[Freeipa-users] 3rd party Cert install now IPA total broken

Günther J. Niederwimmer gjn at gjn.priv.at
Fri Sep 16 13:06:16 UTC 2016


Hello,
Freeipa 4.3.1

I have now installed a 3rd party certificate from StartCom, and now my IPA is totally 
broken?
I did this:

ipa-cacert-manage -p 'xxxxxxxxxxxxxxxx' -n STARTCOM-ROOT -t C,, install root.crt

ipa-certupdate

ipa-server-certinstall -w -d ipa_3rd_ca.p12

I created this p12 with key.pem, cert.pem and root.crt.

I also inserted the intermediate.crt into the cert.pem.

Kerberos doesn't start anymore?
The error is:
Unspecified GSS failure.Minor (2529639068): Cannot contact any KDC for realm '4GJN.COM'

After inserting "NSSEnforceValidCerts off" in nss.conf,

ipactl restart is starting (?) but

ipactl status tells me:
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

With certutil -d /etc/httpd/alias -L I now have this:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
4GJN_CA_FILE                                                 u,u,u
ipaCert                                                      u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,  

I can insert in nss.conf either the original
#NSSNickname "Signing-Cert"
or
NSSNickname 4GJN_CA_FILE, but all is now broken?

I also added this, found in Bugzilla:
certutil -d /var/lib/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
STARTCOM-ROOT                                                CT,, 

This is created in the

certutil -d /etc/dirsrv/slapd-4GJN.COM -L 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

4GJN_CA_FILE                                                 u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,, 

Can anyone help a little, please ;-)

The bad problem: I tested this with my master server with DNS / DNSSEC; I can't 
do a new install (DNSSEC keys).

-- 
with kind regards / best regards,

  Günther J. Niederwimmer
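Before pointing NSSNickname in nss.conf at a certificate, the httpd NSS database listing above can be checked mechanically: the nickname must exist with its private key ('u' in the SSL slot) and at least one CA must carry the 'C' trust flag. The Python below is an added example (not from the post or from FreeIPA) that parses `certutil -L` output copied from the post; the check functions and their names are assumptions of this example.

```python
import re

# Listing constructed from the /etc/httpd/alias `certutil -L` output in the post.
HTTPD_ALIAS_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
4GJN_CA_FILE                                                 u,u,u
ipaCert                                                      u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,
"""

# NSS trust string: three comma-separated slots (SSL, S/MIME, JAR/XPI) of flags p P c C T u w.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")

def parse_certutil_listing(text):
    """Return {nickname: (ssl, smime, jar)}. Nicknames may contain spaces
    ('4GJN.COM IPA CA'), so only the last token is taken as the trust string."""
    certs = {}
    for line in text.splitlines():
        nickname, _, trust = line.rstrip().rpartition(" ")
        if TRUST_RE.match(trust) and nickname.strip():
            certs[nickname.strip()] = tuple(trust.split(","))
    return certs

def trusted_ssl_cas(certs):
    """Nicknames trusted as CAs for SSL (the 'C' flag in the first slot)."""
    return sorted(n for n, f in certs.items() if "C" in f[0])

def check_server_nickname(certs, nickname):
    """Pre-flight checks before pointing NSSNickname in nss.conf at a cert:
    the nickname exists, the database holds its private key ('u' in the SSL
    slot), and some CA is trusted to issue server certs ('C' in the SSL slot).
    Returns a list of problem strings; an empty list means all checks passed."""
    problems = []
    flags = certs.get(nickname)
    if flags is None:
        problems.append(f"nickname {nickname!r} not in database")
    elif "u" not in flags[0]:
        problems.append(f"{nickname!r} has no private key (SSL flags {flags[0]!r})")
    if not trusted_ssl_cas(certs):
        problems.append("no CA trusted for SSL server certs ('C' flag)")
    return problems

if __name__ == "__main__":
    db = parse_certutil_listing(HTTPD_ALIAS_LISTING)
    for nick in ("Signing-Cert", "4GJN_CA_FILE", "Server-Cert"):
        print(nick, "->", check_server_nickname(db, nick) or "ok")
```

Run it against `certutil -d /etc/httpd/alias -L` output to see whether the nickname you configure actually has a key in that database.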
