[Freeipa-users] Need to replace cert for ipa servers

Rob Crittenden rcritten at redhat.com
Fri Mar 13 20:44:07 UTC 2015


Johnny Tan wrote:
> On Fri, Mar 13, 2015 at 2:15 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
> 
>     Rob would definitely know more but IPA mostly provides certs for the
>     infra it serves and has a limited use of the certs by itself.
>     So here is where I know it is used:
>     - You can issue certs for hosts and services and installer used to
>     create certs for host automatically though these certs are not used
>     for anything and we decided not to create them automatically any more.
>     - You need to trust IPA in browser so that you can do a forms based
>     authentication if you do not have a kerberos ticket.
>     - To issue certs we use Dogtag and Dogtag understands only cert
>     based authentication so internally the communication between the
>     management framework and Dogtag uses SSL. This is actually why the
>     host-del fails. The host had a cert issued by IPA CA so as part of
>     the del operation it tries to revoke the cert but since you
>     reconfigured the system to be CA-less it can't and fails.
> 
>     The communication between the LDAP servers is Kerberos authenticated.
> 
> 
> I'll wait for Rob to weigh in, but wow, this would actually be huge for
> us and probably a lot of other users. Because if the above is true (and
> complete, I guess), then we could actually just run a CA-less FreeIPA
> setup, and then generate certs specifically and only for the web
> (apache) side, which is easy enough and we do it already for all other
> internal web services. That limits cert-related stuff to just one web
> SSL cert per IPA master.
>  
> 
>     We have a special tool in Freeipa 4.2 to do this. The manual
>     procedure is cumbersome and leads to issues like this.
> 
> 
> Yeah, I saw that, but we are still doing 3.0 on CentOS6.6, which is why
> we had to go down the manual path.

The CA-less install was improved in IPA 3.3. It can sorta work in 3.0
but it will be bumpy. A number of bugs were fixed in
ipa-server-certinstall, the tool used to replace the IPA certs with
user-provided certs. Or you can pass in PKCS#12 files during the install
but the root CA is implicit in that case so you need to be careful in
creating the file.

You still need an SSL cert for LDAP as well. SSL is used to bootstrap
replication when a new master is set up. When that is done the agreement
is converted to using GSSAPI.

The clients (depending on version) will still ask for a host cert on
install but it is generally treated as a non-fatal error if one isn't
obtained.

Otherwise it should work, but as Dmitri points out you are limiting
yourself upgrade-wise. The only migration paths from one version of IPA
to another are replication, in which case you still wouldn't be able to
add a CA, or the LDAP migration routines, which only migrate users
and groups currently.

rob
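Rob's note that the root CA is implicit in a PKCS#12 file, so the file must be built carefully, is the kind of thing that is easy to get wrong and cheap to check. The script below is an added illustration, not code from this thread or from the FreeIPA project: it builds a throwaway CA and server certificate with openssl, packs them into a PKCS#12 bundle once with the issuing CA included and once without, and then inspects each bundle the way an admin can inspect a real one before handing it to the installer. The CA name, hostname and export password are constructed for the example; the `ipa-server-install`/`ipa-server-certinstall` invocations themselves are deliberately not shown, since their options differ between the versions discussed above.

```shell
#!/bin/sh
# Added example (not from the thread): check that a PKCS#12 bundle carries
# its issuing CA before giving it to a CA-less IPA install.
set -eu
WORK=$(mktemp -d)
P12PASS=secret   # constructed export password for the demo bundles

# Build a constructed CA and a server cert signed by it (throwaway keys).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Root CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ipa.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -sha256 \
    -out "$WORK/server.crt" 2>/dev/null
}

# build_p12 OUTFILE yes|no : export key+cert, with or without the CA cert.
# Leaving out -certfile is the mistake this example is about: the bundle
# then carries no issuer, and the installer has nothing to trust.
build_p12() {
  out="$1"; with_ca="$2"
  if [ "$with_ca" = yes ]; then
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
      -certfile "$WORK/ca.crt" -name "Server-Cert" \
      -passout "pass:$P12PASS" -out "$out"
  else
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
      -name "Server-Cert" -passout "pass:$P12PASS" -out "$out"
  fi
}

# Print how many certificates a PKCS#12 file contains.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Succeed only if the end-entity cert in the bundle verifies against
# the CA certs carried in that same bundle.
p12_chain_ok() {
  openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$P12PASS" \
    2>/dev/null > "$WORK/chain.pem"
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$P12PASS" \
    2>/dev/null > "$WORK/leaf.pem"
  # No CA certificate at all: fail before asking openssl verify.
  grep -q 'BEGIN CERTIFICATE' "$WORK/chain.pem" || return 1
  openssl verify -CAfile "$WORK/chain.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_demo_pki
build_p12 "$WORK/full.p12" yes
build_p12 "$WORK/bare.p12" no
for f in full bare; do
  printf '%s.p12: %s cert(s), chain ' "$f" "$(p12_cert_count "$WORK/$f.p12")"
  if p12_chain_ok "$WORK/$f.p12"; then echo ok; else echo MISSING; fi
done
```

Run against a real bundle, the same two checks tell you whether the file is self-contained: a count of one certificate, or a chain that does not verify using only what is inside the file, means the CA is not "implicit" at all and the install will trust nothing.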
