[Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates
Florence Blanc-Renaud
flo at redhat.com
Thu Aug 4 08:03:11 UTC 2016
On 08/03/2016 07:54 PM, Richard Harmonson wrote:
> On Wed, Aug 3, 2016 at 12:49 AM, Florence Blanc-Renaud <flo at redhat.com> wrote:
>
> On 08/02/2016 04:52 AM, Richard Harmonson wrote:
>
> On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
>
> On 07/31/2016 07:45 AM, Richard Harmonson wrote:
> > I am having challenges resuming ipa-server-install --external-ca. I am
> > reasonably confident I am not providing the right certificate and/or
> > format from my off-line root CA using 389 and Dogtag.
> >
> > Does anyone have instructions on how to accomplish the task of
> exporting the
> > correct certificates in the expected format?
> >
> > Thank you.
> >
>
> The IPA procedure with prerequisites is described at
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca
>
> Or are you rather asking for specific PKI instructions?
>
> e.g.
> * http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI#Submitting_a_Certificate_Request
> * http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles#caCACert:_Manual_Certificate_Manager_Signing_Certificate_Enrollment
> --
> Petr Vobornik
>
>
> I read the suggested document, previously, but it's an excellent shared
> reference for this discussion.
>
> I have successfully submitted and approved the csr. Dogtag provides a
> web UI which provides a Base 64 encoded certificate or Base 64 encoded
> certificate with CA certificate chain in pkcs7 format.
>
> For the servercert2010601.pem (the signed CSR request signing CA
> certificate 0x9) referenced in the article, do I copy and paste
> (-----BEGIN .. END-----) the base 64 (not pkcs7) to a file using *.pem
> then submit using one of the two --external-cert-file?
>
> For the cacert.pem (the Root CA signing certificate 0x1) referenced in
> the article, do I copy and paste the base 64 with ca in pkcs7 format to
> a file using *.pkcs7 (or pem or does it matter?) then submit using the
> second --external-cert-file?
>
> Your guidance is much appreciated.
>
>
> Hi Richard,
>
> I tested the following steps to install FreeIPA with a certificate
> signed by an external Dogtag instance:
>
> 1- IPA installation on host ipaserver with:
> ipaserver$ ipa-server-install [options] --external-ca
>
> This step produces the Certificate Signing Request /root/ipa.csr
> that must be provided to the Dogtag server.
>
> 2- On the Dogtag machine, configure Dogtag client authentication (to
> be able to use the command-line):
>
> dogtagsrv$ pki -c password client-init
>
> This step creates a NSSDB in ~/.dogtag/nssdb where the certificates
> for client->dogtag server authentication will be stored.
>
> dogtagsrv$ pk12util -i /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -d /root/.dogtag/nssdb/
>
> This step imports the caadmin certificate that was created during
> Dogtag installation into the client NSSDB. The client will be able
> to authenticate as "caadmin" when using Dogtag CLI. Please note the
> certificate nickname that can be found using
>
> dogtagsrv$ certutil -L -d ~/.dogtag/nssdb/
> [...]
> PKI Administrator for <security domain> u,u,u
>
> 3- On the Dogtag machine, submit the CSR and approve:
> dogtagsrv$ pki ca-cert-request-submit --profile caCACert --request-type pkcs10 --csr-file /path/to/ipa.csr
>
> This step submits the csr to Dogtag, using the caCACert profile in
> order to produce a Certificate that can be used for a Certificate
> Authority. Note the Request ID in the output as it will be used in
> the next command to approve the CSR and produce the cert:
>
> dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for <security domain>" cert-request-review <id> --action approve
>
> 4- On the Dogtag machine, export the certificate and the dogtag CA cert:
>
> dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for <security domain>" cert-show 7 --encoded --output ipa.cert
> dogtagsrv$ pki ca-cert-show 1 --encoded --output dogtagca.cert
>
> 5- Resume ipa server installation with
>
> ipaserver$ ipa-server-install --external-cert-file=ipa.cert --external-cert-file=dogtagca.cert
>
> With those steps, I was able to install FreeIPA server with a
> 3rd-party signed Certificate Authority. Please let me know if you
> have issues with those instructions,
>
> Flo.
>
>
> Awesome!
>
> Flo, your instructions were perfect! I exported the certs and during the
> ipa-server-install I see the certs being displayed on the screen then
> "Process finished, return code=0", so they are accepted on resuming the
> installation. The install fails with an LDAP error but I believe it to be
> unrelated to the exported certs. May be a result of my earlier thrashing?
>
> I will recover from a snapshot and begin again. If problems persist, I
> will send another request for help for it is probably unrelated to the
> certificates.
>
> You got me one step closer. Thank you!
>
> Debug shows:
>
> # pa-server-install --external-cert-file=ipa.cert
> --external-cert-file=dogtagca.cert
> ..
> ipa : DEBUG Starting external process
> ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpDVXaWo
> ipa : DEBUG Process finished, *return code=1*
> ipa : DEBUG stdout=Log file:
> /var/log/pki/pki-ca-spawn.20160803103307.log
> Loading deployment configuration from /tmp/tmpDVXaWo.
> *ERROR: Unable to access directory server: Can't contact LDAP server*
>
> ipa : DEBUG stderr=
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command '/usr/sbin/pkispawn -s CA -f
> /tmp/tmpDVXaWo' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
> ipa : DEBUG Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 447, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 437, in run_step
> method()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 579, in __spawn_instance
> DogtagInstance.spawn_instance(self, cfg_file)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 181, in spawn_instance
> self.handle_setup_error(e)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 421, in handle_setup_error
> raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
> ..
>
>
Hi Richard,
not sure if this is related, but there is a bug with recent revisions of
Dogtag which results in failure of CA installation. See IPA ticket 6155
[1] and Dogtag ticket 2403 [2]. A workaround is to downgrade the
packages resteasy-xx because version 3.0.17 from updates-testing
prevents the installation (but 3.0.6.11 is OK):
# dnf downgrade resteasy-atom-provider resteasy-client resteasy-core resteasy-jackson-provider resteasy-jaxb-provider --allowerasing
[1] https://fedorahosted.org/freeipa/ticket/6155
[2] https://fedorahosted.org/pki/ticket/2403
Flo.
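A preflight check for the two exported files before resuming ipa-server-install, as an added example that is not part of this thread or of the FreeIPA/Dogtag tooling: it assumes only openssl is installed and that the files are the PEM output of "pki cert-show --encoded" from step 4 (a PKCS#7 bundle, the "with CA certificate chain" download from the Dogtag web UI, is unwrapped first); the function name and file names are constructed.

```shell
#!/bin/sh
# check_external_certs <ipa.cert> <dogtagca.cert>
# Verifies, before "ipa-server-install --external-cert-file", that the
# first file is a CA certificate and that it chains to the second file.
# Added example (not from the thread); needs only openssl.

# Print the PEM certificate(s) in a file. A PKCS#7 bundle, as offered by
# the Dogtag web UI, is unwrapped with "openssl pkcs7 -print_certs".
as_pem_certs() {
    if grep -q -- '-----BEGIN PKCS7-----' "$1"; then
        openssl pkcs7 -in "$1" -print_certs
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        cat "$1"
    else
        echo "$1: neither a PEM certificate nor a PKCS#7 bundle" >&2
        return 1
    fi
}

check_external_certs() {
    ipa_cert=$1; root_cert=$2
    tmp=$(mktemp -d) || return 1
    as_pem_certs "$ipa_cert" > "$tmp/ipa.pem" || { rm -rf "$tmp"; return 1; }
    as_pem_certs "$root_cert" > "$tmp/root.pem" || { rm -rf "$tmp"; return 1; }

    # 1. The IPA CA certificate must itself be a CA: the caCACert profile
    #    sets basicConstraints CA:TRUE, a server profile does not.
    if ! openssl x509 -in "$tmp/ipa.pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "$ipa_cert: basicConstraints is not CA:TRUE (wrong profile?)" >&2
        rm -rf "$tmp"; return 1
    fi
    # 2. It must verify against the Dogtag CA certificate; exporting the
    #    wrong certificate number with "pki cert-show N" fails here.
    if ! openssl verify -CAfile "$tmp/root.pem" "$tmp/ipa.pem" >/dev/null 2>&1; then
        echo "$ipa_cert: does not verify against $root_cert" >&2
        rm -rf "$tmp"; return 1
    fi
    echo "OK: $ipa_cert is a CA certificate issued under $root_cert"
    rm -rf "$tmp"
    return 0
}
```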