[Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

Florence Blanc-Renaud flo at redhat.com
Fri Apr 28 07:16:54 UTC 2017


On 04/28/2017 03:50 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote:
>> On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote: Hello!
>>
>> Master IPA Server:
>> - I install 1 (one) server as master (self-signed) and add/modify using external CA.
>> - I am using ipa-cacert-manage install then ipa-certupdate on master
>>
>>> Hi,
>>
>>> I think I got you wrong... Do you mean that you installed IPA
>>> with an integrated IdM CA which was self-signed, then your intent
>>> was to move to integrated IdM CA externally signed? In this case,
>>> the right command would be ipa-cacert-manage renew --external-ca,
>>> and the procedure is described in "Changing the certificate
>>> chain" [1].
>
> Ah thanks for your corrections and information, then what should I do?
> Should I run ipa-cacert-manage renew --external-ca ?
>
Yes, this is the way to go, documented here [1]. This is a 2-step 
process: when the command is run, it will create a CSR that needs to be 
signed by an external CA. Then the command must be re-launched with the 
new certificate delivered by the CA.

Also do not forget to run ipa-certupdate on the master and all the 
replicas/clients.

Flo.

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext

>>
>>> The command ipa-cacert-manage install does not replace the
>>> integrated IdM CA but adds the certificate as a known CA.
>>
>>> Hope this clarifies, Flo
>>
>>> [1]
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
>>
>>>
>>
>> Replica IPA Server:
>> - I install 1 (one) server as client and promoted to ipa-replica:
>>   - I run `ipa-client-install` and autodiscovery
>>   - Then `ipa-replica-install --principal admin --admin-password <password>`
>>
>> I've run ipa-certupdate -v to get verbose logs (attached to the first
>> email). The replica server isn't using the external CA(s) like the
>> master did.
>>
>> So, I did the same as on the master, using `ipa-cacert-manage` on the
>> replica, and it works fine. If it's normal, then thanks for
>> clarifying this.
>>
>> On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
>>>>> Hi,
>>>>>
>>>>> As your email refers to self-signed and signed CA
>>>>> certificate, can you please clarify the exact steps that you
>>>>> followed? It looks like
>>>>> - you first installed FreeIPA with a self-signed CA
>>>>> - you added an external CA (did you use ipa-cacert-manage install
>>>>>   on 1 server then ipa-certupdate on all replicas?)
>>>>> - you replaced the httpd/LDAP certificates with a cert signed from
>>>>>   the external CA (you probably ran ipa-server-certinstall on one server).
>>>>>
>>>>> In this case it is normal that the httpd/LDAP certificates on
>>>>> the replica were not updated as they are different (each IPA
>>>>> server has its own httpd/LDAP cert which contains the
>>>>> hostname in its subject). You can check this by performing on
>>>>> each server:
>>>>> ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
>>>>> Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
>>>>>              ^^^^^^^^^
>>>>>
>>>>> If the goal is to replace the httpd/LDAP certificates on the
>>>>> replica, the command ipa-server-certinstall must also be run
>>>>> on the replica with the appropriate certificate.
>>>>>
>>>>> HTH, Flo.
>>>>>
>>>>> On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote: Hello!
>>>>>
>>>>> Just an update: manually adding the external CA(s) and signed
>>>>> certificates was successful, but why didn't they automatically
>>>>> transfer to the replica(s) from the master?
>>>>>
>>>>> On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
>>>>>>>> Hello!
>>>>>>>>
>>>>>>>> I've successfully created a replica, everything works fine,
>>>>>>>> but why didn't my signed CA certificate automatically
>>>>>>>> transfer to the other replica(s)? Is it normal?
>>>>>>>>
>>>>>>>> Trying to add it manually, but the certificate on the
>>>>>>>> replica(s) is still the self-signed one. Here's the output
>>>>>>>> from `ipa-certupdate -v`:
>>>>>>>> https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=
>>>>>>>>
>>>>>>>> Interesting lines were:
>>>>>>>>
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
>>>>>>>> ipa: DEBUG: Process finished, return code=255
>>>>>>>> ipa: DEBUG: stdout=
>>>>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>>>>
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
>>>>>>>> ipa: DEBUG: Process finished, return code=255
>>>>>>>> ipa: DEBUG: stdout=
>>>>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>>>>
>>>>>>>> FYI: The replica server previously was a client and
>>>>>>>> promoted to be a replica by hitting this command:
>>>>>>>> `ipa-replica-install --principal admin
>>>>>>>> --admin-password admin_password`
>>>>>>>>
>>>>>>>> Any hints?
>>>>>>>>

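Added example, not code from the thread or from FreeIPA: a small Python triage script that runs over `ipa-certupdate -v` debug lines like the ones quoted above and lists which CA nicknames certutil could not find in the replica's NSS database, so an admin can see at a glance which CAs the replica is missing before running ipa-certupdate again. The sample log is constructed from the quoted lines plus one assumed successful lookup ("Example Root CA").

```python
"""Triage `ipa-certupdate -v` output: which CA nicknames did certutil fail to find?"""
import re

# Constructed sample: the debug lines quoted in the thread, re-split one
# entry per line, plus an assumed successful lookup ("Example Root CA").
SAMPLE_LOG = """\
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n Example Root CA -a
ipa: DEBUG: Process finished, return code=0
"""

ARGS_RE = re.compile(r"args=\S*certutil -d (?P<db>\S+) .*?-n (?P<nick>.+?) -a$")
RC_RE = re.compile(r"Process finished, return code=(?P<rc>-?\d+)")
ERR_RE = re.compile(r"stderr=certutil: (?P<msg>.+)$")


def parse_certutil_lookups(log):
    """One dict per `certutil -L -n <nick>` call: db, nickname, rc, error."""
    lookups, current = [], None
    for line in log.splitlines():
        m = ARGS_RE.search(line)
        if m:  # a new lookup starts; the following rc/stderr lines belong to it
            current = {"db": m["db"], "nickname": m["nick"], "rc": None, "error": ""}
            lookups.append(current)
            continue
        if current is None:  # output of a process we are not tracking
            continue
        m = RC_RE.search(line)
        if m:
            current["rc"] = int(m["rc"])
            continue
        m = ERR_RE.search(line)
        if m and current["rc"] not in (None, 0):
            current["error"] = m["msg"].strip()
    return lookups


def missing_nicknames(log):
    """(db, nickname) pairs certutil reported absent: the CAs this host lacks."""
    return [(l["db"], l["nickname"]) for l in parse_certutil_lookups(log)
            if l["rc"] not in (None, 0) and "Could not find cert" in l["error"]]
```

Run it against the verbose output from each replica and compare the result with the master; a non-empty list on a replica is the condition the thread describes, fixed by running ipa-certupdate on that host after the CA chain has been changed.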