[Freeipa-users] CA cert issues

Orion Poplawski orion at cora.nwra.com
Wed Jan 16 23:52:24 UTC 2013


On 01/16/2013 04:28 PM, Orion Poplawski wrote:
> I've installed ipa 2.2 on EL6.  I initially simply did an ipa-server-install.
>   Then I changed the cert used via ipa-server-certinstall to use a wildcard
> SSL cert issued by Comodo.  This has led to a lot of grief and needing to
> install the Comodo CA chain into lots of SSL dbs.
>
> Now I'm looking at replicating the server with:
>
> ipa-replica-prepare ipapub.cora.nwra.com
> --dirsrv_pkcs12=STAR_cora_nwra_com.p12 --dirsrv_pin=xxxxx
> --http_pkcs12=STAR_cora_nwra_com.p12 --http_pin=xxxxxx
>
> But I get:
>
> Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
> Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
> Creating SSL certificate for the dogtag Directory Server
> ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM"
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
> trusted by the user.)
> preparation of replica failed: cannot connect to
> 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
> -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
> as not trusted by the user.
> cannot connect to
> 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
> -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
> as not trusted by the user.
>    File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
>      main()
>
>    File "/usr/sbin/ipa-replica-prepare", line 353, in main
>      export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert",
> replica_fqdn, subject_base)
>
>    File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
>      raise e
>
> Any suggestions?
>
> I don't really understand how the dogtag ca fits in with this scenario. Should
> I just get rid of it?  Can I?
>

I (re?) added the dogtag ca cert to the /etc/httpd/alias db:

certutil -d /var/lib/pki-ca/alias/ -L -n 'caSigningCert cert-pki-ca' -a > IPACA.asc

certutil -d /etc/httpd/alias -A -n 'IPA CA' -i IPACA.asc -t CTu,Cu,Cu

Now I get:

Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
Creating SSL certificate for the dogtag Directory Server
Certificate issuance failed

/var/log/pki-ca/debug shows:

[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter 
requestor_name='IPA Installer'
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter 
xmlOutput='true'
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter 
profileId='caIPAserviceCert'
[16/Jan/2013:16:46:35][http-9444-2]: End of ProfileSubmitServlet Input Parameters
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: start serving
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: SubId=profile
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: isRenewal false
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: profileId 
caIPAserviceCert
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authenticator 
raCertAuth found
[16/Jan/2013:16:46:35][http-9444-2]: 
ProfileSubmitServlet:setCredentialsIntoContext() authIds` null
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmistServlet: set Inputs into 
profile Context
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: set 
sslClientCertProvider
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: start
[16/Jan/2013:16:46:35][http-9444-2]: authenticator instance name is raCertAuth
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: got provider
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: retrieving client 
certificate
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: No SSL Client 
Certs Found
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authentication 
error Invalid Credential.

What cert needs to be created?  Aren't I already specifying the certs for the 
new server?

Thanks.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
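As an added diagnostic script (not part of the thread, and not FreeIPA's own code), this parses a `certutil -L` listing and checks the two conditions behind the errors above: the IPA CA certificate missing or lacking the C (trusted CA) flag in the SSL column, which is what yields SEC_ERROR_UNTRUSTED_ISSUER, and the RA agent certificate missing, one reason the CA would log "No SSL Client Certs Found". It assumes the agent cert's nickname is `ipaCert` in /etc/httpd/alias; the listing below is constructed.

```python
import re
import shutil
import subprocess

# Constructed sample of `certutil -d /etc/httpd/alias -L` output; the nicknames
# mirror the thread, and the RA agent cert is deliberately absent.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
COMODO RSA Domain Validation Secure Server CA                ,,
"""

# NSS trust flag letters: p P c C T u w, three comma-separated columns.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def parse_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        # Header lines, the column legend and blanks do not end in a flag triple.
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        certs[parts[0].strip()] = tuple(parts[1].split(","))
    return certs


def check_db(certs, ca_nick="IPA CA", agent_nick="ipaCert"):
    """List problems that would break TLS to the Dogtag CA from this db."""
    problems = []
    ca = certs.get(ca_nick)
    if ca is None:
        problems.append(f"{ca_nick!r} missing: issuer untrusted (SEC_ERROR_UNTRUSTED_ISSUER)")
    elif "C" not in ca[0]:
        problems.append(f"{ca_nick!r} lacks the C flag in the SSL column: {','.join(ca)}")
    agent = certs.get(agent_nick)
    if agent is None or "u" not in agent[0]:
        problems.append(f"{agent_nick!r} (RA agent cert with private key) not usable as SSL client cert")
    return problems


def check_live(db="/etc/httpd/alias"):
    """Run the check against a real NSS db; returns None when certutil is absent."""
    if shutil.which("certutil") is None:
        return None
    out = subprocess.run(["certutil", "-d", db, "-L"], capture_output=True, text=True)
    return check_db(parse_listing(out.stdout))
```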
