[Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

Richard Harmonson richard.harmonson at gmail.com
Wed Aug 3 17:54:42 UTC 2016


On Wed, Aug 3, 2016 at 12:49 AM, Florence Blanc-Renaud <flo at redhat.com>
wrote:

> On 08/02/2016 04:52 AM, Richard Harmonson wrote:
>
>> On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik <pvoborni at redhat.com
>> <mailto:pvoborni at redhat.com>> wrote:
>>
>>     On 07/31/2016 07:45 AM, Richard Harmonson wrote:
>>     > I am having challenges resuming ipa-server-install --external-ca.
>>     > I am reasonably confident I am not providing the right certificate
>>     > and/or format from my off-line root CA using 389 and Dogtag.
>>     >
>>     > Does anyone have instructions on how to accomplish the task of
>>     > exporting the correct certificates in the expected format?
>>     >
>>     > Thank you.
>>     >
>>
>>     The IPA procedure with prerequisites is described at
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca
>>
>>     Or are you rather asking for specific PKI instructions?
>>
>>     e.g.
>>     *
>>
>> http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI#Submitting_a_Certificate_Request
>>
>>     *
>>
>> http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles#caCACert:_Manual_Certificate_Manager_Signing_Certificate_Enrollment
>>     --
>>     Petr Vobornik
>>
>>
>> I read the suggested document previously, but it's an excellent shared
>> reference for this discussion.
>>
>> I have successfully submitted and approved the csr. Dogtag provides a
>> web UI which provides a Base 64 encoded certificate or Base 64 encoded
>> certificate with CA certificate chain in pkcs7 format.
>>
>> For the servercert2010601.pem (the signed CSR request signing CA
>> certificate 0x9) referenced in the article, do I copy and paste
>> (-----BEGIN .. END-----) the base 64 (not pkcs7) to a file using *.pem
>> then submit using one of the two --external-cert-file?
>>
>> For the cacert.pem (the Root CA signing certificate 0x1) referenced in
>> the article, do I copy and paste the base 64 with ca in pkcs7 format to
>> a file using *.pkcs7 (or pem or does it matter?) then submit using the
>> second --external-cert-file?
>>
>> Your guidance is much appreciated.
>>
>
> Hi Richard,
>
> I tested the following steps to install FreeIPA with a certificate signed
> by an external Dogtag instance:
>
> 1- IPA installation on host ipaserver with:
> ipaserver$ ipa-server-install [options] --external-ca
>
> This step produces the Certificate Signing Request /root/ipa.csr that must
> be provided to the Dogtag server.
>
> 2- On the Dogtag machine, configure Dogtag client authentication (to be
> able to use the command-line):
>
> dogtagsrv$ pki -c password client-init
>
> This step creates a NSSDB in ~/.dogtag/nssdb where the certificates for
> client->dogtag server authentication will be stored.
>
> dogtagsrv$ pk12util -i /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -d
> /root/.dogtag/nssdb/
>
> This step imports the caadmin certificate that was created during Dogtag
> installation into the client NSSDB. The client will be able to authenticate
> as "caadmin" when using Dogtag CLI. Please note the certificate nickname that
> can be found using
>
> dogtagsrv$ certutil -L -d ~/.dogtag/nssdb/
> [...]
> PKI Administrator for <security domain>         u,u,u
>
> 3- On the Dogtag machine, submit the CSR and approve:
> dogtagsrv$ pki ca-cert-request-submit --profile caCACert --request-type
> pkcs10 --csr-file /path/to/ipa.csr
>
> This step submits the csr to Dogtag, using the caCACert profile in order
> to produce a Certificate that can be used for a Certificate Authority. Note
> the Request ID in the output as it will be used in the next command to
> approve the CSR and produce the cert:
>
> dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for
> <security domain>" cert-request-review <id> --action approve
>
> 4- On the Dogtag machine, export the certificate and the dogtag CA cert:
>
> dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for
> <security domain>" cert-show 7 --encoded --output ipa.cert
> dogtagsrv$ pki ca-cert-show 1 --encoded --output dogtagca.cert
>
> 5- Resume ipa server installation with
>
> ipaserver$ ipa-server-install --external-cert-file=ipa.cert
> --external-cert-file=dogtagca.cert
>
> With those steps, I was able to install FreeIPA server with a 3rd-party
> signed Certificate Authority. Please let me know if you have issues with
> those instructions,
>
> Flo.
>

Awesome!

Flo, your instructions were perfect! I exported the certs and during the
ipa-server-install I see the certs being displayed on the screen, then
"Process finished, return code=0", so they are accepted on resuming the
installation. The install fails with an LDAP error, but I believe it to be
unrelated to the exported certs. May be a result of my earlier thrashing?

I will recover from a snapshot and begin again. If problems persist, I will
send another request for help for it is probably unrelated to the
certificates.

You got me one step closer. Thank you!

Debug shows:

# ipa-server-install --external-cert-file=ipa.cert
--external-cert-file=dogtagca.cert
..
ipa         : DEBUG    Starting external process
ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpDVXaWo
ipa         : DEBUG    Process finished, return code=1
ipa         : DEBUG    stdout=Log file:
/var/log/pki/pki-ca-spawn.20160803103307.log
Loading deployment configuration from /tmp/tmpDVXaWo.
ERROR:  Unable to access directory server: Can't contact LDAP server

ipa         : DEBUG    stderr=
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDVXaWo' returned
non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
ipa         : DEBUG    Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 579, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 181, in spawn_instance
    self.handle_setup_error(e)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 421, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
..
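A pre-flight check for step 5 of Flo's procedure, added here as an example; it is not part of the thread and not FreeIPA or Dogtag code. Before the two files exported in step 4 are handed to --external-cert-file, the function below confirms that each is a PEM-encoded X.509 certificate (the form `pki cert-show --encoded` writes, as opposed to the PKCS#7 chain download from the web UI), that the IPA CA certificate really carries basicConstraints CA:TRUE (i.e. it was issued under a CA profile such as caCACert rather than an end-entity profile), and that it chains to the Dogtag CA certificate. It assumes openssl is installed; the function name and the file names are placeholders.

```shell
#!/bin/sh
# Example pre-flight check (not FreeIPA or Dogtag code) for the two files
# passed to:
#   ipa-server-install --external-cert-file=ipa.cert --external-cert-file=dogtagca.cert
# Assumes: openssl on PATH, both inputs exported as PEM.
# Usage:    check_external_certs ipa.cert dogtagca.cert
# Exit codes: 0 ok, 1 not a PEM certificate, 2 no CA:TRUE, 3 chain failure.

# True when the file holds a PEM certificate and not a PKCS#7 bundle.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && ! grep -q -- '-----BEGIN PKCS7-----' "$1"
}

# True when the certificate's basicConstraints extension says CA:TRUE.
has_ca_true() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

check_external_certs() {
    ipa_cert=$1
    ca_cert=$2

    for f in "$ipa_cert" "$ca_cert"; do
        if ! is_pem_cert "$f"; then
            echo "ERROR: $f is not a PEM-encoded X.509 certificate" >&2
            return 1
        fi
    done

    # A CSR approved under an end-entity profile yields a cert without CA:TRUE;
    # IPA cannot act as a CA with such a certificate.
    if ! has_ca_true "$ipa_cert"; then
        echo "ERROR: $ipa_cert lacks basicConstraints CA:TRUE (wrong profile?)" >&2
        return 2
    fi

    # The second --external-cert-file must be the issuer of the first.
    if ! openssl verify -CAfile "$ca_cert" "$ipa_cert" >/dev/null 2>&1; then
        echo "ERROR: $ipa_cert does not chain to $ca_cert" >&2
        return 3
    fi

    echo "OK: $ipa_cert is a CA certificate issued under $ca_cert"
    return 0
}
```

Running it with the two exported files before resuming the installation separates a certificate or format problem (which this check reports) from an unrelated failure such as the LDAP connection error in the debug output above.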