KB-6333: Group Policy does not update System default certificate and CRL store that cURL uses

Centrify DirectControl

23 February, 16 at 07:40 PM

Applies to:

Centrify DirectControl 5.2.3 on All Versions of RedHat Enterprise Linux


Problem:

CA root certificates pushed via GPO are copied to the folder /var/centrify/net/certs/, but they are not appended to the /etc/pki/tls/certs/ca-bundle.crt file.

Running the curl command then produces the following error:

[root@centrify /]# curl https://example.centrify.com
curl: (77) error setting certificate verify locations:
CAfile: /usr/share/centrifydc/certs/ca-certs.crt
CApath: none


Cause:

In Centrify's distribution of cURL for DirectControl 5.2.3 and earlier, a non-standard CA store (/usr/share/centrifydc/certs/ca-certs.crt) is referenced instead of the system default CA store.

On RHEL, cURL is configured by default to read the CA bundle at /etc/pki/tls/certs/ca-bundle.crt, unless it was built with a different path via the '--with-ca-bundle' option. This matches the default for openssl.

When curl is run without the --cacert option, the GPO-pushed CA root certificate is not found in the default ca-bundle.crt, so SSL verification fails.


Workaround:

Apply the 'CertGP-patch.zip' patch attached to this KB.

This patch contains a modified version of rhel_certgp.pl and of the curl wrapper script; together they append the GPO-pushed CA root certificate to the system default store (/etc/pki/tls/certs/ca-bundle.crt).

After unzipping the package, please:
  1. copy rhel_certgp.pl to /usr/share/centrifydc/mappers/machine/
  2. copy the curl wrapper script to /usr/share/centrifydc/bin/

To apply the changes immediately:
  • Run '/usr/bin/adgpupdate'

To verify:
  • List the files in /etc/pki/ca-trust/source/anchors/. The GPO-pushed trusted certificates are named trust_*.cert.
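Listing the anchors only shows that the GPO mapper ran; it does not show that the certificate reached the bundle curl actually reads. The script below is an added example written for this KB, not part of the Centrify patch or of cURL, and it closes that gap: for every trust_*.cert in the anchors directory it checks whether the same PEM certificate body is present in /etc/pki/tls/certs/ca-bundle.crt. It is plain POSIX sh plus awk and needs no openssl, because it compares the base64 body of each certificate block rather than parsing the certificate. The paths are the ones named in this KB; the file name check_ca_bundle.sh and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Centrify KB or its patch): verify that every
# GPO-pushed anchor in /etc/pki/ca-trust/source/anchors/trust_*.cert is also
# in the bundle that curl reads by default on RHEL, /etc/pki/tls/certs/ca-bundle.crt.
# No openssl needed: the base64 body of each PEM block is compared as text.

ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
BUNDLE="${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# pem_bodies FILE: print one line per certificate in FILE, the base64 body
# with all whitespace removed, so differently wrapped copies compare equal.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inblk) print body; inblk = 0; next }
        inblk { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# cert_in_bundle CERTFILE BUNDLE: return 0 if every certificate block in
# CERTFILE appears in BUNDLE, 1 if any is missing or the files are unreadable.
cert_in_bundle() {
    certfile=$1; bundle=$2
    [ -r "$certfile" ] && [ -r "$bundle" ] || return 1
    bundle_bodies=$(pem_bodies "$bundle")
    found_any=0
    for body in $(pem_bodies "$certfile"); do
        found_any=1
        # -x: whole-line match, -F: the body is a literal string, not a regex
        printf '%s\n' "$bundle_bodies" | grep -qxF "$body" || return 1
    done
    [ "$found_any" -eq 1 ]
}

# check_anchors ANCHOR_DIR BUNDLE: report each trust_*.cert; the return value
# is the number of anchors missing from the bundle (0 means all are present).
check_anchors() {
    dir=$1; bundle=$2; missing=0
    for f in "$dir"/trust_*.cert; do
        [ -e "$f" ] || { echo "no trust_*.cert files in $dir"; return 0; }
        if cert_in_bundle "$f" "$bundle"; then
            echo "OK       $f is in $bundle"
        else
            echo "MISSING  $f is not in $bundle"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Run the report only when executed as check_ca_bundle.sh (assumed file name),
# so the functions can also be sourced from another script.
if [ "${0##*/}" = "check_ca_bundle.sh" ]; then
    check_anchors "$ANCHOR_DIR" "$BUNDLE"
fi
```

A non-zero exit means at least one GPO-pushed CA is missing from the bundle, which is exactly the state that produces the curl error (77) shown above. If the curl on the host is not the distribution build, first confirm which bundle it was compiled to read with `curl-config --ca` and pass that path as BUNDLE; for a one-off request the --cacert option overrides the compiled-in path, as the Cause section notes.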


Resolution:

This is fixed in version 5.3.0 of Centrify DirectControl (Suite 2016).



Note:

There are a few limitations with this workaround and fix:
  1. Centrify only supports /etc/pki/tls/certs/ca-bundle.crt as the default system store location. For a cURL that was built with a location other than the default, users should pass --CAfile <to-store> to override it when invoking cURL.
  2. For openssl s_client, the -CAfile option must be used to point at the default store, /etc/pki/tls/certs/ca-bundle.crt. This limitation comes from the openssl s_client command itself.