[Freeipa-users] Using 3rd party certificates for HTTP/LDAP
Rob Crittenden
rcritten at redhat.com
Thu Jan 14 18:51:04 UTC 2016
Peter Pakos wrote:
> On 04/01/2016 12:44, Jan Cholasta wrote:
>> 1. Install the CA certificate chain of the issuer of the 3rd party
>> certificate to IPA using "ipa-cacert-manage install"
>
> I have a wildcard SSL certificate from Gandi, the whole certificate
> chain looks like this:
>
> AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem ->
> star.ipa.wandisco.com.crt
>
> I can validate this chain by running:
>
> $ openssl verify -verbose -CAfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
> star.ipa.wandisco.com.crt: OK
>
> I've installed those CA certificates using the following commands (due
> to a known bug with ipa-cacert-manage, as per Jan's recommendation, I
> had to comment out a few lines in
> /usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py
> for this to work):
>
> $ ipa-cacert-manage install AddTrust.pem -n AddTrust -t ,,
> $ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n USERTrustRSAAddTrustCA -t ,,
> $ ipa-cacert-manage install GandiStandardSSLCA2.pem -n GandiStandardSSLCA2 -t ,,
>
> Then I created a PKCS12 certificate out of Wildcard certificate and
> private key:
>
> $ openssl pkcs12 -export -out star.ipa.wandisco.com.p12 -inkey star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -name 'GandiWildcardIPA'
>
> and then installed it in both NSS databases:
>
> $ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i star.ipa.wandisco.com.p12
> $ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.p12
>
> I could see the certificates being installed by running:
>
> $ certutil -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -L
> $ certutil -d /etc/httpd/alias/ -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> IPA.WANDISCO.COM IPA CA                                      CT,C,C
> AddTrust                                                     ,,
> USERTrustRSAAddTrustCA                                       ,,
> GandiWildcardIPA                                             u,u,u
> Signing-Cert                                                 u,u,u
> GandiStandardSSLCA2                                          ,,
>
>> 2. Run "ipa-certupdate" to update CA certificate related IPA
>> configuration.
>
> Done.
>
>> 3. Manually import the server certificate into the
>> /etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
>> LDAP in the nsSSLPersonalitySSL attribute of
>> cn=RSA,cn=encryption,cn=config and restart DS.
>
> I've stopped IPA (ipactl stop) and edited
> /etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to replace:
>
> nsSSLPersonalitySSL: Server-Cert
>
> for:
>
> nsSSLPersonalitySSL: GandiWildcardIPA
>
>> 4. Manually import the server certificate into the /etc/httpd/alias NSS
>> database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
>> using the NSSNickname directive and restart httpd.
>
> I've edited /etc/httpd/conf.d/nss.conf and replaced:
>
> NSSNickname Server-Cert
>
> for:
>
> NSSNickname GandiWildcardIPA
>
>
> Next, I've tried to start IPA (ipactl start) but this failed:
>
> ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
> Failed to start pki-tomcatd Service
> Shutting down
> Aborting ipactl
>
> It seems that pki-tomcatd did not start, so I looked in
> /var/log/pki/pki-tomcat/catalina.log and noticed this (not sure how
> relevant this is): http://fpaste.org/310861/14527938/
>
> /var/log/pki/pki-tomcat/ca/system log shows:
>
> 0.localhost-startStop-1 - [14/Jan/2016:17:47:49 UTC] [8] [3] In Ldap
> (bound) connection pool to host node01.ipa.wandisco.com port 636, Cannot
> connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error
> creating JSS SSL Socket (-1)
>
> At this stage I can revert LDAP/HTTPS certs' nickname to Server-Cert and
> successfully start IPA.
>
> Using 3rd party certificates for both LDAP and HTTPS is one of the
> requirements of FreeIPA POC I'm working on at the moment and without
> this ironed out we won't be able to take FreeIPA servers into full
> production.
>
> I hope it's just a minor mistake on my behalf and I would appreciate if
> anyone could glance through the above and let me know how I could
> progress this.
>
> Many thanks in advance.
You need to add the new root certs to the pki NSS database.
rob
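Added example, not code from the thread or from FreeIPA/Dogtag: a POSIX shell script that carries out the step Rob identifies, importing the issuing CA chain into the pki-tomcat (Dogtag) NSS database with SSL-CA trust and then checking the trust flags, since the ",," flags that ipa-cacert-manage left on the CAs above mark them as present but not trusted, and a CA that JSS must use to validate the LDAPS peer needs "C" in the SSL column. It uses the file names and nicknames from Peter's message; the Dogtag database path /etc/pki/pki-tomcat/alias is an assumption (the standard Dogtag instance location), and the certutil listing embedded in the script is a constructed copy of the one Peter pasted, used only to exercise the parsing helpers offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag.
# Imports the issuing CA chain into the Dogtag (pki-tomcat) NSS database with
# SSL-CA trust, the step the thread's procedure skipped, and checks the
# resulting trust flags.  Assumed: Dogtag's database lives at
# /etc/pki/pki-tomcat/alias; file names and nicknames are the ones Peter used.

CHAIN="AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem"
LEAF=star.ipa.wandisco.com.crt
PKI_DB=/etc/pki/pki-tomcat/alias   # assumed Dogtag instance database

# Constructed sample of `certutil -L` output, copied from the listing in the
# thread, so the helpers below can be exercised without a real NSS database.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
IPA.WANDISCO.COM IPA CA                                      CT,C,C
AddTrust                                                     ,,
USERTrustRSAAddTrustCA                                       ,,
GandiWildcardIPA                                             u,u,u
Signing-Cert                                                 u,u,u
GandiStandardSSLCA2                                          ,,'

# Print the trust-attribute column for nickname $1 from a `certutil -L`
# listing read on stdin; prints nothing if the nickname is absent.
# Nicknames may contain spaces ("IPA.WANDISCO.COM IPA CA"), so the trust
# column is taken from the end of the line instead of splitting on spaces.
nss_trust_of() {
    awk -v n="$1" '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
        {
            flags = $NF
            sub(/[ \t]+[^ \t]+$/, "")
            if ($0 == n) print flags
        }'
}

# Succeed if the SSL column (first comma-separated field) carries "C", i.e.
# the certificate is a trusted CA for validating TLS peers.  ",," means the
# CA is stored but not trusted, which is what ipa-cacert-manage left above.
ssl_ca_trusted() {
    case "${1%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Same chain check as in the thread, without the bash-only <( ) construct.
verify_leaf() {
    tmp=$(mktemp)
    cat $CHAIN > "$tmp"
    if openssl verify -CAfile "$tmp" "$LEAF"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Import CA nickname $2 (file $3) into NSS database $1 with SSL-CA trust; if
# the nickname already exists, only its trust flags are changed (certutil -M).
ensure_trusted_ca() {
    db=$1; nick=$2; pem=$3
    if [ -n "$(certutil -d "$db" -L | nss_trust_of "$nick")" ]; then
        certutil -d "$db" -M -n "$nick" -t "C,,"
    else
        certutil -d "$db" -A -n "$nick" -t "C,," -i "$pem"
    fi
}

# The live part runs only as "sh fix-pki-trust.sh install"; it needs root,
# certutil, openssl and the PEM files in the current directory.
if [ "${1:-}" = "install" ]; then
    verify_leaf || exit 1
    for pem in $CHAIN; do
        nick=${pem%.pem}
        ensure_trusted_ca "$PKI_DB" "$nick" "$pem"
        flags=$(certutil -d "$PKI_DB" -L | nss_trust_of "$nick")
        ssl_ca_trusted "$flags" || {
            echo "$PKI_DB: $nick has trust '$flags', expected C in the SSL column" >&2
            exit 1
        }
    done
    echo "CA chain trusted in $PKI_DB; now run: ipactl restart"
fi
```

The script deliberately touches only the Dogtag database: the dirsrv and httpd databases already hold the chain from the ipa-cacert-manage step, and their servers only need the chain present to send it, whereas pki-tomcatd is a TLS client of port 636 and must actually trust the issuer of GandiWildcardIPA. The trust-flag check at the end is the one to repeat if the JSS "IO Error creating JSS SSL Socket" from the thread comes back after a later chain change.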