[Freeipa-users] Cannot install 3rd party certificate

Matt . yamakasi.014 at gmail.com
Wed Feb 15 16:40:38 UTC 2017


Hi,

Is there any update on this? I need to install 3 other instances, but
I would like to know upfront if it might be a bug.

Thanks,

Matt

2017-02-14 17:59 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
> Hi Florence,
>
> Sure I can, here you go:
>
> Fedora 24
> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>
> I installed this server as self-signed CA
>
> Cheers,
>
> Matt
>
>
>
>
> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>
>>> Hi Florence,
>>>
>>> Thanks for your update, good to see some good info about it. For
>>> Comodo I have installed all these:
>>>
>>> AddTrustExternalCARoot.crt
>>> COMODORSAAddTrustCA.crt
>>> COMODORSADomainValidationSecureServerCA.crt
>>>
>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>> far as I know, but the same issues still exist: the Server-Cert is
>>> removed again on ipa-certupdate and it fails.
>>>
>>> I have tried this with setenforce 0
>>>
>> Hi Matt,
>>
>> can you provide more info in order to reproduce the issue?
>> - which OS are you using
>> - IPA version
>> - how did you install ipa server (CA-less or with self-signed CA or with
>> externally-signed CA?)
>>
>> Thanks,
>> Flo.
>>
>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>
>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>
>>>>>
>>>>> Certs are valid, I will check what you mentioned.
>>>>>
>>>>> I'm also no fan of bundles, more of the separate files, but this doesn't
>>>>> always seem to work. At least for the CA root a bundle was required.
>>>>>
>>>> Hi Matt,
>>>>
>>>> if your certificate was provided by an intermediate CA, you need to add
>>>> each CA before running ipa-server-certinstall (start from the top-level
>>>> CA with ipa-cacert-manage install, then run ipa-certupdate, then the
>>>> intermediate CA with ipa-cacert-manage install, then ipa-certupdate etc...)
>>>>
>>>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>
>>>> Flo.
>>>>
>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>
>>>>>>
>>>>>> Have you validated the cert (and dumped the contents) from the command
>>>>>> line using the openssl tools?  I’ve seen the message you are seeing
>>>>>> before; for some reason I seem to remember that it has to do with either
>>>>>> a missing or an extra - at either the -----BEGIN CERTIFICATE---- or
>>>>>> -----END CERTIFICATE---- (an error from copy and pasting and not copying
>>>>>> the actual file).
>>>>>>
>>>>>> I’ve never used certupdate so if what is described above doesn’t help
>>>>>> somebody else will have to chime in.
>>>>>>
>>>>>> Dan
>>>>>>
>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Dan,
>>>>>>>
>>>>>>> Yes, I have tried that and I get the message that it misses the full
>>>>>>> chain for the certificate.
>>>>>>>
>>>>>>> My issue is more: why is the Server-Cert being removed on a certupdate?
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>
>>>>>>>>
>>>>>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
>>>>>>>> cert only (disclaimer: I’ve never done this)?
>>>>>>>>
>>>>>>>> Dan
>>>>>>>>
>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Guys,
>>>>>>>>>
>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>
>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>
>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>
>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>>> Directory Manager password:
>>>>>>>>>
>>>>>>>>> Enter private key unlock password:
>>>>>>>>>
>>>>>>>>> list index out of range
>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>
>>>>>>>>> What can I do to solve this?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
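Dan's suggestion above, checking the PEM file for a missing or extra dash on a BEGIN/END line before running ipa-server-certinstall, is easy to automate, and the count of well-formed blocks also shows whether the bundle really carries the root, intermediate and server certificate that the thread lists. The script below is an added example, not code from the thread or from FreeIPA; the sample bundle is constructed and contains no real certificates.

```python
import re

# Strict RFC 7468 boundary (five dashes each side) and a loose pattern that still
# matches a boundary with a missing or extra dash so it can be reported, not swallowed.
STRICT = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
LOOSE = re.compile(r"^-+\s*(BEGIN|END) ([A-Z0-9 ]+?)\s*-+$")
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")

def check_pem_bundle(text):
    """Return (cert_bodies, problems): base64 of each well-formed CERTIFICATE block, plus findings."""
    certs, problems, label, body, tainted = [], [], None, [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LOOSE.match(line)
        if not m:  # not a boundary: must be a base64 line inside an open block
            if label is None:
                problems.append(f"line {n}: text outside any PEM block")
            elif BASE64_LINE.match(line):
                body.append(line)
            else:
                problems.append(f"line {n}: non-base64 line inside {label} block")
                tainted = True
            continue
        kind, lbl = m.groups()
        strict = bool(STRICT.match(line))
        if not strict:
            problems.append(f"line {n}: malformed boundary {line!r} (need 5 dashes each side)")
        if kind == "BEGIN":
            label, body, tainted = lbl, [], not strict
        else:
            if lbl != label:
                problems.append(f"line {n}: END {lbl} without matching BEGIN {lbl}")
            elif lbl == "CERTIFICATE" and body and strict and not tainted:
                certs.append("".join(body))  # only clean, balanced blocks count
            label, body, tainted = None, [], False
    if label is not None:
        problems.append(f"end of input: {label} block never closed")
    return certs, problems

# Constructed sample (not real certificates): a well-formed cert followed by one
# whose END boundary lost a dash, the copy-and-paste damage described in the thread.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBxjCCAW+gAwIBAgIUd29ya2VkZXhhbXBsZQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBszCCAVygAwIBAgIUc2Vjb25kZXhhbXBsZQ==
-----END CERTIFICATE----
"""
```

Run `check_pem_bundle(open("mydomain_com_bundle.crt").read())` on the real file: an empty problems list and the expected number of certificates is what you want before handing the file to ipa-cacert-manage or ipa-server-certinstall.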