[Freeipa-users] 3rd party Cert install now IPA total broken
Günther J. Niederwimmer
gjn at gjn.priv.at
Tue Sep 20 12:15:19 UTC 2016
Hello.
Thanks for the first help,
On Monday, 19 September 2016, 12:02:19, Florence Blanc-Renaud wrote:
> On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > Freeipa 4.3.1
> >
> > I have now installed a 3rd party certificate from Startcom, and now my IPA is
> > totally broken?
> > ipa-cacert-manage -p 'xxxxxxxxxxxxxxxx' -n STARTCOM-ROOT -t C,, install root.crt
I mean this is the wrong cert I installed :-(.
Is it possible to overwrite or delete it and make it new? This file is the ROOT-CA
from STARTCOM ("30 Years").
> > ipa-certupdate
> >
> > ipa-server-certinstall -w -d ipa_3rd_ca.p12
This was wrong; I deleted all these installed certs with
certutil -d . -D -n xxxxxxx
> > I created this p12 with key.pem, cert.pem, root.crt
Now I created a new p12 with, I hope, the correct certs.
I received from Startcom a httpd zip file with 1_root_bundle.crt ("15 Years") and
my wildcard certificate; this I included in my newly created p12 with my key.pem.
This p12 I installed on the first master with
pk12util -v -i ipa_4gjn_ca.p12 -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt -W xxxxxxxx
pk12util -v -i ipa_4gjn_ca.p12 -d /etc/dirsrv/slapd-4GJN-COM -k /etc/dirsrv/slapd-4GJN-COM/pwdfile.txt -W xxxxxxx
and
pk12util -v -i ipa_4gjn_ca.p12 -d /var/lib/pki/pki-tomcat/alias -k /etc/pki/pki-tomcat/pwdfile.txt -W xxxxxxxxx
I changed nss.conf and, I hope, the correct file in /etc/dirsrv/slapd-XXXX/dse.ldif.
Then I changed in all NSS DBs the StartCom cert (1_root_bundle.crt) with the name
STARTCOM-ROOT with
certutil -d . -M -t C,, -n STARTCOM-ROOT
Afterwards I did a reboot and a test:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Why is the ipa-ods-exporter Service always STOPPED?
Next I tested a login on the IPA Web UI; this is now also working ;-)
The QUESTION is now: what about the second master and the IPA clients?
Now (?) I have also found ipa-backup ;-) OK, for the next problem I now
know it :-).
Do I have to repeat all this on the second master?
And what is the correct way to inform the clients?
Thanks again for an answer,
> Hi,
>
> there were some issues with ipa-server-certinstall (see tickets #4785,
> #4786 and #6263).
> In order to check your configuration, you must make sure that the NSS
> DBs for Apache and the LDAP server (/etc/httpd/alias,
> /var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
> - the server certificate with flags u,u,u (= the one contained in
> ipa_3rd_ca.p12)
> - the certificate of the CA which signed the server certificate, with
> flags C,, (= the one contained in root.crt)
>
> Then you can also check if the nickname for the server cert is properly
> set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
> the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
> nsSSLPersonalitySSL).
>
> If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
> provide more information.
>
> Also note that it is important to run ipa-certupdate on all the clients
> and replicas in order to install the new certificates in the NSS DBs
> *before* you run ipa-server-certinstall.
>
> Hope this helps,
> Flo.
>
> > Kerberos doesn't start anymore?
> > The error is
> >
> > Unspecified GSS failure.Minor (2529639068): Cannot contact any KDC for
> > realm
> > '4GJN.COM'
> >
> > after inserting in nss.conf
> > "NSSEnforceValidCerts off"
> >
> > ipactl restart is starting (?) but
> >
> > ipactl status tells me
> > Directory Service: RUNNING
> > krb5kdc Service: RUNNING
> > kadmin Service: RUNNING
> > named Service: RUNNING
> > ipa_memcached Service: RUNNING
> > httpd Service: RUNNING
> > ipa-custodia Service: RUNNING
> > pki-tomcatd Service: RUNNING
> > ipa-otpd Service: RUNNING
> > ipa-ods-exporter Service: STOPPED
> > ods-enforcerd Service: RUNNING
> > ipa-dnskeysyncd Service: RUNNING
> > ipa: INFO: The ipactl command was successful
> >
> > with certutil -d /etc/httpd/alias -L I now have this
> > Certificate Nickname                     Trust Attributes
> >                                          SSL,S/MIME,JAR/XPI
> >
> > Signing-Cert u,u,u
> > 4GJN_CA_FILE u,u,u
> > ipaCert u,u,u
> > 4GJN.COM IPA CA CT,C,C
> > STARTCOM-ROOT C,,
> >
> > I can insert in nss.conf either the
> > #NSSNickname "Signing-Cert" original
> > or
> > NSSNickname 4GJN_CA_FILE, but all is now broken?
> >
> > I also added this, found in Bugzilla:
> >
> > certutil -d /var/lib/pki/pki-tomcat/alias -L
> >
> > Certificate Nickname                     Trust Attributes
> >                                          SSL,S/MIME,JAR/XPI
> >
> > ocspSigningCert cert-pki-ca u,u,u
> > subsystemCert cert-pki-ca u,u,u
> > caSigningCert cert-pki-ca CTu,Cu,Cu
> > Server-Cert cert-pki-ca u,u,u
> > auditSigningCert cert-pki-ca u,u,Pu
> > STARTCOM-ROOT CT,,
> >
> > this is created in the
> >
> > certutil -d /etc/dirsrv/slapd-4GJN.COM -L
> >
> > Certificate Nickname                     Trust Attributes
> >                                          SSL,S/MIME,JAR/XPI
> >
> > 4GJN_CA_FILE u,u,u
> > 4GJN.COM IPA CA CT,C,C
> > STARTCOM-ROOT C,,
> >
> > Can anyone help a little, please ;-)
> >
> > The bad problem: I tested this on my master server with DNS / DNSSEC, which
> > I can't do a fresh install of (DNSSEC keys).
--
with kind regards / best regards,
Günther J. Niederwimmer
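Florence's checklist (server cert with u,u,u, signing CA with C,,, and the NSSNickname in nss.conf pointing at a cert that is actually in the DB) is easy to get wrong by eye across three NSS DBs, as the listings in this thread show. The following shell script is an added example, not code from the thread or from FreeIPA: it parses `certutil -L` output and an nss.conf fragment and reports which of the checks fail. On a real server the listing would come from `certutil -d /etc/httpd/alias -L` (and the dirsrv and pki-tomcat DBs) and the nickname from `/etc/httpd/conf.d/nss.conf`; here both are constructed inline, modelled on the listings posted above, so the script runs offline. The nicknames and flags in the sample data are the thread's; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): check certutil -L listings
# and nss.conf against the checklist from the reply above.

# trust_flags LISTING NICKNAME
#   Print the trust column for NICKNAME from a `certutil -L` listing.
#   Nicknames may contain spaces ("4GJN.COM IPA CA"), so the flags are the
#   last whitespace-separated field and the nickname is everything before it.
trust_flags() {
    printf '%s\n' "$1" | awk -v n="$2" '
        {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
            if (name == n) { print flags; exit }
        }'
}

# nss_nickname CONF_TEXT
#   Print the active NSSNickname value from nss.conf text, ignoring commented
#   lines such as `#NSSNickname "Signing-Cert"` and stripping quotes.
nss_nickname() {
    printf '%s\n' "$1" | awk '
        $1 == "NSSNickname" {
            v = $0
            sub(/^[ \t]*NSSNickname[ \t]+/, "", v)
            gsub(/"/, "", v)
            print v; exit
        }'
}

# check_db LISTING SERVER_NICK CA_NICK
#   Return 0 when SERVER_NICK is present with trust u,u,u and CA_NICK has a C
#   in its SSL slot (C,, as requested; CT,, as in the pki-tomcat DB also passes).
check_db() {
    s=$(trust_flags "$1" "$2")
    c=$(trust_flags "$1" "$3")
    rc=0
    case "$s" in
        u,u,u) ;;
        '')    echo "server cert '$2' is missing from the DB"; rc=1 ;;
        *)     echo "server cert '$2' has trust '$s', expected u,u,u"; rc=1 ;;
    esac
    case "${c%%,*}" in
        *C*)   ;;
        *)     echo "CA cert '$3' has trust '$c', expected C,,"; rc=1 ;;
    esac
    return $rc
}

# check_httpd LISTING CONF_TEXT CA_NICK
#   The nickname Apache will actually use (from nss.conf) must be in the DB
#   with u,u,u, and the CA that signed it must be trusted.
check_httpd() {
    check_db "$1" "$(nss_nickname "$2")" "$3"
}

# Constructed listing, shaped like the /etc/httpd/alias listing in the thread.
HTTPD_LISTING='Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

Signing-Cert                             u,u,u
4GJN_CA_FILE                             u,u,u
ipaCert                                  u,u,u
4GJN.COM IPA CA                          CT,C,C
STARTCOM-ROOT                            C,,'

# Constructed nss.conf fragment: the original nickname is commented out.
NSS_CONF='#NSSNickname "Signing-Cert"
NSSNickname 4GJN_CA_FILE
NSSEnforceValidCerts off'

check_httpd "$HTTPD_LISTING" "$NSS_CONF" STARTCOM-ROOT && echo "httpd NSS DB: OK"
```

To use it on a live system, replace the constructed strings with `HTTPD_LISTING=$(certutil -d /etc/httpd/alias -L)` and `NSS_CONF=$(cat /etc/httpd/conf.d/nss.conf)`, and run `check_db` once per NSS DB with the nickname each service is configured to use (for the LDAP server that is the nsSSLPersonalitySSL attribute rather than nss.conf). The CA check deliberately looks only at the SSL slot of the trust string, which is the part that decides whether the server cert chain validates.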