Bug #24489

Document how to change CA Cert for Active Directory

Added by Michael Preissner almost 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
No priority
Assignee:
Warren Block
Category:
Documentation
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

I'm in the process of changing to a new Root CA for all my domain certs. I have an offline root, with an enterprise subordinate CA with AD CS. I've generated new server certificates for my 2012r2 domain controllers, and I've imported the root CA cert and my intermediate CA cert into FreeNAS. When attempting to change the cert used for directory services, I keep getting the following error:

{'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)'}

Using openssl s_client -connect my.domain.controller:636, I get the following output:

[root@store] /tmp# openssl s_client -connect md-hc-dc1.ad.preissner.us:636
CONNECTED
depth=1 DC = us, DC = preissner, DC = ad, CN = TPGIssuingCA-md-hc-pki1
verify error:num=20:unable to get local issuer certificate
verify return:0
---

Certificate chain
0 s:/CN=MD-HC-DC1.ad.preissner.us
i:/DC=us/DC=preissner/DC=ad/CN=TPGIssuingCA-md-hc-pki1
1 s:/DC=us/DC=preissner/DC=ad/CN=TPGIssuingCA-md-hc-pki1
i:/CN=TPGRootCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHFjCCBP6gAwIBAgITE...
-----END CERTIFICATE-----
subject=/CN=MD-HC-DC1.ad.preissner.us
issuer=/DC=us/DC=preissner/DC=ad/CN=TPGIssuingCA-md-hc-pki1
---
No client certificate CA names sent
---
SSL handshake has read 4358 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: EF0B0000600040AB58AE3EDF34E0B8069AC4417FE675CCF3F66C1F5810F08541
Session-ID-ctx:
Master-Key: EDFBF262B7B127A4AD0B855B577830AD0A432077A0692B0867CDA57828D6288B32CE1CDD79B1C2C9CFEB3AA618445938
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1497308262
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---

If I upload a copy of the Root CA cert to my FreeNAS and validate the openssl s_client connect against the CAfile I get the following:

[root@store] /tmp# openssl s_client -connect md-hc-dc1.ad.preissner.us:636 -CAfile TPGorca1_TPGRootCA.crt
CONNECTED
depth=2 CN = TPGRootCA
verify return:1
depth=1 DC = us, DC = preissner, DC = ad, CN = TPGIssuingCA-md-hc-pki1
verify return:1
depth=0 CN = MD-HC-DC1.ad.preissner.us
verify return:1
---

Certificate chain
0 s:/CN=MD-HC-DC1.ad.preissner.us
i:/DC=us/DC=preissner/DC=ad/CN=TPGIssuingCA-md-hc-pki1
1 s:/DC=us/DC=preissner/DC=ad/CN=TPGIssuingCA-md-hc-pki1
i:/CN=TPGRootCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHFjCCBP6gAwIBAgITE...
-----END CERTIFICATE-----
subject=/CN=MD-HC-DC1.ad.preissner.us
issuer=/DC=us/DC=preissner/DC=ad/CN=TPGIssuingCA-md-hc-pki1
---
No client certificate CA names sent
---
SSL handshake has read 4358 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: E0100000B390D1886BA9E8D22E21B720B8AD615028B4CD6165B70CC8920AB041
Session-ID-ctx:
Master-Key: F2206D606BB7A00ACDF748418718EE206684554B2850A0F7E0FFA61D6179CBDFAD7C085920AA53295DDBC4B1D58E0226
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1497308945
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

I've verified that the root and intermediate certificates and their respective CRLs are available at the AIA and CDPs listed in each of the CA certs (and reachable via http from the FreeNAS unit), but I can't seem to get directory services to use the new CA to validate the cert presented by my AD servers.
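The two s_client runs above show the whole problem in miniature: the domain controller sends its own certificate plus the issuing (intermediate) CA certificate, and verification succeeds only when the root that signed the issuing CA is in the client's trust store. The script below is an added example, not part of the ticket or of FreeNAS, that reproduces this offline with a throwaway two-tier PKI (an "old" root standing in for the Preissner_us CA, a new root, an issuing CA under it, and a domain controller certificate) and runs `openssl verify` with each root as the trusted CA. All names (TPGRootCA, TPGIssuingCA, dc1.example.internal, Preissner_us) are constructed; only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example (not from the ticket or FreeNAS): rebuild the reporter's situation
# with a throwaway two-tier PKI and show what "openssl verify" reports depending on
# which root CA certificate is in the trust store. Everything is generated in a
# temporary directory; no real server is contacted.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: a DN section that -subj overrides, plus the two
# extension profiles needed here (CA certificate and TLS server certificate).
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_root CN STEM: self-signed root CA written to STEM.key / STEM.crt.
make_root() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config pki.cnf \
        -subj "/CN=$1" -extensions ca_ext -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# issue_cert CN STEM CA_STEM EXT_SECTION: certificate for CN signed by CA_STEM,
# with the extensions from EXT_SECTION of pki.cnf.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 30 -extfile pki.cnf -extensions "$4" -out "$2.crt" 2>/dev/null
}

make_root "TPGRootCA" newroot                           # new offline root (constructed)
make_root "Preissner_us" oldroot                        # previously trusted root (constructed)
issue_cert "TPGIssuingCA" issuing newroot ca_ext        # enterprise subordinate CA
issue_cert "dc1.example.internal" dc issuing leaf_ext   # domain controller LDAPS cert

# verify_dc TRUST_STEM: verify the DC certificate with TRUST_STEM.crt as the
# explicitly trusted CA. The issuing CA certificate is passed as *untrusted*
# chain material, which is exactly how an LDAPS server delivers it in the
# handshake. Prints "OK" or the OpenSSL verification error text.
verify_dc() {
    openssl verify -CAfile "$1.crt" -untrusted issuing.crt dc.crt 2>&1 \
        | sed -n 's/.*: OK$/OK/p; s/.*\(unable to get [a-z ]*issuer certificate\).*/\1/p' \
        | head -n 1
}

echo "trust store holds old root: $(verify_dc oldroot)"
echo "trust store holds new root: $(verify_dc newroot)"
```

With the old root as the trust anchor, verification stops at depth 1 with "unable to get local issuer certificate" (OpenSSL error 20, the same code as in the ticket's first s_client run); with the new root it returns OK. Having the intermediate available, whether sent by the server or imported separately, never substitutes for trusting the root that signed it.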

Associated revisions

Revision 76e11adc (diff)
Added by Warren Block over 3 years ago

Show procedure to change a certificate with AD. Ticket: #24489

History

#1 Updated by John Hixson almost 4 years ago

  • Status changed from Unscreened to Screened
  • Target version set to 11.0-U1

#2 Updated by John Hixson almost 4 years ago

  • Status changed from Screened to 15

Hi Michael, just for clarity, are you saying you can't change the CA from the UI? If so, we can do some trickery to get around that if need be. I'd still like to know what it is doing currently, however. Can you verify that the CA in /etc/certificates/CA/Preissner_us.crt is correct? That is what your current configuration is set to use. If that isn't correct, let me know.

#3 Updated by Michael Preissner almost 4 years ago

The Preissner_us.crt is the old root cert I was using when teaching myself about PKI management. I've since created a new PKI using a 2-tier setup with AD CS. The root CA is offline, the issuing CA is an enterprise subordinate. The AIA and CDP locations are housed on the issuing CA server. My new root cert is TPG_Root, which I've imported via the GUI. The server certificates for my domain controllers were issued by "TPG_Issuing" (which I've also imported via GUI).

You are correct...I am unable to change the CA cert (on the Directory Services page) from the GUI.

#4 Updated by John Hixson almost 4 years ago

Michael Preissner wrote:

The Preissner_us.crt is the old root cert I was using when teaching myself about PKI management. I've since created a new PKI using a 2-tier setup with AD CS. The root CA is offline, the issuing CA is an enterprise subordinate. The AIA and CDP locations are housed on the issuing CA server. My new root cert is TPG_Root, which I've imported via the GUI. The server certificates for my domain controllers were issued by "TPG_Issuing" (which I've also imported via GUI).

You are correct...I am unable to change the CA cert (on the Directory Services page) from the GUI.

ok, try this (in this order):

1. Disable AD (and save).
2. Change CA field in AD to be empty (then save).
3. Change to new CA (then save).
4. Enable AD (and save).

Let me know if this works for you.

#5 Updated by Michael Preissner almost 4 years ago

I tried these steps, and I'm receiving the same error when I try to enable directory services. What's worse is that I can no longer enable DS even if I switch back to the Preissner_us CA.

#6 Updated by Michael Preissner almost 4 years ago

I was able to enable directory services using the old Preissner_us CA after I reinstalled the domain controller certs issued by that CA on my DC's. The only difference I'm seeing is that from the Domain Controller side, when I import the certs issued by the new CA (TPGRoot) into the NTDS\Personal store, I only see the server certificate, but when I re-import the old server certificates (issued by the Preissner_us CA), I get both the server and the CA cert. I'm curious if that might be what's causing the issue. It may be more complex than that, though, as my old CA was single-tier, and the new CA is 2-tier. Any thoughts on that?

#7 Updated by Michael Preissner almost 4 years ago

I tried installing the entire chain from the new CA into the NTDS\Personal store and restart AD services, but when trying to enable DS in FreeNAS, I still got the same error, so it doesn't appear to be related to having the entire chain in the NTDS store. For the time being, I've reinstalled the old server certs, and have set FreeNAS to use the old Preissner_us CA so I can at least use AD authentication for my shares.

#8 Updated by Michael Preissner almost 4 years ago

I've since updated to 9.10.2-U5, and the same problem exists. I am still unable to switch over to the new CA for directory services.

#9 Updated by John Hixson almost 4 years ago

Michael Preissner wrote:

I've since updated to 9.10.2-U5, and the same problem exists. I am still unable to switch over to the new CA for directory services.

Are you available at some point so that I can look at your system? We usually use teamviewer for this, would that be possible ?

#10 Updated by Michael Preissner almost 4 years ago

TeamViewer is up and running. I'll email you directly with the session info.

#11 Updated by Vaibhav Chauhan almost 4 years ago

  • Target version changed from 11.0-U1 to 11.0-U2

#12 Updated by John Hixson almost 4 years ago

Michael Preissner wrote:

TeamViewer is up and running. I'll email you directly with the session info.

I've received your email and replied. I'll try again tomorrow if you aren't available ;-)

#13 Updated by Michael Preissner almost 4 years ago

Hey John, sorry I wasn't at the keyboard when you tried to get on the other day. Let me know when will work best for you and I can arrange to be there. Also, if it helps, I can set up a VPN account for you and you can access my environment whenever it's convenient.

#14 Updated by John Hixson almost 4 years ago

Michael Preissner wrote:

Hey John, sorry I wasn't at the keyboard when you tried to get on the other day. Let me know when will work best for you and I can arrange to be there. Also, if it helps, I can set up a VPN account for you and you can access my environment whenever it's convenient.

I'm flexible, just not too early ;-) I can do teamviewer or VPN, either way. Let's just get something scheduled we both agree on.

#15 Updated by Michael Preissner almost 4 years ago

Hey John, sorry for the delayed response. I should be available most of the day today aside from some lunchtime errands and picking up the kiddo from daycare this afternoon. If today doesn't work, I can set you up with a VPN connection and domain creds so you can do whatever diag you need to without me around.

#16 Updated by John Hixson almost 4 years ago

Michael Preissner wrote:

Hey John, sorry for the delayed response. I should be available most of the day today aside from some lunchtime errands and picking up the kiddo from daycare this afternoon. If today doesn't work, I can set you up with a VPN connection and domain creds so you can do whatever diag you need to without me around.

No problem. How does Monday sound? If so, what is a good time?

#17 Updated by Michael Preissner almost 4 years ago

Any time today ought to work. I'm working from home, so I'm flexible - well, flexible any time before 4 PM eastern...

#18 Updated by Tobias Müllauer almost 4 years ago

Hello. I am starting to move over to SSL/TLS in my AD and don't know if this is the same problem or not, but I get output of

error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate), Connect error

I have imported my own self-made cert and CA from pfSense into my AD Samba server and FreeNAS. My client is working and I have verified the cert on my AD Samba server.

#19 Updated by Vaibhav Chauhan almost 4 years ago

  • Target version changed from 11.0-U2 to 11.0-U3

#20 Updated by Michael Preissner over 3 years ago

@Tobias - you're probably better off opening a fresh ticket. I have a working installation using a cert from one CA and am attempting to change to a different CA. As your situation involves the initial setup of LDAPS/LDAP-TLS, you should follow any bug tickets regarding fresh setup or open your own. Whatever we figure out here may not work for you.

@John - My availability is terrible this week. Let me know what works for you and I'll try to accommodate.

#21 Updated by John Hixson over 3 years ago

Michael Preissner wrote:

@Tobias - you're probably better off opening a fresh ticket. I have a working installation using a cert from one CA and am attempting to change to a different CA. As your situation involves the initial setup of LDAPS/LDAP-TLS, you should follow any bug tickets regarding fresh setup or open your own. Whatever we figure out here may not work for you.

@John - My availability is terrible this week. Let me know what works for you and I'll try to accommodate.

Hi Michael, we seem to keep missing each other. I'm fairly open to any time, so long as I have at least a day or two notice and we agree on it. I live in California and am on PDT. Let me know what works for you so we can get this resolved ;-) My email is john at ixsystems dot com

#22 Updated by Michael Preissner over 3 years ago

  • Seen in changed from 9.10.2-U4 to 9.10.2-U5

Email sent!

#23 Updated by Dru Lavigne over 3 years ago

  • Status changed from 15 to Unscreened

#24 Updated by John Hixson over 3 years ago

  • Status changed from Unscreened to Screened

#25 Updated by John Hixson over 3 years ago

Finally was able to connect with Michael ;-) The only issue here is it is not immediately obvious that to change a cert, the encryption mode must first be turned off. So, to change a cert, the process is:

1. Disable AD
2. Turn off encryption mode
3. Change cert
4. Enable encryption mode
5. Enable AD

#26 Updated by John Hixson over 3 years ago

This should be documented ;-)

#27 Updated by John Hixson over 3 years ago

  • Needs QA changed from Yes to No
  • QA Status deleted (Not Tested)

#28 Updated by John Hixson over 3 years ago

  • Status changed from Screened to Unscreened
  • Assignee changed from John Hixson to Release Council

#29 Updated by Dru Lavigne over 3 years ago

  • Category changed from OS to Documentation
  • Assignee changed from Release Council to Warren Block

#30 Updated by Warren Block over 3 years ago

  • Status changed from Unscreened to Screened

#31 Updated by Dru Lavigne over 3 years ago

  • Subject changed from Unable to change CA Cert for Active Directory to Document how to change CA Cert for Active Directory

#32 Updated by Warren Block over 3 years ago

  • Status changed from Screened to Resolved

#33 Updated by Dru Lavigne over 3 years ago

  • File deleted (debug-store-20170612191536.tgz)
