[Freeipa-users] install with external CA failed

Robert Story rstory at tislabs.com
Thu Mar 6 04:42:58 UTC 2014


Hi,

I'm trying to install on CentOS 6.5 (ipa-server-3.0.0-37.el6.x86_64) with an
external CA. I'm getting this error:

Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-jNYt3P -r /ca/agent/ca/profileReview?requestId=6 auth.lan:9443' returned non-zero exit status 4

I found a thread from back in 2012 with exact same symptoms:

  https://www.redhat.com/archives/freeipa-users/2012-May/msg00357.html

Unfortunately, the thread died out without any resolution/fix. When I run
the suggested commands from that thread, I get the same results the OP did.

# certutil -L -d /tmp/tmp-jNYt3P/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
Certificate Authority - xxx                   CT,C,C
testnick                                                     P,,  
xxx Certificate Authority - xxx            CT,C,C

# certutil -V -u C -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
certutil: certificate is invalid: Issuer certificate is invalid.

# certutil -L -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=xxx"
        Validity:
            Not Before: Thu Mar 06 04:17:13 2014
            Not After : Wed Feb 24 04:17:13 2016
        Subject: "CN=ipa-ca-agent,O=xxx"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    bf:0c:5b:f0:14:9e:0f:26:91:21:66:62:95:0c:4d:04:
                    e5:ec:96:6f:a1:3b:a8:05:de:1b:40:a7:7c:59:55:c4:
                    1e:a0:62:3d:7a:50:e8:c4:8b:d7:5d:cd:55:b2:e7:f9:
                    63:f6:43:75:1e:3d:3c:ac:51:a4:81:94:6b:e5:7f:94:
                    d7:b2:aa:8d:e8:b6:50:f2:24:96:76:8d:5f:e9:aa:43:
                    07:97:c8:06:2e:dc:22:9b:d1:2e:90:24:d8:07:94:33:
                    d1:0f:44:e5:14:37:3c:96:ee:24:e0:07:91:f1:ee:c8:
                    c4:01:e9:85:d8:35:eb:42:92:8a:58:c3:ae:e8:7d:27:
                    4d:2d:cb:b8:97:0b:5d:e0:3c:99:8a:a8:a2:b7:e2:10:
                    61:2b:77:33:87:ea:59:16:87:f7:f7:43:cf:c2:7b:60:
                    3a:fc:44:2f:9e:9c:56:bc:99:0c:d0:e9:08:d6:db:f5:
                    b1:d2:5e:28:45:d2:8f:71:1d:49:e9:41:c6:d2:e0:03:
                    ac:85:ea:51:c6:17:5d:ed:eb:a5:11:86:40:37:cf:49:
                    d3:cc:11:f1:3f:17:61:38:52:fa:12:a6:a0:bf:61:74:
                    aa:3e:87:bd:ff:d1:eb:d7:c5:d7:d5:90:8f:d6:d6:e1:
                    ab:d0:1f:db:91:8e:ff:d1:52:e3:6a:7a:fe:20:b3:53
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                b5:5e:45:9f:e9:71:c5:11:a2:6c:6c:06:00:be:02:ad:
                8e:ae:76:1b

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://auth.lan:80/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Client Authentication Certificate
                E-Mail Protection Certificate

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        91:e8:3c:26:1e:e6:24:35:64:95:92:10:79:9b:c3:3f:
        3d:6c:7b:db:56:bd:98:85:31:4a:2c:6c:1f:76:e4:74:
        8a:90:49:43:6d:16:63:f9:cc:9b:89:bd:bc:5c:fa:3b:
        55:9e:a8:54:ce:61:fa:62:61:cf:b5:47:54:e5:70:f6:
        d0:a0:a6:56:bf:1e:19:4d:f3:95:8a:70:1f:43:c2:6b:
        85:bf:dd:90:6a:13:f7:58:9d:b2:40:88:d6:3a:d1:84:
        2e:7f:b8:b8:e1:f9:5f:83:c5:d4:55:c4:a7:1a:28:a4:
        64:fc:ac:78:3b:43:a0:00:78:db:f1:cc:a6:b6:11:70:
        64:2f:43:d2:74:a5:2a:50:91:e0:8d:8c:82:c5:1a:5c:
        dd:00:60:62:55:be:0a:ea:b9:75:0f:8d:0e:40:cd:26:
        9c:63:08:3f:7d:79:c5:6b:73:fd:26:60:d3:e4:59:1e:
        1d:0f:82:ea:eb:23:b3:b4:59:7f:a9:87:e8:01:c7:aa:
        7b:c0:dd:0a:f0:4d:da:90:c9:57:00:4b:86:ea:58:22:
        ff:45:11:18:25:de:09:ee:a4:7a:4a:ea:8f:17:c9:ad:
        38:15:af:fa:c0:f3:fb:1c:6c:e1:69:1f:99:4e:fe:a2:
        eb:66:92:77:3a:5d:8f:7a:63:9b:14:ea:95:3e:c7:e9
    Fingerprint (MD5):
        96:68:7A:76:9F:06:78:BC:67:85:0C:82:A8:43:14:6B
    Fingerprint (SHA1):
        99:7D:9F:1B:F4:A7:52:9F:CF:BF:23:4F:5B:1A:90:22:19:14:37:16

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

... and so on...

Any suggestions from anyone who has gotten an external-ca install to work?


Robert

--
Senior Software Engineer @ Parsons
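The `certutil -V -u C` result above says only that the agent certificate's issuer is invalid; it does not say which link of the chain (the IPA CA signed by the external CA, or the external root itself) is the one that fails, nor whether the CA certificates pass validation as CAs. The script below is an added example, not code from the post or from FreeIPA: it walks the chain in an NSS database with the real `certutil` tool (assumed to be on PATH, as nss-tools on CentOS), validating the leaf for client authentication (`-u C`) and every certificate above it as an SSL CA (`-u L`), and reports the first link that fails. The database directory and leaf nickname are arguments (the `/tmp/tmp-*` directory and `ipa-ca-agent` from the post are assumed as defaults); the function names and the embedded sample listing are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): walk an NSS certificate chain
# with certutil and report the first link that fails validation.
# Usage: sh check-chain.sh /tmp/tmp-jNYt3P ipa-ca-agent
set -u

# Read `certutil -L -d DIR` output on stdin and print one nickname per line,
# dropping the header and the trailing trust-attribute column (nicknames may
# contain spaces, so strip the "u,u,u" / "CT,C,C" / "P,," column by pattern).
nss_nicknames() {
    awk 'NR > 1 && NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
             sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, ""); print
         }'
}

# Read a `certutil -L -n NICK` dump on stdin and print the quoted DN of one
# field, e.g.  dn_field Issuer  ->  CN=Certificate Authority,O=xxx
dn_field() {
    awk -v f="$1:" '$1 == f { sub(/^[^"]*"/, ""); sub(/"[ \t]*$/, ""); print; exit }'
}

cert_dn() {  # cert_dn DIR NICK FIELD
    certutil -L -d "$1" -n "$2" | dn_field "$3"
}

# Nickname of the certificate whose Subject equals DN (i.e. the issuer of
# some other certificate in the same database).
nick_for_subject() {  # nick_for_subject DIR DN
    certutil -L -d "$1" | nss_nicknames | while IFS= read -r nick; do
        if [ "$(cert_dn "$1" "$nick" Subject)" = "$2" ]; then
            printf '%s\n' "$nick"
            break
        fi
    done
}

# Validate the leaf for SSL client auth (-u C, what the agent cert is used
# for), then each issuer above it as an SSL CA (-u L), stopping at the first
# certificate that certutil rejects or at a self-signed root.
check_chain() {  # check_chain DIR LEAF_NICK
    dir=$1; nick=$2; usage=C; depth=0
    while [ -n "$nick" ] && [ "$depth" -lt 10 ]; do
        if out=$(certutil -V -d "$dir" -n "$nick" -u "$usage" 2>&1); then
            printf 'OK   [-u %s] %s\n' "$usage" "$nick"
        else
            printf 'FAIL [-u %s] %s: %s\n' "$usage" "$nick" "$out"
            return 1
        fi
        subj=$(cert_dn "$dir" "$nick" Subject)
        iss=$(cert_dn "$dir" "$nick" Issuer)
        [ "$subj" = "$iss" ] && return 0     # self-signed root reached
        nick=$(nick_for_subject "$dir" "$iss")
        if [ -z "$nick" ]; then
            printf 'FAIL issuer not present in %s: %s\n' "$dir" "$iss"
            return 1
        fi
        usage=L; depth=$((depth + 1))
    done
}

if [ $# -ge 1 ]; then
    check_chain "$1" "${2:-ipa-ca-agent}"
fi
```

Run it against the temporary database that `ipa-server-install` left behind; the first `FAIL` line names the certificate NSS actually rejects, which is the place to compare the external CA's certificate and its trust flags against what was fed to the installer.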