[Freeipa-users] Third Party Certificate
Ian Harding
ianh at brownpapertickets.com
Wed Aug 3 18:25:15 UTC 2016
On 08/02/2016 08:19 AM, Florence Blanc-Renaud wrote:
> On 08/02/2016 03:17 PM, Ian Harding wrote:
>> Hello!
>>
>> I have been using FreeIPA for a while in our network with 6 replicas and
>> it's been working great. I seem to have made a wee mistake though and
>> I'd appreciate some help.
>>
>> I did this:
>>
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> on one server because I had a new cert for our internal domain and I
>> thought it might be nice to use the same cert for all our internal web
>> services.
>>
>> It worked fine but now when I'm on that server I get
>> SEC_ERROR_UNTRUSTED_ISSUER when I run ipa commands. Is there any way I
>> can roll this back, or make it work as is?
>>
>> Thanks!
>>
>> -Ian
>>
> Hi Ian,
>
> if the certificate that you installed was issued by a CA not known by
> IPA (let's call him the issuer), then you need to add this issuer cert
> first using:
> ipa-cacert-manage install <issuer certificate file> -n nickname -t C,,
> kinit admin
> ipa-certupdate
>
> You can check that the issuer cert is properly installed in
> /etc/httpd/alias and /etc/ipa/nssdb with:
> certutil -L -d /etc/httpd/alias
> certutil -L -d /etc/ipa/nssdb
> where it should appear with C,, flags
>
> Hope this helps,
> Flo.
>
I seem to have created a problem here.
First some background.
freeipa-sea.bpt.rocks suffered LDAP database corruption on a messy
reboot. I tried to delete it from the FreeIPA ecosystem but did a poor
job, then rebuilt it with the same name and IP address.
Replication issues ensued.
I chose this inopportune time to install the SSL certificate as
described above.
I have spent today deleting old replication agreements and
reestablishing them which seems to have worked on most of the replicas.
However, I see this now on most of them:
[root at bpt-nyc1-nfs ianh]# ipa-csreplica-manage list
Directory Manager password:
seattlenfs.bpt.rocks: master
bpt-nyc1-nfs.bpt.rocks: master
freeipa-sea.bpt.rocks: CA not configured
bellevuenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: master
edinburghnfs.bpt.rocks: master
fremontnis.bpt.rocks: master
Is this related to the original deletion or the subsequent addition of
the certificate? I installed the replicas with their own CA.
I have added the certificate root to the replicas as mentioned above.
Thanks!
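An added check (example code, not from the thread or from FreeIPA) that automates Flo's verification step: parse `certutil -L` output and confirm the issuer nickname carries the C,, flags in both /etc/httpd/alias and /etc/ipa/nssdb. The nicknames and the sample listing are constructed placeholders; only `check_issuer_installed` needs a real certutil.

```shell
# Added example, not code from the thread or from FreeIPA. It automates Flo's
# check: the issuer cert must be listed in both NSS databases with "C" in the
# SSL trust column (the C,, flags). Sample listing below is constructed.

# Print the trust attributes (e.g. "C,,") for NICKNAME from `certutil -L` text
# on stdin; exit 1 if absent. Nicknames may contain spaces, so the name is
# everything before the final flags column.
trust_flags_for() {
  awk -v nick="$1" '
    /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF < 2 { next }
    {
      name = $0
      sub(/ +[^ ]+ *$/, "", name)   # strip the trailing flags column
      if (name == nick) { print $NF; found = 1; exit }
    }
    END { if (!found) exit 1 }
  '
}
# Succeed only if NICKNAME is present and trusted as a CA for SSL: "C" in the
# first column ("C,," or "CT,C,C" pass; "u,u,u" or ",," fail).
is_trusted_ca() {
  flags=$(trust_flags_for "$1") || return 1
  case "${flags%%,*}" in
    *C*) return 0 ;;
    *)   return 1 ;;
  esac
}
# Live check of the two databases named in the reply (needs certutil).
# Usage: check_issuer_installed 'nickname'
check_issuer_installed() {
  rc=0
  for db in /etc/httpd/alias /etc/ipa/nssdb; do
    if certutil -L -d "$db" | is_trusted_ca "$1"; then
      echo "$db: '$1' trusted as CA"
    else
      echo "$db: '$1' missing or not C,, (rerun ipa-cacert-manage install, then ipa-certupdate)"
      rc=1
    fi
  done
  return $rc
}
# Constructed sample of `certutil -L` output; nicknames are placeholders.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Issuer CA                                            C,,
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C'
```

A replica on which `check_issuer_installed` fails for the issuer nickname will still raise SEC_ERROR_UNTRUSTED_ISSUER for ipa commands until the install and ipa-certupdate steps are repeated there.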