[Freeipa-users] Cannot install 3rd party certificate

Florence Blanc-Renaud flo at redhat.com
Thu Feb 16 10:17:08 UTC 2017


On 02/15/2017 05:40 PM, Matt . wrote:
> Hi,
>
> Is there any update on this? I need to install 3 other instances but
> I would like to know upfront if it might be a bug.
>
Hi Matt,

I was not able to reproduce your issue. Here were my steps:

Install FreeIPA with self-signed cert:
ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD

The certificate chain is ca1 -> subca -> server.
Install the root CA:
kinit admin
ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
ipa-certupdate

Install the subca:
ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
ipa-certupdate

Install the server cert:
ipa-server-certinstall -d -w server.pem key.pem

ipa-certupdate basically retrieves the certificates from LDAP (below 
cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias 
but I don't remember it removing certs.

Can you check the content of your LDAP server?
kinit admin
ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN

It should contain one entry for each CA that you added.

Flo.
> Thanks,
>
> Matt
>
> 2017-02-14 17:59 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>> Hi Florence,
>>
>> Sure I can, here you go:
>>
>> Fedora 24
>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>
>> I installed this server as self-signed CA
>>
>> Cheers,
>>
>> Matt
>>
>>
>>
>>
>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>>
>>>> Hi Florence,
>>>>
>>>> Thanks for your update, good to see some good info about it. For
>>>> Comodo I have installed all these:
>>>>
>>>> AddTrustExternalCARoot.crt
>>>> COMODORSAAddTrustCA.crt
>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>
>>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>> far as I know but the same issues still exist, the Server-Cert is
>>>> removed again on ipa-certupdate and fails.
>>>>
>>>> I have tried this with setenforce 0
>>>>
>>> Hi Matt,
>>>
>>> can you provide more info in order to reproduce the issue?
>>> - which OS are you using
>>> - IPA version
>>> - how did you install ipa server (CA-less or with self-signed CA or with
>>> externally-signed CA?)
>>>
>>> Thanks,
>>> Flo.
>>>
>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>
>>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>>
>>>>>>
>>>>>> Certs are valid, I will check what you mentioned.
>>>>>>
>>>>>> I'm also no fan of bundles, more the separate files but this doesn't
>>>>>> seem to work always. At least for the CA root a bundle was required.
>>>>>>
>>>>> Hi Matt,
>>>>>
>>>>> if your certificate was provided by an intermediate CA, you need to add
>>>>> each
>>>>> CA before running ipa-server-certinstall (start from the top-level CA
>>>>> with
>>>>> ipa-cacert-manage install, then run ipa-certupdate, then the intermediate
>>>>> CA
>>>>> with ipa-cacert-manage install, then ipa-certupdate etc...)
>>>>>
>>>>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>>>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>>
>>>>> Flo.
>>>>>
>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>
>>>>>>>
>>>>>>> Have you validated the cert (and dumped the contents) from the command
>>>>>>> line using the openssl tools?  I’ve seen the message you are seeing
>>>>>>> before,
>>>>>>> for some reason I seem to remember that it has to do with either a
>>>>>>> missing
>>>>>>> or an extra - at either the -----BEGIN CERTIFICATE---- or -----END
>>>>>>> CERTIFICATE---- (an error from copy and pasting and not copying the
>>>>>>> actual
>>>>>>> file).
>>>>>>>
>>>>>>> I’ve never used certupdate so if what is described above doesn’t help
>>>>>>> somebody else will have to chime in.
>>>>>>>
>>>>>>> Dan
>>>>>>>
>>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Dan,
>>>>>>>>
>>>>>>>> Yes, I have tried that and I get the message that it misses the full
>>>>>>>> chain for the certificate.
>>>>>>>>
>>>>>>>> My issue is more, why is the Server-Cert being removed on a certupdate?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Is the chain in mydomain_com_bundle.crt? Have you tried it with the
>>>>>>>>> cert only (disclaimer: I’ve never done this)?
>>>>>>>>>
>>>>>>>>> Dan
>>>>>>>>>
>>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Guys,
>>>>>>>>>>
>>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>>
>>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>>
>>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>>>> Directory Manager password:
>>>>>>>>>>
>>>>>>>>>> Enter private key unlock password:
>>>>>>>>>>
>>>>>>>>>> list index out of range
>>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>>
>>>>>>>>>> What can I do to solve this?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Matt
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>

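Two details in the thread above are worth checking mechanically before running any ipa-cacert-manage or ipa-server-certinstall command: Florence's procedure installs each CA from its own file, top-level CA first, and Dan's suggestion is that a "-----BEGIN CERTIFICATE-----" or "-----END CERTIFICATE-----" marker with a missing or extra dash (a copy-and-paste error) can make the tooling fail. The Python script below is an added example, not FreeIPA code and not something anyone in the thread posted. It splits a PEM bundle into one normalized block per certificate, so each CA can be written to its own file, and reports delimiters with the wrong dash count, bodies that are not valid base64, and blocks that do not start with an ASN.1 SEQUENCE. The names SAMPLE_BUNDLE, check_pem_bundle and bundle_ok are chosen here, and the certificate bodies in the sample bundle are constructed minimal DER SEQUENCEs, not real certificates, so only the framing is being exercised.

```python
"""Pre-install sanity check for a PEM certificate bundle (added example)."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Matches any line that looks like a certificate delimiter, even with the
# wrong number of dashes, so a damaged marker is reported instead of being
# silently swallowed as base64 body text.
DELIM_RE = re.compile(r"^(-+)(BEGIN|END) CERTIFICATE(-+)$")

# Constructed sample: three blocks whose bodies are the minimal DER SEQUENCE
# 30 03 02 01 0X (not real certificates). The last END marker has only four
# trailing dashes, the copy-and-paste error discussed in the thread.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQM=
-----END CERTIFICATE----
"""


def check_pem_bundle(text):
    """Split a PEM bundle into normalized certificate blocks.

    Returns (blocks, errors): blocks is a list of PEM strings, one per
    certificate, re-wrapped with correct delimiters and 64-column base64;
    errors is a list of human-readable problems with the line number where
    each was found.
    """
    blocks, errors = [], []
    body = None  # None while outside a block, a list of lines while inside
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = DELIM_RE.match(line)
        if m is None:
            # Inside a block every non-empty line is base64 body; outside a
            # block, text such as openssl's "Subject:" banners is ignored.
            if body is not None and line:
                body.append(line)
            continue
        lead, kind, trail = m.groups()
        if len(lead) != 5 or len(trail) != 5:
            errors.append(f"line {lineno}: malformed {kind} delimiter {line!r} "
                          "(expected five dashes on each side)")
        if kind == "BEGIN":
            if body is not None:
                errors.append(f"line {lineno}: BEGIN inside an unterminated block")
            body = []
            continue
        if body is None:
            errors.append(f"line {lineno}: END without a matching BEGIN")
            continue
        b64 = "".join(body)
        body = None
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            errors.append(f"line {lineno}: block body is not valid base64 ({exc})")
            continue
        # A DER-encoded certificate is an ASN.1 SEQUENCE; its first byte is 0x30.
        if der[:1] != b"\x30":
            errors.append(f"line {lineno}: block does not start with an ASN.1 SEQUENCE")
            continue
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"{BEGIN}\n{wrapped}\n{END}\n")
    if body is not None:
        errors.append("end of input: unterminated certificate block")
    return blocks, errors


def bundle_ok(text):
    """True when the bundle parses cleanly; use this as the pre-install gate."""
    return not check_pem_bundle(text)[1]


if __name__ == "__main__":
    found, problems = check_pem_bundle(SAMPLE_BUNDLE)
    print(f"{len(found)} certificate(s), {len(problems)} problem(s)")
    for problem in problems:
        print("  ", problem)
    # Each entry of `found` can be written to its own file (ca1.pem,
    # subca.pem, ...) and installed top-level CA first with ipa-cacert-manage.
```

On the constructed sample the script reports three certificates and one problem on line 9, the END marker with four dashes; the normalized blocks it returns parse cleanly when fed back in, so they are safe to write out as separate files for the per-CA install order described above.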