[Freeipa-users] Using 3rd party certificates for HTTP/LDAP
Peter Pakos
peter at pakos.pl
Thu Jan 14 18:09:40 UTC 2016
On 04/01/2016 12:44, Jan Cholasta wrote:
> 1. Install the CA certificate chain of the issuer of the 3rd party
> certificate to IPA using "ipa-cacert-manage install"
I have a wildcard SSL certificate from Gandi, the whole certificate
chain looks like this:
AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem ->
star.ipa.wandisco.com.crt
I can validate this chain by running:
$ openssl verify -verbose -CAfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
star.ipa.wandisco.com.crt: OK
I've installed those CA certificates using the following commands (due
to a known bug with ipa-cacert-manage, as per Jan's recommendation, I
had to comment out a few lines in
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py
for this to work):
$ ipa-cacert-manage install AddTrust.pem -n AddTrust -t ,,
$ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n USERTrustRSAAddTrustCA -t ,,
$ ipa-cacert-manage install GandiStandardSSLCA2.pem -n GandiStandardSSLCA2 -t ,,
Then I created a PKCS12 file out of the wildcard certificate and
private key:
$ openssl pkcs12 -export -out star.ipa.wandisco.com.p12 -inkey star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -name 'GandiWildcardIPA'
and then installed it in both NSS databases:
$ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i star.ipa.wandisco.com.p12
$ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.p12
I could see that the certificates were installed by running:
$ certutil -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -L
$ certutil -d /etc/httpd/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
IPA.WANDISCO.COM IPA CA                                      CT,C,C
AddTrust                                                     ,,
USERTrustRSAAddTrustCA                                       ,,
GandiWildcardIPA                                             u,u,u
Signing-Cert                                                 u,u,u
GandiStandardSSLCA2                                          ,,
> 2. Run "ipa-certupdate" to update CA certificate related IPA configuration.
Done.
> 3. Manually import the server certificate into the
> /etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
> LDAP in the nsSSLPersonalitySSL attribute of
> cn=RSA,cn=encryption,cn=config and restart DS.
I've stopped IPA (ipactl stop) and edited
/etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to replace:
nsSSLPersonalitySSL: Server-Cert
with:
nsSSLPersonalitySSL: GandiWildcardIPA
> 4. Manually import the server certificate into the /etc/httpd/alias NSS
> database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
> using the NSSNickname directive and restart httpd.
I've edited /etc/httpd/conf.d/nss.conf and replaced:
NSSNickname Server-Cert
with:
NSSNickname GandiWildcardIPA
Next, I've tried to start IPA (ipactl start) but this failed:
ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl
It seems that pki-tomcatd did not start, so I looked in
/var/log/pki/pki-tomcat/catalina.log and noticed this (not sure how
relevant this is): http://fpaste.org/310861/14527938/
/var/log/pki/pki-tomcat/ca/system log shows:
0.localhost-startStop-1 - [14/Jan/2016:17:47:49 UTC] [8] [3] In Ldap (bound) connection pool to host node01.ipa.wandisco.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
At this stage I can revert LDAP/HTTPS certs' nickname to Server-Cert and
successfully start IPA.
Using 3rd party certificates for both LDAP and HTTPS is one of the
requirements of FreeIPA POC I'm working on at the moment and without
this ironed out we won't be able to take FreeIPA servers into full
production.
I hope it's just a minor mistake on my part, and I would appreciate it if
anyone could glance through the above and let me know how I could
progress this.
Many thanks in advance.
spako @ #freeipa
--
Kind regards,
Peter Pakos
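A check that goes with the certutil listing quoted in the post: the third-party CAs were installed with "-t ,," and appear with an empty trust column, which in NSS means the entry is stored but not trusted as a CA for SSL, S/MIME or object signing (the "C" flag in the first field is what marks a trusted SSL CA). The script below is an added example, not part of the original post or of FreeIPA; it parses a certutil -L listing from stdin and reports which entries carry no trust at all, and whether a given nickname is a trusted SSL CA. The embedded listing is a constructed copy of the one in the post, so the script runs without an NSS database; on a live server you would pipe "certutil -d /etc/httpd/alias -L" (or any other NSS database directory, including the one used by pki-tomcat) into the same functions before restarting services.

```shell
#!/bin/sh
# Constructed sample: the certutil -L output from the post above, laid out
# as certutil prints it (nickname, then the SSL,S/MIME,JAR/XPI trust column).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
IPA.WANDISCO.COM IPA CA                                      CT,C,C
AddTrust                                                     ,,
USERTrustRSAAddTrustCA                                       ,,
GandiWildcardIPA                                             u,u,u
Signing-Cert                                                 u,u,u
GandiStandardSSLCA2                                          ,,'

# Read a certutil -L listing on stdin and print, one per line, the nicknames
# whose trust column is exactly ",,": NSS stores those certificates but does
# not trust them as CAs for SSL, S/MIME or code signing.
untrusted_entries() {
    awk '
        NR <= 2 || NF == 0 { next }        # skip the two header lines and blank lines
        {
            flags = $NF                    # trust column is always the last field
            $NF = ""                       # what is left is the nickname (may contain spaces)
            sub(/[ \t]+$/, "")
            if (flags == ",,") print $0
        }'
}

# Read a certutil -L listing on stdin; exit 0 if the entry named $1 has the
# "C" flag in its SSL trust field (trusted CA for server certificates), else 1.
is_trusted_ssl_ca() {
    awk -v nick="$1" '
        NR <= 2 || NF == 0 { next }
        {
            flags = $NF
            $NF = ""
            sub(/[ \t]+$/, "")
            if ($0 == nick) {
                split(flags, f, ",")       # f[1] = SSL, f[2] = S/MIME, f[3] = JAR/XPI
                if (index(f[1], "C") > 0) found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# Demonstration on the constructed sample; on a real host replace the printf
# with: certutil -d /etc/httpd/alias -L
printf '%s\n' "$SAMPLE_LISTING" | untrusted_entries
```

The two functions only read what certutil already reports; they are useful because the empty trust column is easy to overlook in a long listing, and an intermediate or root CA that is present but untrusted in the NSS database a client process uses is one of the things to rule out when that client reports an SSL socket error against LDAP.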