[Freeipa-users] CA-less replica setup and trouble with cert chain
Jan Cholasta
jcholast at redhat.com
Wed Jul 29 05:20:30 UTC 2015
Hi,
On 29 Jul 2015 at 00:56, Mike Oliver wrote:
> Hi folks,
>
> We're trying to add a FreeIPA (4.1; CentOS 7) replica to our
> infrastructure and keep running into an issue that prevents us from
> preparing the replica.
>
> We're using the CA-less setup where FreeIPA is using a wildcard
> certificate provided by RapidSSL. I started trying to create the replica
> using the information provided here :
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html
>
>
> But since we're not using a CA, it tells me that I need to specify
> --http-cert-file and --dirsrv-cert-file. I create a p12 file that
> includes the wildcard cert and the rest of the certs in the chain with:
> $ openssl pkcs12 -export -in wildcard-with-intermediates.crt -inkey
> wildcard.key -name "replica01" -out replica01.mydomain.com.p12
>
> I then check to see if all the necessary certs were added to the p12 file:
> $ pk12util -l replica01.mydomain.com.p12
>
> I see our wildcard certificate, RapidSSL's intermediate certificate, and
> the entry for Equifax/GeoTrust, that signed RapidSSL's certificate.
>
> Then I run 'ipa-replica-prepare' on the existing FreeIPA server.
> $ ipa-replica-prepare replica01.mydomain.com \
> --http-cert-file=replica01.mydomain.com.p12 \
> --dirsrv-cert-file=replica01.mydomain.com.p12 \
> --ca /etc/ipa/ca.crt \
> -v
Note that you can use the .crt and .key files directly:
$ ipa-replica-prepare replica01.mydomain.com \
--http-cert-file=wildcard-with-intermediates.crt \
--http-cert-file=wildcard.key \
--dirsrv-cert-file=wildcard-with-intermediates.crt \
--dirsrv-cert-file=wildcard.key
>
> I get the following error after the debug output reports a series of
> calls to certutil:
> ipa: DEBUG: stderr=
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in
> execute
> self.ask_for_options()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 262, in ask_for_options
> options.http_cert_name)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 162, in load_pkcs12
> host_name=self.replica_fqdn)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 799, in load_pkcs12
> (", ".join(cert_files)))
>
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
> ipa-replica-prepare command failed, exception: ScriptError: The full
> certificate chain is not present in replica01.mydomain.com.p12
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The
> full certificate chain is not present in replica01.mydomain.com.p12
>
>
> The chain certainly looks to be complete given the output of pk12util,
> but it's possible I'm just building the file wrong for use with FreeIPA.
> What exactly is '--http-cert-file' and '--dirsrv-cert-file' expecting
> and how should I go about generating the certificate used by
> 'ipa-replica-prepare' with a CA-less configuration?
If the chain is complete, there should be a self-signed CA certificate
at the top. For you that would be the Equifax/GeoTrust certificate. If
it's not self-signed, it means the chain is in fact not complete.
>
> Thanks all,
>
Honza
--
Jan Cholasta
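As an added illustration of the check Jan describes (this is not FreeIPA's code and not part of the thread), the script below builds a throwaway three-level chain with the openssl command line, then applies the same test ipa-replica-prepare does to three PEM bundles: every certificate must be issued by the next one in the file and the last one must be self-signed, after which the signatures are verified with the top certificate as the only trust anchor. The bundle that stops at the intermediate, which is what a typical CA download gives you, is the one that produces "The full certificate chain is not present". The final step packages the complete bundle into a PKCS#12 file the way the original post does and counts the certificates it contains. The names (Demo Root, Demo Intermediate, *.example.test, replica01) and the password are made up; the only assumption is that openssl is installed.

```shell
#!/bin/sh
# Added example, not FreeIPA code: reproduce the "full certificate chain"
# check on a PEM bundle, then package the bundle into a PKCS#12 file.
# Demo names are made up; only the openssl command line is assumed.
set -eu

# Nothing below can run without openssl; leave quietly in that case.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_cert <name> <subject> <CA:TRUE|CA:FALSE> [<issuer-name>]
# Writes $WORK/<name>.key and $WORK/<name>.pem; without an issuer the
# certificate is self-signed, i.e. a root.
gen_cert() {
    name=$1 subj=$2 ca=$3 issuer=${4:-}
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'basicConstraints=%s\n' "$ca" > "$WORK/$name.ext"
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# split_pem <bundle.pem> <dir>: write $dir/cert.1 (leaf) .. $dir/cert.N, print N
split_pem() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert." n }
        n > 0                         { print > f }
        /-----END CERTIFICATE-----/   { close(f) }
        END                           { print n + 0 }' "$1"
}

# chain_complete <bundle.pem>: succeed only if every certificate is issued by
# the next one in the file, the last one is self-signed, and the signatures
# verify with that last certificate as the sole trust anchor.
chain_complete() {
    dir=$(mktemp -d "$WORK/chk.XXXXXX")
    n=$(split_pem "$1" "$dir")
    [ "$n" -gt 0 ] || return 1
    i=1
    while [ "$i" -le "$n" ]; do
        if [ "$i" -lt "$n" ]; then next=$((i + 1)); else next=$i; fi  # top must be its own issuer
        issuer=$(openssl x509 -in "$dir/cert.$i" -noout -issuer_hash)
        subject=$(openssl x509 -in "$dir/cert.$next" -noout -subject_hash)
        [ "$issuer" = "$subject" ] || return 1
        i=$((i + 1))
    done
    openssl verify -CAfile "$dir/cert.$n" -untrusted "$1" "$dir/cert.1" >/dev/null 2>&1
}

# export_p12 <bundle.pem> <key> <friendly-name> <out.p12> <password>
export_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -out "$4" -passout "pass:$5"
}

# p12_cert_count <file.p12> <password>: number of certificates in the file
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed demo chain: root -> intermediate -> wildcard leaf.
gen_cert root  "/CN=Demo Root"         CA:TRUE
gen_cert inter "/CN=Demo Intermediate" CA:TRUE  root
gen_cert leaf  "/CN=*.example.test"    CA:FALSE inter

cat "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/full.pem"
cat "$WORK/leaf.pem" "$WORK/inter.pem"                  > "$WORK/no-root.pem"   # what the CA usually ships
cat "$WORK/leaf.pem" "$WORK/root.pem"                   > "$WORK/no-inter.pem"

for f in full no-root no-inter; do
    if chain_complete "$WORK/$f.pem"; then
        echo "$f.pem: complete chain"
    else
        echo "$f.pem: full certificate chain is not present"
    fi
done

export_p12 "$WORK/full.pem" "$WORK/leaf.key" replica01 "$WORK/replica01.p12" changeit
echo "replica01.p12 holds $(p12_cert_count "$WORK/replica01.p12" changeit) certificates"
```

The hash comparison is the cheap structural test (the same thing you can eyeball in pk12util output: the issuer of each entry is the subject of the next, and the top entry's issuer is itself); the openssl verify call at the end catches a bundle whose names line up but whose signatures do not, for instance a root fetched from the wrong CA. Note that the PKCS#12 file produced by a recent OpenSSL uses AES by default, which older NSS versions may not read; pk12util -l on the target host is the check that matters for FreeIPA.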