Re: idm-console does not accept cert

John A. Sullivan III wrote:
> On Sat, 2009-01-17 at 19:59 -0500, John A. Sullivan III wrote:
> > Hello, all.  We are working on implementing SSL on our directory server.
> > Our test environment is using Centos using console framework 1.1.1 and
> > ds centos-ds-8.0.0-1.4.el5.centos.4.  When we attempt to login to
> > centos-idm-console, we receive an error that the certificate this server
> > presents is either untrusted or unknown.  When we view the cert, the
> > note under details says "Untrusted issuer".  However, if we look in
> > Manage Certificates for the Administration Server (I assume the console
> > is logging into the Administration Server but the same is true for the
> > Directory Server), we see the CA cert as trusted and see the certificate
> > chain.  Everything looks correct.  Why is the console not trusting the
> > CA cert? Is it looking for it someplace else? If so, where?
>
> More details:
> I'm assuming the problem is the CA cert.  The admin server cert details
> are:
> cn=ldap01admin.ssiservices.biz
> There are DNS entries in subjAltName of:
> ldap01.ssiservices.biz
> ldap01
> ldap01admin
> and there is an IP address entry.
>
> I get the same problem connecting to
> https://ldap01admin.ssiservices.biz:9830 as
> https://ldap01.ssiservices.biz:9830
>
> On a lark, I took a look in my home directory and, sure enough, found
> a .centos-idm-console directory.  I entered it and issued the following
> command to import the CA cert into the individual user's database:
>
> certutil -A -d . -n "CA certificate" -t "CT,," -a \
>     -i /etc/dirsrv/admin-serv/SSICA.pem
>
> It all works now.  Perhaps I overlooked it but I did not see that step
> in the documentation.

Please file a doc bug.

The way it should work is if there is no CA cert, you should get a dialog
asking you if you want to temporarily accept the connection. Is it possible
there was an old CA cert in ~/.centos-idm-console/cert8.db?

> I've also noticed that the manage certificate dialogs reverse the OU and
> O fields on the details page.

This has been fixed and the fix will be in the next release.

> Finally, it appears idm-console can use the entries in the subjAltName,
> i.e., I can login using both ldap01 and ldap01admin for the host but it
> does not like the IP field, i.e., I cannot login to
> https://10.1.1.1:9830 without generating a cert warning - John

I'm not sure if IP addresses are supposed to play well with subjectAltName -
do other software packages work like this? I'm not sure what the standards
say about this.
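The thread turns on two separate checks: whether the CA is present in the console's per-user NSS database (~/.centos-idm-console) with the "C" trust flag in the SSL column that the certutil command above sets, and whether the host typed into the console URL matches one of the server certificate's subjectAltName entries. The script below is an added example for reproducing both checks offline; it is not code from the thread or from the directory server project. The certutil listing text and the subjectAltName list (the thread names the DNS entries but not the IP value, so 10.1.1.1 is taken from the URL John tried) are constructed samples. The name matching follows RFC 2818 section 3.1: an IP literal in the URL is compared against iPAddress entries only, and a hostname against dNSName entries.

```python
"""Reproduce the two checks behind the console's 'Untrusted issuer' / cert
warning: CA trust flags in the user's NSS database, and subjectAltName
matching for the host in the console URL. Example code, not the project's."""
import ipaddress
import re
import subprocess
from pathlib import Path

# Constructed sample of `certutil -L -d ~/.centos-idm-console` output.
# Column format: nickname, then the SSL,S/MIME,JAR trust flags.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert                                                  u,u,u
"""

# Constructed subjectAltName set modelled on the cert described in the thread.
SAMPLE_SAN = [
    ("DNS", "ldap01.ssiservices.biz"),
    ("DNS", "ldap01"),
    ("DNS", "ldap01admin"),
    ("IP", "10.1.1.1"),  # assumed value; the thread only says an IP entry exists
]


def parse_certutil_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from a listing."""
    certs = {}
    for line in text.splitlines():
        # A cert line starts at column 0 and ends in three comma-separated
        # flag groups; the header lines do not fit this shape.
        m = re.match(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$", line)
        if m:
            certs[m.group(1).strip()] = tuple(m.group(2).split(","))
    return certs


def ca_trusted_for_ssl(certs, nickname):
    """True when the nickname exists and its SSL column carries 'C'
    (trusted CA for server certs), which is what -t "CT,," grants."""
    flags = certs.get(nickname)
    return flags is not None and "C" in flags[0]


def san_matches(requested_host, san_entries):
    """Match the URL host against SAN entries per RFC 2818 section 3.1."""
    try:
        ip = ipaddress.ip_address(requested_host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: only an iPAddress entry counts, and it must be exact.
        return any(t == "IP" and ipaddress.ip_address(v) == ip
                   for t, v in san_entries)
    host = requested_host.lower().rstrip(".")
    for t, v in san_entries:
        if t != "DNS":
            continue
        pattern = v.lower().rstrip(".")
        if pattern == host:
            return True
        # Wildcard allowed only as the whole leftmost label.
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False


def diagnose(certs, ca_nickname, requested_host, san_entries):
    """Return a list of reasons the console would warn; empty means clean."""
    problems = []
    if not ca_trusted_for_ssl(certs, ca_nickname):
        problems.append("CA %r missing or not trusted for SSL in user db"
                        % ca_nickname)
    if not san_matches(requested_host, san_entries):
        problems.append("host %r not covered by subjectAltName"
                        % requested_host)
    return problems


def list_user_console_db(db_dir=Path.home() / ".centos-idm-console"):
    """Read the live per-user database with certutil (not used offline)."""
    out = subprocess.run(["certutil", "-L", "-d", str(db_dir)],
                         capture_output=True, text=True, check=True).stdout
    return parse_certutil_listing(out)


if __name__ == "__main__":
    certs = parse_certutil_listing(SAMPLE_LISTING)
    for host in ("ldap01", "ldap01admin", "10.1.1.1", "10.1.1.2"):
        print(host, diagnose(certs, "CA certificate", host, SAMPLE_SAN) or "ok")
```

Run against a real machine, replace the sample listing with `list_user_console_db()`; a CA that is present but shows `,,` in the SSL column is the "old CA cert in cert8.db" case the reply raises, and the fix is the same `-t "CT,,"` import (certutil -M modifies the trust of an existing nickname in place).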


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
