Comments (8)
I tried creating a CA with SHA384withRSA
algorithm, all system certs were created correctly with that algorithm.
Which cert profile does IPA use to create the LDAP Server-Cert?
from pki.
The LDAP server cert is created with the profile caIPAserviceCert.
from pki.
So far I cannot reproduce the problem in a plain PKI environment. I've created some tests to issue certs using caServerCert
profile with different algorithms (see PR #4521).
In all cases the certs were issued with the correct algorithms:
SHA384withRSA
: https://github.com/dogtagpki/pki/actions/runs/5730995154/job/15531172808#step:20:56SHA512withRSA/PSS
: https://github.com/dogtagpki/pki/actions/runs/5730995154/job/15531172586#step:20:57SHA512withEC
: https://github.com/dogtagpki/pki/actions/runs/5730995154/job/15531172395#step:20:56
To my understanding there's no significant differences between the profiles in terms of algorithms:
- https://github.com/dogtagpki/pki/blob/master/base/ca/shared/profiles/ca/caServerCert.cfg
- https://github.com/freeipa/freeipa/blob/master/install/share/profiles/caIPAserviceCert.cfg
So the problem seems to be specific to IPA. Were there any recent changes in IPA that might have affected this? What changes does IPA make to the CS.cfg
that might be related to algorithms? Do you have the CA debug log from the failed test? It's not available from the link above.
from pki.
There wasn't any change in IPA related to the signing algorithm. I'm testing with the same IPA version and do one test with pki 11.3.1-1.fc38, the other with pki from the copr repo @pki/master.
With pki 11.3.1-1: the file /etc/pki/pki-tomcat/ca/CS.cfg is created with the following parameters:
ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.defaultSigningAlgorithm=SHA384withRSA
With the copr repo: the file /etc/pki/pki-tomcat/ca/CS.cfg is created with the following parameters:
ca.audit_signing.defaultSigningAlgorithm=SHA256withRSA
ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.defaultSigningAlgorithm=SHA256withRSA
ca.sslserver.defaultSigningAlgorithm=SHA256withRSA
ca.subsystem.defaultSigningAlgorithm=SHA256withRSA
To me it looks like the same call to pkispawn produces 2 different CS.cfg and that is the root cause of my issue.
from pki.
I still can't reproduce this in plain PKI environment. I've updated the tests to check those params (see PR #4524) and in all cases they are set to the correct values:
ca.signing.defaultSigningAlgorithm
: https://github.com/dogtagpki/pki/actions/runs/5740872113/job/15560270027#step:12:211ca.ocsp_signing.defaultSigningAlgorithm
: https://github.com/dogtagpki/pki/actions/runs/5740872113/job/15560270027#step:13:200ca.audit_signing.defaultSigningAlgorithm
: https://github.com/dogtagpki/pki/actions/runs/5740872113/job/15560270027#step:14:182ca.subsystem.defaultSigningAlgorithm
: https://github.com/dogtagpki/pki/actions/runs/5740872113/job/15560270027#step:15:187ca.sslserver.defaultSigningAlgorithm
: https://github.com/dogtagpki/pki/actions/runs/5740872113/job/15560270027#step:16:191
from pki.
Could you confirm that the algorithm params for pkispawn
in IPA are configured like in the test?
https://github.com/dogtagpki/pki/blob/master/.github/workflows/ca-rsa-test.yml#L54-L72
It would help if we could take a look at the CA debug logs to see what algorithm is actually used and where it came from.
from pki.
IPA installer calls pkispawn -s CA -f config_file --debug --log-file log_file
with the following config_file:
[CA]
pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert
pki_admin_cert_request_type = pkcs10
pki_admin_dualkey = False
pki_admin_email = root@localhost
pki_admin_name = admin
pki_admin_nickname = ipa-ca-agent
pki_admin_password = XXXXXXXX
pki_admin_subject_dn = cn=ipa-ca-agent,O=IPA.TEST
pki_admin_uid = admin
pki_ajp_host_ipv4 = 127.0.0.1
pki_ajp_host_ipv6 = ::1
pki_ajp_secret = 2JceR0606X6tG1Sm4KuCdau5P8qCzocDklbFtzOZkDJR
pki_audit_group = pkiaudit
pki_audit_signing_key_algorithm = SHA256withRSA
pki_audit_signing_key_size = 2048
pki_audit_signing_key_type = rsa
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_audit_signing_signing_algorithm = SHA256withRSA
pki_audit_signing_subject_dn = cn=CA Audit,O=IPA.TEST
pki_audit_signing_token = internal
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_ca_hostname = master.ipa.test
pki_ca_port = 443
pki_ca_signing_cert_path = /etc/pki/pki-tomcat/external_ca.cert
pki_ca_signing_csr_path = /root/ipa.csr
pki_ca_signing_key_algorithm = SHA256withRSA
pki_ca_signing_key_size = 3072
pki_ca_signing_key_type = rsa
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_record_create = True
pki_ca_signing_serial_number = 1
pki_ca_signing_signing_algorithm = SHA384withRSA
pki_ca_signing_subject_dn = CN=Certificate Authority,O=IPA.TEST
pki_ca_signing_token = internal
pki_ca_starting_crl_number = 0
pki_cert_chain_nickname = caSigningCert External CA
