[Freeipa-users] Cannot install 3rd party certificate

Matt . yamakasi.014 at gmail.com
Thu Feb 16 20:55:45 UTC 2017


Hi Flo! (if I may call you that; it saves some characters in typing,
but with this extra line it doesn't anymore :))

This works perfectly, thank you very much.

No questions further actually :)

Cheers,

Matt

2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> On 02/15/2017 05:40 PM, Matt . wrote:
>>
>> Hi,
>>
>> Is there any update on this ? I need to install 3 other instances but
>> I would like to know upfront if it might be a bug.
>>
> Hi Matt,
>
> I was not able to reproduce your issue. Here were my steps:
>
> Install FreeIPA with self-signed cert:
> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>
> The certificate chain is ca1 -> subca -> server.
> Install the root CA:
> kinit admin
> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
> ipa-certupdate
>
> Install the subca:
> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
> ipa-certupdate
>
> Install the server cert:
> ipa-server-certinstall -d -w server.pem key.pem
>
> ipa-certupdate basically retrieves the certificates from LDAP (below
> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias but
> I don't remember it removing certs.
>
> Can you check the content of your LDAP server?
> kinit admin
> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
>
> It should contain one entry for each CA that you added.
>
> Flo.
>
>> Thanks,
>>
>> Matt
>>
>> 2017-02-14 17:59 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>
>>> Hi Florence,
>>>
>>> Sure I can, here you go:
>>>
>>> Fedora 24
>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>
>>> I installed this server as self-signed CA
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>>
>>>
>>>
>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>
>>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>>>
>>>>>
>>>>> Hi Florance,
>>>>>
>>>>> Thanks for your update, good to see some good info about it. For
>>>>> Comodo I have installed all these:
>>>>>
>>>>> AddTrustExternalCARoot.crt
>>>>> COMODORSAAddTrustCA.crt
>>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>>
>>>>> where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>>> far as I know, but the same issues still exist: the Server-Cert is
>>>>> removed again on ipa-certupdate and it fails.
>>>>>
>>>>> I have tried this with setenforce 0
>>>>>
>>>> Hi Matt,
>>>>
>>>> can you provide more info in order to reproduce the issue?
>>>> - which OS are you using
>>>> - IPA version
>>>> - how did you install ipa server (CA-less or with self-signed CA or with
>>>> externally-signed CA?)
>>>>
>>>> Thanks,
>>>> Flo.
>>>>
>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>
>>>>>>
>>>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Certs are valid, I will check what you mentioned.
>>>>>>>
>>>>>>> I'm also no fan of bundles, more of the separate files, but this
>>>>>>> doesn't always seem to work. At least for the CA root a bundle was required.
>>>>>>>
>>>>>> Hi Matt,
>>>>>>
>>>>>> if your certificate was provided by an intermediate CA, you need to add each
>>>>>> CA before running ipa-server-certinstall (start from the top-level CA with
>>>>>> ipa-cacert-manage install, then run ipa-certupdate, then the intermediate CA
>>>>>> with ipa-cacert-manage install, then ipa-certupdate etc...)
>>>>>>
>>>>>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>>>>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>>>
>>>>>> Flo.
>>>>>>
>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Have you validated the cert (and dumped the contents) from the command
>>>>>>>> line using the openssl tools?  I’ve seen the message you are seeing before,
>>>>>>>> for some reason I seem to remember that it has to do with either a missing
>>>>>>>> or an extra - at either the -----BEGIN CERTIFICATE---- or -----END
>>>>>>>> CERTIFICATE---- (an error from copy and pasting and not copying the actual
>>>>>>>> file).
>>>>>>>>
>>>>>>>> I’ve never used certupdate so if what is described above doesn’t help
>>>>>>>> somebody else will have to chime in.
>>>>>>>>
>>>>>>>> Dan
>>>>>>>>
>>>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Dan,
>>>>>>>>>
>>>>>>>>> Yes, I have tried that and I get the message that it is missing the full
>>>>>>>>> chain for the certificate.
>>>>>>>>>
>>>>>>>>> My issue is more: why is the Server-Cert being removed on a certupdate?
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
>>>>>>>>>> cert only (disclaimer: I’ve never done this).
>>>>>>>>>>
>>>>>>>>>> Dan
>>>>>>>>>>
>>>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Guys,
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>>>
>>>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>>>
>>>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>>>
>>>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>>>>> Directory Manager password:
>>>>>>>>>>>
>>>>>>>>>>> Enter private key unlock password:
>>>>>>>>>>>
>>>>>>>>>>> list index out of range
>>>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>>>
>>>>>>>>>>> What can I do to solve this ?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Matt
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>
>
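The two practical suggestions in this thread are Dan's "check the PEM markers of the pasted bundle" and Florence's "install the CAs one at a time from the top of the chain down, running ipa-certupdate after each, before ipa-server-certinstall". The script below is an added example, not code from the thread or from the FreeIPA project: it checks a bundle's PEM framing with plain awk (catching a missing or extra dash, a Windows CR on a marker line, or an unterminated block), splits the bundle into one file per certificate, and then echoes (or, with IPA_DRYRUN=0, runs) the install sequence quoted above. The `cert-N.pem` naming, the `IPA_DRYRUN` variable, deriving the NSS nickname from the file name, and the sample PEM blocks are assumptions of the example; the `ipa-cacert-manage`, `ipa-certupdate`, `ipa-server-certinstall` and `openssl verify` invocations follow the commands in the thread and the standard tools' documented options.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): sanity-check a
# third-party certificate bundle before handing it to ipa-cacert-manage /
# ipa-server-certinstall, split it into per-CA files, and run the install
# sequence from the thread in top-down order. Only POSIX sh + awk are needed
# for the checks; openssl and the ipa-* tools are invoked only when asked.
set -u

# pem_block_count FILE
# Prints the number of well-formed "-----BEGIN CERTIFICATE-----" ...
# "-----END CERTIFICATE-----" blocks in FILE and returns 0. Returns 1 if a
# marker is malformed (wrong dash count, trailing CR from a Windows paste),
# a block is unterminated, a body line is not base64, or no block is found.
pem_block_count() {
  awk '
    /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; next }
    /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0; n++; next }
    /BEGIN CERTIFICATE|END CERTIFICATE/ { bad = 1; next }  # marker present but malformed
    open && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }          # body lines must be base64
    END { if (bad || open || n == 0) exit 1; print n + 0 }
  ' "$1"
}

# pem_split FILE OUTDIR
# Writes each certificate block of FILE to OUTDIR/cert-N.pem (N = 1, 2, ...)
# in bundle order and prints how many files were written. Bundles are not
# necessarily ordered root-first, so check the order with cert_info before
# installing (assumed naming, not a FreeIPA convention).
pem_split() {
  mkdir -p "$2" || return 1
  awk -v dir="$2" '
    /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem" }
    out != "" { print > (out) }
    /^-----END CERTIFICATE-----$/ { close(out); out = "" }
  ' "$1"
  ls "$2"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# cert_info FILE -- subject and issuer, to find the top of the chain
# (issuer == subject is the root). Needs openssl.
cert_info() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  openssl x509 -in "$1" -noout -subject -issuer
}

# chain_verify ROOT INTERMEDIATE SERVER -- verify the ca1 -> subca -> server
# chain from the thread before touching FreeIPA. Needs openssl.
chain_verify() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# run CMD... -- echo the command unless IPA_DRYRUN=0, so the sequence can be
# reviewed before it changes the server.
run() {
  if [ "${IPA_DRYRUN:-1}" = 0 ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# ipa_install_chain ROOT.pem [INTERMEDIATE.pem ...]
# Florence's sequence: add each CA from the top of the chain down and run
# ipa-certupdate after each one. The nickname (-n) is the file name without
# extension (an assumption). -p is deliberately omitted so ipa-cacert-manage
# prompts for the Directory Manager password instead of it being echoed.
ipa_install_chain() {
  for ca in "$@"; do
    pem_block_count "$ca" >/dev/null || { echo "$ca: malformed PEM" >&2; return 1; }
    nick=$(basename "$ca"); nick=${nick%.*}
    run ipa-cacert-manage -n "$nick" -t C,, install "$ca"
    run ipa-certupdate
  done
}

# ipa_install_server_cert CERT.pem KEY.pem -- the last step, once every CA is
# in LDAP: install the server certificate for both httpd (-w) and dirsrv (-d).
ipa_install_server_cert() {
  run ipa-server-certinstall -w -d "$@"
}
```

Typical use, after `. ./ipa-chain-check.sh`: `pem_block_count mydomain_com_bundle.crt`, `pem_split mydomain_com_bundle.crt chain`, `cert_info chain/cert-*.pem` to identify root and intermediate, `chain_verify root.pem subca.pem server.pem`, then `IPA_DRYRUN=0 ipa_install_chain root.pem subca.pem` followed by `IPA_DRYRUN=0 ipa_install_server_cert server.pem key.pem`. Note that the marker check is strict on purpose: a single stray or missing dash, or a CR left over from a paste, is rejected rather than silently skipped.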



