[Freeipa-users] Installing a new Cert

Martin Kosek mkosek at redhat.com
Tue Aug 26 20:12:55 UTC 2014


Thanks for sharing your (rather painful) experience, I am glad you got it 
working in the end.

Just note that we are currently (read FreeIPA 4.0.x and FreeIPA 4.1) working 
on making the cert operations in the installers smoother, so that people like 
you would have a much easier job.

Martin

On 08/26/2014 05:19 PM, Chris Whittle wrote:
> This actually died after restart so I ended up starting over...
>
> So here is the process I did that looks like it works and also survives restart
>
> Step 1 - Before install
> http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
> -- start at Convert crt file in PEM format and do that whole section completely
>
> Step 2 - Install IPA server using the p12 file from before and also the
> intermediate.crt from your provider (I'm not sure why this isn't documented
> anywhere but I found it in my searches)
>
> ipa-server-install --http_pkcs12 DOMAIN.COM.p12 --dirsrv_pkcs12 collectivebias.com.p12 --root-ca-file intermediate.crt
>
> Step 3 - re-add certs (for some reason I don't know but it's needed) (from
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP)
>
> ipa-server-certinstall -w --http_pin=PKPASSWORD DOMAIN.COM.p12
> ipa-server-certinstall -d --dirsrv_pin=PKPASSWORD DOMAIN.COM.p12
>
> Step 4 reboot
> Step 5 You can dance if you wanna...
>
>
>
> On Mon, Aug 25, 2014 at 2:02 PM, Chris Whittle <cwhittl at gmail.com> wrote:
>
>     I spoke a little too soon... It's working fine (browser is using new cert
>     and also ldaps is using the new cert) except when you go to the certs page
>     on the ui.
>     https://DOMAIN/ipa/ui/#/e/cert/search
>
>
>       An error has occurred (IPA Error 4301: CertificateOperationError)
>
>     Certificate operation cannot be completed: Unable to communicate with CMS
>     (Internal Server Error)
>
>
>
>     On Mon, Aug 25, 2014 at 1:34 PM, Chris Whittle <cwhittl at gmail.com> wrote:
>
>         ok I think I got it again...  If anyone is looking for this here is the
>         answer that worked for me....
>
>          1. Here are the steps
>              1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
>                 -- start at Convert crt file in PEM format and do that whole
>                 section completely
>              2. Then with the p12 from above you can do this (skip the line
>                 about generating a new one)
>                 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>                  1. If you run across the error "/etc/ipa/ca.crt contains more
>                     than one certificate" you will need to go into
>                     /etc/ipa/ca.crt, back it up and then try removing one of
>                     the certs and try ipa-server-certinstall from above again
>                     (if it doesn't work revert ca.crt to the original and then
>                     remove the other)
>              3. Then restart both instances (bottom of the freeipa link)
>                 and you should be good to go.
>
>
>         On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle <cwhittl at gmail.com> wrote:
>
>             I found this but I think it's just IPA certs?
>             http://www.freeipa.org/page/V4/CA_certificate_renewal
>
>             Basically I want to use my existing wildcard cert for https and
>             ldaps...
>             I did this on my 3.3 install on CentOS but now I'm on a 4 install
>             on Fedora Core.
>
>             Any help would be more than appreciated!
>             Thanks!
>
>
>             On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle <cwhittl at gmail.com> wrote:
>
>                 I have 4 installed and I get it when I try to generate the pk12
>
>                 On Aug 25, 2014 3:50 AM, "Jan Cholasta" <jcholast at redhat.com> wrote:
>
>                     Hi,
>
>                     On 25.8.2014 at 03:04 Chris Whittle wrote:
>
>                         Trying to do this
>                         http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
>                         And I keep getting "Error unable to get local issuer
>                         certificate getting
>                         chain."
>
>
>                     Where are you getting this error? ipa-server-certinstall,
>                     or httpd, or somewhere else?
>
>                     What version of ipa do you have installed?
>
>
>                         I'm wondering if it's because of this from the doc
>                         "The certificate in mysite.crt must be signed by the CA
>                         used when
>                         installing FreeIPA."
>                         but it might not either...
>
>
>                     In this case you should get a "file.p12 is not signed by
>                     /etc/ipa/ca.crt, or the full certificate chain is not
>                     present in the PKCS#12 file" error in ipa-server-certinstall.
>
>
>                         Any ideas?
>
>
>
>                     Honza
>
>                     --
>                     Jan Cholasta
>
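Added example (not from this thread, and not FreeIPA's own code): the two
problems the thread circles around are a provider certificate delivered as
DER that has to become PEM before it goes into a PKCS#12, and a PKCS#12 that
lacks the provider's intermediate CA, which is what makes OpenSSL report
"unable to get local issuer certificate" and makes ipa-server-certinstall
complain that "the full certificate chain is not present in the PKCS#12 file".
The script builds a throwaway root -> intermediate -> wildcard chain with
openssl (all names are constructed, example.test is a placeholder domain, the
PIN value only mirrors the thread's PKPASSWORD placeholder, and the
"Server-Cert" friendly name is an assumption, not something the installer is
known to require), reproduces the verify failure against the root alone,
shows the same leaf passing once the intermediate is supplied, and then
exports a .p12 that carries leaf, intermediate and root, the shape the
installer expects to find.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Builds a
# constructed test PKI and shows why the intermediate must travel inside the
# PKCS#12 handed to ipa-server-install / ipa-server-certinstall.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
PIN=PKPASSWORD   # placeholder export password (assumption, mirrors the thread)

# Minimal openssl config: [req] is required for CSR generation; the two
# extension sections mark the CAs as CAs and give the leaf a wildcard SAN.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.test,DNS:example.test
EOF

# Constructed chain: root -> intermediate -> wildcard server cert, the shape a
# commercial provider uses when it signs customer certs from an intermediate.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -x509 -new -key root.key -out root.crt -days 3650 \
  -subj "/CN=Example Root CA" -config pki.cnf -extensions v3_ca
openssl genrsa -out intermediate.key 2048 2>/dev/null
openssl req -new -key intermediate.key -out intermediate.csr \
  -subj "/CN=Example Intermediate CA" -config pki.cnf
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -days 1825 -out intermediate.crt \
  -extfile pki.cnf -extensions v3_ca 2>/dev/null
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -out server.csr \
  -subj "/CN=*.example.test" -config pki.cnf
openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \
  -CAcreateserial -days 365 -out server.pem \
  -extfile pki.cnf -extensions v3_server 2>/dev/null
# Providers often hand out the leaf as DER with a .crt suffix; simulate that.
openssl x509 -in server.pem -outform der -out server.crt

# The "convert crt to PEM" step: accept DER or PEM, always emit PEM.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then cat "$1"
  else openssl x509 -inform der -in "$1"; fi
}

# First verify error when the leaf is checked against the root alone, i.e.
# with the intermediate missing from both the trust store and the chain.
verify_error_without_intermediate() {
  openssl verify -CAfile root.crt "$1" 2>&1 | sed -n 's/.*lookup: *//p' | head -n 1
}

# Same leaf, with the intermediate supplied as an untrusted chain cert.
verify_with_intermediate() {
  openssl verify -CAfile root.crt -untrusted intermediate.crt "$1" >/dev/null 2>&1 \
    && echo OK || echo FAIL
}

# Build the PKCS#12 the installer consumes: key + leaf + the CA chain.
# Dropping -certfile is exactly what yields a .p12 without the full chain.
build_p12() {  # $1 = leaf PEM, $2 = output .p12
  cat intermediate.crt root.crt > chain.pem
  openssl pkcs12 -export -in "$1" -inkey server.key -certfile chain.pem \
    -name "Server-Cert" -passout "pass:$PIN" -out "$2"
}

# Count certificates inside a .p12: 3 means leaf + intermediate + root.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PIN" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

to_pem server.crt > leaf.pem
build_p12 leaf.pem server.p12
echo "without intermediate: $(verify_error_without_intermediate leaf.pem)"
echo "with intermediate:    $(verify_with_intermediate leaf.pem)"
echo "certs in p12:         $(p12_cert_count server.p12)"
```

Run it anywhere openssl is installed; it works in a temporary directory and
touches nothing on the host. The p12_cert_count check is the quick test to run
on a provider-supplied bundle before feeding it to the installer: if it prints
1, the intermediate is missing and the chain error in the thread is the
expected outcome. One caveat worth knowing when repeating this with a recent
OpenSSL: OpenSSL 3 encrypts PKCS#12 files with PBES2/AES by default, and its
pkcs12 command has a -legacy option for producing the older encryption if an
old NSS on the IPA side refuses to import the file.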
