[Freeipa-users] Cannot install 3rd party certificate

Florence Blanc-Renaud flo at redhat.com
Tue Feb 14 16:24:17 UTC 2017


On 02/14/2017 02:54 PM, Matt . wrote:
> Certs are valid, I will check what you mentioned.
>
> I'm also no fan of bundles, more the separate files, but this doesn't
> always seem to work. At least for the CAroot a bundle was required.
>
Hi Matt,

if your certificate was provided by an intermediate CA, you need to add 
each CA before running ipa-server-certinstall (start from the top-level 
CA with ipa-cacert-manage install, then run ipa-certupdate, then the 
intermediate CA with ipa-cacert-manage install, then ipa-certupdate etc...)

There is also a known issue with ipa-certupdate and SELinux in enforcing 
mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).

Flo.

> Matt
>
> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] <dsullivan2 at bsd.uchicago.edu>:
>> Have you validated the cert (and dumped the contents) from the command line using the openssl tools?  I’ve seen the message you are seeing before, for some reason I seem to remember that it has to do with either a missing or an extra - at either the -----BEGIN CERTIFICATE---- or -----END CERTIFICATE---- (an error from copy and pasting and not copying the actual file).
>>
>> I’ve never used certupdate so if what is described above doesn’t help somebody else will have to chime in.
>>
>> Dan
>>
>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>
>>> Hi Dan,
>>>
>>> Yes, I have tried that and I get the message that it is missing the full
>>> chain for the certificate.
>>>
>>> My issue is more: why is the Server-Cert being removed on a certupdate?
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] <dsullivan2 at bsd.uchicago.edu>:
>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the cert only (disclaimer: I’ve never done this).
>>>>
>>>> Dan
>>>>
>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>
>>>>> Hi Guys,
>>>>>
>>>>> I'm trying to install a 3rd party certificate using:
>>>>>
>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>
>>>>> When I run the install command for the certificate itself:
>>>>>
>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>> Directory Manager password:
>>>>>
>>>>> Enter private key unlock password:
>>>>>
>>>>> list index out of range
>>>>> The ipa-server-certinstall command failed.
>>>>>
>>>>>
>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>
>>>>> What can I do to solve this?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Matt
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>>>>
>>
>
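Added example, not part of this thread or of the FreeIPA project's own tooling: a small POSIX shell script that does the three checks the replies above circle around. It splits a PEM bundle into one file per certificate (so each CA can be handed to ipa-cacert-manage separately), verifies the BEGIN/END marker lines have exactly five dashes on each side (the copy-and-paste damage Dan describes), and prints the root-first order of ipa-cacert-manage install, ipa-certupdate and ipa-server-certinstall that Flo describes. The command names and the -w -d flags are those on the linked wiki page; the bundle content below is a constructed placeholder, not real certificates; the assumption that a commercial bundle is ordered leaf, intermediate, root is mine and must be checked against the actual bundle (openssl x509 -noout -subject -issuer on each split file). The ipa commands are only printed, never run.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): split a PEM bundle,
# check its markers, and print the root-first install order. Dry run only.
set -eu

# Write each CERTIFICATE block of $1 to $2/cert-N.pem; print the block count.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v out="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; f = sprintf("%s/cert-%d.pem", out, n); inblock = 1 }
        inblock { print > f }
        /^-----END CERTIFICATE-----$/ { inblock = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# Return 0 when every marker line has exactly five dashes on each side and
# the BEGIN/END counts match; a pasted cert with a missing or extra "-" fails.
check_pem_markers() {
    file=$1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    malformed=$(grep -E '^-+(BEGIN|END) CERTIFICATE-+$' "$file" \
        | grep -vcE '^-{5}(BEGIN|END) CERTIFICATE-{5}$' || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] && [ "$malformed" -eq 0 ]
}

# Print the install order Flo describes: each CA starting from the top-level
# one, ipa-certupdate after each, and the server cert last.
# Usage: plan_install KEY CERT ROOT_CA [INTERMEDIATE_CA...]
plan_install() {
    key=$1
    cert=$2
    shift 2
    for ca in "$@"; do
        echo "ipa-cacert-manage install $ca"
        echo "ipa-certupdate"
    done
    echo "ipa-server-certinstall -w -d $key $cert"
}

# Constructed demo input: the base64 bodies are placeholders, not real certs.
work=$(mktemp -d)
cat > "$work/bundle.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBleafplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBintermediateplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBrootplaceholder
-----END CERTIFICATE-----
EOF
check_pem_markers "$work/bundle.crt" || { echo "bad PEM markers in bundle"; exit 1; }
count=$(split_pem_bundle "$work/bundle.crt" "$work/split")
echo "split bundle into $count certificates"
# Assumption: bundle order is leaf, intermediate, root, so CAs go root-first.
plan_install mydomain_com.key "$work/split/cert-1.pem" \
    "$work/split/cert-3.pem" "$work/split/cert-2.pem"
rm -rf "$work"
```

Run it against the real mydomain_com_bundle.crt instead of the placeholder, confirm the subject/issuer chain of the split files with openssl before trusting the order, and only then execute the printed commands on the IPA server.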
