Centrify DirectControl 5.2.3 on All Versions of RedHat Enterprise Linux
Problem:
CA root certificates pushed via GPO are copied to the folder /var/centrify/net/certs/, but they are not appended to the /etc/pki/tls/certs/ca-bundle.crt file.
Running curl then produces the following error:
[root@centrify /]# curl https://example.centrify.com
curl: (77) error setting certificate verify locations:
With the cURL shipped in Centrify DirectControl 5.2.3 and earlier, a non-standard CA store (/usr/share/centrifydc/certs/ca-certs.crt) is referenced instead of the system default CA store.
On RHEL, cURL is configured by default to use the CA bundle at /etc/pki/tls/certs/ca-bundle.crt, unless it was built with a different path via the '--with-ca-bundle' configure option. This matches the OpenSSL default.
When curl is run without the --cacert option, the GPO-pushed CA root certificate is not present in the default ca-bundle.crt, so SSL verification fails.
Workaround:
Apply the 'CertGP-patch.zip' patch attached to this KB.
The patch contains modified versions of rhel_certgp.pl and the curl wrapper script, which append the CA root certificate to the system default store (/etc/pki/tls/certs/ca-bundle.crt).
After unzipping the package, please:
- copy the rhel_certgp.pl to /usr/share/centrifydc/mappers/machine/
- copy the curl to /usr/share/centrifydc/bin/
To apply the changes immediately:
- Run '/usr/bin/adgpupdate'
- Check /etc/pki/ca-trust/source/anchors/ to list the files. The pushed GPO trusted certificates are named as trust_*.cert.
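To confirm the workaround actually took effect for curl (rather than only checking the anchors directory), the following added checker, which is not part of the patch or Centrify's code, reports which GPO-pushed certificates in /var/centrify/net/certs/ are still absent from /etc/pki/tls/certs/ca-bundle.crt by comparing SHA-256 fingerprints of the DER bodies; the sample PEM blocks at the bottom are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
from pathlib import Path

# Paths named in the KB: where GPO drops the certs and the RHEL default bundle.
GPO_CERT_DIR = Path("/var/centrify/net/certs")
SYSTEM_BUNDLE = Path("/etc/pki/tls/certs/ca-bundle.crt")

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """Return the hex SHA-256 fingerprint of every certificate in a PEM text."""
    fps = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # strip line breaks
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def missing_from_bundle(gpo_pems, bundle_text):
    """gpo_pems maps file name -> PEM text. Returns names not fully in the bundle."""
    present = set(pem_fingerprints(bundle_text))
    missing = []
    for name, text in gpo_pems.items():
        fps = pem_fingerprints(text)
        # A file with no parseable PEM block is reported too: curl cannot use it.
        if not fps or any(fp not in present for fp in fps):
            missing.append(name)
    return missing


def check_system(cert_dir=GPO_CERT_DIR, bundle=SYSTEM_BUNDLE):
    """Run the check against the live host (hypothetical helper for RHEL)."""
    pems = {p.name: p.read_text() for p in sorted(cert_dir.glob("*")) if p.is_file()}
    bundle_text = bundle.read_text() if bundle.exists() else ""
    return missing_from_bundle(pems, bundle_text)


def _fake_pem(payload):
    """Constructed sample: arbitrary bytes wrapped as a PEM block, not a real cert."""
    b64 = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


SAMPLE_GPO_CERTS = {"trust_corp-root.cert": _fake_pem(b"corp-root-ca"),
                    "trust_issuing.cert": _fake_pem(b"issuing-ca")}
# Constructed bundle: a distro CA plus the corp root, but the issuing CA was never appended.
SAMPLE_BUNDLE = _fake_pem(b"distro-ca") + SAMPLE_GPO_CERTS["trust_corp-root.cert"]

if __name__ == "__main__":
    print("missing from sample bundle:", missing_from_bundle(SAMPLE_GPO_CERTS, SAMPLE_BUNDLE))
```

On a real host, run check_system() after adgpupdate; an empty list means every pushed CA is in the bundle curl reads without --cacert.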
This is fixed in version 5.3.0 of Centrify DirectControl (Suite 2016).
Note:
There are a few limitations with this workaround and fix:
- Centrify only supports /etc/pki/tls/certs/ca-bundle.crt as the default system store location. For a cURL build that uses a location other than this default, pass --cacert <path-to-store> to override it when invoking cURL.
- For openssl s_client, the -CAfile option must be used to point to the default store, /etc/pki/tls/certs/ca-bundle.crt. This limitation comes from the openssl s_client command itself.