[Freeipa-users] CA cert issues
Orion Poplawski
orion at cora.nwra.com
Wed Jan 16 23:52:24 UTC 2013
On 01/16/2013 04:28 PM, Orion Poplawski wrote:
> I've installed ipa 2.2 on EL6. I initially simply did an ipa-server-install.
> Then I changed the cert used via ipa-server-certinstall to use a wildcard
> SSL cert issued by Comodo. This has led to a lot of grief and needing to
> install the Comodo CA chain into lots of SSL dbs.
>
> Now I'm looking at replicating the server with:
>
> ipa-replica-prepare ipapub.cora.nwra.com
> --dirsrv_pkcs12=STAR_cora_nwra_com.p12 --dirsrv_pin=xxxxx
> --http_pkcs12=STAR_cora_nwra_com.p12 --http_pin=xxxxxx
>
> But I get:
>
> Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
> Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
> Creating SSL certificate for the dogtag Directory Server
> ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM"
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
> trusted by the user.)
> preparation of replica failed: cannot connect to
> 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
> -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
> as not trusted by the user.
> cannot connect to
> 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
> -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
> as not trusted by the user.
> File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
> main()
>
> File "/usr/sbin/ipa-replica-prepare", line 353, in main
> export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert",
> replica_fqdn, subject_base)
>
> File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
> raise e
>
> Any suggestions?
>
> I don't really understand how the dogtag ca fits in with this scenario. Should
> I just get rid of it? Can I?
>
I (re?) added the dogtag ca cert to the /etc/httpd/alias db:
certutil -d /var/lib/pki-ca/alias/ -L -n 'caSigningCert cert-pki-ca' -a >
IPACA.asc
certutil -d /etc/httpd/alias -A -n 'IPA CA' -i IPACA.asc -t CTu,Cu,Cu
Now I get:
Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
Creating SSL certificate for the dogtag Directory Server
Certificate issuance failed
/var/log/pki-ca/debug shows:
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter
requestor_name='IPA Installer'
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter
xmlOutput='true'
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter
profileId='caIPAserviceCert'
[16/Jan/2013:16:46:35][http-9444-2]: End of ProfileSubmitServlet Input Parameters
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: start serving
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: SubId=profile
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: isRenewal false
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: profileId
caIPAserviceCert
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authenticator
raCertAuth found
[16/Jan/2013:16:46:35][http-9444-2]:
ProfileSubmitServlet:setCredentialsIntoContext() authIds` null
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmistServlet: set Inputs into
profile Context
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: set
sslClientCertProvider
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: start
[16/Jan/2013:16:46:35][http-9444-2]: authenticator instance name is raCertAuth
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: got provider
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: retrieving client
certificate
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: No SSL Client
Certs Found
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authentication
error Invalid Credential.
What cert needs to be created? Aren't I already specifying the certs for the
new server?
Thanks.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 http://www.nwra.com
More information about the Freeipa-users
mailing list