[Freeipa-users] Third Party Certificate

Ian Harding ianh at brownpapertickets.com
Wed Aug 3 18:25:15 UTC 2016
On 08/02/2016 08:19 AM, Florence Blanc-Renaud wrote:
> On 08/02/2016 03:17 PM, Ian Harding wrote:
>> Hello!
>>
>> I have been using FreeIPA for a while in our network with 6 replicas and
>> it's been working great.  I seem to have made a wee mistake though and
>> I'd appreciate some help.
>>
>> I did this:
>>
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> on one server because I had a new cert for our internal domain and I
>> thought it might be nice to use the same cert for all our internal web
>> services.
>>
>> It worked fine but now when I'm on that server I get
>> SEC_ERROR_UNTRUSTED_ISSUER when I run ipa commands.  Is there any way I
>> can roll this back, or make it work as is?
>>
>> Thanks!
>>
>> -Ian
>>
> Hi Ian,
> 
> if the certificate that you installed was issued by a CA not known by
> IPA (let's call him the issuer), then you need to add this issuer cert
> first using:
> ipa-cacert-manage install <issuer certificate file> -n nickname -t C,,
> kinit admin
> ipa-certupdate
> 
> You can check that the issuer cert is properly installed in
> /etc/httpd/alias and /etc/ipa/nssdb with:
> certutil -L -d /etc/httpd/alias
> certutil -L -d /etc/ipa/nssdb
> where it should appear with C,, flags
> 
> Hope this helps,
> Flo.
> 

I seem to have created a problem here.

First some background.

freeipa-sea.bpt.rocks suffered ldap database corruption on a messy
reboot.  I tried to delete it from the freeipa ecosystem but did a poor
job, then rebuilt it with the same name and IP address.

Replication issues ensued.

I chose this inopportune time to install the ssl certificate as
described above.

I have spent today deleting old replication agreements and
reestablishing them which seems to have worked on most of the replicas.

However, I see this now on most of them:

[root at bpt-nyc1-nfs ianh]# ipa-csreplica-manage list
Directory Manager password:

seattlenfs.bpt.rocks: master
bpt-nyc1-nfs.bpt.rocks: master
freeipa-sea.bpt.rocks: CA not configured
bellevuenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: master
edinburghnfs.bpt.rocks: master
fremontnis.bpt.rocks: master

Is this related to the original deletion or the subsequent addition of
the certificate?   I installed the replicas with their own CA.

I have added the certificate root to the replicas as mentioned above.

Thanks!
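Flo's check above relies on reading the `certutil -L` output by eye. The following is an added example, not from the thread or the FreeIPA project, that parses such a listing and confirms the issuer cert carries the `C` trust flag in the SSL slot; it embeds a constructed listing with hypothetical nicknames so it runs offline, and `check_db` shows how it would be fed a real `/etc/httpd/alias` or `/etc/ipa/nssdb` database.

```shell
#!/bin/sh
# Added example: verify that an issuer CA certificate is present in an NSS
# database listing with "C,," trust, as described in the reply above.

# Constructed sample of `certutil -L` output (nicknames are hypothetical).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Internal-Issuer-CA                                           C,,
Server-Cert                                                  u,u,u
Old-Issuer                                                   ,,'

# trust_flags NICKNAME LISTING
# Prints the trust attribute column for NICKNAME; exit 1 if absent.
# The nickname is everything before the final whitespace-separated field,
# so nicknames containing spaces are handled.
trust_flags() {
    printf '%s\n' "$2" | awk -v nick="$1" '
        NF >= 2 {
            flags = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", $0)   # drop trust column, keep nickname
            if ($0 == nick) { print flags; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# ca_trusted NICKNAME LISTING
# Exit 0 only if the SSL slot (first comma-separated field) contains "C",
# i.e. the cert is trusted as an SSL CA; "u,u,u" (own key) or ",," do not count.
ca_trusted() {
    flags=$(trust_flags "$1" "$2") || return 1
    case "${flags%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_db NICKNAME DBDIR
# Same check against a live NSS database, e.g. check_db Internal-Issuer-CA /etc/httpd/alias
check_db() {
    ca_trusted "$1" "$(certutil -L -d "$2")"
}
```

Run the check on every replica after `ipa-certupdate`; a cert listed with `,,` or missing entirely explains a persistent SEC_ERROR_UNTRUSTED_ISSUER.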