[Freeipa-users] Cannot install 3rd party certificate

Florence Blanc-Renaud flo at redhat.com
Thu Feb 16 22:55:50 UTC 2017


On 02/16/2017 09:55 PM, Matt . wrote:
> Hi Flo! (if I may call you like that, saves some characters in typing
> but with this extra line it doesn't anymore :))
>
> This works perfectly, thank you very much.
>
Hi Matt,

glad I could help. What did you do differently that could explain the 
failure, though? Maybe the cert installation needs some hardening.

Flo.
> No questions further actually :)
>
> Cheers,
>
> Matt
>
> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>> On 02/15/2017 05:40 PM, Matt . wrote:
>>>
>>> Hi,
>>>
>>> Is there any update on this? I need to install 3 other instances but
>>> I would like to know upfront if it might be a bug.
>>>
>> Hi Matt,
>>
>> I was not able to reproduce your issue. Here were my steps:
>>
>> Install FreeIPA with self-signed cert:
>> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>>
>> The certificate chain is ca1 -> subca -> server.
>> Install the root CA:
>> kinit admin
>> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
>> ipa-certupdate
>>
>> Install the subca:
>> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
>> ipa-certupdate
>>
>> Install the server cert:
>> ipa-server-certinstall -d -w server.pem key.pem
>>
>> ipa-certupdate basically retrieves the certificates from LDAP (below
>> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias but
>> I don't remember it removing certs.
>>
>> Can you check the content of your LDAP server?
>> kinit admin
>> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
>>
>> It should contain one entry for each CA that you added.
>>
>> Flo.
>>
>>> Thanks,
>>>
>>> Matt
>>>
>>> 2017-02-14 17:59 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>
>>>> Hi Florence,
>>>>
>>>> Sure I can, here you go:
>>>>
>>>> Fedora 24
>>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>>
>>>> I installed this server as self-signed CA
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>
>>>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>>>>
>>>>>> Hi Florence,
>>>>>>
>>>>>> Thanks for your update, good to see some good info about it. For
>>>>>> Comodo I have installed all these:
>>>>>>
>>>>>> AddTrustExternalCARoot.crt
>>>>>> COMODORSAAddTrustCA.crt
>>>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>>>
>>>>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>>>> far as I know, but the same issues still exist: the Server-Cert is
>>>>>> removed again on ipa-certupdate and it fails.
>>>>>>
>>>>>> I have tried this with setenforce 0
>>>>>>
>>>>> Hi Matt,
>>>>>
>>>>> can you provide more info in order to reproduce the issue?
>>>>> - which OS are you using
>>>>> - IPA version
>>>>> - how did you install ipa server (CA-less or with self-signed CA or with
>>>>> externally-signed CA?)
>>>>>
>>>>> Thanks,
>>>>> Flo.
>>>>>
>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>>
>>>>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>>>>
>>>>>>>> Certs are valid, I will check what you mentioned.
>>>>>>>>
>>>>>>>> I'm also no fan of bundles, more the separate files, but this doesn't
>>>>>>>> seem to work always. At least for the CA root a bundle was required.
>>>>>>>>
>>>>>>> Hi Matt,
>>>>>>>
>>>>>>> if your certificate was provided by an intermediate CA, you need to
>>>>>>> add each CA before running ipa-server-certinstall (start from the
>>>>>>> top-level CA with ipa-cacert-manage install, then run ipa-certupdate,
>>>>>>> then the intermediate CA with ipa-cacert-manage install, then
>>>>>>> ipa-certupdate etc...)
>>>>>>>
>>>>>>> There is also a known issue with ipa-certupdate and SELinux in
>>>>>>> enforcing mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>>>>
>>>>>>> Flo.
>>>>>>>
>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>>
>>>>>>>>> Have you validated the cert (and dumped the contents) from the
>>>>>>>>> command line using the openssl tools?  I’ve seen the message you are
>>>>>>>>> seeing before, for some reason I seem to remember that it has to do
>>>>>>>>> with either a missing or an extra - at either the -----BEGIN
>>>>>>>>> CERTIFICATE---- or -----END CERTIFICATE---- (an error from copy and
>>>>>>>>> pasting and not copying the actual file).
>>>>>>>>>
>>>>>>>>> I’ve never used certupdate so if what is described above doesn’t
>>>>>>>>> help somebody else will have to chime in.
>>>>>>>>>
>>>>>>>>> Dan
>>>>>>>>>
>>>>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Dan,
>>>>>>>>>>
>>>>>>>>>> Yes, I have tried that and I get the message that it misses the full
>>>>>>>>>> chain for the certificate.
>>>>>>>>>>
>>>>>>>>>> My issue is more, why is the Server-Cert being removed on a
>>>>>>>>>> certupdate?
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>>
>>>>>>>>>> Matt
>>>>>>>>>>
>>>>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>>>>
>>>>>>>>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with
>>>>>>>>>>> the cert only (disclaimer: I’ve never done this).
>>>>>>>>>>>
>>>>>>>>>>> Dan
>>>>>>>>>>>
>>>>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi.014 at gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Guys,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>>>>
>>>>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>>>>
>>>>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>>>>
>>>>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>>>>>> Directory Manager password:
>>>>>>>>>>>>
>>>>>>>>>>>> Enter private key unlock password:
>>>>>>>>>>>>
>>>>>>>>>>>> list index out of range
>>>>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>>>>
>>>>>>>>>>>> What can I do to solve this?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>
>>>>>>>>>>>> Matt
>>>>>>>>>>>>
>>
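A pre-flight check for the PEM files before running the ipa-cacert-manage / ipa-server-certinstall sequence above, added here as an example and not part of the thread or of FreeIPA: it flags the malformed BEGIN/END markers Dan mentions, reports how many certificates a file holds (a single cert versus a bundle) and, when given root, intermediate and server cert in the install order Flo used, verifies the chain with openssl. File names and the constructed sample contents are assumptions; openssl is needed only for the chain step.

```shell
#!/bin/sh
# Pre-flight checks for PEM files before ipa-cacert-manage install and
# ipa-server-certinstall. Usage: pem_check.sh ca1.pem subca.pem server.pem
# (no arguments: run against the constructed samples in a temp dir).

# 0 if $1 is readable, holds at least one cert, every BEGIN/END CERTIFICATE
# marker has exactly five dashes each side with nothing else on the line (a
# lost dash or stray CR from copy-pasting fails here) and the counts match.
check_pem_markers() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    bad=$(grep -nE -- '-+ *(BEGIN|END) CERTIFICATE *-+' "$f" \
          | grep -vE -- '^[0-9]+:-----(BEGIN|END) CERTIFICATE-----$' || true)
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----$' "$f" || true)
    if [ -n "$bad" ] || [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        printf '%s: malformed PEM markers (%s BEGIN, %s END)\n%s\n' \
            "$f" "$begins" "$ends" "$bad" >&2
        return 1
    fi
}

# Number of certificates in $1: 1 for a single cert, more for a bundle.
count_certs() { grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1" || true; }

# Verify server cert $3 chains to root $1 through intermediate $2 (the
# ca1 -> subca -> server chain above). Assumes openssl is installed.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3"; }

# Constructed samples (placeholder bodies, not real certificates) written
# into $1, so the checks can be tried without touching the server's files.
write_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructed' \
        '-----END CERTIFICATE-----' > "$1/good.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE----' 'MIIBconstructed' \
        '-----END CERTIFICATE-----' > "$1/bad.pem"   # one dash short
    cat "$1/good.pem" "$1/good.pem" > "$1/bundle.pem"
}

main() {
    ok=0
    for f in "$@"; do
        check_pem_markers "$f" || ok=1
        printf '%s: %s certificate(s)\n' "$f" "$(count_certs "$f")"
    done
    [ "$ok" -eq 0 ] && [ "$#" -eq 3 ] && verify_chain "$@"
}

if [ "$#" -gt 0 ]; then main "$@"; else d=$(mktemp -d); write_samples "$d"; main "$d"/*.pem; rm -rf "$d"; fi
```

Run it on the three files in install order before touching the server; a non-zero exit from the marker check points at the exact line to fix.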