[Freeipa-users] install with external CA failed
Jan Cholasta
jcholast at redhat.com
Mon Mar 10 14:44:01 UTC 2014
Hi,
On 6.3.2014 05:42, Robert Story wrote:
> Hi,
>
> I'm trying to install on CentOS 6.5 (ipa-server-3.0.0-37.el6.x86_64) and an
> external CA. I'm getting this error:
>
> Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-jNYt3P -r /ca/agent/ca/profileReview?requestId=6 auth.lan:9443' returned non-zero exit status 4
>
> I found a thread from back in 2012 with exact same symptoms:
>
> https://www.redhat.com/archives/freeipa-users/2012-May/msg00357.html
>
> Unfortunately, the thread died out without any resolution/fix. When I run
> the suggested commands from that thread, I get the same results the OP did..
>
> # certutil -L -d /tmp/tmp-jNYt3P/
>
> Certificate Nickname                                Trust Attributes
>                                                     SSL,S/MIME,JAR/XPI
>
> ipa-ca-agent                                        u,u,u
> Certificate Authority - xxx                         CT,C,C
> testnick                                            P,,
> xxx Certificate Authority - xxx                     CT,C,C
>
> # certutil -V -u C -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
> certutil: certificate is invalid: Issuer certificate is invalid.
Can you please run certutil -V on the issuer certificate (CN=Certificate
Authority,O=xxx)? That might give us a clue why it is invalid.
>
> # certutil -L -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 5 (0x5)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=Certificate Authority,O=xxx"
>         Validity:
>             Not Before: Thu Mar 06 04:17:13 2014
>             Not After : Wed Feb 24 04:17:13 2016
>         Subject: "CN=ipa-ca-agent,O=xxx"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>                     bf:0c:5b:f0:14:9e:0f:26:91:21:66:62:95:0c:4d:04:
>                     e5:ec:96:6f:a1:3b:a8:05:de:1b:40:a7:7c:59:55:c4:
>                     1e:a0:62:3d:7a:50:e8:c4:8b:d7:5d:cd:55:b2:e7:f9:
>                     63:f6:43:75:1e:3d:3c:ac:51:a4:81:94:6b:e5:7f:94:
>                     d7:b2:aa:8d:e8:b6:50:f2:24:96:76:8d:5f:e9:aa:43:
>                     07:97:c8:06:2e:dc:22:9b:d1:2e:90:24:d8:07:94:33:
>                     d1:0f:44:e5:14:37:3c:96:ee:24:e0:07:91:f1:ee:c8:
>                     c4:01:e9:85:d8:35:eb:42:92:8a:58:c3:ae:e8:7d:27:
>                     4d:2d:cb:b8:97:0b:5d:e0:3c:99:8a:a8:a2:b7:e2:10:
>                     61:2b:77:33:87:ea:59:16:87:f7:f7:43:cf:c2:7b:60:
>                     3a:fc:44:2f:9e:9c:56:bc:99:0c:d0:e9:08:d6:db:f5:
>                     b1:d2:5e:28:45:d2:8f:71:1d:49:e9:41:c6:d2:e0:03:
>                     ac:85:ea:51:c6:17:5d:ed:eb:a5:11:86:40:37:cf:49:
>                     d3:cc:11:f1:3f:17:61:38:52:fa:12:a6:a0:bf:61:74:
>                     aa:3e:87:bd:ff:d1:eb:d7:c5:d7:d5:90:8f:d6:d6:e1:
>                     ab:d0:1f:db:91:8e:ff:d1:52:e3:6a:7a:fe:20:b3:53
>                 Exponent: 65537 (0x10001)
>         Signed Extensions:
>             Name: Certificate Authority Key Identifier
>             Key ID:
>                 b5:5e:45:9f:e9:71:c5:11:a2:6c:6c:06:00:be:02:ad:
>                 8e:ae:76:1b
>
>             Name: Authority Information Access
>             Method: PKIX Online Certificate Status Protocol
>             Location:
>                 URI: "http://auth.lan:80/ca/ocsp"
>
>             Name: Certificate Key Usage
>             Critical: True
>             Usages: Digital Signature
>                     Non-Repudiation
>                     Key Encipherment
>                     Data Encipherment
>
>             Name: Extended Key Usage
>                 TLS Web Client Authentication Certificate
>                 E-Mail Protection Certificate
>
>     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Signature:
>         91:e8:3c:26:1e:e6:24:35:64:95:92:10:79:9b:c3:3f:
>         3d:6c:7b:db:56:bd:98:85:31:4a:2c:6c:1f:76:e4:74:
>         8a:90:49:43:6d:16:63:f9:cc:9b:89:bd:bc:5c:fa:3b:
>         55:9e:a8:54:ce:61:fa:62:61:cf:b5:47:54:e5:70:f6:
>         d0:a0:a6:56:bf:1e:19:4d:f3:95:8a:70:1f:43:c2:6b:
>         85:bf:dd:90:6a:13:f7:58:9d:b2:40:88:d6:3a:d1:84:
>         2e:7f:b8:b8:e1:f9:5f:83:c5:d4:55:c4:a7:1a:28:a4:
>         64:fc:ac:78:3b:43:a0:00:78:db:f1:cc:a6:b6:11:70:
>         64:2f:43:d2:74:a5:2a:50:91:e0:8d:8c:82:c5:1a:5c:
>         dd:00:60:62:55:be:0a:ea:b9:75:0f:8d:0e:40:cd:26:
>         9c:63:08:3f:7d:79:c5:6b:73:fd:26:60:d3:e4:59:1e:
>         1d:0f:82:ea:eb:23:b3:b4:59:7f:a9:87:e8:01:c7:aa:
>         7b:c0:dd:0a:f0:4d:da:90:c9:57:00:4b:86:ea:58:22:
>         ff:45:11:18:25:de:09:ee:a4:7a:4a:ea:8f:17:c9:ad:
>         38:15:af:fa:c0:f3:fb:1c:6c:e1:69:1f:99:4e:fe:a2:
>         eb:66:92:77:3a:5d:8f:7a:63:9b:14:ea:95:3e:c7:e9
>     Fingerprint (MD5):
>         96:68:7A:76:9F:06:78:BC:67:85:0C:82:A8:43:14:6B
>     Fingerprint (SHA1):
>         99:7D:9F:1B:F4:A7:52:9F:CF:BF:23:4F:5B:1A:90:22:19:14:37:16
>
>     Certificate Trust Flags:
>         SSL Flags:
>             User
>         Email Flags:
>             User
>         Object Signing Flags:
>             User
>
> ... and so on...
>
> Any suggestions from anyone who has gotten an external-ca install to work?
>
>
> Robert
>
> --
> Senior Software Engineer @ Parsons
Honza
--
Jan Cholasta
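Jan's suggestion is to run certutil -V against the issuer as well as against the agent certificate, since "Issuer certificate is invalid" on the leaf only says that some link above it failed. The script below is an added example, not code from this thread or from FreeIPA: it walks the issuer chain inside an NSS database and verifies every link on its own, so the report names the first certificate that fails standing alone. The certutil options it uses (-L, -V, -n, -d, -u C for an SSL client and -u A for any CA) are real; the script name, the NSS_* variables and the sample_* functions are this example's own, and the sample data is constructed from the listing and DNs quoted above with a made-up failure on the intermediate CA.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: walk the issuer
# chain of one certificate in an NSS database, running `certutil -V` on every
# link so the first certificate that is invalid on its own is named, instead
# of stopping at "Issuer certificate is invalid" on the leaf.
# Usage: nss-chain-check.sh <nickname> <nss-db-dir>

# The three database operations are reached through overridable names so the
# walk can be exercised against constructed text (see the sample_* functions).
NSS_LIST=${NSS_LIST:-nss_list}        # prints the `certutil -L -d $DB` listing
NSS_PRINT=${NSS_PRINT:-nss_print}     # $1 = nickname: `certutil -L -n $1`
NSS_VERIFY=${NSS_VERIFY:-nss_verify}  # $1 = nickname, $2 = usage letter

nss_list()   { certutil -L -d "$DB"; }
nss_print()  { certutil -L -n "$1" -d "$DB"; }
nss_verify() { certutil -V -u "$2" -n "$1" -d "$DB" 2>&1; }

# Print the DN of one field ("Subject" or "Issuer") from pretty-printed
# certificate text on stdin; certutil quotes the DN, so strip the quotes.
dn_field() {
    sed -n "s/^[[:space:]]*$1: \"\(.*\)\"[[:space:]]*$/\1/p" | head -n 1
}

# Reduce the `certutil -L` listing on stdin to one nickname per line by
# dropping the header and the trailing trust-attribute column (e.g. CT,C,C).
list_nicknames() {
    sed -e '/^Certificate Nickname/d' -e '/^[[:space:]]*SSL,S\/MIME,JAR\/XPI/d' \
        -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]*[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$//'
}

# Print the nickname whose Subject equals the DN in $1; status 1 if none.
nickname_for_subject() {
    found=$($NSS_LIST | list_nicknames | while IFS= read -r n; do
        if [ "$($NSS_PRINT "$n" | dn_field Subject)" = "$1" ]; then
            printf '%s\n' "$n"; break
        fi
    done)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Verify $1 as an SSL client (-u C, as in the thread), then each issuer as a
# CA (-u A), until a self-signed certificate is reached. Prints one line per
# link; returns 0 only if every link verified and the chain was complete.
check_chain() {
    nick=$1; usage=C; depth=0; bad=0
    while [ "$depth" -lt 8 ]; do
        if out=$($NSS_VERIFY "$nick" "$usage"); then
            printf 'ok      %s\n' "$nick"
        else
            printf 'INVALID %s: %s\n' "$nick" "$out"; bad=1
        fi
        text=$($NSS_PRINT "$nick")
        subject=$(printf '%s\n' "$text" | dn_field Subject)
        issuer=$(printf '%s\n' "$text" | dn_field Issuer)
        if [ "$subject" = "$issuer" ]; then
            return "$bad"             # self-signed: top of the chain
        fi
        if ! nick=$(nickname_for_subject "$issuer"); then
            printf 'MISSING issuer %s\n' "$issuer"; return 1
        fi
        usage=A; depth=$((depth + 1))
    done
    printf 'chain deeper than %d links, giving up\n' "$depth"; return 1
}

# Constructed sample modelled on the thread's database: the agent cert, its
# issuer (itself signed by an external root) and that root. The intermediate
# is made to fail on its own, so the leaf's "Issuer certificate is invalid"
# is traced to it. Select with:
#   NSS_LIST=sample_list NSS_PRINT=sample_print NSS_VERIFY=sample_verify
sample_list() {
    printf '%s\n' \
        'Certificate Nickname                      Trust Attributes' \
        '                                          SSL,S/MIME,JAR/XPI' \
        '' \
        'ipa-ca-agent                              u,u,u' \
        'Certificate Authority - xxx               CT,C,C' \
        'xxx Certificate Authority - xxx           CT,C,C'
}
sample_print() {
    case $1 in
    ipa-ca-agent)
        printf '        Issuer: "CN=Certificate Authority,O=xxx"\n'
        printf '        Subject: "CN=ipa-ca-agent,O=xxx"\n' ;;
    'Certificate Authority - xxx')
        printf '        Issuer: "CN=xxx Certificate Authority,O=xxx"\n'
        printf '        Subject: "CN=Certificate Authority,O=xxx"\n' ;;
    'xxx Certificate Authority - xxx')
        printf '        Issuer: "CN=xxx Certificate Authority,O=xxx"\n'
        printf '        Subject: "CN=xxx Certificate Authority,O=xxx"\n' ;;
    esac
}
sample_verify() {
    case $1 in
    ipa-ca-agent) echo 'certutil: certificate is invalid: Issuer certificate is invalid.'; return 255 ;;
    'Certificate Authority - xxx') echo 'certutil: certificate is invalid: (constructed failure)'; return 255 ;;
    *) echo 'certutil: certificate is valid.'; return 0 ;;
    esac
}

if [ "$#" -eq 2 ]; then
    DB=$2; check_chain "$1"
fi
```

Against the sample the walk prints INVALID for ipa-ca-agent and for "Certificate Authority - xxx" and ok for the root, which is the kind of output that answers Jan's question directly; against a real database run it as `sh nss-chain-check.sh ipa-ca-agent /tmp/tmp-jNYt3P`, which reads the same -L and -V output the thread quotes.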