[Freeipa-users] 3rd party Cert install now IPA total broken
Florence Blanc-Renaud
flo at redhat.com
Mon Sep 19 10:02:19 UTC 2016
On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
> Hello,
> Freeipa 4.3.1
>
> I have now installed a 3rd Party Certificate from Startcom, now my IPA is totally
> broken?
> I did this:
>
> ipa-cacert-manage -p 'xxxxxxxxxxxxxxxx' -n STARTCOM-ROOT -t C,, install
> root.crt
>
> ipa-certupdate
>
> ipa-server-certinstall -w -d ipa_3rd_ca.p12
>
> I created this p12 with key.pem, cert.pem and root.crt
>
> I also inserted the intermediate.crt into cert.pem
>
Hi,
there were some issues with ipa-server-certinstall (see tickets #4785,
#4786 and #6263).
In order to check your configuration, you must make sure that the NSS
DBs for Apache and the LDAP server (/etc/httpd/alias,
/var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
- the server certificate with flags u,u,u (= the one contained in
ipa_3rd_ca.p12)
- the certificate of the CA which signed the server certificate, with
flags C,, (= the one contained in root.crt)
Then you can also check if the nickname for the server cert is properly
set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
nsSSLPersonalitySSL).
If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
provide more information.
Also note that it is important to run ipa-certupdate on all the clients
and replicas in order to install the new certificates in the NSS DBs
*before* you run ipa-server-certinstall.
Hope this helps,
Flo.
> Kerberos doesn't start anymore?
> The error is
> Unspecified GSS failure.Minor (2529639068): Cannot contact any KDC for realm
> '4GJN.COM'
>
> after inserting in nss.conf
> "NSSEnforceValidCerts off"
>
> ipactl restart is starting (?) but
>
> ipactl status tells me
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> with certutil -d /etc/httpd/alias -L I now have this
>
> Certificate Nickname                   Trust Attributes
>                                        SSL,S/MIME,JAR/XPI
>
> Signing-Cert                           u,u,u
> 4GJN_CA_FILE                           u,u,u
> ipaCert                                u,u,u
> 4GJN.COM IPA CA                        CT,C,C
> STARTCOM-ROOT                          C,,
>
> I can insert in nss.conf either the original
> #NSSNickname "Signing-Cert"
> or
> NSSNickname 4GJN_CA_FILE, but all is now broken?
>
> I also added this, found in Bugzilla:
>
> certutil -d /var/lib/pki/pki-tomcat/alias -L
>
> Certificate Nickname                   Trust Attributes
>                                        SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca            u,u,u
> subsystemCert cert-pki-ca              u,u,u
> caSigningCert cert-pki-ca              CTu,Cu,Cu
> Server-Cert cert-pki-ca                u,u,u
> auditSigningCert cert-pki-ca           u,u,Pu
> STARTCOM-ROOT                          CT,,
>
> this is created by
>
> certutil -d /etc/dirsrv/slapd-4GJN.COM -L
>
> Certificate Nickname                   Trust Attributes
>                                        SSL,S/MIME,JAR/XPI
>
> 4GJN_CA_FILE                           u,u,u
> 4GJN.COM IPA CA                        CT,C,C
> STARTCOM-ROOT                          C,,
>
> Can anyone help a little, please ;-)
>
> The bad problem: I tested this with my master server with DNS / DNSSEC, and I can't
> do a new install (DNSSEC keys)
>
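The checks Flo lists (server cert carrying u,u,u, the signing CA carrying C,, in the same DB, and the NSSNickname in nss.conf pointing at that server cert) turned into a small POSIX shell script. This is an added example, not code from the thread or from FreeIPA: it parses the text that `certutil -L` prints instead of calling certutil, so it runs offline against constructed listings modelled on the output quoted above. The nicknames 4GJN_CA_FILE and STARTCOM-ROOT are taken from the thread; the nss.conf fragment and the "bad" listing with empty trust flags are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): verify an NSS DB listing and nss.conf
# the way Flo's reply describes. On a live server feed in real output, e.g.
#   certutil -d /etc/httpd/alias -L | check_nssdb 4GJN_CA_FILE STARTCOM-ROOT
# (the nicknames are assumptions; use the ones your own DB contains).

# Print the trust flags of one nickname from a `certutil -L` listing on stdin.
# certutil prints "<nickname>   <flags>" after a two-line header; the flags
# are the last field and the nickname itself may contain spaces.
trust_flags() {
    awk -v nick="$1" '
        NR > 2 && NF >= 2 {
            flags = $NF
            $NF = ""                 # drop the flags column ...
            sub(/[ \t]+$/, "")       # ... and the space left behind
            if ($0 == nick) { print flags; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Verify one DB: the server cert must carry u,u,u (private key present) and
# the CA that signed it must be trusted for SSL, i.e. a C in the first slot.
check_nssdb() {
    server="$1"; ca="$2"
    listing=$(cat)
    sflags=$(printf '%s\n' "$listing" | trust_flags "$server") \
        || { echo "FAIL: no cert with nickname '$server'"; return 1; }
    cflags=$(printf '%s\n' "$listing" | trust_flags "$ca") \
        || { echo "FAIL: no cert with nickname '$ca'"; return 1; }
    [ "$sflags" = "u,u,u" ] \
        || { echo "FAIL: '$server' has flags $sflags, expected u,u,u"; return 1; }
    case "${cflags%%,*}" in
        *C*) ;;
        *) echo "FAIL: '$ca' has flags $cflags, expected C,, (not trusted as SSL CA)"
           return 1 ;;
    esac
    echo "OK: '$server' $sflags, '$ca' $cflags"
}

# Print the active NSSNickname from an nss.conf on stdin. Commented-out
# "#NSSNickname" lines are ignored and surrounding quotes are stripped.
nss_nickname() {
    awk '$1 == "NSSNickname" {
             v = $0
             sub(/^[ \t]*NSSNickname[ \t]+/, "", v)
             gsub(/"/, "", v)
             sub(/[ \t]+$/, "", v)
             nick = v
         }
         END { if (nick != "") print nick }'
}

# Constructed listing modelled on the thread's /etc/httpd/alias output.
HTTPD_GOOD='Certificate Nickname                   Trust Attributes
                                       SSL,S/MIME,JAR/XPI

Signing-Cert                           u,u,u
4GJN_CA_FILE                           u,u,u
ipaCert                                u,u,u
4GJN.COM IPA CA                        CT,C,C
STARTCOM-ROOT                          C,,'

# Same DB, but the third-party root imported with empty trust flags (constructed).
HTTPD_BAD=$(printf '%s\n' "$HTTPD_GOOD" | sed 's/^STARTCOM-ROOT .*/STARTCOM-ROOT   ,,/')

# Constructed nss.conf fragment: original nickname commented out, new one active.
NSS_CONF='#NSSNickname "Signing-Cert"
NSSNickname 4GJN_CA_FILE
NSSEnforceValidCerts off'

demo() {
    nick=$(printf '%s\n' "$NSS_CONF" | nss_nickname)
    echo "nss.conf points Apache at nickname: $nick"
    printf '%s\n' "$HTTPD_GOOD" | check_nssdb "$nick" STARTCOM-ROOT
    printf '%s\n' "$HTTPD_BAD"  | check_nssdb "$nick" STARTCOM-ROOT || true
}
demo
```

Run the same check_nssdb call against each of the three DBs named in the reply (/etc/httpd/alias, /var/lib/pki/pki-tomcat/alias and the /etc/dirsrv/slapd-* directory), with the nickname from nss.conf for Apache and the one from nsSSLPersonalitySSL for the directory server; a FAIL on the CA line is exactly the symptom of a root imported without the C flag.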