[Freeipa-users] Public CA signed Certificate import failure

James Roman james_roman at ssaihq.com
Tue Jul 21 14:12:02 UTC 2009


Rob Crittenden wrote:
> James Roman wrote:
>> First off, thanks Rob for the direction on creating a certificate. 
>> After reading up on Mozilla's NSS, I think I've got a pretty fair 
>> grounding.
>>
>> So I successfully generated a CSR and had it signed. I imported my 
>> certificate and CA chain into the NSS database and exported it to a 
>> PKCS12 cert. I am primarily concerned with using the public cert on 
>> the HTTP interface. However, when I go to import it using 
>> ipa-server-certificate, it chokes on the names in the CA certificate 
>> chain. (One of the certs uses full website address for the name.) I 
>> can manually import each of the certificates in the CA chain using 
>> certutil on the /etc/httpd/alias directory.
>
> What do you mean by choke? Do you have a python backtrace or can you 
> send me the ipaserver-install.log?
Here is what I get when importing the p12 file using 
"ipa-server-certinstall". The reasons for the errors are fairly 
self-evident when you see how it parses the command line arguments.

# ipa-server-certinstall -w /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx --http_pin='mysecretpin'
an unexpected error occurred: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned non-zero exit status 255
Traceback (most recent call last):
  File "/usr/sbin/ipa-server-certinstall", line 137, in main
    server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
  File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
    cdb.trust_root_cert(server_cert[0])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert
    "-t", "CT,CT,"])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
    return ipautil.run(new_args, stdin)
  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
    raise CalledProcessError(p.returncode, ' '.join(args))
CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned non-zero exit status 255

I'm left with most of the certificate chain.
>
>> Will this work?
>> Are there any other configuration changes that I need to make the 
>> http interface function properly (like changes in the nss.conf)?
>> What about manually modifying the directory server 
>> (/etc/dirsrv/slapd-KRBDOMAIN)?
>>
>
> What distro are you using?
>
> rob
Fedora 9
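The nickname in the traceback above ends with a stray `"` and the first half of the subject DN, which is what you get if a listing line of the form `"<nickname>" [<subject>]` is cut between its first and last double quote and the subject itself contains a quoted value (`O="The Go Daddy Group, Inc."`). The following is an added example, not code from this thread or from FreeIPA: it reproduces that fragile cut on a constructed listing line, parses the same line correctly, and builds the `certutil -M` argument vector as a list so that a nickname containing spaces, colons or quotes needs no escaping. The listing-line format and the `naive_nickname` cut are assumptions inferred from the traceback, not FreeIPA's actual parser.

```python
import re
import shlex

# Constructed sample line, modelled on the nickname and subject visible in
# the traceback.  Assumption: real pk12util/certutil output may differ in
# shape; the point is the quoted-value-inside-the-subject hazard.
SAMPLE_LISTING = (
    '"Builtin Object Token:Go Daddy Class 2 CA" '
    '[OU=Go Daddy Class 2 Certification Authority,'
    'O="The Go Daddy Group, Inc.",C=US]'
)

# Nickname is the first balanced pair of double quotes; the bracketed
# subject may itself contain quotes and commas, so it is matched greedily
# only after the nickname has been consumed.
_LISTING_RE = re.compile(r'^"(?P<nick>[^"]*)"\s*\[(?P<subject>.*)\]$')


def parse_listing_line(line):
    """Return (nickname, subject) from a '"nick" [subject]' line."""
    m = _LISTING_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised listing line: %r" % line)
    return m.group("nick"), m.group("subject")


def naive_nickname(line):
    """Hypothetical fragile cut: text between the first and the last '"'.

    Works only while the subject contains no quoted value; on the sample
    line it yields exactly the corrupted name seen in the traceback."""
    return line[line.find('"') + 1:line.rfind('"')]


def trust_root_cert_args(dbdir, nickname, trust="CT,CT,"):
    """Argument vector for `certutil -M`, to be run with subprocess as a
    list (no shell).  Each element is one argv entry, so whitespace, ':'
    and '"' inside the nickname reach certutil untouched."""
    return ["/usr/bin/certutil", "-d", dbdir, "-M", "-n", nickname, "-t", trust]


def loggable(args):
    """Shell-quoted rendering for log/error messages.  Plain ' '.join(args)
    (as in the traceback) hides where one argument ends and the next
    begins, which makes a mis-parsed nickname hard to spot."""
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    nick, subject = parse_listing_line(SAMPLE_LISTING)
    print("parsed nickname :", nick)
    print("parsed subject  :", subject)
    print("naive nickname  :", naive_nickname(SAMPLE_LISTING))
    print("argv for -M     :", trust_root_cert_args("/etc/httpd/alias", nick))
    print("as logged       :", loggable(trust_root_cert_args("/etc/httpd/alias", nick)))
```

Running it prints the cleanly parsed nickname alongside the cut-off one, and the logged command line shows each argument individually quoted, so a nickname that has swallowed part of the subject is visible at a glance instead of blending into the `-n ... -t` text.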