pki_cert_chain_path = /etc/pki/pki-tomcat/external_ca_chain.cert
pki_cert_id_generator = legacy
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_client_database_password =
pki_client_database_purge = True
pki_client_dir = /root/.dogtag/pki-tomcat
pki_client_pkcs12_password = XXXXXXXX
pki_configuration_path = /etc/pki
pki_default_ocsp_uri = http://ipa-ca.ipa.test/ca/ocsp
pki_dns_domainname = ipa.test
pki_ds_base_dn = o=ipaca
pki_ds_bind_dn = cn=Directory Manager
pki_ds_database = ipaca
pki_ds_hostname = master.ipa.test
pki_ds_ldap_port = 389
pki_ds_ldaps_port = 636
pki_ds_password = XXXXXXXX
pki_ds_remove_data = True
pki_ds_secure_connection = False
pki_ds_secure_connection_ca_nickname = Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_enable_proxy = True
pki_existing = False
pki_external = False
pki_external_pkcs12_password =
pki_external_pkcs12_path =
pki_external_step_two = False
pki_group = pkiuser
pki_hostname = master.ipa.test
pki_hsm_enable = False
pki_hsm_libfile =
pki_hsm_modulename =
pki_import_admin_cert = False
pki_instance_configuration_path = /etc/pki/pki-tomcat
pki_instance_name = pki-tomcat
pki_issuing_ca = https://master.ipa.test:443
pki_issuing_ca_hostname = master.ipa.test
pki_issuing_ca_https_port = 443
pki_issuing_ca_uri = https://master.ipa.test:443
pki_master_crl_enable = True
pki_ocsp_signing_key_algorithm = SHA256withRSA
pki_ocsp_signing_key_size = 2048
pki_ocsp_signing_key_type = rsa
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ocsp_signing_signing_algorithm = SHA256withRSA
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=IPA.TEST
pki_ocsp_signing_token = internal
pki_pkcs12_password =
pki_pkcs12_path =
pki_profiles_in_ldap = True
pki_random_serial_numbers_enable = False
pki_replica_number_range_end = 100
pki_replica_number_range_start = 1
pki_replication_password =
pki_request_id_generator = legacy
pki_request_number_range_end = 10000000
pki_request_number_range_start = 1
pki_san_for_server_cert =
pki_san_inject = False
pki_security_domain_hostname = master.ipa.test
pki_security_domain_https_port = 443
pki_security_domain_name = IPA
pki_security_domain_password = XXXXXXXX
pki_security_domain_user = admin
pki_self_signed_token = internal
pki_serial_number_range_end = 10000000
pki_serial_number_range_start = 1
pki_server_database_password = XXXXXXXX
pki_share_db = False
pki_skip_configuration = False
pki_skip_ds_verify = False
pki_skip_installation = False
pki_skip_sd_verify = False
pki_sslserver_key_algorithm = SHA256withRSA
pki_sslserver_key_size = 2048
pki_sslserver_key_type = rsa
pki_sslserver_nickname = Server-Cert cert-pki-ca
pki_sslserver_subject_dn = cn=master.ipa.test,O=IPA.TEST
pki_sslserver_token = internal
pki_status_request_timeout = 15
pki_subordinate = False
pki_subordinate_create_new_security_domain = False
pki_subsystem = CA
pki_subsystem_key_algorithm = SHA256withRSA
pki_subsystem_key_size = 2048
pki_subsystem_key_type = rsa
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_subsystem_subject_dn = cn=CA Subsystem,O=IPA.TEST
pki_subsystem_token = internal
pki_subsystem_type = ca
pki_theme_enable = True
pki_theme_server_dir = /usr/share/pki/common-ui
pki_token_name = internal
pki_user = pkiuser
from pki.
Thanks for the info. Apparently there's a long-standing bug that was never discovered since we probably always tested with the same key & signing algorithms, and it's now affecting IPA due to recent a cleanup that merged some of the code. I've created a PR to fix the bug: #4531
from pki.
Related Issues (20)
- No such command: builddep when building CA Container HOT 1
- Test failures on Fedora 40 HOT 9
- FreeIPA: on a replica, ipa ca-del subca fails with @pki/master repo HOT 5
- Freeipa: adding subca in loop fails with Non-2xx response from CA REST API: 500 HOT 5
- Intermittent authentication failure
- IPA test_sign_smime_csr_full_principal failed
- Intermittent EST test failure
- dogtag with podman, systemd service inactive (dead) on restart HOT 2
- Log rotation can break ipa-kra-install HOT 1
- Nightly test failure with @pki/master copr repo HOT 16
- Intermittent CertStatusUpdateTask failure
- Intermittent SerialNumberUpdateTask failure
- Occasional 500 errors / ajp_read_header: ajp_ilink_receive failed messages have started appearing
- Guidance Needed: Intermittent Unresponsiveness in Dogtag PKI Web Services in Podman Container Linked to 389ds Undefined Backend Issues HOT 2
- OCSP ansible CI error HOT 1
- IPA server installation with externally-signed CA fails (with @pki/master copr repo) HOT 3
- IPA scenario install / uninstall / install fails with @pki/master repo HOT 1
- IPA KRA install fails on a replica (@pki/master)
- ipa vault-add fails with "Unable to archive key" (@pki/master)
- IPA CA install fails on a replica (@pki/master)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pki.