[Freeipa-users] CA-less replica setup and trouble with cert chain

Mike Oliver mikeo at bixly.com
Tue Jul 28 22:56:04 UTC 2015


Hi folks,

We're trying to add a FreeIPA (4.1; CentOS 7) replica to our 
infrastructure and keep running into an issue that prevents us from 
preparing the replica.

We're using the CA-less setup where FreeIPA is using a wildcard 
certificate provided by RapidSSL. I started trying to create the replica 
using the information provided here: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html

But since we're not using a CA, it tells me that I need to specify 
--http-cert-file and --dirsrv-cert-file. I create a p12 file that 
includes the wildcard cert and the rest of the certs in the chain with:
$ openssl pkcs12 -export -in wildcard-with-intermediates.crt \
     -inkey wildcard.key -name "replica01" -out replica01.mydomain.com.p12

I then check to see if all the necessary certs were added to the p12 file:
$ pk12util -l replica01.mydomain.com.p12

I see our wildcard certificate, RapidSSL's intermediate certificate, and 
the entry for Equifax/GeoTrust, that signed RapidSSL's certificate.

Then I run 'ipa-replica-prepare' on the existing FreeIPA server.
$ ipa-replica-prepare replica01.mydomain.com \
     --http-cert-file=replica01.mydomain.com.p12 \
     --dirsrv-cert-file=replica01.mydomain.com.p12 \
     --ca /etc/ipa/ca.crt \
     -v

I get the following error after the debug output reports a series of 
calls to certutil:
ipa: DEBUG: stderr=
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
     self.ask_for_options()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 262, in ask_for_options
     options.http_cert_name)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 162, in load_pkcs12
     host_name=self.replica_fqdn)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 799, in load_pkcs12
     (", ".join(cert_files)))

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The 
ipa-replica-prepare command failed, exception: ScriptError: The full 
certificate chain is not present in replica01.mydomain.com.p12
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The 
full certificate chain is not present in replicate01.mydomain.com.p12


The chain certainly looks to be complete given the output of pk12util, 
but it's possible I'm just building the file wrong for use with FreeIPA. 
What exactly are '--http-cert-file' and '--dirsrv-cert-file' expecting, 
and how should I go about generating the certificate used by 
'ipa-replica-prepare' with a CA-less configuration?

Thanks all,

-- 
Mike Oliver
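An added check, not from the original post and not FreeIPA's own code, for what "the full certificate chain is not present" amounts to when you assume, as the error suggests, that the bundle must link every certificate to its issuer and end at a self-signed root. It builds a constructed root/intermediate/leaf chain with the openssl CLI (assumed installed) and tests both a complete .p12 and one with the root left out.

```shell
# Added example, not from the original post: check that a PKCS#12 file holds a
# complete chain: every issuer present as a subject, ending at a self-signed root.
# Assumes the openssl CLI is installed.
set -eu

# Prints "complete" when the PKCS#12 file $1 (password $2) contains at least one
# self-signed root and the issuer of every other cert; "incomplete" otherwise.
p12_chain_complete() {
    work=$(mktemp -d)
    # Split the certificate bags into one PEM file per certificate.
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        awk -v d="$work" '/BEGIN CERT/{n++; p=1} p{print > (d "/" n ".pem")} /END CERT/{p=0}'
    : > "$work/subjects"
    for c in "$work"/*.pem; do
        openssl x509 -in "$c" -noout -subject | sed 's/^subject=//' >> "$work/subjects"
    done
    roots=0; missing=0
    for c in "$work"/*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
        iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
        if [ "$subj" = "$iss" ]; then
            roots=$((roots + 1))           # self-signed: a root is present
        elif ! grep -qxF -- "$iss" "$work/subjects"; then
            missing=$((missing + 1))       # issuer is not in the bundle
        fi
    done
    rm -rf "$work"
    if [ "$roots" -ge 1 ] && [ "$missing" -eq 0 ]; then echo complete; else echo incomplete; fi
}

# Constructed test chain root -> intermediate -> leaf in dir $1, password "secret":
# full.p12 holds leaf+intermediate+root, short.p12 leaves the root out.
make_test_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" > "$d/chain.pem"
    openssl pkcs12 -export -in "$d/leaf.crt" -inkey "$d/leaf.key" \
        -certfile "$d/chain.pem" -passout pass:secret -out "$d/full.p12"
    openssl pkcs12 -export -in "$d/leaf.crt" -inkey "$d/leaf.key" \
        -certfile "$d/int.crt" -passout pass:secret -out "$d/short.p12"
}
```

A top certificate that is cross-signed by another CA rather than self-signed counts as incomplete under this check, so the bundle needs the actual self-signed root, not a cross-signed copy of it.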