[Freeipa-users] Cannot install 3rd party certificate

Matt . yamakasi.014 at gmail.com
Tue Feb 14 16:43:26 UTC 2017


Hi Florance,

Thanks for your update, good to see some good info about it. For
Comodo I have installed all these:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

Where COMODORSADomainValidationSecureServerCA.crt is not needed as
far as I know, but the same issues still exist: the Server-Cert is
removed again on ipa-certupdate and it fails.

I have tried this with setenforce 0

Cheers,

Matt

2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> On 02/14/2017 02:54 PM, Matt . wrote:
>>
>> Certs are valid, I will check what you mentioned.
>>
>> I'm also no fan of bundles, more the separate files, but this doesn't
>> seem to work always. At least for the CA root a bundle was required.
>>
> Hi Matt,
>
> if your certificate was provided by an intermediate CA, you need to add each
> CA before running ipa-server-certinstall (start from the top-level CA with
> ipa-cacert-manage install, then run ipa-certupdate, then the intermediate CA
> with ipa-cacert-manage install, then ipa-certupdate etc...)
>
> There is also a known issue with ipa-certupdate and SELinux in enforcing
> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>
> Flo.
>
>
>> Matt
>>
>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>> <dsullivan2 at bsd.uchicago.edu>:
>>>
>>> Have you validated the cert (and dumped the contents) from the command
>>> line using the openssl tools?  I’ve seen the message you are seeing before,
>>> for some reason I seem to remember that it has to do with either a missing
>>> or an extra - at either the -----BEGIN CERTIFICATE---- or -----END
>>> CERTIFICATE---- (an error from copy and pasting and not copying the actual
>>> file).
>>>
>>> I’ve never used certupdate so if what is described above doesn’t help
>>> somebody else will have to chime in.
>>>
>>> Dan
>>>
>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>
>>>> Hi Dan,
>>>>
>>>> Yes, I have tried that and I get the message that it misses the full
>>>> chain for the certificate.
>>>>
>>>> My issue is more, why is the Server-Cert being removed on a certupdate ?
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>
>>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
>>>>> cert only (disclaimer: I’ve never done this).
>>>>>
>>>>> Dan
>>>>>
>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>
>>>>>> Hi Guys,
>>>>>>
>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>
>>>>>>
>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>
>>>>>> When I run the install command for the certificate itself:
>>>>>>
>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key
>>>>>> mydomain_com_bundle.crt
>>>>>> Directory Manager password:
>>>>>>
>>>>>> Enter private key unlock password:
>>>>>>
>>>>>> list index out of range
>>>>>> The ipa-server-certinstall command failed.
>>>>>>
>>>>>>
>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>
>>>>>> What can I do to solve this ?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>>
>>>
>>
>
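Two points from the thread lend themselves to a small script: Dan's suggestion to validate the PEM file and look for a missing or extra dash in the `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` markers, and Florence's sequence of installing each CA root-first with `ipa-cacert-manage install` followed by `ipa-certupdate`. The following is an added example written for this page, not code from the thread or from the FreeIPA project. The file names, the helper names and the placeholder certificate bodies are assumptions; `install_chain` is only meant to be run as root on an IPA server and is not executed by the script itself.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): sanity-check PEM
# certificate files before passing them to ipa-server-certinstall /
# ipa-cacert-manage, and install a CA chain root-first with ipa-certupdate
# after each CA. Helper names and file names are assumptions.

# Print how many certificates FILE contains (0 means no well-formed BEGIN line).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Return 0 if every BEGIN/END CERTIFICATE marker in FILE has exactly five
# dashes on each side and BEGIN/END counts match; otherwise report and return 1.
# A CRLF line ending is flagged too, since "-----\r" does not match.
check_pem_markers() {
    f="$1"
    # Any line mentioning CERTIFICATE that is not an exact marker is suspect
    # (one dash too few or too many is the classic copy-paste damage).
    bad=$(grep -n 'CERTIFICATE' "$f" | grep -v -E '^[0-9]+:-----(BEGIN|END) CERTIFICATE-----$' || true)
    if [ -n "$bad" ]; then
        printf 'malformed marker line(s) in %s:\n%s\n' "$f" "$bad" >&2
        return 1
    fi
    begins=$(count_certs "$f")
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        printf '%s: %s BEGIN vs %s END markers\n' "$f" "$begins" "$ends" >&2
        return 1
    fi
    return 0
}

# Split a bundle FILE into OUTDIR/cert-1.pem, cert-2.pem, ... in file order.
split_bundle() {
    f="$1"; out="$2"
    mkdir -p "$out"
    awk -v dir="$out" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; file = dir "/cert-" n ".pem" }
        file { print > file }
        /^-----END CERTIFICATE-----$/ { close(file); file = "" }
    ' "$f"
}

# Print subject and issuer of each certificate in FILE (needs openssl).
# In a correctly ordered bundle each issuer is the subject of the next entry.
show_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    d=$(mktemp -d)
    split_bundle "$1" "$d"
    i=1
    while [ -f "$d/cert-$i.pem" ]; do
        printf 'cert-%s: ' "$i"
        openssl x509 -in "$d/cert-$i.pem" -noout -subject -issuer | tr '\n' ' '
        echo
        i=$((i + 1))
    done
    rm -rf "$d"
}

# Install CA files root-first, running ipa-certupdate after each one (the
# sequence Florence describes). Run as root on the IPA server with the CA
# files in root -> intermediate order, e.g.
#   install_chain AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt
install_chain() {
    command -v ipa-cacert-manage >/dev/null 2>&1 || { echo "not an IPA server" >&2; return 2; }
    for ca; do
        check_pem_markers "$ca" || return 1
        ipa-cacert-manage install "$ca" || return 1
        ipa-certupdate || return 1
    done
}

# Constructed samples: the bodies are placeholder base64, not real certificates.
SAMPLE_DIR=$(mktemp -d)
GOOD_PEM="$SAMPLE_DIR/good.pem"
BAD_PEM="$SAMPLE_DIR/bad.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderONLY' '-----END CERTIFICATE-----' \
              '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderONLY' '-----END CERTIFICATE-----' > "$GOOD_PEM"
# Same content, but the second END marker lost a dash in a copy-paste.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderONLY' '-----END CERTIFICATE-----' \
              '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderONLY' '-----END CERTIFICATE----' > "$BAD_PEM"

check_pem_markers "$GOOD_PEM" && echo "good.pem: $(count_certs "$GOOD_PEM") certificate(s), markers OK"
check_pem_markers "$BAD_PEM" || echo "bad.pem: rejected as expected"

# Usage: ./pemcheck.sh mydomain_com_bundle.crt  (checks markers, then lists the chain)
if [ $# -gt 0 ]; then
    for f; do
        check_pem_markers "$f" && show_chain "$f"
    done
fi
```

Running it against the bundle before `ipa-server-certinstall` separates the two failure modes in the thread: a marker problem is reported with its line number, and `show_chain` makes it visible whether the file actually carries the intermediates and in which order.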