On Tue, 2009-01-20 at 08:43 -0700, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > On Sat, 2009-01-17 at 19:59 -0500, John A. Sullivan III wrote:
> >
> >> Hello, all. We are working on implementing SSL on our directory server.
> >> Our test environment is using CentOS using console framework 1.1.1 and
> >> ds centos-ds-8.0.0-1.4.el5.centos.4. When we attempt to log in to
> >> centos-idm-console, we receive an error that the certificate this server
> >> presents is either untrusted or unknown. When we view the cert, the
> >> note under details says "Untrusted issuer". However, if we look in
> >> Manage Certificates for the Administration Server (I assume the console
> >> is logging into the Administration Server but the same is true for the
> >> Directory Server), we see the CA cert as trusted and see the certificate
> >> chain. Everything looks correct. Why is the console not trusting the
> >> CA cert? Is it looking for it someplace else? If so, where?
> >>
> >> More details:
> >> I'm assuming the problem is the CA cert. The admin server cert details
> >> are:
> >> cn=ldap01admin.ssiservices.biz
> >> There are DNS entries in subjAltName of:
> >> ldap01.ssiservices.biz
> >> ldap01
> >> ldap01admin
> >> and there is an IP address entry.
> >>
> >> I get the same problem connecting to
> >> https://ldap01admin.ssiservices.biz:9830 as
> >> https://ldap01.ssiservices.biz:9830
> >>
> > On a lark, I took a look in my home directory and, sure enough, found
> > a .centos-idm-console directory. I entered it and issued the following
> > command to import the CA cert into the individual user's database:
> >
> > certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/admin-serv/SSICA.pem
> >
> > It all works now. Perhaps I overlooked it but I did not see that step
> > in the documentation.
> >
> Please file a doc bug.
>
> The way it should work is if there is no CA cert, you should get a
> dialog asking you if you want to temporarily accept the connection. Is
> it possible there was an old CA cert in ~/.centos-idm-console/cert8.db?

Oh, that is the way it was working. I was just expecting it to work
without having to manually accept the cert. The key was telling the user
to trust the CA. It makes perfect sense now that I understand what is
happening - of course the user application is not using the CA trust
already established within the directory server to authenticate to the
directory server! Thus it needs to trust the CA independently.

> > I've also noticed that the manage certificate dialogs reverse the OU and
> > O fields on the details page.
> >
> This has been fixed and the fix will be in the next release.
>
> > Finally, it appears idm-console can use the entries in the subjAltName,
> > i.e., I can log in using both ldap01 and ldap01admin for the host but it
> > does not like the IP field, i.e., I cannot log in to
> > https://10.1.1.1:9830 without generating a cert warning - John
> >
> I'm not sure if IP addresses are supposed to play well with
> subjectAltName - do other software packages work like this? I'm not
> sure what the standards say about this.

Web browsers will indeed accept the IP values of the subjAltName to
identify the entity (at least Firefox does and I believe the spec (I
don't recall the RFC number) does call for such behavior). It appears
idm-console has not been so coded.

> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
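The question at the end of the thread is which identifiers in a server certificate a client may accept. The rule the browsers follow comes from RFC 2818 section 3.1: if the certificate carries dNSName entries in subjectAltName they must be used and the Common Name is not consulted; a URL given as an IP literal matches only an iPAddress subjectAltName entry that equals it exactly; RFC 6125 further restricts wildcards to a whole leftmost label. The following is an added example, not code from the thread or from the console project: a small Python implementation of those matching rules, with the identifiers the thread lists for the admin server certificate rebuilt as a constructed sample. The `"DNS"` and `"IP"` labels and the function names are this example's own conventions, not anything the console or certutil prints.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample built from the identifiers described in the thread:
# the CN plus the dNSName and iPAddress subjectAltName entries. The exact
# IP address 10.1.1.1 is the one in the URL the console rejected.
SAMPLE_CN = "ldap01admin.ssiservices.biz"
SAMPLE_SAN: List[Tuple[str, str]] = [
    ("DNS", "ldap01.ssiservices.biz"),
    ("DNS", "ldap01"),
    ("DNS", "ldap01admin"),
    ("IP", "10.1.1.1"),
]


def _as_ip(value: str) -> Optional[ipaddress._BaseAddress]:
    """Return an IP address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard only as the whole
    leftmost label, never matching more than one label, never at top level."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # reject "f*o.example.com" and "*.com" style patterns
    if len(p_labels) != len(h_labels):
        return False  # "*.example.com" does not cover "a.b.example.com"
    return p_labels[1:] == h_labels[1:]


def identity_matches(requested: str, san: List[Tuple[str, str]],
                     cn: Optional[str] = None) -> bool:
    """Decide whether the host part of the URL the user typed is an identity
    the certificate asserts, following RFC 2818 section 3.1."""
    req_ip = _as_ip(requested.strip("[]"))  # strip brackets of an IPv6 URL host
    if req_ip is not None:
        # An IP literal matches only an iPAddress SAN entry, never a dNSName
        # entry or the CN, and the match must be exact.
        return any(kind == "IP" and _as_ip(val) == req_ip for kind, val in san)
    dns_entries = [val for kind, val in san if kind == "DNS"]
    if dns_entries:
        # dNSName entries present: they are the identity, the CN is ignored.
        return any(_dns_matches(p, requested) for p in dns_entries)
    # Fallback to the CN only when the certificate has no dNSName entries.
    return cn is not None and _dns_matches(cn, requested)


def mismatch_reason(requested: str, san: List[Tuple[str, str]],
                    cn: Optional[str] = None) -> str:
    """A short explanation a client could show instead of a bare cert warning."""
    if identity_matches(requested, san, cn):
        return "ok"
    if _as_ip(requested.strip("[]")) is not None:
        return "no iPAddress SAN entry equals the requested IP literal"
    if any(kind == "DNS" for kind, _ in san):
        return ("no dNSName SAN entry matches the requested host "
                "(the CN is not consulted when dNSName entries exist)")
    return "the certificate has no dNSName entries and the CN does not match"


if __name__ == "__main__":
    for host in ("ldap01", "ldap01admin", "10.1.1.1", "10.1.1.2",
                 "ldap01admin.ssiservices.biz"):
        print(f"{host:30s} -> {mismatch_reason(host, SAMPLE_SAN, SAMPLE_CN)}")
```

Run against the constructed sample, `ldap01`, `ldap01admin` and `10.1.1.1` all match, so a client applying these rules would accept the IP-literal URL that the console in the thread rejected. One caveat worth noticing: under the strict RFC 2818 rule, `ldap01admin.ssiservices.biz` does not match, because it appears only in the CN and the certificate already carries dNSName entries; a client that accepts it, as the console in the thread did, is falling back to the CN when the standard says not to.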