[Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...
Rob Crittenden
rcritten at redhat.com
Tue Aug 16 16:04:25 UTC 2016
Zarko Dudic wrote:
>
> Hi all,
>
> I have a problem installing FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with
> an External CA as the Root CA. Here are the details.
>
> 1) Run "ipa-server-install --external-ca", and send .csr to be signed by
> External CA, but VeriSign rejects signing this since info like
> Organization, OU, L, ST, C are missing.
I seriously doubt Verisign will issue this certificate regardless of
format. Don't confuse a CA signing certificate with a server certificate.
But who knows. Try the --subject-base option to ipa-server-install but
note that the CN is currently unconfigurable, it will always be
cn=Certificate Authority.
> 2) Okay, so I try this workaround, create cert request manually with
> command:
>
> # certutil -R -d /tmp -a -g 2048 -s
> 'CN=<fqdn>,OU=<some-ou>,O=<company>,L=<town>,ST=California,C=US'
This will never work. Besides the fact that you didn't request a
certificate with the right CA extensions, the private key that generated
the CSR is now in a place that dogtag will never find it. This is
unrelated to the error below but it would blow up eventually.
> 3) I verify request via
> https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp
> (looks good)
>
> 4) Now VeriSign accepts .csr and I receive the certificate (.cer file)
> via email.
>
> 5) I also download two additional certs for the trust chain, one is
> VeriSign's public primary root CA and the second one is the Company's
> intermediate CA, both (.pem files)
>
> 6) Now the problem begins, run the command:
>
> # ipa-server-install --external-cert-file=/tmp/freeipa.cer
> --external-cert-file=/tmp/Company_CA_G2.pem
> --external-cert-file=/tmp/VeriSign_Root_CA.pem -vv
If memory serves IPA knows what the subject of its CA should look like
(remember subject-base?) and it isn't finding it and blowing up.
rob
>
>
> One of the screen messages is:
>
> ipa : DEBUG stderr=
> ipa : DEBUG Starting external process
> ipa : DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmplsusxY'
> '-M' '-n' 'CN=VeriSign Class 3 Public Primary Certification Authority -
> G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign
> Trust Network,O="VeriSign, Inc.",C=US' '-t' 'C,,'
> ipa : DEBUG Process finished, return code=0
> ipa : DEBUG stdout=
> ipa : DEBUG stderr=
> ipa.ipapython.install.cli.install_tool(Server): DEBUG File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
> return_value = self.run()
> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
> line 311, in run
> cfgr.run()
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 279, in run
> self.validate()
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 288, in validate
> for nothing in self._validator():
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 343, in __runner
> self._handle_exception(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 365, in _handle_exception
> util.raise_exc_info(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 333, in __runner
> step()
> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 87, in run_generator_with_yield_from
> raise_exc_info(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 65, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 517, in _configure
> validator.next()
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 343, in __runner
> self._handle_exception(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 421, in _handle_exception
> self.__parent._handle_exception(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 365, in _handle_exception
> util.raise_exc_info(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 418, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 365, in _handle_exception
> util.raise_exc_info(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 333, in __runner
> step()
> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 87, in run_generator_with_yield_from
> raise_exc_info(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 65, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
> line 63, in _install
> for nothing in self._installer(self.parent):
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
> line 1612, in main
> install_check(self)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
> line 263, in decorated
> func(installer)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
> line 601, in install_check
> ca.install_check(False, None, options)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
> 69, in install_check
> options.external_cert_files, options.subject)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 1016, in load_external_cert
> "IPA CA certificate not found in %s" % (", ".join(files)))
>
> ipa.ipapython.install.cli.install_tool(Server): DEBUG The
> ipa-server-install command failed, exception: ScriptError: IPA CA
> certificate not found in /tmp/freeipa.cer, /tmp/Company_CA_G2.pem,
> /tmp/VeriSign_Root_CA.pem
> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA
> certificate not found in /tmp/freeipa.cer, /tmp/Company_CA_G2.pem,
> /tmp/VeriSign_Root_CA.pem
>
>
> Please let me know if any more info is needed, appreciate any help.
>
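Rob's explanation is that the installer looks through the supplied files for a certificate whose subject is the one it expects for its own CA (CN=Certificate Authority plus the subject base) and fails when none matches. The script below is an added example, not code from this thread or from FreeIPA, that performs the same kind of check ahead of time with the openssl CLI: it prints each candidate's subject, compares it with the expected one, and additionally verifies that the matching certificate carries basicConstraints CA:TRUE, which a server-style CSR like the one in step 2 above will not. It assumes openssl is installed; the subject base O=EXAMPLE.COM (FreeIPA's default subject base is O=<REALM> unless --subject-base overrides it), the file names, the function names and the three demo certificates are all constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: a pre-flight check
# that one of the files you would pass as --external-cert-file carries the
# subject the installer expects for its CA (CN=Certificate Authority plus the
# subject base) and is actually a CA certificate. Assumes the openssl CLI is
# available; the subject base O=EXAMPLE.COM and all certificates are constructed.
set -eu

# Print a certificate's subject in RFC 2253 form ("CN=...,O=..."),
# accepting PEM first and falling back to DER (a .cer file is often DER).
cert_subject() {
    { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
      || openssl x509 -in "$1" -inform DER -noout -subject -nameopt RFC2253; } \
    | sed 's/^subject= *//'
}

# Succeed only if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    { openssl x509 -in "$1" -noout -text 2>/dev/null \
      || openssl x509 -in "$1" -inform DER -noout -text; } \
    | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# find_ipa_ca_cert EXPECTED_SUBJECT FILE...
# Prints the first file whose subject matches and which is a CA certificate;
# returns 1 with an installer-style message when no file qualifies.
find_ipa_ca_cert() {
    want=$1; shift
    for f in "$@"; do
        got=$(cert_subject "$f")
        if [ "$got" = "$want" ]; then
            if is_ca_cert "$f"; then
                echo "$f"
                return 0
            fi
            echo "warning: $f has the expected subject but no CA:TRUE basic constraint" >&2
        else
            echo "skipping $f: subject is '$got'" >&2
        fi
    done
    echo "IPA CA certificate not found in $*" >&2
    return 1
}

# Build three constructed certificates in a temp dir and print its path:
#   server.pem - server-style subject, like the hand-made CSR in step 2
#   leaf.pem   - expected subject but CA:FALSE (no CA extensions requested)
#   ca.der     - expected subject, CA:TRUE, DER-encoded like a typical .cer
make_demo_certs() {
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -extensions v3_leaf -subj "/C=US/ST=California/O=Example/CN=ipa.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -extensions v3_leaf -subj "/O=EXAMPLE.COM/CN=Certificate Authority" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -extensions v3_ca -subj "/O=EXAMPLE.COM/CN=Certificate Authority" \
        -keyout "$dir/ca.key" -out "$dir/ca.der" -outform DER >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone usage: sh check_ipa_ca.sh 'CN=Certificate Authority,O=EXAMPLE.COM' file...
if [ $# -gt 0 ]; then
    find_ipa_ca_cert "$@"
fi
```

Run against the three demo files, the check skips server.pem (subject CN=ipa.example.com,...), warns about leaf.pem because its subject is right but it is not a CA certificate, and prints ca.der; run against only the first two it prints the same "IPA CA certificate not found in ..." message the installer produced above, which is the situation to diagnose before spending another round trip with the external CA.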