Monday, March 14, 2022

[389-users] docker, 389ds/dirsrv:2.0, vendorVersion 2.1.0, ssca, certificate chain, orphan key, cert9.db, key4.db

Hi there,

I've a question regarding the docker image:
- vendorVersion: 389-Directory/2.1.0 B2022.015.0000

My scenario:

- I want to install a customer's certificate chain and run the DS with LDAPS on port 3636

My steps to reproduce:

- docker volume create 389ds
- cd /var/lib/docker/volumes/389ds/_data
- cp -r /root/389ds/tls .
- verify tls directory:

[root@ur1 _data]# ls -lR tls
total 8
drwxr-xr-x. 2 root root   64 Mar 14 16:56 ca
-rw-r--r--. 1 root root 1419 Mar 14 16:56 server.crt
-rw-r--r--. 1 root root 1675 Mar 14 16:56 server.key

total 8
-rw-r--r--. 1 root root 2384 Mar 14 16:56 XXXXXXROOTCA2015.crt
-rw-r--r--. 1 root root 2032 Mar 14 16:56 XXXXXXServerCA2015.crt
[root@ur1 _data]#

Starting the docker container with "docker-compose up -d" generates
a fresh DS, but installs a self-signed CA and cert.

  image: 389ds/dirsrv:2.0
  container_name: ur1
    -  389ds:/data
    - 3389:3389
    - 3636:3636
  restart: always

From inside the docker container I've found:

[root@ur1 _data]# docker exec -i -t ur1 /bin/bash
6b70de8c74e9:/ # cd /data
6b70de8c74e9:/data # cd config
6b70de8c74e9:/data/config # certutil -L -d .

Certificate Nickname                                         Trust Attributes

Self-Signed-CA                                               CT,,
/data/tls/ca/XXXXXXROOTCA2015.crt                            C,,  
/data/tls/ca/XXXXXXServerCA2015.crt                          C,,  
Server-Cert                                                  u,u,u
6b70de8c74e9:/data/config # certutil -K -d . -f pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      f6112f5e250e3b84034fa1272e43354d6715a3e5   (orphan)
< 1> rsa      6cc26b19c14150f6cb27aa3dee09795ed48cd8db   Server-Cert
6b70de8c74e9:/data/config #

Looks like the ssca directory and some self-signed CA and cert
get always installed, even if a complete CA chain and a server cert
is provided.

openssl s_client -connect
depth=2 C = DE, ST = XXXXXXXX, O = XXXXXXX, CN = XXXXXXX ROOT CA 2015, emailAddress =
verify error:num=19:self signed certificate in certificate chain

An orphan key doesn't look nice, but I am more worried about the unnecessary
stuff in the databases and the failing openssl certificate validation.

Feedback is very welcome :-)

Thanks and best regards,

Dipl.-Inform. Univ. Lutz Berger
Kettwiger Straße 43
45468 Mülheim an der Ruhr
Telefon: +49 208 88351714
Telefax: +49 208 88351707
Mobil: +49 173 3289783
USt-IdNr.: DE280466318

No comments:

Post a Comment