<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/13/2015 01:47 PM, Johnny Tan
wrote:<br>
</div>
<blockquote
cite="mid:CABMVzL2rkJOihZ=4-NEVd2w47R-P7UmfZek9FvjM035YOGa0Og@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:12.8000001907349px">On
Wed, Mar 4, 2015 at 5:56 PM, Dmitri Pal </span><span
dir="ltr"
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:12.8000001907349px"><<a
moz-do-not-send="true" href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:12.8000001907349px"> </span><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:12.8000001907349px">wrote:</span><br>
</div>
<span class="im"
style="font-family:arial,sans-serif;font-size:12.8000001907349px">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span
style="color:rgb(34,34,34)"><span class="">IPA</span> does
not use certs for communication between the instances.
It uses Kerberos. I am not sure the GoDaddy cert you
added is even used in some way by <span class="">IPA</span>.</span></div>
</blockquote>
<div><br>
</div>
</span>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">Dmitri
or Rob:</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">Could
you explain what the various uses of the <span class="">IPA</span> certs
are, then? AFAICT, the <span class="">IPA</span> masters
generate a certificate for each node in the realm. Why does it
do that? I thought it was for:</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">-
Webui/api (apache) communication over https.</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">-
LDAP binding/communication over 636 (TLS).</div>
</div>
</blockquote>
<br>
Rob would definitely know more, but IPA mostly provides certs for the
infra it serves and has limited use of the certs by itself.<br>
So here is where I know it is used:<br>
- You can issue certs for hosts and services, and the installer used to
create certs for hosts automatically, though these certs are not used
for anything and we decided not to create them automatically any
more.<br>
- You need to trust IPA in the browser so that you can do forms-based
authentication if you do not have a Kerberos ticket.<br>
- To issue certs we use Dogtag, and Dogtag understands only cert-based
authentication, so internally the communication between the
management framework and Dogtag uses SSL. This is actually why the
host-del fails. The host had a cert issued by the IPA CA, so as part of
the del operation it tries to revoke the cert, but since you
reconfigured the system to be CA-less it can't and fails.<br>
<br>
The communication between the LDAP servers is Kerberos
authenticated.<br>
<br>
<blockquote
cite="mid:CABMVzL2rkJOihZ=4-NEVd2w47R-P7UmfZek9FvjM035YOGa0Og@mail.gmail.com"
type="cite">
<div dir="ltr">
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">But
if the certs are not utilized for communication between the
instances (per statement above), what are they used for?</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">I'm
not hijacking the thread, I'm actually in the exact same
position as OP. I replaced the self-signed <span class="">IPA</span>/dogtag <span
class="">CA</span> root with one that was signed by our own <span
class="">CA</span> and am now having problems with various
cert errors during client enrollment or any other similar
activity (like doing an '<span class="">ipa</span> host-del'
directly on an <span class="">IPA</span> master).</div>
</div>
</blockquote>
<br>
We have a special tool in FreeIPA 4.2 to do this. The manual
procedure is cumbersome and leads to issues like this.<br>
<br>
<blockquote
cite="mid:CABMVzL2rkJOihZ=4-NEVd2w47R-P7UmfZek9FvjM035YOGa0Og@mail.gmail.com"
type="cite">
<div dir="ltr">
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">I
can post those details in a separate thread, but before I go
down that path, I want to better understand what the purpose
of the certs is so I can determine what's the best path
forward for us.</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">As
I understand it from the docs, there are three primary ways to
run <span class="">IPA</span> with respect to a <span class="">CA</span>:</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">-
self-signed <span class="">IPA</span> <span class="">CA</span>,
this is the default</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">-
signing the <span class="">IPA</span> <span class="">CA</span> root
with an "external"/3rd-party <span class="">CA</span></div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">-
running "<span class="">CA</span>-less" and providing all
certs with the external/3rd-party <span class="">CA</span> (depending
on what the use/purpose of the certs are, this is increasingly
becoming an attractive option but is likely also tedious in
its own right)</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
</div>
</div>
</blockquote>
<br>
You are correct here.<br>
<br>
<blockquote
cite="mid:CABMVzL2rkJOihZ=4-NEVd2w47R-P7UmfZek9FvjM035YOGa0Og@mail.gmail.com"
type="cite">
<div dir="ltr">
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">Thanks
for any insight.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Mar 4, 2015 at 5:56 PM, Dmitri
Pal <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">
<div>On 03/04/2015 04:32 PM, sipazzo wrote:<br>
</div>
<blockquote type="cite">
<div
style="color:#000;background-color:#fff;font-family:bookman
old style,new york,times,serif;font-size:13px">
<div dir="ltr">Good afternoon, we have a freeipa
3.0.42 installation running on Red Hat 6.6 with
a mix of rhel 5, rhel6 and Solaris clients. It
was originally configured with the built in
dogtag certificate CA and then one of my
co-workers added our GoDaddy certificate to the
certificate bundle. My understanding is this
cert is used for communication between the ipa
servers as well as the clients are also
configured to trust the GoDaddy certificate. We
recently had to get a new GoDaddy cert so our
old one is revoked. I need to figure out how to
either replace the existing revoked cert with
the new one or add the new one to the bundle and
then remove the revoked certificate so as not to
break anything.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Any help is appreciated. I am not
strong with certificates so the more detail you
can give the better.</div>
<div dir="ltr">Thank you.</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
</div>
</div>
You say it was running with the self-signed IPA CA and
then the GoDaddy cert was added to the bundle. How was it
added?<br>
IPA does not use certs for communication between the
instances. It uses Kerberos. I am not sure the GoDaddy
cert you added is even used in some way by IPA.<br>
It seems that your GoDaddy cert is an orthogonal trust, so
if you replaced the main key pair then you just need to
distribute your new GoDaddy cert to the clients as you did
in the first place.<span class="HOEnZb"><font
color="#888888"><br>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
<br>
--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true" href="http://freeipa.org"
target="_blank">http://freeipa.org</a> for more info on
the project<br>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
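<br>
The thread above lists where an IPA master actually presents a certificate (httpd for the web UI/API, 389-ds for LDAPS, and Dogtag, which only accepts cert-based authentication). The script below is an added example, not code from the thread or from the FreeIPA project: it probes those three listeners with openssl and reports, for each, the subject, issuer and expiry of the cert served and whether the issuer is the realm's own IPA CA or an external CA such as GoDaddy. That answers the "which cert is used where" question directly on the live server. Assumptions not stated in the thread: the default ports 443, 636 and 8443; the default IPA CA subject DN of "CN=Certificate Authority,O=&lt;REALM&gt;"; an openssl binary on PATH; and, for the optional pre-check before `ipa host-del`, that `ipa host-show --all --raw` prints the host's usercertificate attribute. Hostname and realm are placeholders.<br>

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): report which
# certificate each TLS listener on an IPA master serves and who issued it.
# Assumed (not stated in the thread): ports 443 (httpd), 636 (389-ds LDAPS),
# 8443 (Dogtag); IPA CA subject "CN=Certificate Authority,O=<REALM>";
# openssl on PATH. Hostname/realm passed on the command line are placeholders.

# classify_issuer ISSUER_LINE REALM
# ISSUER_LINE is the "issuer=..." line printed by `openssl x509 -noout -issuer`.
# Prints "ipa-ca" if the cert was issued by the realm's own IPA CA, else
# "external". Handles both the old "/O=X/CN=Y" and the newer "O = X, CN = Y"
# DN formatting that different openssl releases print.
classify_issuer() {
    issuer=$1
    realm=$2
    case "$issuer" in
        *"O = $realm"*"CN = Certificate Authority"*|*"O=$realm"*"CN=Certificate Authority"*)
            echo "ipa-ca" ;;
        *)
            echo "external" ;;
    esac
}

# probe_ipa_certs HOST REALM
# Connects to each listener, extracts the leaf certificate the server
# presents, and prints subject / issuer / notAfter plus the classification.
# Listeners that are not reachable (e.g. no Dogtag on a CA-less master)
# are skipped rather than treated as an error.
probe_ipa_certs() {
    host=$1
    realm=$2
    for port in 443 636 8443; do
        cert=$(openssl s_client -connect "$host:$port" -servername "$host" \
                   </dev/null 2>/dev/null | openssl x509 2>/dev/null) || continue
        subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
        issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
        expiry=$(printf '%s\n' "$cert" | openssl x509 -noout -enddate)
        printf '%s:%s\n  %s\n  %s\n  %s\n  issued by: %s\n' \
            "$host" "$port" "$subject" "$issuer" "$expiry" \
            "$(classify_issuer "$issuer" "$realm")"
    done
}

# host_has_ipa_cert FQDN
# Pre-check before `ipa host-del`: exit 0 if the host entry still carries a
# certificate (which host-del will try to revoke via Dogtag, and which fails
# on a CA-less master as described in the thread). Assumes the attribute is
# printed as "usercertificate" by `ipa host-show --all --raw` (assumption).
host_has_ipa_cert() {
    ipa host-show "$1" --all --raw 2>/dev/null | grep -qi '^ *usercertificate'
}

# Usage: sh probe.sh ipa.example.test EXAMPLE.TEST
if [ "$#" -ge 2 ]; then
    probe_ipa_certs "$1" "$2"
fi
```

If every listener reports "external", the IPA CA is not serving anything and the GoDaddy chain is what clients must trust; if 8443 reports "ipa-ca" while 443 and 636 report "external", the Dogtag-internal trust is still the IPA CA, which is the configuration in which an unrevokable host cert makes host-del fail.<br>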
</body>
</html>