[Freeipa-users] Using 3rd party certificates for HTTP/LDAP
Jan Cholasta
jcholast at redhat.com
Mon Jan 4 12:44:17 UTC 2016
Hi Peter,
On 21.12.2015 17:43, Peter Pakos wrote:
> Hi,
>
> I tried to install a wildcard SSL certificate for HTTP/LDAP in our
> FreeIPA 4.1 (Centos 7.1) installation by following instructions from
> wiki page at
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP:
Unfortunately ipa-server-certinstall is currently broken. We plan to fix
it some day, see <https://fedorahosted.org/freeipa/ticket/4785> and
<https://fedorahosted.org/freeipa/ticket/4786>.
>
> # ipa-server-certinstall -w -d shdc01.ipa.wandisco.com.pem
> Directory Manager password:
> Enter private key unlock password:
> Command /usr/bin/certutil' '-d' '/etc/httpd/alias' '-D' '-n'
> 'Server-Cert returned non-zero exit status 255
>
> After this I was unable to start httpd service, error_log revealed the
> following error messages:
>
> [Wed Nov 25 18:15:44.262751 2015] [:error] [pid 22124] Certificate not
> found: 'Server-Cert'
>
> In order to resurrect the service I had to change NSSNickname in
> /etc/httpd/conf.d/nss.conf to match the new certificate's nickname.
>
> Although the httpd service started, I couldn't get into Authentication
> tab in FreeIPA UI - I kept getting the following error message: "Unable
> to communicate with CMS (Service Unavailable)".
>
> [root at shdc01 ~]# yum list installed | grep ipa-server
> ipa-server.x86_64 4.1.0-18.el7.centos.4 @updates
>
> [root at shdc01 ~]# cat /etc/redhat-release
> CentOS Linux release 7.1.1503 (Core)
>
> At this point I was forced to restore our FreeIPA installation from a
> snapshot as I wasn't able to fix it (I got some useful hints from
> #freeipa Freenode channel however we still didn't manage to fully
> resurrect the server).
>
> My question is, what is the correct way of installing a 3rd party
> certificate for HTTP/LDAP that will actually work?
1. Install the CA certificate chain of the issuer of the 3rd party
certificate to IPA using "ipa-cacert-manage install"
2. Run "ipa-certupdate" to update CA certificate related IPA configuration.
3. Manually import the server certificate into the
/etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
LDAP in the nsSSLPersonalitySSL attribute of
cn=RSA,cn=encryption,cn=config and restart DS.
4. Manually import the server certificate into the /etc/httpd/alias NSS
database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
using the NSSNickname directive and restart httpd.
>
> Many thanks in advance.
>
> BTW, I also added a comment describing this problem to the ticket at
> https://fedorahosted.org/freeipa/ticket/5496.
Honza
--
Jan Cholasta
More information about the Freeipa-users
mailing list