[Freeipa-users] ipa-certupdate not installing root certificates in /etc/pki/pki-tomcat/alias/
Peter Pakos
peter at pakos.pl
Mon Jan 18 00:32:19 UTC 2016
Hi,
I have a FreeIPA 4.2 (CA-ful) install on CentOS 7.2 with 3rd party SSL certificates installed for HTTP/LDAP.
When I run "ipa-certupdate" I can see that the 3rd party root
certificates are being removed from databases (/etc/httpd/alias,
/etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-added (apart from
/etc/pki/pki-tomcat/alias).
Without the 3rd party root certificates in /etc/pki/pki-tomcat/alias,
the service pki-tomcatd is unable to start up.
This is the complete process I'm following to install a 3rd party certificate (please let me know if I'm doing anything wrong):
### 3rd party SSL certificate install ##################################
# Gandi *.ipa.wandisco.com certificate chain
# AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem -> star.ipa.wandisco.com.crt
$ openssl verify -verbose -CAfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
star.ipa.wandisco.com.crt: OK
# Bug in ipa-cacert-manage, comment out lines 349-352
$ vim /usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py
$ ipa-cacert-manage install AddTrust.pem -n AddTrust -t C,C,C
$ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n USERTrustRSAAddTrustCA -t C,C,C
$ ipa-cacert-manage install GandiStandardSSLCA2.pem -n GandiStandardSSLCA2 -t C,C,C
# Add root certificates to databases <- THIS IS WHERE THE ABOVE ROOT CERTIFICATES SHOULD BE INSTALLED IN /etc/pki/pki-tomcat/alias BUT THEY AREN'T
$ ipa-certupdate
# Create PKCS12 certificate file including private key and full chain
$ openssl pkcs12 -export -out star.ipa.wandisco.com.pfx -inkey star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -certfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) -name 'GandiWildcardIPA'
# Install PKCS12 certificate to LDAP and HTTP databases:
$ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i star.ipa.wandisco.com.pfx
$ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.pfx
# Stop IPA
$ ipactl stop
# Edit /etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to point dirsrv to new certificate
# Replace:
nsSSLPersonalitySSL: Server-Cert
# with:
nsSSLPersonalitySSL: GandiWildcardIPA
# Edit /etc/httpd/conf.d/nss.conf to point httpd to new certificate
# Replace:
NSSNickname Server-Cert
# with:
NSSNickname GandiWildcardIPA
# Start IPA
$ ipactl start
#####################################################################
In order to fix this, I have to manually add root certificates to the database:
$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n AddTrust -t C,C,C -a < AddTrust.pem
$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n USERTrustRSAAddTrustCA -t C,C,C -a < USERTrustRSAAddTrustCA.pem
$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n GandiStandardSSLCA2 -t C,C,C -a < GandiStandardSSLCA2.pem
Should this not be done automatically by ipa-certupdate?
Are the above steps correct for installing 3rd party certificates in
FreeIPA 4.2? Should I change anything?
We are planning to move these nodes into production very soon, any help
would be much appreciated!
--
Kind regards,
Peter Pakos
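The failure mode in the post (ipa-certupdate removes the third-party roots from every NSS database and puts them back everywhere except /etc/pki/pki-tomcat/alias, after which pki-tomcatd cannot start) is easy to catch before it bites if the databases are audited after each ipa-certupdate run. The script below is an added example written for this page; it is not from the original post or from FreeIPA. It takes the nicknames, PEM file names, C,C,C trust flags and database paths from the post, and assumes the `certutil -L` output layout (a header, then one "nickname  trust-flags" line per certificate); the `--check`/`--fix` switches and the constructed sample listings are the script's own.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA: audit the NSS
# databases named in the post for the third-party CA chain and re-add any
# certificate that is missing, so the pki-tomcat gap is caught before
# pki-tomcatd refuses to start. Nicknames, PEM file names, trust flags and
# DB paths are taken from the post; everything else is this script's own.

# nickname:pem-file pairs for the chain, root first (from the post).
CHAIN="AddTrust:AddTrust.pem USERTrustRSAAddTrustCA:USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2:GandiStandardSSLCA2.pem"

# NSS databases that must carry the chain (paths from the post).
NSSDBS="/etc/dirsrv/slapd-IPA-WANDISCO-COM /etc/httpd/alias /etc/pki/nssdb /etc/pki/pki-tomcat/alias"

# check_listing LISTING
#   LISTING is the text printed by `certutil -L -d <db>`: a header, then one
#   "<nickname> <trust flags>" line per certificate (flags like C,C,C or ,,).
#   Prints one line per problem and nothing when the chain is complete:
#     "<nick> missing"        the nickname is not in the database at all
#     "<nick> trust=<flags>"  present, but the SSL slot has no C flag, so NSS
#                             will not treat it as a trusted CA
check_listing() {
    listing=$1
    for entry in $CHAIN; do
        nick=${entry%%:*}
        # Nicknames in this chain contain no spaces, so $1 is the nickname
        # and $NF the trust column.
        flags=$(printf '%s\n' "$listing" | awk -v n="$nick" '$1 == n { print $NF }')
        if [ -z "$flags" ]; then
            printf '%s missing\n' "$nick"
        else
            case ${flags%%,*} in
                *C*) ;;
                *) printf '%s trust=%s\n' "$nick" "$flags" ;;
            esac
        fi
    done
}

# add_missing DB
#   Re-adds every chain certificate that check_listing reports as missing
#   from DB, with the same nickname and C,C,C trust the post uses (PEM files
#   are read from the current directory). Needs certutil and root on the host.
add_missing() {
    db=$1
    check_listing "$(certutil -L -d "$db")" | while read -r nick status; do
        [ "$status" = missing ] || continue
        for entry in $CHAIN; do
            if [ "${entry%%:*}" = "$nick" ]; then
                certutil -A -d "$db" -n "$nick" -t C,C,C -a < "${entry#*:}"
            fi
        done
    done
}

# audit [--fix]
#   Walks every database that exists on this host and returns 1 if any of
#   them lacks part of the chain. With --fix, re-adds the missing certs.
audit() {
    rc=0
    for db in $NSSDBS; do
        [ -d "$db" ] || continue
        problems=$(check_listing "$(certutil -L -d "$db")")
        [ -n "$problems" ] || continue
        printf '%s:\n%s\n' "$db" "$problems"
        rc=1
        if [ "${1:-}" = --fix ]; then add_missing "$db"; fi
    done
    return $rc
}

# Constructed sample listings (not real output from the poster's host) so the
# check can be exercised without certutil. SAMPLE_BAD mirrors the state the
# post describes in /etc/pki/pki-tomcat/alias after ipa-certupdate: the CA's
# own certificates are there, two chain certs are gone, and one root has been
# left behind with empty trust flags (the second failure mode checked above).
SAMPLE_BAD='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
AddTrust                                                     ,,'

SAMPLE_GOOD='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
AddTrust                                                     C,C,C
USERTrustRSAAddTrustCA                                       C,C,C
GandiStandardSSLCA2                                          C,C,C'

# Usage on the IPA host: ./check_chain.sh --check   (audit only, exit 1 on gaps)
#                        ./check_chain.sh --fix     (audit and re-add missing certs)
case ${1:-} in
    --check) audit ;;
    --fix)   audit --fix ;;
esac
```

Run it with `--check` right after `ipa-certupdate` (and again after `ipactl start`, since FreeIPA's own certificate maintenance may touch the databases again); a non-zero exit tells you which database lost which nickname before pki-tomcatd fails on the next restart. The trust-flag check matters as much as the presence check: a root that is present with empty flags passes `certutil -L` by eye but is not a trusted issuer for NSS.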