[Freeipa-users] ipa-certupdate not installing root certificates in /etc/pki/pki-tomcat/alias/

Jan Cholasta jcholast at redhat.com
Mon Jan 18 08:37:36 UTC 2016


Hi Peter,

On 18.1.2016 01:32, Peter Pakos wrote:
> Hi,
>
> I have a FreeIPA 4.2 (CA-ful) install on CentOS 7.2 with 3rd-party SSL
> certificates installed for HTTP/LDAP.
>
> When I run "ipa-certupdate" I can see that the 3rd party root
> certificates are being removed from databases (/etc/httpd/alias,
> /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-added (apart from
> /etc/pki/pki-tomcat/alias).
>
> Without the 3rd party root certificates in /etc/pki/pki-tomcat/alias,
> the service pki-tomcatd is unable to start up.
>
> This is the complete process I'm following to install 3rd party
> certificate (please let me know if I'm doing anything wrong):
>
> ### 3rd party SSL certificate install ##################################
>
> # Gandi *.ipa.wandisco.com certificate chain
> # AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem
> -> star.ipa.wandisco.com.crt
>
> $ openssl verify -verbose -CAfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
> star.ipa.wandisco.com.crt: OK
>
> # Bug in ipa-cacert-manage, comment out lines 349-352
> $ vim /usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py
>
> $ ipa-cacert-manage install AddTrust.pem -n AddTrust -t C,C,C
> $ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n USERTrustRSAAddTrustCA -t C,C,C
> $ ipa-cacert-manage install GandiStandardSSLCA2.pem -n GandiStandardSSLCA2 -t C,C,C
>
> # Add root certificates to databases <- THIS IS WHERE THE ABOVE ROOT
> CERTIFICATES SHOULD BE INSTALLED IN /etc/pki/pki-tomcat/alias BUT THEY
> AREN'T
> $ ipa-certupdate
>
> # Create PKCS12 certificate file including private key and full chain
> $ openssl pkcs12 -export -out star.ipa.wandisco.com.pfx -inkey star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -certfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) -name 'GandiWildcardIPA'
>
> # Install PKCS12 certificate to LDAP and HTTP databases:
> $ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i star.ipa.wandisco.com.pfx
> $ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.pfx
>
> # Stop IPA
> $ ipactl stop
>
> # Edit /etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to point dirsrv to
> new certificate
> # Replace:
> nsSSLPersonalitySSL: Server-Cert
> # with:
> nsSSLPersonalitySSL: GandiWildcardIPA
>
> # Edit /etc/httpd/conf.d/nss.conf to point httpd to new certificate
> # Replace:
> NSSNickname Server-Cert
> # with:
> NSSNickname GandiWildcardIPA
>
> # Start IPA
> $ ipactl start
>
> #####################################################################
>
> In order to fix this, I have to manually add root certificates to the
> database:
>
> $ certutil -A -d /etc/pki/pki-tomcat/alias/ -n AddTrust -t C,C,C -a < AddTrust.pem
> $ certutil -A -d /etc/pki/pki-tomcat/alias/ -n USERTrustRSAAddTrustCA -t C,C,C -a < USERTrustRSAAddTrustCA.pem
> $ certutil -A -d /etc/pki/pki-tomcat/alias/ -n GandiStandardSSLCA2 -t C,C,C -a < GandiStandardSSLCA2.pem
>
> Should this not be done automatically by ipa-certupdate?

It should: <https://fedorahosted.org/freeipa/ticket/5600>.

>
> Are the above steps correct for installing 3rd party certificates in
> FreeIPA 4.2? Should I change anything?

Looks OK to me.

>
> We are planning to move these nodes into production very soon, any help
> would be much appreciated!

Honza

-- 
Jan Cholasta
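The check a practitioner would want after the procedure quoted above, as an added example that is not part of the thread and not FreeIPA's own tooling: rather than assuming ipa-certupdate re-added the 3rd-party chain to every NSS database, list each database with "certutil -L", report any chain CA that is absent or not carrying the C,C,C trust flags, and re-add only those, which is the manual workaround from the thread applied to /etc/pki/pki-tomcat/alias. The script assumes (these are not from the page) that the chain PEM files sit in the current directory as <nickname>.pem, that the nicknames match the ones given to ipa-cacert-manage, and that certutil is on the PATH; the sample "certutil -L" listing is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. After "ipa-certupdate", verify that
# every CA of the third-party chain is present with trust flags C,C,C in each NSS
# database FreeIPA uses, and re-add any that are missing instead of assuming
# ipa-certupdate did it.
#
# Assumptions (not from the page): chain PEM files are in the current directory
# and named <nickname>.pem, matching the nicknames used with ipa-cacert-manage.

CHAIN_NICKS="AddTrust USERTrustRSAAddTrustCA GandiStandardSSLCA2"
NSS_DBS="/etc/httpd/alias /etc/pki/nssdb /etc/pki/pki-tomcat/alias"

# Print the nicknames from $2.. that are absent from, or not trusted as a CA
# (trust flags C,C,C) in, the "certutil -L" listing passed as $1.
# Pure text processing, so it can be exercised without an NSS database.
missing_cas() {
    listing="$1"; shift
    for nick in "$@"; do
        # certutil -L prints "<nickname><spaces><trust flags>" per certificate;
        # the nickname may itself contain spaces, so strip the last column
        # rather than relying on $1.
        printf '%s\n' "$listing" | awk -v n="$nick" '
            NF >= 2 {
                name = $0
                sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", name)
                if (name == n && $NF == "C,C,C") found = 1
            }
            END { if (found) exit 0; exit 1 }' || printf '%s\n' "$nick"
    done
}

# Re-add each missing or untrusted chain CA to one NSS database, exactly as the
# manual "certutil -A ... -t C,C,C" workaround does. Touches the database only
# when something is actually missing.
ensure_chain_in_db() {
    db="$1"
    listing=$(certutil -L -d "$db")
    for nick in $(missing_cas "$listing" $CHAIN_NICKS); do
        echo "adding $nick to $db"
        certutil -A -d "$db" -n "$nick" -t C,C,C -a < "$nick.pem"
    done
}

# Run the check against every database ipa-certupdate is expected to maintain.
ensure_chain_everywhere() {
    for db in $NSS_DBS; do
        ensure_chain_in_db "$db"
    done
}

# Constructed sample of "certutil -L" output for a pki-tomcat database in which
# only one of the three chain CAs came back with the right trust flags.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
AddTrust                                                     C,C,C
GandiStandardSSLCA2                                          ,,
'

# Prints the chain CAs the sample database still lacks (one per line).
sample_missing() {
    missing_cas "$SAMPLE_LISTING" $CHAIN_NICKS
}
```

Call ensure_chain_everywhere after ipa-certupdate (and again after ipactl start if pki-tomcatd refuses to come up); a CA that is present but listed with ",," trust is reported and re-added just like an absent one, since an untrusted copy does not let pki-tomcatd build the chain either.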
