[Freeipa-users] Installing Using Existing Certificate

Benjamin Reed ranger at opennms.org
Tue Sep 6 15:56:27 UTC 2011


I've gotten a GeoTrust certificate for the host I'm attempting to put
FreeIPA onto (connect.opennms.com) and I'm now trying to set up an IPA
server on RHEL 6 and I'm running into an error.  I have a feeling I'm
missing something obvious and/or fundamental.  =)

First, I made a .pfx (PKCS12) file by taking my private key, the 2 CA
certificates from GeoTrust, and the certificate and putting them into a
.pem, then using openssl to generate a PKCS12 version of it.

Then, I ran:

ipa-server-install --http_pkcs12=/etc/pki/tls/certs/connect.pfx \
    --dirsrv_pkcs12=/etc/pki/tls/certs/connect.pfx  \
    --dirsrv_pin=XXX --http_pin=XXX

I accept all of the defaults:

---(snip!)---
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [connect.opennms.com]:

The domain name has been calculated based on the host name.

Please confirm the domain name [opennms.com]:

The IPA Master Server will be configured with
Hostname:    connect.opennms.com
IP address:  66.135.60.215
Domain name: opennms.com

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [OPENNMS.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

...

  [13/32]: enabling entryUSN plugin
  [14/32]: configuring lockout plugin
  [15/32]: creating indices
  [16/32]: configuring ssl for ds instance
Unexpected error - see ipaserver-install.log for details:
 Could not find a CA cert in /etc/pki/tls/certs/connect.pfx
---(snip!)---

...is the issue that I really need a *.opennms.com certificate, or that
I need to make my domain/realm "connect.opennms.com" ?

-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/
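The installer's complaint is specifically that it found no CA certificate inside connect.pfx, so the first thing to check is what the PKCS12 file actually carries. The script below is an added example, not from the post or the FreeIPA project: it generates a throwaway two-level test chain (root and intermediate) standing in for the two GeoTrust CA certificates, exports a PKCS12 once without and once with the chain via `-certfile`, and counts the CA certificates `openssl pkcs12 -cacerts` reads back from each bundle. File names, the password `secret`, and the `ipa.example.test` host name are assumptions. It does not decide the wildcard-versus-realm question; it only shows how to confirm the chain is present before re-running ipa-server-install.

```shell
#!/bin/sh
# Added example, not part of the original post: build a PKCS12 bundle that
# carries the CA chain alongside the server key and certificate, then inspect
# the bundle the way an operator would before handing it to ipa-server-install.
# All key material is a throwaway self-signed chain generated below (constructed
# test data standing in for a real CA's chain); file names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a two-level throwaway CA (root -> intermediate) plus a server cert.
make_test_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ipa.example.test\n' \
        > "$WORK/server.ext"

    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ipa.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1

    # The chain file is what a public CA hands you: intermediate(s) first, root last.
    cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/chain.pem"
}

# Confirm the leaf really chains to the root through the intermediate before
# packaging anything. Arguments: leaf, intermediate, root. Exit status is the result.
check_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Export a PKCS12. Pass an empty chain argument to reproduce a bundle that
# carries only the key and server cert, i.e. one with no CA cert to be found.
build_pkcs12() {
    key=$1; cert=$2; chain=$3; out=$4; pass=$5
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -out "$out" -passout "pass:$pass"
    fi
}

# Count CA certificates in a bundle: -cacerts lists every certificate that is
# not the one paired with the private key. Prints 0 when none are present.
count_ca_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Human-readable subject/issuer lines for the CA certificates in a bundle.
list_ca_subjects() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null \
        | grep -E '^(subject|issuer)=' || true
}

demo() {
    make_test_chain
    check_chain "$WORK/server.crt" "$WORK/inter.crt" "$WORK/root.crt" && echo "chain verifies"
    build_pkcs12 "$WORK/server.key" "$WORK/server.crt" "" "$WORK/nochain.pfx" secret
    echo "CA certs in nochain.pfx:   $(count_ca_certs "$WORK/nochain.pfx" secret)"
    build_pkcs12 "$WORK/server.key" "$WORK/server.crt" "$WORK/chain.pem" "$WORK/withchain.pfx" secret
    echo "CA certs in withchain.pfx: $(count_ca_certs "$WORK/withchain.pfx" secret)"
    list_ca_subjects "$WORK/withchain.pfx" secret
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh build_pfx.sh demo`: the bundle built without `-certfile` reports zero CA certificates, the one built with the chain reports two, and the subject lines show which CA certificates an installer would find. Running `count_ca_certs` against the real connect.pfx (with its PIN) is the quick way to see whether the bundle handed to `--dirsrv_pkcs12` and `--http_pkcs12` contains the GeoTrust chain at all.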