[Freeipa-users] Cannot install 3rd party certificate

Matt . yamakasi.014 at gmail.com
Sat Feb 18 13:47:18 UTC 2017


Hi Florence,


I'm actually still investigating this as the following occurs.

I have removed all unneeded certs and installed the 2 intermediates
for Comodo and did an ipa-certupdate which results in this:

#certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                       C,,
ipaCert                                                      u,u,u
COMODORSAAddTrustCA                                          C,,
COMODORSAAddTrustCA                                          C,,
IPA.MYDOMAIN.TLD IPA CA                         CT,C,C


I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
both and start over they are duplicated again. Also the
AddTrustExternalCARoot comes back again even when this was not
installed anymore as it's not needed.

I'm able to install my cert after the update:


#certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                       C,,
ipaCert                                                      u,u,u
COMODORSAAddTrustCA                                          C,,
COMODORSAAddTrustCA                                          C,,
IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u



Now this works great for the WebGui which uses the right Certificate
for the ssl connection but ldaps on port 636 seems to use:

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
Limited,L=Salford,ST=Greater Manchester,C=GB


Do you have any clue about this ?

I'm also curious about what IPA syncs between all hosts, it seems to
be only the Intermediate certs and not the install domains
certificate, this needs to be installed manually after a local
#ipa-certupdate on each node ?

I hope you can clarify this.


Thanks,

Matt


2017-02-17 0:15 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
> Hi Flo,
>
> Sure I can, I will look through the steps closely tomorrow and will
> create some lineup here.
>
> Cheers,
>
> Matt
>
> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>
>>> Hi Flo! (if I may call you like that, saves some characters in typing
>>> but with this extra line it doesn't anymore :))
>>>
>>> This works perfectly, thank you very much.
>>>
>> Hi Matt,
>>
>> glad I could help. What did you do differently that could explain the
>> failure, though? Maybe the cert installation needs some hardening.
>>
>> Flo.
>>
>>> No questions further actually :)
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>
>>>> On 02/15/2017 05:40 PM, Matt . wrote:
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> Is there any update on this ? I need to install 3 other instances but
>>>>> I would like to know upfront if it might be a bug.
>>>>>
>>>> Hi Matt,
>>>>
>>>> I was not able to reproduce your issue. Here were my steps:
>>>>
>>>> Install FreeIPA with self-signed cert:
>>>> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>>>>
>>>> The certificate chain is ca1 -> subca -> server.
>>>> Install the root CA:
>>>> kinit admin
>>>> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
>>>> ipa-certupdate
>>>>
>>>> Install the subca:
>>>> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
>>>> ipa-certupdate
>>>>
>>>> Install the server cert:
>>>> ipa-server-certinstall -d -w server.pem key.pem
>>>>
>>>> ipa-certupdate basically retrieves the certificates from LDAP (below
>>>> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias
>>>> but
>>>> I don't remember it removing certs.
>>>>
>>>> Can you check the content of your LDAP server?
>>>> kinit admin
>>>> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b
>>>> cn=certificates,cn=ipa,cn=etc,$BASEDN
>>>>
>>>> It should contain one entry for each CA that you added.
>>>>
>>>> Flo.
>>>>
>>>>> Thanks,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-14 17:59 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>
>>>>>>
>>>>>> Hi Florence,
>>>>>>
>>>>>> Sure I can, here you go:
>>>>>>
>>>>>> Fedora 24
>>>>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>>>>
>>>>>> I installed this server as self-signed CA
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>>
>>>>>>>
>>>>>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi Florence,
>>>>>>>>
>>>>>>>> Thanks for your update, good to see some good info about it. For
>>>>>>>> Comodo I have installed all these:
>>>>>>>>
>>>>>>>> AddTrustExternalCARoot.crt
>>>>>>>> COMODORSAAddTrustCA.crt
>>>>>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>>>>>
>>>>>>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>>>>>> far as I know but the same issues still exist, the Server-Cert is
>>>>>>>> removed again on ipa-certupdate and fails.
>>>>>>>>
>>>>>>>> I have tried this with setenforce 0
>>>>>>>>
>>>>>>> Hi Matt,
>>>>>>>
>>>>>>> can you provide more info in order to reproduce the issue?
>>>>>>> - which OS are you using
>>>>>>> - IPA version
>>>>>>> - how did you install ipa server (CA-less or with self-signed CA or
>>>>>>> with
>>>>>>> externally-signed CA?)
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Flo.
>>>>>>>
>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Certs are valid, I will check what you mentioned.
>>>>>>>>>>
>>>>>>>>>> I'm also no fan of bundles, more the separate files but this
>>>>>>>>>> doesn't
>>>>>>>>>> seem to work always. At least for the CAroot a bundle was required.
>>>>>>>>>>
>>>>>>>>> Hi Matt,
>>>>>>>>>
>>>>>>>>> if your certificate was provided by an intermediate CA, you need to
>>>>>>>>> add
>>>>>>>>> each
>>>>>>>>> CA before running ipa-server-certinstall (start from the top-level
>>>>>>>>> CA
>>>>>>>>> with
>>>>>>>>> ipa-cacert-manage install, then run ipa-certupdate, then the
>>>>>>>>> intermediate
>>>>>>>>> CA
>>>>>>>>> with ipa-cacert-manage install, then ipa-certupdate etc...)
>>>>>>>>>
>>>>>>>>> There is also a known issue with ipa-certupdate and SELinux in
>>>>>>>>> enforcing
>>>>>>>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>>>>>>
>>>>>>>>> Flo.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Matt
>>>>>>>>>>
>>>>>>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Have you validated the cert (and dumped the contents) from the
>>>>>>>>>>> command
>>>>>>>>>>> line using the openssl tools?  I’ve seen the message you are
>>>>>>>>>>> seeing
>>>>>>>>>>> before,
>>>>>>>>>>> for some reason I seem to remember that it has to do with either a
>>>>>>>>>>> missing
>>>>>>>>>>> or an extra - at either the -----BEGIN CERTIFICATE---- or -----END
>>>>>>>>>>> CERTIFICATE---- (an error from copy and pasting and not copying
>>>>>>>>>>> the
>>>>>>>>>>> actual
>>>>>>>>>>> file).
>>>>>>>>>>>
>>>>>>>>>>> I’ve never used certupdate so if what is described above doesn’t
>>>>>>>>>>> help
>>>>>>>>>>> somebody else will have to chime in.
>>>>>>>>>>>
>>>>>>>>>>> Dan
>>>>>>>>>>>
>>>>>>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi.014 at gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Dan,
>>>>>>>>>>>>
>>>>>>>>>>>> Yes, I have tried that and I get the message that it misses the
>>>>>>>>>>>> full
>>>>>>>>>>>> chain for the certificate.
>>>>>>>>>>>>
>>>>>>>>>>>> My issue is more, why is the Server-Cert being removed on a
>>>>>>>>>>>> certupdate
>>>>>>>>>>>> ?
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>
>>>>>>>>>>>> Matt
>>>>>>>>>>>>
>>>>>>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>>>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with
>>>>>>>>>>>>> the
>>>>>>>>>>>>> cert only (disclaimer: I’ve never done this).
>>>>>>>>>>>>>
>>>>>>>>>>>>> Dan
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi.014 at gmail.com>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Guys,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key
>>>>>>>>>>>>>> mydomain_com_bundle.crt
>>>>>>>>>>>>>> Directory Manager password:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Enter private key unlock password:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> list index out of range
>>>>>>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What can I do to solve this ?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>>>>> Go to http://freeipa.org for more info on the project
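Dan's suggestion in the thread is to validate the PEM file from the command line before handing it to ipa-server-certinstall, because a marker such as "-----END CERTIFICATE----" (four dashes, usually from copy-pasting instead of copying the file) makes the tool fail with an unhelpful "list index out of range". The script below is an added example written for this thread, not code from FreeIPA or from anyone in the discussion. It is a strict PEM bundle pre-flight check using only the Python standard library: it counts well-formed certificate blocks, flags markers with the wrong number of dashes, rejects bodies that are not base64 or do not decode to a DER SEQUENCE, and reports unterminated blocks. The sample bundles at the bottom are constructed: the certificate bodies are a placeholder 5-byte DER SEQUENCE, not real certificates, and the `check_pem_bundle` function name is this example's own. It does not verify signatures or chain order; `openssl verify -CAfile` covers that.

```python
"""Pre-flight structural check for a PEM certificate bundle.

Added example, not part of the thread or of FreeIPA. Stdlib only: it checks
marker syntax and base64/DER framing, not signatures or chain order.
"""
import base64
import binascii
import re
import sys

# A well-formed PEM marker has exactly five dashes on each side.
BEGIN_RE = re.compile(r"^-----BEGIN CERTIFICATE-----$")
END_RE = re.compile(r"^-----END CERTIFICATE-----$")
# Anything that looks like a marker, including ones with too few/many dashes.
LOOSE_RE = re.compile(r"^-+\s*(BEGIN|END)\s+CERTIFICATE\s*-+$")


def check_pem_bundle(text):
    """Parse a PEM bundle strictly.

    Returns (certs, problems): certs is the list of DER blobs from
    well-formed blocks, problems a list of findings (empty when clean).
    """
    certs, problems = [], []
    body = None        # base64 lines of the block being read, or None
    tainted = False    # current block started with a malformed marker
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        marker = LOOSE_RE.match(line)
        if marker:
            kind = marker.group(1)
            strict = (BEGIN_RE if kind == "BEGIN" else END_RE).match(line)
            if not strict:
                problems.append(f"line {lineno}: malformed marker {line!r} "
                                "(expected exactly five dashes on each side)")
            if kind == "BEGIN":
                if body is not None:
                    problems.append(f"line {lineno}: BEGIN inside an unterminated block")
                body, tainted = [], not strict
                continue
            if body is None:
                problems.append(f"line {lineno}: END without a matching BEGIN")
                continue
            tainted = tainted or not strict
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                problems.append(f"line {lineno}: block body is not valid base64 ({exc})")
            else:
                # Every X.509 certificate is a DER SEQUENCE (tag byte 0x30).
                if der[:1] != b"\x30":
                    problems.append(f"line {lineno}: block body is empty or not a DER SEQUENCE")
                elif not tainted:
                    certs.append(der)
            body = None
            continue
        if body is not None:
            body.append(line)
        # Text outside a block (e.g. "subject=" lines from openssl) is ignored,
        # as most PEM readers do.
    if body is not None:
        problems.append("file ends inside an unterminated certificate block")
    return certs, problems


# Constructed sample data: the body is base64 of a placeholder 5-byte DER
# SEQUENCE, not a real certificate, which is enough to exercise the checks.
_FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

GOOD_BUNDLE = "\n".join([
    "-----BEGIN CERTIFICATE-----", _FAKE_DER_B64, "-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----", _FAKE_DER_B64, "-----END CERTIFICATE-----",
]) + "\n"

# Same bundle with the copy-paste defect from the thread: four dashes on the
# first END marker.
PASTED_BUNDLE = GOOD_BUNDLE.replace(
    "-----END CERTIFICATE-----", "-----END CERTIFICATE----", 1)


def main(paths):
    """Report on each file given on the command line; exit 1 on any finding."""
    rc = 0
    for path in paths:
        with open(path, encoding="ascii", errors="replace") as fh:
            certs, problems = check_pem_bundle(fh.read())
        print(f"{path}: {len(certs)} well-formed certificate(s)")
        for problem in problems:
            print(f"  {problem}")
        if problems:
            rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python3 pemcheck.py AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt mydomain_com_bundle.crt` before each ipa-cacert-manage or ipa-server-certinstall step; a clean bundle prints only the certificate count. Because the check is purely structural, a file that passes can still be the wrong chain, so it complements rather than replaces `openssl verify`.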