Unable to sign CSR with multiple CN in subject
by Joel Kåberg
Hello
I'm trying to sign a CSR which has multiple CNs in the certificate subject. When the certificate is signed it only contains one CN in the subject (should be 2, site1.domain.tld and site2.domain.tld), and furthermore only two alternative names (should be 3 – missing the site2.domain.tld), see below for an output example.
Does anyone know why this is happening, and if there is a way around it? The documentation on this seems a bit sparse (or hard to find?), so I'd really appreciate some input.
The private.domain.tld is a "virtual" host in FreeIPA which has a service with 3 principal aliases tied to it (SERVICE/private.domain.tld@REALM.SECRET.TLD, SERVICE/site1.domain.tld@REALM.SECRET.TLD, SERVICE/site2.domain.tld@REALM.SECRET.TLD)
-----------------------------------------------
# openssl req -in signingrequest -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: emailAddress=secret(a)secret.tld, C=US, O=Secret Orginization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
-censored-
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:private.secret.tld
Signature Algorithm: sha1WithRSAEncryption
-censored-
# ipa cert-request signingrequest.csr --principal=SERVICE/private.domain.tld --certificate-out=signingrequest.csr.signed
Issuing CA: ipa
Certificate: -censored-
Subject: CN=site1.domain.tld,O=REALM.SECRET.TLD
Subject DNS name: private.domain.tld, site1.domain.tld
Issuer: CN=Certificate Authority,O=REALM.SECRET.TLD
Not Before: Thu Oct 19 10:27:13 2017 UTC
Not After: Sun Oct 20 10:27:13 2019 UTC
Serial number: 35
Serial number (hex): 0x23
# openssl x509 -in signingrequest.csr.signed -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 23 (0x17)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=REALM.SECRET.TLD, CN=Certificate Authority
Validity
Not Before: Thu Oct 19 10:27:13 2017 UTC
Not After : Sun Oct 20 10:27:13 2019 UTC
Subject: O=REALM.SECRET.TLD, CN=site1.secret.tld
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
-censored-
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:-censored-
Authority Information Access:
OCSP - URI:http://ipa-ca.secret.tld/ca/ocsp
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://ipa-ca.sensor.secret.tld/ipa/crl/MasterCRL.bin
CRL Issuer:
DirName: O = ipaca, CN = Certificate Authority
X509v3 Subject Key Identifier:
-censored-
X509v3 Subject Alternative Name:
DNS:private.secret.tld, DNS:site1.secret.tld
Signature Algorithm: sha256WithRSAEncryption
-censored-
-----------------------------------------------
Kind regards
Joel Kåberg
Security Analyst, HelseCERT
norskhelsenett
+47 7356 5710 | +47 979 54 918
www.nhn.no
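The mismatch described above can be checked mechanically. The following is an added example, not code from the original post or from FreeIPA: it parses the `openssl req -text` and `openssl x509 -text` renderings shown above (the two sample inputs are constructed from the post's output) and lists every requested name that the issued certificate does not cover.

```python
"""Compare the names requested in a CSR with the names the CA actually issued.

Works on the text rendering of `openssl req -text` / `openssl x509 -text`,
so only the standard library is needed. Sample inputs are constructed from
the output quoted in the post (trimmed to the relevant lines).
"""
import re

CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: emailAddress=secret@secret.tld, C=US, O=Secret Orginization, CN=site1.secret.tld, CN=site2.secret.tld/unstructuredName=private.secret.tld
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld
"""

CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O=REALM.SECRET.TLD, CN=site1.secret.tld
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:private.secret.tld, DNS:site1.secret.tld
"""


def subject_cns(text):
    """Return every CN= value on the Subject: line, in order.

    openssl separates attributes with ', ' and glues a trailing attribute
    with '/', so split on both before looking for CN=.
    """
    m = re.search(r"^\s*Subject:\s*(.*)$", text, re.MULTILINE)
    if not m:
        return []
    cns = []
    for part in re.split(r",\s*|/", m.group(1)):
        key, _, value = part.partition("=")
        if key.strip() == "CN":
            cns.append(value.strip())
    return cns


def san_dns_names(text):
    """Return the DNS: entries of the Subject Alternative Name extension."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.*)$", text, re.MULTILINE)
    if not m:
        return []
    return re.findall(r"DNS:([^,\s]+)", m.group(1))


def requested_names(csr_text):
    """Every name a CSR asks to be covered: all CNs plus all SAN DNS entries."""
    return sorted(set(subject_cns(csr_text) + san_dns_names(csr_text)))


def issued_names(cert_text):
    """Every name the issued certificate actually covers."""
    return sorted(set(subject_cns(cert_text) + san_dns_names(cert_text)))


def missing_names(csr_text, cert_text):
    """Names present in the CSR that the issued certificate does not cover."""
    return sorted(set(requested_names(csr_text)) - set(issued_names(cert_text)))


if __name__ == "__main__":
    print("requested:", requested_names(CSR_TEXT))
    print("issued:   ", issued_names(CERT_TEXT))
    print("missing:  ", missing_names(CSR_TEXT, CERT_TEXT))
```

Run against the real `-text` output of your own CSR and signed certificate to confirm which requested names the CA dropped before deploying the certificate.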
Guidance on setting up locked down role for a local IPA user who can only do "ipa hbactest ... " command?
by Chris Dagdigian
Hi folks,
We have an absurdly complex multi-domain/multi-child AD forest tied
together on AWS via FreeIPA.
I'm spending a lot of time debugging login issues and the "ipa hbactest"
command is fantastic at "proving" out if something should or should not
work.
I currently "kinit admin" before running these commands but would like
to be able to pass this 'power' on to other people, including project
managers and other folks that I would not trust with direct IPA
privileges that would let them accidentally do dangerous things :)
Has anyone set up an IPA user with read-only access or otherwise set up
a locked down role so that a user can only run "ipa hbactest ..." type
commands? Looking for sensible tips and guidance on spreading some IPA
powers around to people that I would not normally want having higher
level privileges.
Thanks!
Chris
multiple sub-domains
by Andrew Meyer
I am running into an issue deploying FreeIPA. I am converting from OpenLDAP. However, I have multiple sub-domains under my tld.
So let's say I own example.com
I have multiple zones under that where I have servers sitting. All of these sub-domains are specific to VLANs as well.
mgt.$DC.example.com
beta.$DC.example.com
I want to add the server to that DOMAIN but it is still under the example.com domain. However, the installer is complaining that if I do this, failover will not be an option.
The plan is to put 2 FreeIPA servers in every location.
My question is how can I get around that? Can I go back and edit the sssd.conf file? I will already have /etc/resolv.conf populated.
Any thoughts? Has anyone else had this same issue?
Thank you,
Replica failure, could not perform interactive bind ... [GSSAPI]
by Kees Bakker
Hey,
Since I've set up a replica it gives errors like these:
[17/Oct/2017:11:36:55 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[17/Oct/2017:11:36:56 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[17/Oct/2017:11:36:56 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[17/Oct/2017:11:36:56 +0200] NSMMReplicationPlugin - agmt="cn=meTorotte.ghs.nl" (rotte:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
[17/Oct/2017:11:36:59 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[17/Oct/2017:11:36:59 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[17/Oct/2017:11:36:59 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[17/Oct/2017:11:37:05 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[17/Oct/2017:11:37:05 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[17/Oct/2017:11:37:05 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[17/Oct/2017:11:37:18 +0200] NSMMReplicationPlugin - agmt="cn=meTorotte.ghs.nl" (rotte:389): Replication bind with GSSAPI auth resumed
I'm looking for hints on how to debug this. And of course it would be nice if someone
knows how to solve this.
Details about the installation.
Both servers: Ubuntu 16.04, freeipa version 4.3.1-0ubuntu1
The original master is rotte.ghs.nl and my replica is linge.ghs.nl. The above log is on
the replica (linge).
Perhaps the following is valuable information, perhaps not. The installation failed at first
due to a timeout problem. I've changed the Python to increase the time, and after that
the replica installation succeeded. I'm able to connect to it (LDAP and web UI), and new
information entered in the master was replicated correctly.
But now I see some clients having Kerberos ticket problems, most likely because
they use the replica, which is not valid anymore.
Should I abandon the replica and reinstall it, and if so, how should I do that (safely)?
--
Kees Bakker
Old replica in ipa-replica-manage list but not in ipa-replica-manage list-ruv
by john.bowman@zayo.com
After a crash of one of our IPA servers this morning I noticed that two of the 6 IPA servers we use have an old replica listed. It was part of a previous failed install attempt. Normally in this situation I would use the clean-ruv but the replica doesn't appear in the list-ruv output. Is there another way to clean this bad entry?
# ipa-replica-manage list
Directory Manager password:
ipa1.domain.tld: master
ipa2.domain.tld: master <--- No longer exists.
ipa3.domain.tld: master
ipa4.domain.tld: master
ipa5.domain.tld: master
ipa6.domain.tld: master
ipa7.domain.tld: master
# ipa-replica-manage list-ruv
Directory Manager password:
ipa3.domain.tld:389: 8
ipa4.domain.tld:389: 9
ipa1.domain.tld:389: 3
ipa5.domain.tld:389: 12
ipa6.domain.tld:389: 19
ipa7.domain.tld:389: 21
Thanks!
new servers not creating DNS entries
by Andrew Meyer
I am running the latest version of FreeIPA on CentOS 7. I am testing adding servers to the domain. I am using a tld for the FreeIPA domain, not that it would matter. However when I join a server to the domain it is failing on adding the DNS entries for the server.
I'm seeing the following in the /var/log/ipaclient-install.log
2017-10-19T00:52:33Z DEBUG Starting external process
2017-10-19T00:52:33Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r GATEWAYBLEND.NET
2017-10-19T00:52:33Z DEBUG Process finished, return code=5
2017-10-19T00:52:33Z DEBUG stdout=
2017-10-19T00:52:33Z DEBUG stderr=realm not found
[try 1]: Forwarding 'ping' to json server 'https://infra-test-ipa.gatewayblend.net/ipa/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://infra-test-ipa.gatewayblend.net/ipa/json'
Systemwide CA database updated.
Hostname (jira02.mgt.stl.gatewayblend.net) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host jira02.mgt.stl.gatewayblend.net: 10.1.6.142.
Missing reverse record(s) for address(es): 10.1.6.142.
I can't seem to find out why it's not doing this.
I will say there is a BIND server already in place and we are working to migrate off of it.
Please let me know what else I need to provide.
FreeIPA, Yubikeys, and OpenVPN
by Jeremy Utley
Hello all!
In the process of changing to a FreeIPA based authentication system for a
part of our network. FreeIPA is set up, working beautifully for most
things already. Right now, we're trying to convert our old jump hosts from
C6+OpenLDAP+Vasco OTP devices to a new C7+FreeIPA+Yubikey setup. The way
this setup currently works is that the user creates a VPN connection to the
jump host (using OpenVPN and static VPN keys), logs into the jump via SSH
over the VPN tunnel with the Vasco OTP password, then can move from there
to other machines on the network with only password.
As part of the transition to the new setup, I wanted to change to having
OpenVPN authenticate against FreeIPA using the openvpn pam plugin. This
was working fine when using just passwords, OpenVPN prompted for the
Username and Password and connected, so the basic idea seems to work. But
as soon as I enabled the first user with the Yubikey 2FA, the OpenVPN
server will no longer authenticate him when using Password+Yubikey value.
However, that user can authenticate to the FreeIPA web interface
successfully with the Yubikey, as well as SSH to the machine running
Openvpn (tested by using the old setup and jumping to the new hosts).
As I understand it, using the OpenVPN PAM module should allow it to auth
just like SSH does, so I'm puzzled why this is failing as it does. I
created the OpenVPN PAM configuration file by copying /etc/pam.d/login to
/etc/pam.d/openvpn, as well as adding the new openvpn service to FreeIPA
and granting the user access to it (of course, as the user is allowed to
connect when OTP is not enabled).
Has anyone done a similar setup before, and have any ideas where I went
wrong? I'd like to have this working for added security on our VPN
connections.
Thanks
Jeremy Utley
Announcing FreeIPA 4.5.4
by Tomas Krizek
The FreeIPA team would like to announce FreeIPA 4.5.4 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 25 and 26 will be available in the official COPR repository
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-5/ .
== Highlights in 4.5.4 ==
=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.5.4 is a stabilization release for the features delivered as a
part of 4.5.0.
There are more than 30 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or the #freeipa channel on Freenode.
== Resolved tickets ==
* 7179 In case full PKINIT configuration is failing during
server/replica install the error message should be more meaningful.
* 7175 [Backport 7143 to ipa-4-5] "unknown command 'undefined'" error
when changing user's password via the web UI
* 7173 Switch from externally-signed to self-signed CA fails
* 7172 Enterprise principals should be able to trigger a refresh of the
trusted domain data in the KDC
* 7146 ipa_otptoken_import.py fails to parse the correct suite defined
under the AlgorithmParameters
* 7144 pkinit-status command fails after an upgrade from a pre-4.5 IPA
* 7141 Updating from RHEL 7.3 fails with Server-Cert not found
(ipa-server-upgrade)
* 7127 sssd.conf not updated after promoting client to promotion
* 7126 FreeIPA/IdM installations which were upgraded from versions with
389 DS prior to 1.3.3.0 don't have the whoami plugin enabled and thus
startup of Web UI fails
* 7125 ipa-server-upgrade fails with "This entry already exists"
* 7123 External CA renewal fails when IPA CA subject DN does not match
"CN=Certificate Authority, {subject-base}"
* 7120 Unable to set ca renewal master on replica
* 7116 dnssec: fix localhsm.py with openhsm >= 2.2.0
* 7112 user-show command fails when sizelimit is configured to number <=
number of entity which is user member of
* 7108 ipa-backup broken because of cyclic import
* 7106 TypeError in renew_ca_cert prevents switching back to
self-signed CA
* 7086 [ipatests] - add caless to cafull tests
* 7083 failed ipa-server-upgrade , time out from dogtag services ,
custodia errors
* 7074 IPA shouldn't allow objectclass if not all in lower case
* 7066 WebUI: All columns of user in group table are clickable
* 7035 ipa-otptoken-import - XML file is missing PBKDF2 parameters!
* 7017 NULL LDAP context in call to ldap_search_ext_s during search in
cn=ad,cn=trusts,dc=example,dc=com
* 6999 ipa command throws backtrace instead of showing help with wrong
syntax
* 6979 Suggest user to install libyubikey package instead of traceback
* 6952 Suggest CA installation command in KRA installation warning
* 6622 [tests] ipatests.util.unlock_principal_password does not respect
configured ldap_uri
* 6605 make lint + make modifies PO files in place
* 6592 [tracker] SELinux policy tracker for 4.5
* 6582 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and
"Role-Based"
* 6447 [WebUI] Remove offline version of WebUI
* 6261 Replace ERROR: cannot connect to
'http://localhost:8888/ipa/json': [Errno 111] Connection refused with
'IPA is not configured on this system'
* 6176 Updating of dns system records rapidly slowdown uninstallation
== Detailed changelog since 4.5.3 ==
=== Alexander Bokovoy (2) ===
* Make sure upgrade also checks for IPv6 stack
* OTP import: support hash names with HMAC- prefix
=== Abhijeet Kasurde (1) ===
* Vault testcase improvement
=== Alexander Koksharov (1) ===
* kra-install: better warning message
=== Aleksei Slaikovskii (2) ===
* ipaclient.plugins.dns: Cast DNS name to unicode.
* Less confusing message for PKINIT configuration during install
=== Christian Heimes (1) ===
* Block PyOpenSSL to prevent SELinux execmem in wsgi
=== David Kreitschmann (2) ===
* Disable pylint in get_help function because of type confusion.
* Store help in Schema before writing to disk
=== David Kupka (11) ===
* tests: Add LDAP URI to ldappasswd explicitly
* tests: certmap: Add test for user-{add,remove}-certmap
* tests: tracker: Add CertmapdataMixin tracker
* tests: certmap: Add test for certmapconfig-{mod,show}
* tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands
* tests: certmap: Test permissions for certmap
* tests: certmap: Add basic tests for certmaprule commands
* tests: tracker: Add CertmapTracker for testing certmap-* commands
* tests: tracker: Add ConfigurationTracker to test *config-{mod,show}
commands
* tests: tracker: Add EnableTracker to test *-{enable,disable} commands
* tests: tracker: Split Tracker into one-purpose Trackers
=== Felipe Volpone (4) ===
* Changing idoverrideuser-* to treat objectClass case insensitively
* Fixing how sssd.conf is updated when promoting a client to replica
* Removing part of circular dependency of ipalib in ipaplatform
* Changing how commands handle errors when they can't connect to IPA server
=== Florence Blanc-Renaud (5) ===
* ipa-cacert-manage renew: switch from ext-signed CA to self-signed
* Backport 4-5: Fix ipa-server-upgrade with server cert tracking
* Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already
exists
* Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca)
* Fix ipa config-mod --ca-renewal-master
=== Fraser Tweedale (2) ===
* Fix external renewal for CA with non-default subject DN
* Restore old version of caIPAserviceCert for upgrade only
=== Martin Basti (1) ===
* DNS update: reduce timeout for CA records
=== Michal Reznik (3) ===
* test_caless: add replica ca-less to ca-full test (master caless)
* test_caless: add server_replica ca-less to ca-full test
* tests: fix external_ca test suite failing due to missing SKI
=== Nathaniel McCallum (1) ===
* ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
=== Petr Čech (1) ===
* ipatests: Fix on logs collection
=== Petr Vobornik (2) ===
* log progress of wait_for_open_ports
* control logging of host_port_open from caller
=== Pavel Vomacka (9) ===
* WebUI: Fix calling undefined method during reset passwords
* WebUI: remove unused parameter from get_whoami_command
* Adds whoami DS plugin in case that plugin is missing
* WebUI: remove creating js/libs symlink from makefile
* WebUI: Remove plugins symlink as it is unused
* Remove all old JSON files
* Revert "Web UI: Remove offline version of Web UI"
* WebUI: Add hyphenate versions of Host(Role) Based strings
* WebUI: fix incorrectly shown links in association tables
=== Rob Crittenden (1) ===
* Collect group membership without a size limit
=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals
=== Stanislav Laznicka (4) ===
* travis: make tests fail if pep8 does not pass
* Use correct container for ipa-4-5 testing
* pkinit: don't fail when no pkinit servers found
* travis: temporary workaround for Travis CI
=== Thierry Bordaz (1) ===
* NULL LDAP context in call to ldap_search_ext_s during search
=== Tibor Dudlák (1) ===
* otptoken_yubikey.py: Removed traceback when package missing.
=== Tomas Krizek (11) ===
* Become IPA 4.5.4
* Update contributors
* Update translations
* prci: use f26 template for ipa-4-5
* ipatests: collect log after ipa-ca-install
* dnssec: fix localhsm.py utility script
* prci: rename template to ci-ipa-4-5-f25
* prci: add caless tests
* build: checkout *.po files at the end of makerpms.sh
* freeipa-pr-ci: enable pull-request CI
* 4.5 set back to git snapshot
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
IPA crashed and after restarting services seeing "Replica has a different generation ID than the local data." in log
by john.bowman@zayo.com
Howdy! Looks like the IPA application crashed on one of our servers (RHEL 6) early this morning and after restarting it I saw the following in /var/log/dirsrv/slapd-TLD/errors log:
[18/Oct/2017:07:35:49 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[18/Oct/2017:07:35:49 -0500] - Listening on All Interfaces port 636 for LDAPS requests
[18/Oct/2017:07:35:49 -0500] - Listening on /var/run/slapd-TLD.socket for LDAPI requests
[18/Oct/2017:07:35:59 -0500] NSMMReplicationPlugin - agmt="cn=meToidm1.tld (idm1:389): Replica has a different generation ID than the local data.
[18/Oct/2017:07:36:03 -0500] NSMMReplicationPlugin - agmt="cn=meToidm2..tld" (idm2:389): Replica has a different generation ID than the local data.
[18/Oct/2017:07:36:03 -0500] NSMMReplicationPlugin - agmt="cn=meToidm1.tld" (idm1:389): Replica has a different generation ID than the local data.
And that same message appears in the error log on the hosts that have a replication agreement with this node. And it does not appear to be replicating with the other nodes as well.
I searched for that message and found:
https://access.redhat.com/solutions/136993
But that implies that this is from a failed install and that is not the same situation.
Any ideas on the best method to clean this up would be appreciated.
Thanks!
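This post and the earlier "Replica failure, could not perform interactive bind ... [GSSAPI]" post both quote the same 389-ds errors-log format. The following is an added example, not code from either post or from FreeIPA: it parses such lines (the sample log is constructed from lines in both posts) and summarises, per replication agreement, how long a GSSAPI bind failure lasted before the "resumed" line and whether a generation-ID mismatch was reported.

```python
"""Summarise replication-agreement events from a 389-ds errors log.

Lines look like `[dd/Mon/yyyy:HH:MM:SS +zzzz] component - message`; the
NSMMReplicationPlugin ones carry the agreement name and peer. The
slapd_ldap_sasl_* lines repeat the same failure without naming the
agreement, so they are ignored here.
"""
import re
from datetime import datetime

# Constructed sample, copied from the two posts. The agmt= line with the
# missing closing quote appears that way in the post and is skipped.
SAMPLE_LOG = """\
[17/Oct/2017:11:36:55 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[17/Oct/2017:11:36:56 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[17/Oct/2017:11:36:56 +0200] NSMMReplicationPlugin - agmt="cn=meTorotte.ghs.nl" (rotte:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
[17/Oct/2017:11:37:18 +0200] NSMMReplicationPlugin - agmt="cn=meTorotte.ghs.nl" (rotte:389): Replication bind with GSSAPI auth resumed
[18/Oct/2017:07:35:49 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[18/Oct/2017:07:35:59 -0500] NSMMReplicationPlugin - agmt="cn=meToidm1.tld (idm1:389): Replica has a different generation ID than the local data.
[18/Oct/2017:07:36:03 -0500] NSMMReplicationPlugin - agmt="cn=meToidm1.tld" (idm1:389): Replica has a different generation ID than the local data.
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<comp>\S+) - (?P<msg>.*)$")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): (?P<event>.*)$')


def parse_line(line):
    """Return (timestamp, component, message), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("comp"), m.group("msg")


def replication_summary(log_text):
    """Per agreement: bind-failure outage length and generation-ID mismatch flag."""
    state = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, comp, msg = parsed
        if comp != "NSMMReplicationPlugin":
            continue
        am = AGMT_RE.search(msg)
        if not am:
            continue  # malformed agmt= line, as pasted in the post
        entry = state.setdefault(am.group("agmt"), {
            "peer": am.group("peer"), "bind_failed_at": None,
            "outage_seconds": None, "generation_mismatch": False})
        event = am.group("event")
        if "Replication bind with GSSAPI auth failed" in event:
            if entry["bind_failed_at"] is None:
                entry["bind_failed_at"] = ts  # first failure of this outage
        elif "Replication bind with GSSAPI auth resumed" in event:
            if entry["bind_failed_at"] is not None:
                entry["outage_seconds"] = int((ts - entry["bind_failed_at"]).total_seconds())
                entry["bind_failed_at"] = None
        elif "different generation ID" in event:
            entry["generation_mismatch"] = True
    return state


if __name__ == "__main__":
    for agmt, info in replication_summary(SAMPLE_LOG).items():
        print(agmt, info)
```

An agreement with a non-empty `outage_seconds` had a transient bind failure (consistent with the "Ticket expired" message), while `generation_mismatch` marks an agreement that will not replicate at all until the databases are re-initialised.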