On Fri, Mar 06, 2020 at 08:09:59AM -0000, Hristina Marosevic wrote:
Hello,
I got an error message: "Certificate is not valid"
So, I am not sure what should this mean? Is it because the trust (path to CA cert) isn't stored in the sssd configuration? Here I have a root CA and an intermediate CA. This can be the only option I can think of, so far because it is still valid considering expiration time, and it is not revoked (there is also no change in sssd configuration regarding OCSP (should I do something about this or sssd will by default check the provided CRL list given by URL in the certificate?), but there is a link of the CRL in the certificate provided by LDAP to sssd which - maybe can not be reached because this machine is not connected to Internet - in this case is it possible to use offlice copy of the CRL list on the local machine? )
sssd_ssh.log: .... (Fri Mar 6 08:50:11 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x0080): Certificate [MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQotCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEyMQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JAxGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1gxbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxEw62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZb/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGBaxQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVo q80UGgwHQYDVR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMFUwUwYHKoMOAwMCBDBIMCEGCCsGAQUFBwIBFhVodHRwOi8vcGtpLmdvdi5rei9jcHMwIwYIKwYBBQUHAgIwFwwVaHR0cDovL3BraS5nb3Yua3ovY3BzMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovY3JsL25jYV9yc2FfdGVzdC5jcmwwPgYDVR0uBDcwNTAzoDGgL4YtaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jcmwvbmNhX2RfcnNhX3Rlc3QuY3JsMHEGCCsGAQUFBwEBBGUwYzA4BggrBgEFBQcwAoYsaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jZXJ0L25jYV9yc2FfdGVzdC5jZXIwJwYIKwYBBQUHMAGGG2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovb2NzcDANBgkqhkiG9w0BAQsFAAOCAgEACnYpytjbyuV3sRojnlyxEC7HG7BgcDDy6rS/kfOtK6X5+MGCT/zvwksZOumN5Jg5TPdJuKt3ebKJGIBVr474mHFk7Nq0F8WxuAWNffjoL0Lvcuon4Zwq/W8h4t6PYutD4NEauIPEa8X8BGPgMn+YqOc3sfEruXh8rmcSJ/zuT7uw1wD6ZQlNsniioengKIgapDVDHuzoV/r//rEANwIpntAyjXFh+fjx+CDCx2sLxYjlVgyxNzT53mD6ZqsMlg6NrajJe/GvS0A38jKNyxW/DPX06NToWP/hu7M4P2/WiskjKVgOxqQcc4yzTfKV41DmEmGGC7sT1r3YeZ4dH/KQRpjowBOSKmUZq4/XR0yXXhpTDtiiRwXkQgM1p4SKE19bBqGuc76lDgmffPPPj4B+3HZqaprIIDG3YA3/W4rwUoWBQPGGCXpOBvGEQptEHItx4YiEZTQuvdCtlW585kUyol39sK v2uIo/FgycBd8NufOInGCLUgpZec4zVLZN9Shj+M20BMUh+SiGoL/kJAi2XdM922U3po9a2FbULvJfOlsFY2Z6n+TUZZVXBCUIEE6Ek4tTIGjHWj7uQVGLjw0PcHf11CtrMZO7Y+OTBb/Y0oyUY9JOyzSqhj4rt4nNkzR1vMGVYMNISoXbDgYBaAKuv2oSpG6yQdlufS8M/YWxAWw=] is not valid. ....
Hi,
this looks like some progress. Please check p11_child.log which might contain detail why SSSD thinks the certificate is not valid. By default SSSD will check the certificate with the help of the CA certificates and does OCSP if the certificate contains the needed OCSP data.
To disable OCSP, since your system cannot reach the OCSP responder, please add
certificate_verification = no_ocsp
to the [sssd] section of sssd.conf and restart SSSD. For testing you can even use 'no_verification' but this is should not be used in production (see man sssd.conf for details).
