[Freeipa-users] CA-less replica setup and trouble with cert chain

Jan Cholasta jcholast at redhat.com
Wed Jul 29 05:20:30 UTC 2015


Hi,

On 29.7.2015 at 00:56, Mike Oliver wrote:
> Hi folks,
>
> We're trying to add a FreeIPA (4.1; CentOS 7) replica to our
> infrastructure and keep running into an issue that prevents us from
> preparing the replica.
>
> We're using the CA-less setup where FreeIPA is using a wildcard
> certificate provided by RapidSSL. I started trying to create the replica
> using the information provided here :
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html
>
>
> But since we're not using a CA, it tells me that I need to specify
> --http-cert-file and --dirsrv-cert-file. I create a p12 file that
> includes the wildcard cert and the rest of the certs in the chain with:
> $ openssl pkcs12 -export -in wildcard-with-intermediates.crt -inkey
> wildcard.key -name "replica01" -out replica01.mydomain.com.p12
>
> I then check to see if all the necessary certs were added to the p12 file:
> $ pk12util -l replica01.mydomain.com.p12
>
> I see our wildcard certificate, RapidSSL's intermediate certificate, and
> the entry for Equifax/GeoTrust, that signed RapidSSL's certificate.
>
> Then I run 'ipa-replica-prepare' on the existing FreeIPA server.
> $ ipa-replica-prepare replica01.mydomain.com \
>      --http-cert-file=replica01.mydomain.com.p12 \
>      --dirsrv-cert-file=replica01.mydomain.com.p12 \
>      --ca /etc/ipa/ca.crt \
>      -v

Note that you can use the .crt and .key files directly:

     $ ipa-replica-prepare replica01.mydomain.com \
         --http-cert-file=wildcard-with-intermediates.crt \
         --http-cert-file=wildcard.key \
         --dirsrv-cert-file=wildcard-with-intermediates.crt \
         --dirsrv-cert-file=wildcard.key

>
> I get the following error after the debug output reports a series of
> calls to certutil:
> ipa: DEBUG: stderr=
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
>     self.ask_for_options()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 262, in ask_for_options
>     options.http_cert_name)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 162, in load_pkcs12
>     host_name=self.replica_fqdn)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 799, in load_pkcs12
>     (", ".join(cert_files)))
>
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: ScriptError: The full certificate chain is not present in replica01.mydomain.com.p12
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The full certificate chain is not present in replicate01.mydomain.com.p12
>
>
> The chain certainly looks to be complete given the output of pk12util,
> but it's possible I'm just building the file wrong for use with FreeIPA.
> What exactly is '--http-cert-file' and '--dirsrv-cert-file' expecting
> and how should I go about generating the certificate used by
> 'ipa-replica-prepare' with a CA-less configuration?

If the chain is complete, there should be a self-signed CA certificate 
at the top. For you that would be the Equifax/GeoTrust certificate. If 
it's not self-signed, it means the chain is in fact not complete.

>
> Thanks all,
>

Honza

-- 
Jan Cholasta
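Jan's test above (a complete chain ends in a self-signed CA certificate) can be scripted. The following is an added example, not part of the thread or of FreeIPA: it builds a throwaway root/intermediate/wildcard PKI with openssl, then checks two constructed versions of the bundle that would be handed to --http-cert-file, one without and one with the root. All file and subject names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that a PEM bundle destined for
# ipa-replica-prepare --http-cert-file / --dirsrv-cert-file ends in a
# self-signed CA certificate, which is what "the full certificate chain is
# not present" is about. Needs only openssl; the PKI below is constructed in a
# scratch directory and uses no real-world names.
set -eu
cd "$(mktemp -d)"

# chain_is_complete BUNDLE: exit 0 if the last certificate in BUNDLE is
# self-signed (issuer equals subject AND the signature verifies under its own
# key), exit 1 otherwise. The top certificate is left behind in BUNDLE.top.
chain_is_complete() {
    bundle=$1
    top="$bundle.top"
    # keep only the last certificate in the bundle, i.e. the top of the chain
    awk '/BEGIN CERTIFICATE/{c=""} {c=c $0 "\n"} END{printf "%s", c}' "$bundle" > "$top"
    subj=$(openssl x509 -in "$top" -noout -subject -nameopt RFC2253)
    iss=$(openssl x509 -in "$top" -noout -issuer -nameopt RFC2253)
    echo "$bundle: top is '${subj#subject=}' issued by '${iss#issuer=}'"
    # a self-signed certificate names itself as issuer ...
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    # ... and must verify under its own key; -check_ss_sig makes openssl check
    # the self-signature instead of accepting the trust anchor as given
    openssl verify -check_ss_sig -CAfile "$top" "$top" >/dev/null 2>&1
}

# Constructed demo PKI: self-signed root -> intermediate -> wildcard server cert
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
newcsr() { # newcsr NAME SUBJECT: fresh key and CSR
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}
newcsr root '/CN=Demo Root CA'
openssl x509 -req -days 2 -in root.csr -signkey root.key -extfile ca.ext -out root.pem 2>/dev/null
newcsr inter '/CN=Demo Intermediate CA'
openssl x509 -req -days 2 -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out inter.pem 2>/dev/null
newcsr wildcard '/CN=*.mydomain.com'
openssl x509 -req -days 2 -in wildcard.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out wildcard.pem 2>/dev/null

# Two versions of "wildcard-with-intermediates.crt": pk12util would list two
# or three certificates, but only the bundle that includes the root passes.
cat wildcard.pem inter.pem > incomplete.crt
cat wildcard.pem inter.pem root.pem > complete.crt

chain_is_complete complete.crt   && echo "complete.crt: chain is complete"
chain_is_complete incomplete.crt || echo "incomplete.crt: chain is NOT complete"
```

Run the same function against the .crt you actually pass to ipa-replica-prepare (or against `openssl pkcs12 -in replica01.mydomain.com.p12 -nokeys` output) to see which certificate sits at the top and whether it is really self-signed.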
