Respected Contributor.

edir REST API x509: certificate specifies an incompatible key


Good day everybody

I'm trying to set up the eDirectory REST services following the steps in this URL "https://www.netiq.com/documentation/edirectory-92/edir_admin/data/t48p80wuk3nd.html", without OSP.

I've exported the following certificates via iManager:
- The certificate of the CA from eDir in b64 format (SSCert.pem)
- A standard certificate generated via iManager in a pfx format including the private key (keys.pfx)

When I start the container, it starts fine, printing the following output:

#>cat container-startup.log
Configuring eDirAPI Server...
Creating config mode file @ /etc/opt/novell/eDirAPI/conf/.configured
Generating key-pairs...Storing password securely...
Successfully written the password of admin,sa,system to the local secret config file
Setting IDCONSOLEMODE from Environment to false

However, the edirapi.log throws the following error:

#>cat edirapi.log
{"ldapServer":"192.168.56.202:636","level":"fatal","msg":"LDAP Result Code 200 \"Network Error\": x509: certificate specifies an incompatible key usage","time":"Friday, 11-Sep-20 02:06:49 UTC"}

I've tried different combinations of key usages in the pfx certificate, but the error persists. I've also tried changing the "loglevel" parameter in the "edirapi.conf" file to "debug/info", but I haven't been able to get more details on this error.

Does anybody know what the correct key usage specification for this certificate is? Has anyone been able to set up this edirapi container?

We are running eDirectory for Linux x86_64 v9.2 [DS]

Thanks in advance for your help.

Accepted Solution
Respected Contributor.

Well, problem fixed. Now I'm using another eDirectory machine running 9.1 v40101.39 and it works fine.

Now I'm going to upgrade the eDir 9.2 to 9.2.3 to see if it works too.


Micro Focus Expert

It works for me with a certificate that has these key usages:

X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication

I only used OAuth mode though.

--
Norbert
Valued Contributor.

Are you running eDir 9.2 or 9.2.2?

I had the container running perfectly in April. I checked after seeing your post and I'm now getting a similar error; the only difference on the eDir server is that I upgraded to 9.2.2. I'll recreate the certs and try; if not, I'll roll back the server to 9.2 and try again.

Valued Contributor.

How did you create your certs?

I've tested my instance without OSP today; the server is SLES12SP4, eDirectory 9.21, iManager 3.2.1. I created a new server certificate, selected the certificate for export, selected export private key and entered the pfx password (this will default to the PKCS12 format), saved the cert and renamed it to keys.pfx, purely to follow the docs. I selected the existing ORG CA cert for export, unchecked the export private key option and chose base64 as the export format, saved the file and renamed it to SSCert.pem, again to follow the docs for consistency.

I copied them to the server and ran through the instructions again after deleting the old container and volume. I started the container and it worked; I have tested the API in Postman and I have full functionality.

Did you use the custom server cert mechanism? I used the standard option when creating the server cert for the pfx export.

I have opened up my pfx cert to get the usage information: the server cert section has Key Usages Digital Signature and Key Encipherment. The ORG CA certificate section has usage of Digital Signature.

Respected Contributor.

Hi,

I'm running eDir 9.2 and created the certs just like you in iManager 3.2.0. The only difference is that I'm running Docker on an Ubuntu machine.

Let me try with SLES and let you know how it goes.

Regards

Respected Contributor.

Hi, still the same error.

I tried creating the certificate with the custom and standard option on iManager.

My pfx cert has Key Usage: Digital Signature, Key Encipherment (a0).

edirapi.log:

{"ldapServer":"192.168.56.30:636","level":"fatal","msg":"LDAP Result Code 200 \"Network Error\": x509: certificate specifies an incompatible key usage","time":"Tuesday, 15-Sep-20 19:56:36 UTC"}

container-startup.log:

Configuring eDirAPI Server...
Creating config mode file @ /etc/opt/novell/eDirAPI/conf/.configured
Generating key-pairs...Storing password securely...
Successfully written the password of admin,sa,system to the local secret config file
Setting IDCONSOLEMODE from Environment to false
Setting IDCONSOLEMODE from Environment to false

Docker running on SLES15 SP1

iManager: 3.2.0

eDir: eDirectory 9.2 v40201.39

edirApi: 6b20045d32474d068a2156df16d1c02f eDirAPI_100.tar.gz

Any advice?

Valued Contributor.

I can't think of anything unless something is wrong with the cert itself.

Do they look normal in view on SLES?

I see in mine that the SSCert.pem is a verified-by-NICI machine cert, usage Digital Signature, not critical.

The keys.pfx cert has 3 sections.

The first section has the cert nickname from creation denoting that it is a Private RSA key, no usage.

The second is the cert nickname, but this is the server cert; it contains the server name the cert was created from, the ORG name, issuer name etc., usage: Key Encipherment and Digital Signature, critical: no.

The third is the ORG CA chain; this has the ORG CA and issuer information, usage: Digital Signature, critical: no.

I'm not sure if there are any differences between SLES12 and 15; there shouldn't be from an eDirectory perspective. Both my eDirectory and Docker EE servers are SLES12SP4, nothing special in the build. I think I built the Docker one from media; the eDirectory server was built from my HTTP build source, which is a pretty standard build I use for production servers.

Valued Contributor.

I was looking at the error and the (a0) element, and I can't find a reference to it in eDir, but I can find a reference to it in MS; it seems to be the hex equivalent of the two key usages. I don't see this when I open the cert on SLES with view. It might only be a view thing, but you never know.

If it is something the CA doesn't understand, I would imagine it would throw a key usage error.

Respected Contributor.

Hi,

Yes, the (a0) element is just in the Windows cert view; I open the cert on SLES and it just displays Usages: "Digital signature and Key encipherment".

Like Norbert says in the other post, I think it might be a problem with the LDAPS cert of my LDAP server. I'm using the default SSL CertificateDNS.

I attach my keys.pfx and SSCert.pem in case you can take a look at them.

Regards

Micro Focus Expert

LDAP Result Code 200 \"Network Error\": x509: certificate specifies an incompatible key usage

This might actually refer to the certificate of your LDAP server rather than the one for the eDirAPI container.

What does that certificate look like?

--
Norbert
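The quoted message is the exact wording Go's crypto/x509 verifier returns when no chain from the presented certificate to a trusted root carries the extended key usage the client requires (serverAuth for a TLS server), which is why the LDAPS server certificate, not the pfx, is the one to inspect. The following is an added example, not code from this thread or from the eDirAPI container: it builds two constructed self-signed stand-ins for the LDAP server certificate (hostname ldap.example.test and the keys are made up), one with the serverAuth and clientAuth EKUs Norbert listed and one with clientAuth only, and runs the same verification a Go TLS client performs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a constructed, self-signed stand-in for the LDAP server
// certificate (hostname and key are made up) carrying the given extended key usages.
func selfSigned(eku ...x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ldap.example.test"},
		DNSNames: []string{"ldap.example.test"}, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// ServerAuthOK runs the check a Go TLS client applies to a server certificate:
// chain to a trusted root and require the serverAuth EKU on every cert in the chain.
func ServerAuthOK(cert, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// Demo verifies one cert with Norbert's EKUs and one with clientAuth only.
func Demo() (goodErr, badErr error) {
	good := selfSigned(x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
	bad := selfSigned(x509.ExtKeyUsageClientAuth)
	return ServerAuthOK(good, good, "ldap.example.test"), ServerAuthOK(bad, bad, "ldap.example.test")
}

func main() {
	good, bad := Demo()
	fmt.Println("serverAuth+clientAuth EKU:", good)
	fmt.Println("clientAuth-only EKU:", bad)
}
```

To check a real LDAPS endpoint, parse its DER certificate with x509.ParseCertificate, use the ORG CA from SSCert.pem as the root, and pass the server's hostname; `openssl x509 -noout -ext extendedKeyUsage -in <server-cert.pem>` shows the same field directly.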
Respected Contributor.

I was using the default SSL CertificateDNS; I also changed it to a new cert created in iManager and still got the same error.

At this moment I'm evaluating the same scenario with another version of eDir to see if the error is fixed.
