[Freeipa-users] Cannot install 3rd party certificate

Florence Blanc-Renaud flo at redhat.com
Tue Feb 14 16:54:09 UTC 2017


On 02/14/2017 05:43 PM, Matt . wrote:
> Hi Florence,
>
> Thanks for your update, good to see some good info about it. For
> Comodo I have installed all these:
>
> AddTrustExternalCARoot.crt
> COMODORSAAddTrustCA.crt
> COMODORSADomainValidationSecureServerCA.crt
>
> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
> far as I know, but the same issues still exist: the Server-Cert is
> removed again on ipa-certupdate and fails.
>
> I have tried this with setenforce 0
>
Hi Matt,

can you provide more info in order to reproduce the issue?
- which OS are you using
- IPA version
- how did you install ipa server (CA-less or with self-signed CA or with 
externally-signed CA?)

Thanks,
Flo.

> Cheers,
>
> Matt
>
> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>
>>> Certs are valid, I will check what you mentioned.
>>>
>>> I'm also no fan of bundles, more the separate files, but this doesn't
>>> seem to work always. At least for the CAroot a bundle was required.
>>>
>> Hi Matt,
>>
>> if your certificate was provided by an intermediate CA, you need to add each
>> CA before running ipa-server-certinstall (start from the top-level CA with
>> ipa-cacert-manage install, then run ipa-certupdate, then the intermediate CA
>> with ipa-cacert-manage install, then ipa-certupdate etc...)
>>
>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>
>> Flo.
>>
>>
>>> Matt
>>>
>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>
>>>> Have you validated the cert (and dumped the contents) from the command
>>>> line using the openssl tools?  I’ve seen the message you are seeing before,
>>>> for some reason I seem to remember that it has to do with either a missing
>>>> or an extra - at either the -----BEGIN CERTIFICATE---- or -----END
>>>> CERTIFICATE---- (an error from copy and pasting and not copying the actual
>>>> file).
>>>>
>>>> I’ve never used certupdate so if what is described above doesn’t help
>>>> somebody else will have to chime in.
>>>>
>>>> Dan
>>>>
>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>
>>>>> Hi Dan,
>>>>>
>>>>> Yes, I have tried that and I get the message that it misses the full
>>>>> chain for the certificate.
>>>>>
>>>>> My issue is more, why is the Server-Cert being removed on a certupdate?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>
>>>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
>>>>>> cert only (disclaimer: I’ve never done this).
>>>>>>
>>>>>> Dan
>>>>>>
>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Guys,
>>>>>>>
>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>
>>>>>>>
>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>
>>>>>>> When I run the install command for the certificate itself:
>>>>>>>
>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key
>>>>>>> mydomain_com_bundle.crt
>>>>>>> Directory Manager password:
>>>>>>>
>>>>>>> Enter private key unlock password:
>>>>>>>
>>>>>>> list index out of range
>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>
>>>>>>>
>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>
>>>>>>> What can I do to solve this?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>
>>>>>>
>>>>
>>>
>>
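Added example, not from the thread or the FreeIPA project: a small POSIX shell script that does the two checks the replies above point at, namely Dan's suggestion to look for a missing or extra dash on the BEGIN/END CERTIFICATE markers, and Flo's advice to install each CA of the chain separately (ipa-cacert-manage install, then ipa-certupdate) before ipa-server-certinstall. The function names, the temp directory and the sample bundle contents are constructed for the demo.

```shell
#!/bin/sh
# Pre-checks for a PEM bundle before ipa-server-certinstall / ipa-cacert-manage.
# Added example; the function names and sample files are constructed here.

# Exit 0 when every BEGIN/END CERTIFICATE marker has exactly five dashes on
# each side and the markers pair up (the copy-paste defect Dan describes);
# otherwise print what is wrong and exit 1.
check_pem_markers() {
    awk '
        /BEGIN CERTIFICATE/ {
            if ($0 != "-----BEGIN CERTIFICATE-----") { print "bad BEGIN marker, line " NR; bad = 1 }
            if (open) { print "BEGIN inside another certificate, line " NR; bad = 1 }
            open = 1; next
        }
        /END CERTIFICATE/ {
            if ($0 != "-----END CERTIFICATE-----") { print "bad END marker, line " NR; bad = 1 }
            if (!open) { print "END without BEGIN, line " NR; bad = 1 }
            open = 0; n++; next
        }
        END {
            if (open) { print "last certificate has no END marker"; bad = 1 }
            if (n == 0) { print "no certificate found"; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Write each certificate of bundle $1 to $2/cert-N.pem, in bundle order, and
# print the count, so the CAs can be fed to ipa-cacert-manage install one at
# a time (with ipa-certupdate after each), as Flo's reply recommends.
split_pem_bundle() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /^-----END CERTIFICATE-----$/ { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# Demo on a constructed two-certificate bundle (placeholder bodies, not real
# certificates) and a copy whose END markers lost a dash.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed-root...' \
    '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
    'MIIB...constructed-intermediate...' '-----END CERTIFICATE-----' \
    > "$demo_dir/bundle.crt"
sed 's/^-----END CERTIFICATE-----$/-----END CERTIFICATE----/' \
    "$demo_dir/bundle.crt" > "$demo_dir/broken.crt"
check_pem_markers "$demo_dir/bundle.crt" && echo "bundle.crt: markers OK"
check_pem_markers "$demo_dir/broken.crt" || echo "broken.crt: rejected"
echo "split into $(split_pem_bundle "$demo_dir/bundle.crt" "$demo_dir") files"
```

The split files can then be passed one by one, top-level CA first, to ipa-cacert-manage install followed by ipa-certupdate, before retrying ipa-server-certinstall with the key and the server certificate.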