[Freeipa-users] External CA

Martin Kosek mkosek at redhat.com
Fri Nov 8 08:01:00 UTC 2013


Thanks for the heads up. You mean by the difference between "O=MW" and
"O=MELTWATER.COM"?

Petr, is this possible? Can it be validated in the installer if this is the
root cause?

Martin

On 11/08/2013 01:55 AM, William Leese wrote:
> I was able to solve this by recreating my test CA. I believe the problem
> was with non-matching Organisation between the CSR and CA - but I don't have
> the knowledge to know if this is really required.
> 
> Anyhow, things work, despite not having removed the "-----BEGIN
> CERTIFICATE-----" lines this time around.
> 
> Thanks for the help and sorry for wasting your time!
> 
> 
> --
> William Leese
> Production Engineer,
> Operations, Asia Pacific
> Meltwater Group
> m: +81 80 4946 0329
> skype: william.leese1
> w: meltwater.com
> 
> 
> 
> On Thu, Nov 7, 2013 at 8:36 PM, Petr Viktorin <pviktori at redhat.com> wrote:
> 
>> On 11/07/2013 08:34 AM, William Leese wrote:
>>
>>>
>>>         [root at vagrant-centos-6 CA]# cat /root/server.pem
>>>         Certificate:
>>>               Data:
>>>                   Version: 3 (0x2)
>>>                   Serial Number: 2 (0x2)
>>>                   Signature Algorithm: sha1WithRSAEncryption
>>>                   Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops, CN=vagrant.localdomain/emailAddress=t at t.com
>>>                   Validity
>>>                       Not Before: Nov  6 05:12:09 2013 GMT
>>>                       Not After : Nov  6 05:12:09 2014 GMT
>>>                   Subject: O=MELTWATER.COM, CN=Certificate Authority
>>>         [snip]
>>>         -----BEGIN CERTIFICATE-----
>>>         MIIDfDCCAmSgAwIBAgIBAjANBgkqhk__iG9w0BAQUFADB5MQswCQYDVQQGEwJK
>>> __UDEL
>>>         MAkGA1UECAwCVEsxDDAKBgNVBAcMA1__RLSzELMAkGA1UECgwCTVcxDDAKBgNV
>>> __BAsM
>>>         A29wczEcMBoGA1UEAwwTdmFncmFudC__5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3
>>> __DQEJ
>>>
>>>         [snip]
>>>
>>>
>>>     Try removing everything before the -----BEGIN CERTIFICATE----- line
>>>     from the PEM.
>>>
>>> Well that was unexpected: removing the BEGIN Certificate / End lines now
>>> makes the install proceed up until:
>>>
>>> The log file for this installation can be found in
>>> /var/log/ipaserver-install.log
>>> The PKCS#10 certificate is not signed by the external CA (unknown issuer
>>> E=x at x.com,CN=vagrant-centos-6,OU=JP,O=JP,L=JP,ST=JP,C=JP).
>>>
>>
>> Can you please post more (all) of /var/log/ipaserver-install.log? We need
>> to know where exactly the issue is occurring and what the traceback is.
>>
>>
>>> Do I need to do anything to make my freshly created internal CA trusted
>>> for the installation? I've tried the usual magic in /etc/pki/tls/certs,
>>> but to no avail.
>>>
>>
>> No, --external_ca_file should have been enough.
>>
>> --
>> Petr³
>>
> 
> 
> 
> 



