[Freeipa-users] Cannot install 3rd party certificate

Matt . yamakasi.014 at gmail.com
Mon Feb 20 09:31:16 UTC 2017


Hi,

The install seems to be OK this way, but I'm still confused about the
duplicated entries and the RootCA.

Cheers,

Matt

2017-02-18 14:47 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
> Hi Florence,
>
>
> I'm actually still investigating this as the following occurs.
>
> I have removed all unneeded certs and installed the 2 intermediates
> for Comodo and did an ipa-certupdate which results in this:
>
> #certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> AddTrustExternalCARoot                                       C,,
> ipaCert                                                      u,u,u
> COMODORSAAddTrustCA                                          C,,
> COMODORSAAddTrustCA                                          C,,
> IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
>
>
> I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
> both and start over they are duplicated again. Also the
> AddTrustExternalCARoot comes back again even when this was not
> installed anymore as it's not needed.
>
> I'm able to install my cert after the update:
>
>
> #certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> AddTrustExternalCARoot                                       C,,
> ipaCert                                                      u,u,u
> COMODORSAAddTrustCA                                          C,,
> COMODORSAAddTrustCA                                          C,,
> IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
>
>
>
> Now this works great for the WebGui which uses the right Certificate
> for the ssl connection but ldaps on port 636 seems to use:
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
> Limited,L=Salford,ST=Greater Manchester,C=GB
>
>
> Do you have any clue about this ?
>
> I'm also curious about what IPA syncs between all hosts; it seems to
> be only the intermediate certs and not the installed domain
> certificate. Does this need to be installed manually after a local
> #ipa-certupdate on each node?
>
> I hope you can clarify this.
>
>
> Thanks,
>
> Matt
>
>
> 2017-02-17 0:15 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>> Hi Flo,
>>
>> Sure I can, I will look through the steps closely tomorrow and will
>> create some lineup here.
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>> Hi Flo! (if I may call you like that, saves some characters in typing
>>>> but with this extra line it doesn't anymore :))
>>>>
>>>> This works perfectly, thank you very much.
>>>>
>>> Hi Matt,
>>>
>>> glad I could help. What did you do differently that could explain the
>>> failure, though? Maybe the cert installation needs some hardening.
>>>
>>> Flo.
>>>
>>>> No questions further actually :)
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>> On 02/15/2017 05:40 PM, Matt . wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Is there any update on this ? I need to install 3 other instances but
>>>>>> I would like to know upfront if it might be a bug.
>>>>>>
>>>>> Hi Matt,
>>>>>
>>>>> I was not able to reproduce your issue. Here were my steps:
>>>>>
>>>>> Install FreeIPA with self-signed cert:
>>>>> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>>>>>
>>>>> The certificate chain is ca1 -> subca -> server.
>>>>> Install the root CA:
>>>>> kinit admin
>>>>> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
>>>>> ipa-certupdate
>>>>>
>>>>> Install the subca:
>>>>> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
>>>>> ipa-certupdate
>>>>>
>>>>> Install the server cert:
>>>>> ipa-server-certinstall -d -w server.pem key.pem
>>>>>
>>>>> ipa-certupdate basically retrieves the certificates from LDAP (below
>>>>> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias,
>>>>> but I don't remember it removing certs.
>>>>>
>>>>> Can you check the content of your LDAP server?
>>>>> kinit admin
>>>>> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
>>>>>
>>>>> It should contain one entry for each CA that you added.
>>>>>
>>>>> Flo.
>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-14 17:59 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>> Hi Florence,
>>>>>>>
>>>>>>> Sure I can, here you go:
>>>>>>>
>>>>>>> Fedora 24
>>>>>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>>>>>
>>>>>>> I installed this server as self-signed CA
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>>>>>>> Hi Florence,
>>>>>>>>>
>>>>>>>>> Thanks for your update, good to see some good info about it. For
>>>>>>>>> Comodo I have installed all these:
>>>>>>>>>
>>>>>>>>> AddTrustExternalCARoot.crt
>>>>>>>>> COMODORSAAddTrustCA.crt
>>>>>>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>>>>>>
>>>>>>>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>>>>>>> far as I know, but the same issues still exist: the Server-Cert is
>>>>>>>>> removed again on ipa-certupdate, and it fails.
>>>>>>>>>
>>>>>>>>> I have tried this with setenforce 0
>>>>>>>>>
>>>>>>>> Hi Matt,
>>>>>>>>
>>>>>>>> can you provide more info in order to reproduce the issue?
>>>>>>>> - which OS are you using
>>>>>>>> - IPA version
>>>>>>>> - how did you install ipa server (CA-less or with self-signed CA or
>>>>>>>> with externally-signed CA?)
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Flo.
>>>>>>>>
>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>>>>>>> Certs are valid, I will check what you mentioned.
>>>>>>>>>>>
>>>>>>>>>>> I'm also no fan of bundles, more the separate files, but this
>>>>>>>>>>> doesn't seem to work always. At least for the CAroot a bundle was
>>>>>>>>>>> required.
>>>>>>>>>>>
>>>>>>>>>> Hi Matt,
>>>>>>>>>>
>>>>>>>>>> if your certificate was provided by an intermediate CA, you need to
>>>>>>>>>> add each CA before running ipa-server-certinstall (start from the
>>>>>>>>>> top-level CA with ipa-cacert-manage install, then run ipa-certupdate,
>>>>>>>>>> then the intermediate CA with ipa-cacert-manage install, then
>>>>>>>>>> ipa-certupdate etc...)
>>>>>>>>>>
>>>>>>>>>> There is also a known issue with ipa-certupdate and SELinux in
>>>>>>>>>> enforcing mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>>>>>>>
>>>>>>>>>> Flo.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Matt
>>>>>>>>>>>
>>>>>>>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>>>>> Have you validated the cert (and dumped the contents) from the
>>>>>>>>>>>> command line using the openssl tools?  I’ve seen the message you
>>>>>>>>>>>> are seeing before; for some reason I seem to remember that it has
>>>>>>>>>>>> to do with either a missing or an extra - at either the
>>>>>>>>>>>> -----BEGIN CERTIFICATE---- or -----END CERTIFICATE---- (an error
>>>>>>>>>>>> from copy and pasting and not copying the actual file).
>>>>>>>>>>>>
>>>>>>>>>>>> I’ve never used certupdate so if what is described above doesn’t
>>>>>>>>>>>> help somebody else will have to chime in.
>>>>>>>>>>>>
>>>>>>>>>>>> Dan
>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi.014 at gmail.com>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Dan,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes, I have tried that and I get the message that it misses the
>>>>>>>>>>>>> full chain for the certificate.
>>>>>>>>>>>>>
>>>>>>>>>>>>> My issue is more, why is the Server-Cert being removed on a
>>>>>>>>>>>>> certupdate?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>>>>>>>> <dsullivan2 at bsd.uchicago.edu>:
>>>>>>>>>>>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with
>>>>>>>>>>>>>> the cert only (disclaimer: I’ve never done this).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Dan
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi.014 at gmail.com>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Guys,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>>>>>>>>> Directory Manager password:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Enter private key unlock password:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> list index out of range
>>>>>>>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What can I do to solve this ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>
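Dan's suggestion in the thread, that a missing or extra dash in a BEGIN/END line left over from copy-and-paste can break the file handed to ipa-server-certinstall, can be checked mechanically instead of by eye. The script below is an added example written for this archive page; it is not FreeIPA code and not something any poster ran. It validates the PEM framing of a bundle such as mydomain_com_bundle.crt (exact five-dash markers, valid base64, a DER SEQUENCE tag) and, when the bundle is clean, splits it into one canonical PEM block per certificate, the form in which ipa-cacert-manage install takes one CA at a time. The sample bundles are constructed filler bytes, not real certificates; whether a given dash count produces the exact "list index out of range" message in FreeIPA 4.4.2 is not something the thread establishes.

```python
import base64
import re

# Exact PEM framing (RFC 7468): five dashes on each side of the label.
BEGIN_RE = re.compile(r"^-----BEGIN CERTIFICATE-----$")
END_RE = re.compile(r"^-----END CERTIFICATE-----$")
# Anything that looks like a marker but is not exact, e.g. "-----END CERTIFICATE----"
# with four trailing dashes: the copy-and-paste damage described in the thread.
SLOPPY_RE = re.compile(r"^-*\s*(BEGIN|END) CERTIFICATE\s*-*$")


def check_pem_bundle(text):
    """Walk a PEM bundle line by line.

    Returns (ders, problems): ders holds the DER bytes of every well-formed
    certificate in file order; problems is a list of findings, empty when the
    bundle is clean. Text outside BEGIN/END blocks (openssl 'subject=' dumps,
    comments) is ignored, as the NSS and OpenSSL readers ignore it.
    """
    ders, problems = [], []
    body, in_block = None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if BEGIN_RE.match(line):
            if in_block:
                problems.append(f"line {lineno}: BEGIN inside an unterminated block")
            body, in_block = [], True
        elif END_RE.match(line):
            if not in_block:
                problems.append(f"line {lineno}: END without a matching BEGIN")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                except ValueError as exc:  # binascii.Error is a ValueError subclass
                    problems.append(f"line {lineno}: body is not valid base64 ({exc})")
                else:
                    # Every X.509 certificate is a DER SEQUENCE, whose tag byte is 0x30.
                    if not der or der[0] != 0x30:
                        problems.append(f"line {lineno}: body does not start with a DER SEQUENCE")
                    else:
                        ders.append(der)
            body, in_block = None, False
        elif SLOPPY_RE.match(line):
            problems.append(f"line {lineno}: malformed marker {line!r} "
                            "(expected exactly five dashes on each side)")
            # Resynchronise so the rest of the file is still checked.
            body, in_block = ([], True) if "BEGIN" in line else (None, False)
        elif in_block and line:
            body.append(line)
    if in_block:
        problems.append("end of file: unterminated certificate block")
    return ders, problems


def to_pem(der):
    """Re-emit one certificate as canonical PEM (64-column base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n"


def split_bundle(text):
    """Split a clean bundle into one canonical PEM string per certificate.

    Raises ValueError carrying all findings when the bundle is not clean, so a
    damaged file is never silently split into fewer certificates than it holds.
    """
    ders, problems = check_pem_bundle(text)
    if problems:
        raise ValueError("; ".join(problems))
    return [to_pem(d) for d in ders]


# --- constructed sample input (NOT real certificates) ----------------------
# A DER SEQUENCE tag plus filler bytes is enough to exercise the framing
# checks; these bytes are not a parseable X.509 certificate.
FAKE_DER = bytes([0x30, 0x20]) + bytes(range(32))
_ONE = to_pem(FAKE_DER)
GOOD_BUNDLE = _ONE + _ONE
# Same two blocks, but the second END line lost a dash while being pasted.
BAD_BUNDLE = _ONE + _ONE.replace("-----END CERTIFICATE-----", "-----END CERTIFICATE----")

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        ders, problems = check_pem_bundle(bundle)
        print(f"{name}: {len(ders)} certificate(s), {len(problems)} problem(s)")
        for p in problems:
            print("   ", p)
```

To check a real file, read it and pass the text to check_pem_bundle; an empty problems list means the framing is sound, and split_bundle then yields the per-certificate files that can be installed one at a time in the top-level-CA-first order Flo describes. The check is deliberately stricter than a lenient reader: a marker with four dashes is reported rather than tolerated, because a tool that ignores the sloppy line would simply see one certificate fewer.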

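Matt's question about the doubled COMODORSAAddTrustCA entries and about which entries in /etc/httpd/alias carry a private key can be answered by parsing the certutil -L listing rather than reading it by eye. The script below is an added example for this page, not FreeIPA or NSS code; its sample listing is a constructed copy of the one Matt posted, and the trust-flag meanings in the comments follow NSS certutil's documented flags (C: trusted CA for server certs, T: trusted CA for client certs, u: the database holds the matching private key). A duplicated nickname with identical trust flags is usually two copies of the same CA imported under the same name, and the listing alone cannot say whether the two are byte-identical; certutil -L -n <nickname> -a on each would.

```python
import re
import sys
from collections import Counter

# The trust column is three comma-separated flag sets: SSL, S/MIME, JAR/XPI.
# C = trusted CA for issuing server certs, T = trusted CA for client certs,
# u = the database holds the private key (ipaCert, the HTTP/LDAP server cert).
TRUST_RE = re.compile(r"^(?P<nick>.*?)\s+(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")


def parse_certutil_listing(text):
    """Return [(nickname, trust)] from full `certutil -L -d <dir>` output.

    certutil wraps a long nickname (a full DN) onto a second line and prints
    the trust flags only on the last line, so lines without a trust column are
    buffered and joined to the line that finally carries the flags. The header
    lines (up to and including 'SSL,S/MIME,JAR/XPI') must be present.
    """
    entries, pending = [], []
    lines = iter(text.splitlines())
    for line in lines:  # skip the two-line header
        if "SSL,S/MIME,JAR/XPI" in line:
            break
    for line in lines:
        if not line.strip():
            continue
        m = TRUST_RE.match(line.rstrip())
        if m:
            nick = " ".join(pending + [m.group("nick")]).strip()
            entries.append((nick, m.group("trust")))
            pending = []
        else:
            pending.append(line.strip())
    return entries


def summarize(text):
    """Group the listing into what is worth checking after ipa-certupdate:
    duplicated nicknames, CA entries, and entries backed by a private key."""
    entries = parse_certutil_listing(text)
    counts = Counter(nick for nick, _ in entries)

    def ssl_slot(trust):
        return trust.split(",")[0]

    return {
        "entries": len(entries),
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "ca": sorted({n for n, t in entries if set(ssl_slot(t)) & {"C", "T"}}),
        "with_key": sorted({n for n, t in entries if "u" in ssl_slot(t)}),
    }


# Constructed sample: a copy of the listing posted in the thread.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                       C,,
ipaCert                                                      u,u,u
COMODORSAAddTrustCA                                          C,,
COMODORSAAddTrustCA                                          C,,
IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
"""

if __name__ == "__main__":
    # Pipe real output in (certutil -L -d /etc/httpd/alias | python3 this.py)
    # or run without input to analyse the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
```

On the sample the summary reports seven entries, one duplicated nickname (COMODORSAAddTrustCA), four distinct CA entries and two key-bearing entries (ipaCert and the wildcard server cert), which is the state Matt describes: the web GUI serves the wildcard cert, while the CA entries are what ipa-certupdate re-populates from LDAP.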


