[Freeipa-users] Cannot install 3rd party certificate

Matt . yamakasi.014 at gmail.com
Tue Feb 21 15:31:51 UTC 2017


Hi Flo,

Yes it does! Thanks for that. Is it not possible to remove a
certificate fully as it always syncs this way? Or remove it from
/etc/httpd/alias, then from ldap and then sync again?

Cheers,

Matt

2017-02-21 9:03 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> On 02/20/2017 04:09 PM, Matt . wrote:
>>
>> Hi Rob,
>>
>> Yes it does, I understood that there was some reason the duplicate
>> might exist, but I wonder more why does the RootCA show up when I
>> removed it and comes back after adding the two intermediates ?
>>
> Hi Matt,
>
> when ipa-cacert-manage install is run, it adds an LDAP entry for the new CA
> certificate below cn=certificates,cn=ipa,cn=etc,$BASEDN.
> When ipa-certupdate is run, it adds all the certificates found in
> cn=certificates,cn=ipa,cn=etc,$BASEDN to /etc/httpd/alias.
> So even if you remove one certificate from /etc/httpd/alias, the next
> ipa-certupdate command will re-add this CA cert if it is still present in
> LDAP.
>
> Hope this clarifies,
> Flo.
>
>
>
>> Thanks
>>
>> Matt
>>
>>
>> 2017-02-20 15:20 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>
>>> Matt . wrote:
>>>>
>>>> Hi,
>>>>
>>>> The install seems to be OK this way, but I'm still confused about the
>>>> duplicated and the RootCA.
>>>
>>>
>>> What does this show?
>>>
>>> #3 certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA
>>>
>>> I'm guessing it will show two certs with different serial numbers, which
>>> means this is a-ok.
>>>
>>> rob
>>>
>>>>
>>>> 2017-02-18 14:47 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>
>>>>> Hi Florence,
>>>>>
>>>>>
>>>>> I'm actually still investigating this as the following occurs.
>>>>>
>>>>> I have removed all unneeded certs and installed the 2 intermediates
>>>>> for Comodo and did an ipa-certupdate which results in this:
>>>>>
>>>>> #certutil -L -d /etc/httpd/alias
>>>>>
>>>>> Certificate Nickname                                         Trust Attributes
>>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>>
>>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>>>> AddTrustExternalCARoot                                       C,,
>>>>> ipaCert                                                      u,u,u
>>>>> COMODORSAAddTrustCA                                          C,,
>>>>> COMODORSAAddTrustCA                                          C,,
>>>>> IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
>>>>>
>>>>>
>>>>> I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
>>>>> both and start over they are duplicated again. Also the
>>>>> AddTrustExternalCARoot comes back again even when this was not
>>>>> installed anymore as it's not needed.
>>>>>
>>>>> I'm able to install my cert after the update:
>>>>>
>>>>>
>>>>> #certutil -L -d /etc/httpd/alias
>>>>>
>>>>> Certificate Nickname                                         Trust Attributes
>>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>>
>>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>>>> AddTrustExternalCARoot                                       C,,
>>>>> ipaCert                                                      u,u,u
>>>>> COMODORSAAddTrustCA                                          C,,
>>>>> COMODORSAAddTrustCA                                          C,,
>>>>> IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
>>>>> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
>>>>>
>>>>>
>>>>>
>>>>> Now this works great for the WebGui which uses the right Certificate
>>>>> for the ssl connection but ldaps on port 636 seems to use:
>>>>>
>>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
>>>>>
>>>>>
>>>>> Do you have any clue about this?
>>>>>
>>>>> I'm also curious about what IPA syncs between all hosts. It seems to
>>>>> be only the intermediate certs and not the installed domain
>>>>> certificate; does this need to be installed manually after a local
>>>>> #ipa-certupdate on each node?
>>>>>
>>>>> I hope you can clarify this.
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Matt
>>>>>
>>>>>
>>>>> 2017-02-17 0:15 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>
>>>>>> Hi Flo,
>>>>>>
>>>>>> Sure I can, I will look through the steps closely tomorrow and will
>>>>>> create some lineup here.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>>
>>>>>>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi Flo! (if I may call you like that, saves some characters in
>>>>>>>> typing
>>>>>>>> but with this extra line it doesn't anymore :))
>>>>>>>>
>>>>>>>> This works perfectly, thank you very much.
>>>>>>>>
>>>>>>> Hi Matt,
>>>>>>>
>>>>>>> glad I could help. What did you do differently that could explain the
>>>>>>> failure, though? Maybe the cert installation needs some hardening.
>>>>>>>
>>>>>>> Flo.
>>>>>>>
>>>>>>>> No questions further actually :)
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>>>>
>>>>>>>>>
>>>
>
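Flo's explanation of the ipa-cacert-manage / ipa-certupdate flow above, turned into a check script. This is an added example, not code from the thread or from FreeIPA: it assumes the LDAP entries under cn=certificates,cn=ipa,cn=etc,$BASEDN expose their nickname as `cn`, and it uses constructed samples (modelled on the certutil listing posted in the thread) in place of live certutil and ldapsearch output.

```shell
# Added example, not from the thread: reconcile the NSS db that ipa-certupdate
# writes (/etc/httpd/alias) with its source of truth, the LDAP container
# cn=certificates,cn=ipa,cn=etc,$BASEDN. Live inputs would come from
# `certutil -L -d /etc/httpd/alias` and `ldapsearch -Y GSSAPI -LLL -b
# "cn=certificates,cn=ipa,cn=etc,$BASEDN" cn`; constructed samples stand in here.

# Constructed certutil listing, modelled on the one posted in the thread.
SAMPLE_NSS='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                       C,,
ipaCert                                                      u,u,u
COMODORSAAddTrustCA                                          C,,
COMODORSAAddTrustCA                                          C,,
IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C'

# Constructed ldapsearch output (hypothetical cn values for the CA entries).
SAMPLE_LDAP='cn: IPA.MYDOMAIN.TLD IPA CA
cn: AddTrustExternalCARoot
cn: COMODORSAAddTrustCA'

# Nicknames from certutil output: skip the header, drop the trust-flag column.
nss_nicknames() {
    printf '%s\n' "$1" | awk 'hdr == 0 { if ($0 ~ /JAR\/XPI/) hdr = 1; next }
                              NF > 1 { $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# Nicknames stored in LDAP (one "cn:" line per CA entry).
ldap_nicknames() {
    printf '%s\n' "$1" | sed -n 's/^cn: //p' | LC_ALL=C sort -u
}

# Nicknames present more than once in the NSS db. Two entries under one nickname
# are fine when the serial numbers differ; check with
#   certutil -L -d /etc/httpd/alias -n <nickname>
duplicate_nicknames() {
    nss_nicknames "$1" | LC_ALL=C sort | uniq -d
}

# Certs still in LDAP but absent locally: the next ipa-certupdate re-adds them,
# which is why deleting from /etc/httpd/alias alone never sticks.
readded_on_next_certupdate() {   # $1 = certutil output, $2 = ldapsearch output
    { nss_nicknames "$1" | sed 's/^/N /'; ldap_nicknames "$2" | sed 's/^/L /'; } |
        awk '$1 == "N" { n[substr($0, 3)] = 1 } $1 == "L" { l[substr($0, 3)] = 1 }
             END { for (k in l) if (!(k in n)) print k }' | LC_ALL=C sort
}
# Demo: the root was deleted from the NSS db only, as in the thread.
NSS_AFTER_DELETE=$(printf '%s\n' "$SAMPLE_NSS" | grep -v AddTrustExternalCARoot)
duplicate_nicknames "$SAMPLE_NSS"; readded_on_next_certupdate "$NSS_AFTER_DELETE" "$SAMPLE_LDAP"
```

To make a removal stick, the entry has to go from LDAP first (or via ipa-cacert-manage), after which ipa-certupdate no longer has anything to re-add.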