[Freeipa-users] Using 3rd party certificates for HTTP/LDAP

Rob Crittenden rcritten at redhat.com
Thu Jan 14 18:51:04 UTC 2016


Peter Pakos wrote:
> On 04/01/2016 12:44, Jan Cholasta wrote:
>> 1. Install the CA certificate chain of the issuer of the 3rd party
>> certificate to IPA using "ipa-cacert-manage install"
> 
> I have a wildcard SSL certificate from Gandi, the whole certificate
> chain looks like this:
> 
> AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem ->
> star.ipa.wandisco.com.crt
> 
> I can validate this chain by running:
> 
> $ openssl verify -verbose -CAfile <(cat AddTrust.pem
> USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem)
> star.ipa.wandisco.com.crt
> star.ipa.wandisco.com.crt: OK
> 
> I've installed those CA certificates using the following commands (due
> to a known bug with ipa-cacert-manage, as per Jan's recommendation, I
> had to comment out a few lines in
> /usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py
> for this to work):
> 
> $ ipa-cacert-manage install AddTrust.pem -n AddTrust -t ,,
> $ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n
> USERTrustRSAAddTrustCA -t ,,
> $ ipa-cacert-manage install GandiStandardSSLCA2.pem -n
> GandiStandardSSLCA2 -t ,,
> 
> Then I created a PKCS12 certificate out of Wildcard certificate and
> private key:
> 
> $ openssl pkcs12 -export -out star.ipa.wandisco.com.p12 -inkey
> star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -name
> 'GandiWildcardIPA'
> 
> and then installed it in both NSS databases:
> 
> $ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i
> star.ipa.wandisco.com.p12
> $ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.p12
> 
> I could see the certificates being installed by running:
> 
> $ certutil -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -L
> $ certutil -d /etc/httpd/alias/ -L
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> IPA.WANDISCO.COM IPA CA                                      CT,C,C
> AddTrust                                                     ,,
> USERTrustRSAAddTrustCA                                       ,,
> GandiWildcardIPA                                             u,u,u
> Signing-Cert                                                 u,u,u
> GandiStandardSSLCA2                                          ,,
> 
>> 2. Run "ipa-certupdate" to update CA certificate related IPA
>> configuration.
> 
> Done.
> 
>> 3. Manually import the server certificate into the
>> /etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
>> LDAP in the nsSSLPersonalitySSL attribute of
>> cn=RSA,cn=encryption,cn=config and restart DS.
> 
> I've stopped IPA (ipactl stop) and edited
> /etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to replace:
> 
> nsSSLPersonalitySSL: Server-Cert
> 
> with:
> 
> nsSSLPersonalitySSL: GandiWildcardIPA
> 
>> 4. Manually import the server certificate into the /etc/httpd/alias NSS
>> database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
>> using the NSSNickname directive and restart httpd.
> 
> I've edited /etc/httpd/conf.d/nss.conf and replaced:
> 
> NSSNickname Server-Cert
> 
> with:
> 
> NSSNickname GandiWildcardIPA
> 
> 
> Next, I've tried to start IPA (ipactl start) but this failed:
> 
> ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
> Failed to start pki-tomcatd Service
> Shutting down
> Aborting ipactl
> 
> It seems that pki-tomcatd did not start, so I looked in
> /var/log/pki/pki-tomcat/catalina.log and noticed this (not sure how
> relevant this is): http://fpaste.org/310861/14527938/
> 
> /var/log/pki/pki-tomcat/ca/system log shows:
> 
> 0.localhost-startStop-1 - [14/Jan/2016:17:47:49 UTC] [8] [3] In Ldap
> (bound) connection pool to host node01.ipa.wandisco.com port 636, Cannot
> connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error
> creating JSS SSL Socket (-1)
> 
> At this stage I can revert LDAP/HTTPS certs' nickname to Server-Cert and
> successfully start IPA.
> 
> Using 3rd party certificates for both LDAP and HTTPS is one of the
> requirements of FreeIPA POC I'm working on at the moment and without
> this ironed out we won't be able to take FreeIPA servers into full
> production.
> 
> I hope it's just a minor mistake on my behalf and I would appreciate it if
> anyone could glance through the above and let me know how I could
> progress this.
> 
> Many thanks in advance.

You need to add the new root certs to the pki NSS database.

rob
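As an added illustration of Rob's point (this is not code from the thread or from FreeIPA): the CA chain has to be present in every NSS database that must validate the directory server's new certificate, and pki-tomcatd uses its own database for the LDAPS connection that failed above. The script parses `certutil -L` output of the form pasted earlier and reports, per database, which chain nicknames are missing and whether the server certificate is present with its private key. The dirsrv and httpd listings are copied from Peter's output; the pki-tomcat listing, its path `/etc/pki/pki-tomcat/alias` and the `cert-pki-ca` nicknames in it are constructed for the example (the thread does not show that database) and deliberately lack the chain, which is the state Rob describes.

```python
"""Check that a third-party CA chain is present in each NSS database FreeIPA
uses, by parsing the output of ``certutil -d <dbdir> -L``.

Added example, not FreeIPA code.  Listings marked CONSTRUCTED are sample
input embedded so the script runs offline.
"""
import re
import subprocess
from typing import Dict, List

# Nicknames chosen in the thread: the chain installed with ipa-cacert-manage
# and the nickname given to the PKCS#12 bundle of the wildcard certificate.
CHAIN_NICKNAMES = ["AddTrust", "USERTrustRSAAddTrustCA", "GandiStandardSSLCA2"]
SERVER_NICKNAME = "GandiWildcardIPA"

# A certificate row is "<nickname><spaces><trust flags>".  Nicknames may contain
# spaces ("IPA.WANDISCO.COM IPA CA"), so the row is anchored on the flags
# column: three comma-separated groups of NSS flag letters, possibly empty.
_ROW_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$"
)


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust flags.  The two header lines and blank lines
    never match the flags pattern and are skipped."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            certs[m.group("nick")] = m.group("flags")
    return certs


def check_databases(listings: Dict[str, str], chain: List[str],
                    server_nick: str) -> Dict[str, dict]:
    """For each database (path -> certutil -L output) report the chain CAs that
    are absent and whether the server cert is present with a private key
    (the 'u' flag that certutil shows for key-backed certificates)."""
    report = {}
    for dbdir, text in listings.items():
        certs = parse_certutil_listing(text)
        report[dbdir] = {
            "missing_chain": [n for n in chain if n not in certs],
            "has_server_key": "u" in certs.get(server_nick, ""),
        }
    return report


def read_nss_db(dbdir: str) -> str:
    """Run certutil against a real database (requires the nss-tools package)."""
    return subprocess.run(["certutil", "-d", dbdir, "-L"], check=True,
                          capture_output=True, text=True).stdout


# Listing as pasted in the thread for the dirsrv and httpd databases.
DIRSRV_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
IPA.WANDISCO.COM IPA CA                                      CT,C,C
AddTrust                                                     ,,
USERTrustRSAAddTrustCA                                       ,,
GandiWildcardIPA                                             u,u,u
Signing-Cert                                                 u,u,u
GandiStandardSSLCA2                                          ,,
"""

# CONSTRUCTED: a pki-tomcat database that never received the new chain.
PKI_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
"""

EXAMPLE_LISTINGS = {
    "/etc/dirsrv/slapd-IPA-WANDISCO-COM": DIRSRV_LISTING,
    "/etc/httpd/alias": DIRSRV_LISTING,
    "/etc/pki/pki-tomcat/alias": PKI_LISTING,   # path assumed, not from the thread
}

if __name__ == "__main__":
    for dbdir, result in check_databases(EXAMPLE_LISTINGS, CHAIN_NICKNAMES,
                                         SERVER_NICKNAME).items():
        status = "OK" if not result["missing_chain"] else "MISSING " + ", ".join(result["missing_chain"])
        print(f"{dbdir}: chain {status}; server key present: {result['has_server_key']}")
```

To run it against live databases, replace the embedded strings with `read_nss_db(dbdir)` for each path; the pki-tomcat database only acts as an LDAPS client here, so for it only the `missing_chain` column matters.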



