[Freeipa-users] IPA with external CA signed certs

Mon Oct 26 16:11:06 UTC 2015

On 10/26/2015 04:05 PM, James Masson wrote:
> 
> 
> On 19/10/15 21:06, Rob Crittenden wrote:
>> James Masson wrote:
>>>
>>> Hi list,
>>>
>>> I successfully have IPA working with CA certs signed by an upstream Dogtag.
>>>
>>> Now I'm trying to use a CA cert signed by a different type of CA - Vault.
>>>
>>> Setup fails, using the same 2 step IPA setup process as used with
>>> upstream Dogtag. I've also tried the external-ca-type option.
>>>
>>> Likely, IPA doesn't like the certificate - however, I can't pinpoint why.
>>
>> I'm guessing you don't include the entire CA certchain of Vault. Dogtag
>> is failing to startup because it can't verify its own cert chain:
>>
>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>> CAPresence:  CA is present
>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>> SystemCertsVerification: system certs verification failure
>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>> SelfTestSubsystem: The CRITICAL self test plugin called
>> selftests.container.instance.SystemCertsVerification running at startup
>> FAILED!
>>
>> rob
>>
> 
> 
> Hi Rob,
> 
> Thanks for the reply.
> 
> I do present the IPA installer with both the CA and the IPA cert - the IPAs
> python-based install code is happy with the cert chain, but the Java based
> dogtag code chokes on it.
> 
> OpenSSL is happy with it too.
> 
> #####
> [root at foo ~]# openssl verify ipa.crt
> ipa.crt: O = LOCAL, CN = Certificate Authority
> error 20 at 0 depth lookup:unable to get local issuer certificate
> 
> [root at foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
> ipa.crt: OK
> ###
> 
> Any hints on how to reproduce this with more debug output? I'd like to know
> exactly what Dogtag doesn't like about the certificate.
> 
> thanks
> 
> James M

Let me CC at least Jan Ch. and David, they may be able to help and should also
make sure FreeIPA gets better in validating the certs, as appropriate.