[Freeipa-users] Cannot install 3rd party certificate

Matt . yamakasi.014 at gmail.com
Tue Feb 14 16:59:49 UTC 2017


Hi Florence,

Sure I can, here you go:

Fedora 24
Freeipa VERSION: 4.4.2, API_VERSION: 2.215

I installed this server as self-signed CA

Cheers,

Matt




2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> On 02/14/2017 05:43 PM, Matt . wrote:
>>
>> Hi Florence,
>>
>> Thanks for your update, good to see some good info about it. For
>> Comodo I have installed all these:
>>
>> AddTrustExternalCARoot.crt
>> COMODORSAAddTrustCA.crt
>> COMODORSADomainValidationSecureServerCA.crt
>>
>> where COMODORSADomainValidationSecureServerCA.crt is not needed as
>> far as I know, but the same issues still exist: the Server-Cert is
>> removed again on ipa-certupdate and it fails.
>>
>> I have tried this with setenforce 0
>>
> Hi Matt,
>
> can you provide more info in order to reproduce the issue?
> - which OS are you using
> - IPA version
> - how did you install ipa server (CA-less or with self-signed CA or with
> externally-signed CA?)
>
> Thanks,
> Flo.
>
>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>
>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>
>>>>
>>>> Certs are valid, I will check what you mentioned.
>>>>
>>>> I'm also no fan of bundles, more the separate files, but this doesn't
>>>> always seem to work. At least for the CA root a bundle was required.
>>>>
>>> Hi Matt,
>>>
>>> if your certificate was provided by an intermediate CA, you need to add
>>> each CA before running ipa-server-certinstall (start from the top-level
>>> CA with ipa-cacert-manage install, then run ipa-certupdate, then the
>>> intermediate CA with ipa-cacert-manage install, then ipa-certupdate etc...)
>>>
>>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>
>>> Flo.
>>>
>>>
>>>> Matt
>>>>
>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] <dsullivan2 at bsd.uchicago.edu>:
>>>>>
>>>>>
>>>>> Have you validated the cert (and dumped the contents) from the command
>>>>> line using the openssl tools?  I’ve seen the message you are seeing
>>>>> before; for some reason I seem to remember that it has to do with either
>>>>> a missing or an extra - at either the -----BEGIN CERTIFICATE---- or
>>>>> -----END CERTIFICATE---- (an error from copy and pasting and not copying
>>>>> the actual file).
>>>>>
>>>>> I’ve never used certupdate so if what is described above doesn’t help
>>>>> somebody else will have to chime in.
>>>>>
>>>>> Dan
>>>>>
>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>
>>>>>> Hi Dan,
>>>>>>
>>>>>> Yes, I have tried that and I get the message that it misses the full
>>>>>> chain for the certificate.
>>>>>>
>>>>>> My issue is more: why is the Server-Cert being removed on a certupdate?
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>
>>>>>>>
>>>>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
>>>>>>> cert only (disclaimer: I’ve never done this).
>>>>>>>
>>>>>>> Dan
>>>>>>>
>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Guys,
>>>>>>>>
>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>
>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>
>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>> Directory Manager password:
>>>>>>>>
>>>>>>>> Enter private key unlock password:
>>>>>>>>
>>>>>>>> list index out of range
>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>
>>>>>>>>
>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>
>>>>>>>> What can I do to solve this ?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> --
>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> Go to http://freeipa.org for more info on the project
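The checks Dan suggests (dump the certificate, look for a missing or extra dash on a PEM marker) and the root-first install order Flo describes, written up as one script. This is an added example, not code from this thread or from the FreeIPA project. The file names (mydomain_com.key, mydomain_com_bundle.crt, the three Comodo CA files) are the placeholders used in the thread; mydomain_com.crt (a file holding the server certificate alone) is an assumption, as is running this as root on the IPA server itself. The sample certificates the script constructs for self-testing are placeholder text, not real certificates, so only the marker checks are meaningful on them.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeIPA. Checks PEM files
# before they are handed to ipa-cacert-manage / ipa-server-certinstall, then
# installs the chain root first, as described in the thread. File names are the
# thread's placeholders; mydomain_com.crt (leaf only) is assumed.

# pem_check FILE: every BEGIN/END CERTIFICATE marker must have exactly five
# dashes on each side and nothing else on the line, there must be no CRLF line
# endings, and BEGIN/END markers must pair up. Prints the certificate count;
# returns 1 on any problem.
pem_check() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    crlf=$(grep -c "$(printf '\r')" "$f" || true)
    if [ "$crlf" -ne 0 ]; then
        echo "$f: CRLF line endings, run dos2unix first" >&2; return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    # every line that looks like a marker at all, well formed or not
    all=$(grep -cE 'BEGIN CERTIFICATE|END CERTIFICATE' "$f" || true)
    if [ "$begins" -eq 0 ]; then
        echo "$f: no PEM certificate found" >&2; return 1
    fi
    if [ "$begins" -ne "$ends" ] || [ "$all" -ne $((begins + ends)) ]; then
        echo "$f: malformed or unbalanced BEGIN/END CERTIFICATE marker" >&2; return 1
    fi
    echo "$begins"
}

# pem_split FILE OUTDIR: write each certificate in FILE to OUTDIR/cert-N.pem in
# bundle order, so each CA can be installed as a separate file.
pem_split() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ { inside = 0; close(out) }
    ' "$1"
}

# pem_dump DIR: subject, issuer and expiry of each split certificate, so the
# chain order (leaf -> intermediate -> root) can be read off. Needs openssl.
pem_dump() {
    for c in "$1"/cert-*.pem; do
        echo "== $c"
        openssl x509 -in "$c" -noout -subject -issuer -enddate
    done
}

# verify_chain ROOT INTERMEDIATE LEAF: confirm the leaf really chains to the
# root through the intermediate before touching IPA at all. Needs openssl.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# install_chain: the order Flo gives in the thread. Root first, ipa-certupdate
# after each CA, and only then the server certificate. Each ipa-* command
# prompts for the Directory Manager password.
install_chain() {
    pem_check AddTrustExternalCARoot.crt >/dev/null || return 1
    pem_check COMODORSAAddTrustCA.crt >/dev/null || return 1
    pem_check mydomain_com.crt >/dev/null || return 1
    ipa-cacert-manage install AddTrustExternalCARoot.crt && ipa-certupdate || return 1
    ipa-cacert-manage install COMODORSAAddTrustCA.crt && ipa-certupdate || return 1
    # assumption: with both CAs already trusted, the leaf alone is enough here
    ipa-server-certinstall -w -d mydomain_com.key mydomain_com.crt
}

# make_samples DIR: constructed test input, not real certificates (the bodies
# are placeholder text), used only to exercise pem_check and pem_split.
make_samples() {
    d="$1"
    : > "$d/good.crt"
    i=1
    while [ "$i" -le 3 ]; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
            "MIIBsampleCert${i}AAAA" '-----END CERTIFICATE-----' >> "$d/good.crt"
        i=$((i + 1))
    done
    # the copy-and-paste error from the thread: one dash missing on an END marker
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBsampleCertAAAA' '-----END CERTIFICATE----' > "$d/bad.crt"
}

# Usage: ./pemcheck.sh FILE...   checks each file and reports its certificate count
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        n=$(pem_check "$f") || exit 1
        echo "$f: $n certificate(s)"
    done
fi
```

Run pem_check on every file first; if it rejects the bundle, the "list index out of range" style failure from ipa-server-certinstall is almost certainly a marker or line-ending problem rather than anything in IPA. pem_split plus pem_dump shows which certificate is which, and verify_chain confirms the chain with openssl before any ipa-cacert-manage install is attempted.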




More information about the Freeipa-users mailing list