[Freeipa-users] Cannot install 3rd party certificate

Matt . yamakasi.014 at gmail.com
Thu Feb 16 23:15:08 UTC 2017


Hi Flo,

Sure I can, I will look through the steps closely tomorrow and will
create some lineup here.

Cheers,

Matt

2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> On 02/16/2017 09:55 PM, Matt . wrote:
>>
>> Hi Flo! (if I may call you that, it saves some characters in typing,
>> but with this extra line it doesn't anymore :))
>>
>> This works perfectly, thank you very much.
>>
> Hi Matt,
>
> glad I could help. What did you do differently that could explain the
> failure, though? Maybe the cert installation needs some hardening.
>
> Flo.
>
>> No questions further actually :)
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>
>>> On 02/15/2017 05:40 PM, Matt . wrote:
>>>>
>>>>
>>>> Hi,
>>>>
>>>> Is there any update on this? I need to install 3 other instances but
>>>> I would like to know upfront if it might be a bug.
>>>>
>>> Hi Matt,
>>>
>>> I was not able to reproduce your issue. Here were my steps:
>>>
>>> Install FreeIPA with self-signed cert:
>>> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>>>
>>> The certificate chain is ca1 -> subca -> server.
>>> Install the root CA:
>>> kinit admin
>>> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
>>> ipa-certupdate
>>>
>>> Install the subca:
>>> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
>>> ipa-certupdate
>>>
>>> Install the server cert:
>>> ipa-server-certinstall -d -w server.pem key.pem
>>>
>>> ipa-certupdate basically retrieves the certificates from LDAP (below
>>> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias,
>>> but I don't remember it removing certs.
>>>
>>> Can you check the content of your LDAP server?
>>> kinit admin
>>> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
>>>
>>> It should contain one entry for each CA that you added.
>>>
>>> Flo.
>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-14 17:59 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>
>>>>>
>>>>> Hi Florence,
>>>>>
>>>>> Sure I can, here you go:
>>>>>
>>>>> Fedora 24
>>>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>>>
>>>>> I installed this server as self-signed CA
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>
>>>>>>
>>>>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi Florence,
>>>>>>>
>>>>>>> Thanks for your update, good to see some good info about it. For
>>>>>>> Comodo I have installed all these:
>>>>>>>
>>>>>>> AddTrustExternalCARoot.crt
>>>>>>> COMODORSAAddTrustCA.crt
>>>>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>>>>
>>>>>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>>>>> far as I know, but the same issues still exist: the Server-Cert is
>>>>>>> removed again on ipa-certupdate and the install fails.
>>>>>>>
>>>>>>> I have tried this with setenforce 0
>>>>>>>
>>>>>> Hi Matt,
>>>>>>
>>>>>> can you provide more info in order to reproduce the issue?
>>>>>> - which OS are you using
>>>>>> - IPA version
>>>>>> - how did you install ipa server (CA-less or with self-signed CA or
>>>>>> with externally-signed CA?)
>>>>>>
>>>>>> Thanks,
>>>>>> Flo.
>>>>>>
>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Certs are valid, I will check what you mentioned.
>>>>>>>>>
>>>>>>>>> I'm also no fan of bundles, more the separate files, but this
>>>>>>>>> doesn't seem to always work. At least for the CA root a bundle was required.
>>>>>>>>>
>>>>>>>> Hi Matt,
>>>>>>>>
>>>>>>>> if your certificate was provided by an intermediate CA, you need to
>>>>>>>> add each CA before running ipa-server-certinstall (start from the
>>>>>>>> top-level CA with ipa-cacert-manage install, then run ipa-certupdate,
>>>>>>>> then the intermediate CA with ipa-cacert-manage install, then
>>>>>>>> ipa-certupdate, etc.)
>>>>>>>>
>>>>>>>> There is also a known issue with ipa-certupdate and SELinux in
>>>>>>>> enforcing mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>>>>>
>>>>>>>> Flo.
>>>>>>>>
>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Have you validated the cert (and dumped the contents) from the
>>>>>>>>>> command line using the openssl tools?  I’ve seen the message you
>>>>>>>>>> are seeing before; for some reason I seem to remember that it has
>>>>>>>>>> to do with either a missing or an extra - at either the
>>>>>>>>>> -----BEGIN CERTIFICATE---- or -----END CERTIFICATE---- (an error
>>>>>>>>>> from copy and pasting and not copying the actual file).
>>>>>>>>>>
>>>>>>>>>> I’ve never used certupdate so if what is described above doesn’t
>>>>>>>>>> help, somebody else will have to chime in.
>>>>>>>>>>
>>>>>>>>>> Dan
>>>>>>>>>>
>>>>>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi.014 at gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Dan,
>>>>>>>>>>>
>>>>>>>>>>> Yes, I have tried that and I get the message that it misses the
>>>>>>>>>>> full chain for the certificate.
>>>>>>>>>>>
>>>>>>>>>>> My issue is more: why is the Server-Cert being removed on a
>>>>>>>>>>> certupdate?
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>>
>>>>>>>>>>> Matt
>>>>>>>>>>>
>>>>>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with
>>>>>>>>>>>> the cert only (disclaimer: I’ve never done this)?
>>>>>>>>>>>>
>>>>>>>>>>>> Dan
>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi.014 at gmail.com>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Guys,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>>>>>
>>>>>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>>>>>
>>>>>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>>>>>>> Directory Manager password:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Enter private key unlock password:
>>>>>>>>>>>>>
>>>>>>>>>>>>> list index out of range
>>>>>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>>>>>
>>>>>>>>>>>>> What can I do to solve this ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>
>>>
>
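As an added example that is not code from this thread or from the FreeIPA project: a small shell check to run on each PEM file before handing it to ipa-cacert-manage or ipa-server-certinstall. It catches the marker-line damage Dan describes (a missing or extra '-' around BEGIN/END CERTIFICATE) and reports how many certificates the file holds, so a bundle is not mistaken for the single CA cert each of Flo's install steps takes. The sample PEM files it writes are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): sanity-check PEM files
# before ipa-cacert-manage install / ipa-server-certinstall.

# check_pem_file FILE: print the number of complete certificate blocks and
# exit 0, or report the problem on stderr and exit 1.
check_pem_file() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad++; open = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!open) bad++; open = 0; n++; next }
        /BEGIN CERTIFICATE|END CERTIFICATE/ { bad++; next }  # marker with wrong dash count
        open && !/^[A-Za-z0-9+\/=]+$/   { bad++ }           # non-base64 line inside a block
        END {
            if (open) bad++                                  # BEGIN without matching END
            if (bad || n == 0) {
                printf "%s: %d problem(s), %d complete cert(s)\n", FILENAME, bad, n > "/dev/stderr"
                exit 1
            }
            print n
        }' "$1"
}

# write_samples DIR: create two CONSTRUCTED files (not real certificates):
# a two-cert bundle with correct markers, and a single cert whose END line
# has only four trailing dashes, the copy-paste defect mentioned in the thread.
write_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedSampleOnly+/=' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'MIIBsecondConstructedBlock==' '-----END CERTIFICATE-----' > "$1/bundle.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedSampleOnly+/=' \
        '-----END CERTIFICATE----' > "$1/broken.pem"
}

# Stand-alone run: check both constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir"/bundle.pem "$dir"/broken.pem; do
    if n=$(check_pem_file "$f"); then
        echo "$f: $n certificate(s), markers OK"
    else
        echo "$f: rejected, fix the file before running ipa-cacert-manage"
    fi
done
rm -rf "$dir"
```

A count of 1 is what each ipa-cacert-manage install step in Flo's sequence expects; a higher count means the file is a bundle and should be split into one file per CA.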