Which version of SSSD are you using? Depending on the version you might have to add the CA certificates to different locations, please check the 'ca_db' option described in man sssd.conf for details as well.
bye, Sumit
Once again, the certificate is stored in LDAP like: .. userCertificate;binary:: MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZ IhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw 0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQo tCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEy MQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JA xGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCgg EBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1g xbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxE w62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZ b/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGB axQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEF jAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVoq80UGgwHQYD VR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMFUwUwYHKoMOAwMCBDBIMCEGCCsGAQU FBwIBFhVodHRwOi8vcGtpLmdvdi5rei9jcHMwIwYIKwYBBQUHAgIwFwwVaHR0cDovL3BraS5nb3Yua3 ovY3BzMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovY3JsL25jYV9yc2Ffd GVzdC5jcmwwPgYDVR0uBDcwNTAzoDGgL4YtaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jcmwvbmNhX2Rf cnNhX3Rlc3QuY3JsMHEGCCsGAQUFBwEBBGUwYzA4BggrBgEFBQcwAoYsaHR0cDovL3Rlc3QucGtpLmd vdi5rei9jZXJ0L25jYV9yc2FfdGVzdC5jZXIwJwYIKwYBBQUHMAGGG2h0dHA6Ly90ZXN0LnBraS5nb3 Yua3ovb2NzcDANBgkqhkiG9w0BAQsFAAOCAgEACnYpytjbyuV3sRojnlyxEC7HG7BgcDDy6rS/kfOtK 6X5+MGCT/zvwksZOumN5Jg5TPdJuKt3ebKJGIBVr474mHFk7Nq0F8WxuAWNffjoL0Lvcuon4Zwq/W8h 4t6PYutD4NEauIPEa8X8BGPgMn+YqOc3sfEruXh8rmcSJ/zuT7uw1wD6ZQlNsniioengKIgapDVDHuz oV/r//rEANwIpntAyjXFh+fjx+CDCx2sLxYjlVgyxNzT53mD6ZqsMlg6NrajJe/GvS0A38jKNyxW/DP X06NToWP/hu7M4P2/WiskjKVgOxqQcc4yzTfKV41DmEmGGC7sT1r3YeZ4dH/KQRpjowBOSKmUZq4/XR 0yXXhpTDtiiRwXkQgM1p4SKE19bBqGuc76lDgmffPPPj4B+3HZqaprIIDG3YA3/W4rwUoWBQPGGCXpO BvGEQptEHItx4YiEZTQuvdCtlW585kUyol39sKv2uIo/FgycBd8NufOInGCLUgpZec4zVLZN9Shj+M2 0BMUh+SiGoL/kJAi2XdM922U3po9a2FbULvJfOlsFY2Z6n+TUZZVXBCUIEE6Ek4tTIGjHWj7uQVGLjw 0PcHf11CtrMZO7Y+OTBb/Y0oyUY9JOyzSqhj4rt4nNkzR1vMGVYMNISoXbDgYBaAKuv2oSpG6yQdluf S8M/YWxAWw=
and SSSD sees it as: (from sssd_LDAP.log)
