[Freeipa-users] CA-less replica setup and trouble with cert chain
Mike Oliver
mikeo at bixly.com
Tue Jul 28 22:56:04 UTC 2015
Hi folks,
We're trying to add a FreeIPA (4.1; CentOS 7) replica to our
infrastructure and keep running into an issue that prevents us from
preparing the replica.
We're using the CA-less setup where FreeIPA is using a wildcard
certificate provided by RapidSSL. I started trying to create the replica
using the information provided here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html
But since we're not using a CA, it tells me that I need to specify
--http-cert-file and --dirsrv-cert-file. I create a p12 file that
includes the wildcard cert and the rest of the certs in the chain with:
$ openssl pkcs12 -export -in wildcard-with-intermediates.crt \
    -inkey wildcard.key -name "replica01" -out replica01.mydomain.com.p12
I then check to see if all the necessary certs were added to the p12 file:
$ pk12util -l replica01.mydomain.com.p12
I see our wildcard certificate, RapidSSL's intermediate certificate, and
the entry for Equifax/GeoTrust, which signed RapidSSL's certificate.
Then I run 'ipa-replica-prepare' on the existing FreeIPA server.
$ ipa-replica-prepare replica01.mydomain.com \
--http-cert-file=replica01.mydomain.com.p12 \
--dirsrv-cert-file=replica01.mydomain.com.p12 \
--ca /etc/ipa/ca.crt \
-v
I get the following error after the debug output reports a series of
calls to certutil:
ipa: DEBUG: stderr=
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
    self.ask_for_options()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 262, in ask_for_options
    options.http_cert_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 162, in load_pkcs12
    host_name=self.replica_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 799, in load_pkcs12
    (", ".join(cert_files)))
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: ScriptError: The full certificate chain is not present in replica01.mydomain.com.p12
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The full certificate chain is not present in replica01.mydomain.com.p12
The chain certainly looks to be complete given the output of pk12util,
but it's possible I'm just building the file wrong for use with FreeIPA.
What exactly are '--http-cert-file' and '--dirsrv-cert-file' expecting,
and how should I go about generating the certificate used by
'ipa-replica-prepare' with a CA-less configuration?
Thanks all,
--
Mike Oliver
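An added example, not part of Mike's message and not FreeIPA's own code: a POSIX shell script that walks the certificates stored in a PKCS#12 file from the end-entity certificate up through its issuers and reports whether the walk ends at a self-signed root. Listing the bags with pk12util -l shows which certificates are present; this walk checks the thing the "full certificate chain" error is about, namely that every issuer link closes and the chain reaches a root. It approximates that property and is not a reproduction of FreeIPA's load_pkcs12 check. The CN values, the nickname replica01 and the password secret are constructed for the demonstration; the script needs only the openssl command line tool.

```sh
#!/bin/sh
# p12_chain_check.sh - added example, not from the FreeIPA project.
# Walks the certificates in a PKCS#12 file from the leaf up through its
# issuers; succeeds only if the walk reaches a self-signed root.
set -eu

# Print the subject or issuer ($2 = subject|issuer) of PEM cert $1, label stripped.
cert_field() {
    openssl x509 -in "$1" -noout -"$2" | sed 's/^[a-z]*= *//'
}

# p12_chain_complete FILE PASSWORD
# Exit 0 if FILE holds a chain from the end-entity certificate up to a
# self-signed root, 1 if an issuer is missing. Prints the subjects visited.
p12_chain_complete() {
    p12=$1
    pass=$2
    work=$(mktemp -d)
    # The leaf is the certificate that matches the private key (-clcerts).
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$work/leaf.pem" 2>/dev/null
    # Every certificate in the file, split into one PEM file each.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys \
        -out "$work/all.pem" 2>/dev/null
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
                      keep { print > (d "/cert" n ".pem") }
                      /-----END CERTIFICATE-----/ { keep = 0 }' "$work/all.pem"

    subject=$(cert_field "$work/leaf.pem" subject)
    issuer=$(cert_field "$work/leaf.pem" issuer)
    echo "leaf:   $subject"
    hops=0
    # Follow issuer -> subject links until a self-signed certificate is reached.
    while [ "$subject" != "$issuer" ]; do
        next=""
        for c in "$work"/cert*.pem; do
            if [ "$(cert_field "$c" subject)" = "$issuer" ]; then
                next=$c
                break
            fi
        done
        if [ -z "$next" ]; then
            echo "MISSING issuer: $issuer"
            rm -rf "$work"
            return 1
        fi
        subject=$(cert_field "$next" subject)
        issuer=$(cert_field "$next" issuer)
        echo "issuer: $subject"
        hops=$((hops + 1))
        if [ "$hops" -gt 10 ]; then
            echo "chain too deep or looping"
            rm -rf "$work"
            return 1
        fi
    done
    echo "root:   $subject (self-signed; chain complete)"
    rm -rf "$work"
    return 0
}

# make_test_p12s DIR
# Constructed test material: a root -> intermediate -> leaf chain, exported
# twice. full.p12 carries the whole chain; partial.p12 omits the root, which
# is the shape a leaf-plus-intermediates bundle has before the root is appended.
make_test_p12s() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -out "$dir/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/int.crt" \
        -CAkey "$dir/int.key" -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/leaf.crt" "$dir/int.crt" "$dir/root.crt" > "$dir/full.pem"
    openssl pkcs12 -export -in "$dir/full.pem" -inkey "$dir/leaf.key" \
        -name replica01 -passout pass:secret -out "$dir/full.p12"
    cat "$dir/leaf.crt" "$dir/int.crt" > "$dir/partial.pem"
    openssl pkcs12 -export -in "$dir/partial.pem" -inkey "$dir/leaf.key" \
        -name replica01 -passout pass:secret -out "$dir/partial.p12"
}

# Usage: p12_chain_check.sh FILE.p12 PASSWORD
if [ $# -eq 2 ]; then
    p12_chain_complete "$1" "$2"
fi
```

Run it against the p12 you intend to hand to ipa-replica-prepare; a "MISSING issuer" line names the certificate you still need to append to the PEM bundle before re-running the openssl pkcs12 -export step. Note that the walk compares subject and issuer names only; it does not check signatures or CA constraints, so a file that passes here may still need the root supplied separately via --ca if the installer expects it there.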