e., I cannot login to
> https://10.1.1.1:9830 without generating a cert warning - John
>   
I'm not sure if IP addresses are supposed to play well with 
subjectAltName - do other software packages work like this?  I'm not 
sure what the standards say about this.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20090120/dcf41cfa/attachment.bin>

More information about the 389-users mailing list