[Freeipa-users] Using 3rd party certificates for HTTP/LDAP

Jan Cholasta jcholast at redhat.com
Mon Jan 4 12:44:17 UTC 2016


Hi Peter,

On 21.12.2015 17:43, Peter Pakos wrote:
> Hi,
>
> I tried to install a wildcard SSL certificate for HTTP/LDAP in our
> FreeIPA 4.1 (Centos 7.1) installation by following instructions from
> wiki page at
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP:

Unfortunately ipa-server-certinstall is currently broken. We plan to fix 
it some day, see <https://fedorahosted.org/freeipa/ticket/4785> and 
<https://fedorahosted.org/freeipa/ticket/4786>.

>
> # ipa-server-certinstall -w -d shdc01.ipa.wandisco.com.pem
> Directory Manager password:
> Enter private key unlock password:
> Command /usr/bin/certutil' '-d' '/etc/httpd/alias' '-D' '-n'
> 'Server-Cert returned non-zero exit status 255
>
> After this I was unable to start httpd service, error_log revealed the
> following error messages:
>
> [Wed Nov 25 18:15:44.262751 2015] [:error] [pid 22124] Certificate not
> found: 'Server-Cert'
>
> In order to resurrect the service I had to change NSSNickname in
> /etc/httpd/conf.d/nss.conf to match the new certificate's nickname.
>
> Although the httpd service started, I couldn't get into the Authentication
> tab in the FreeIPA UI - I kept getting the following error message: "Unable
> to communicate with CMS (Service Unavailable)".
>
> [root at shdc01 ~]# yum list installed | grep ipa-server
> ipa-server.x86_64 4.1.0-18.el7.centos.4 @updates
>
> [root at shdc01 ~]# cat /etc/redhat-release
> CentOS Linux release 7.1.1503 (Core)
>
> At this point I was forced to restore our FreeIPA installation from a
> snapshot as I wasn't able to fix it (I got some useful hints from
> #freeipa Freenode channel however we still didn't manage to fully
> resurrect the server).
>
> My question is, what is the correct way of installing a 3rd party
> certificate for HTTP/LDAP that will actually work?

1. Install the CA certificate chain of the issuer of the 3rd party 
certificate to IPA using "ipa-cacert-manage install"

2. Run "ipa-certupdate" to update CA certificate related IPA configuration.

3. Manually import the server certificate into the 
/etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in 
LDAP in the nsSSLPersonalitySSL attribute of 
cn=RSA,cn=encryption,cn=config and restart DS.

4. Manually import the server certificate into the /etc/httpd/alias NSS 
database, configure the correct nickname in /etc/httpd/conf.d/nss.conf 
using the NSSNickname directive and restart httpd.

>
> Many thanks in advance.
>
> BTW, I also added a comment describing this problem to the ticket at
> https://fedorahosted.org/freeipa/ticket/5496.

Honza

-- 
Jan Cholasta
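The four steps from Jan's answer as one script, added here as an example; it is not part of the thread or of the FreeIPA project's own tooling. Assumed (not given in the thread): the realm in REALM, the issuer chain as one PEM file per CA in CA_CERTS, the server certificate and key in a PKCS#12 whose friendly name is NICK, and that ipa-cacert-manage, ipa-certupdate, pk12util, certutil and ldapmodify are installed on the IPA server.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Assumptions: REALM, CA_CERTS (PEM file per
# CA in the chain), P12 (server cert + key, friendly name NICK); all prompts are
# answered interactively (Directory Manager and NSS db passwords).
set -eu
REALM="${REALM:-EXAMPLE.COM}"
NICK="${NICK:-Server-Cert-3rdparty}"
CA_CERTS="${CA_CERTS:-root-ca.pem intermediate-ca.pem}"
P12="${P12:-server.p12}"
HTTP_DB="/etc/httpd/alias"
NSS_CONF="/etc/httpd/conf.d/nss.conf"

# 389-ds instance name used under /etc/dirsrv/slapd-*: the realm with dots as dashes.
ds_instance() { printf '%s\n' "$1" | tr . -; }

# LDIF for step 3: point nsSSLPersonalitySSL under cn=RSA,cn=encryption,cn=config at $1.
nickname_ldif() {
    printf 'dn: cn=RSA,cn=encryption,cn=config\nchangetype: modify\n'
    printf 'replace: nsSSLPersonalitySSL\nnsSSLPersonalitySSL: %s\n' "$1"
}

# Step 4 edit: print nss.conf ($1) with its NSSNickname directive set to $2.
set_nss_nickname() { sed "s|^NSSNickname .*|NSSNickname $2|" "$1"; }

# Never point a service at a nickname its NSS db does not hold; that is the state
# behind Peter's "Certificate not found: 'Server-Cert'" and the unstartable httpd.
require_nick() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1 || { echo "$2 not in $1" >&2; exit 1; }
}

install_third_party_cert() {
    inst=$(ds_instance "$REALM"); ds_db="/etc/dirsrv/slapd-$inst"
    for ca in $CA_CERTS; do ipa-cacert-manage install "$ca"; done   # step 1
    ipa-certupdate                                                  # step 2
    pk12util -i "$P12" -d "$ds_db"                                  # step 3
    require_nick "$ds_db" "$NICK"
    nickname_ldif "$NICK" | ldapmodify -x -D "cn=Directory Manager" -W -H ldap://localhost
    systemctl restart "dirsrv@$inst.service"
    pk12util -i "$P12" -d "$HTTP_DB"                                # step 4
    require_nick "$HTTP_DB" "$NICK"
    set_nss_nickname "$NSS_CONF" "$NICK" > "$NSS_CONF.new" && mv "$NSS_CONF.new" "$NSS_CONF"
    systemctl restart httpd.service
}

if [ "${1:-}" = run ]; then install_third_party_cert; fi
```

Run it as `sh install-3rdparty-cert.sh run` on the IPA server; the certutil check before each restart is what keeps a wrong nickname from taking the service down.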