(Fri Mar 6 08:58:10 2020) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding userCertificate [0\82\0610\82\04\19\A0\03\02\01\02\02\14}\85\99\DB]\B02\D7\8A\D28\E7\9Dwzv\A9j\90\890\0D\06\09\2A\86H\86\F7\0D\01\01\0B\05\000-1\0B0\09\06\03U\04\06\13\02KZ1\1E0\1C\06\03U\04\03\0C\15\D2\B0\D0\9A\D0\9E\203.0\20\28RSA\20TEST\290\1E\17\0D190404085454Z\17\0D210403085454Z0\81\AF1\220\20\06\03U\04\03\0C\19\D0\A2\D0\95\D0\A1\D0\A2\D0\A2\D0\9E\D0\92\20\D0\A2\D0\95\D0\A1\D0\A2\D0\A21\170\15\06\03U\04\04\0C\0E\D0\A2\D0\95\D0\A1\D0\A2\D0\A2\D0\9E\D0\921\180\16\06\03U\04\05\13\0FIIN1234567890121\0B0\09\06\03U\04\06\13\02KZ1\150\13\06\03U\04\07\0C\0C\D0\90\D0\A1\D0\A2\D0\90\D0\9D\D0\901\150\13\06\03U\04\08\0C\0C\D0\90\D0\A1\D0\A2\D0\90\D0\9D\D0\901\1B0\19\06\03U\04\2A\0C\12\D0\A2\D0\95\D0\A1\D0\A2\D0\A2\D0\9E\D0\92\D0\98\D0\A70\82\01\220\0D\06\09\2A\86H\86\F7\0D\01\01\01\05\00\03\82\01\0F\000\82\01\0A\02\82\01\01\00\8Fd^\DA\B927N?\EE\AEzW\ED\86\C6\DE8P\AB\8C\F4\1D\CA\96\F0\908\08\A1\AB4\E7\81I \BC\A1\E0}\7FZ\A5Q\EFl\CA\CD+\BF\DA\B4S\1B~\BB\F5\83\16\CB\A8Y\07>\CE\7F\BBgC\A3\81\96ff\03\1C\85\92E\14\D5\95Q\28TrU`s\99?\18\A8\E8\DE\B5\D6\98\12\BE\1F\F5\C8\CEWm\84J\D3\C9\0A\17\99\9B,\8CD\C3\AD\9507\D9\D4;\AD`Kr:d,T\19\84\89\DB\9C~IPA.\89T\CA]\9Eq\0D\1C\E9,%M\C7\F5E\C8\BCG\80\F8\DF\BFI\968jw\B5P\81E\89\E6[\FF6\A4\E7/`d-H\96\EC/\D2\F2\22\CB\89YSs%d\1A\DA\FE\20\AC\D7\F78+\96;\AC\08\88\F6\89rv\0D\B6\F4m4p\AD{\13\E2p\9E\E2h\29\A0\8F\18\16\B1B\82\C9\A5H\14\D9\FEI8\11\F3\5C\E5\E7\D9k\99\F0\C3\02\03\01\00\01\A3\82\01\C40\82\01\C00\0E\06\03U\1D\0F\01\01\FF\04\04\03\02\05\A00\1D\06\03U\1D%\04\160\14\06\08+\06\01\05\05\07\03\02\06\08\2A\83\0E\03\03\04\01\010\1F\06\03U\1D#\04\180\16\80\14\A6\8C\163\7C\B8\E85g\06>^AWU\A2\AF4Ph0\1D\06\03U\1D\0E\04\16\04\14\BA\09\EF~j\9DMP\E3/\00\12\D3\DD$\8D\A5\A9\05_0^\06\03U\1D\20\04W0U0S\06\07\2A\83\0E\03\03\02\040H0\21\06\08+\06\01\05\05\07\02\01\16\15http://pki.gov.kz/cps0#%5C06%5C08+%5C06%5C01%5C05%5C05%5C07%5C02%5C020%5C17%...<\06\03U\1D\1F\045030 1\A0/\A0-\86+http://test.pki.gov.kz/crl/nca_rsa_test.crl0%3E%5C06%5C03U%5C1D.%5C0470503%5... E8\C0\13\92\2Ae\19\AB\8F\D7GL\97^\1AS\0E\D8\A2G\05\E4B\035\A7\84\8A\13_[\06\A1\AEs\BE\A5\0E\09\9F\7C\F3\CF\8F\80~\DCvjj\9A\C8\201\B7`\0D\FF[\8A\F0R\85\81@\F1\86\09zN\06\F1\84B\9BD\1C\8Bq\E1\88\84e4.\BD\D0\AD\95n\7C\E6E2\A2]\FD\B0\AB\F6\B8\8A?\16\0C\9C\05\DF\0D\B9\F3\88\9C`\8BR\0AYy\CE3T\B6M\F5\28c\F8\CD\B4\04\C5\21\F9\28\86\A0\BF\E4$\08\B6]\D3=\DBe7\A6\8FZ\D8V\D4.\F2_:[\05cfz\9F\E4\D4e\95W\04%\08\10N\84\93\8BS\20h\C7Z>\EEAQ\8B\8F\0D\0Fpw\F5\D4+k1\93\BBc\E3\93\05\BF\D8\D2\8C\94c\D2N\CB4\AA\86>+\B7\89\CD\934u\BC\C1\95`\C3HJ\85\DB\0E\06\01h\02\AE\BFj\12\A4n\B2A\D9n}/\0C\FD\85\B1\01l] to attributes of [IIN32000000001@ldap].
BR, Hristina _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...