[Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house rootCA : ERROR IPA CA certificate not found in

System Administration Team sys-admin at camgian.com
Mon Mar 27 16:19:42 UTC 2017


Fraser,

I cannot pass the DN or CN as part of the subject on the ipa-server-install command line.

ipa-server-install appears to set the CN to 'Certificate Authority', going by the openssl output. I believe the preferred CN for a subCA should be the FQDN of the subCA server, which is the ipa install.

The final error when I try to run ipa-server-install:

ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA CA certificate not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Thank You

Clark

> Does the subject distinguished name in the signed certificate exactly match what was in the CSR?


2017-03-27 IPA Install

[root@ipa certs]# ipa-server-install --external-ca --domain=camgian.com --hostname=ipa.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US,mail=<REMOVED>'

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]:

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):


The IPA Master Server will be configured with:
Hostname:       ipa.camgian.com
IP address(es): 192.168.200.3
Domain name:    camgian.com
Realm name:     CAMGIAN.COM

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: updating configuration in dse.ldif
  [4/47]: restarting directory server
  [5/47]: adding default schema
  [6/47]: enabling memberof plugin
  [7/47]: enabling winsync plugin
  [8/47]: configuring replication version plugin
  [9/47]: enabling IPA enrollment plugin
  [10/47]: enabling ldapi
  [11/47]: configuring uniqueness plugin
  [12/47]: configuring uuid plugin
  [13/47]: configuring modrdn plugin
  [14/47]: configuring DNS plugin
  [15/47]: enabling entryUSN plugin
  [16/47]: configuring lockout plugin
  [17/47]: configuring topology plugin
  [18/47]: creating indices
  [19/47]: enabling referential integrity plugin
  [20/47]: configuring certmap.conf
  [21/47]: configure autobind for root
  [22/47]: configure new location for managed entries
  [23/47]: configure dirsrv ccache
  [24/47]: enabling SASL mapping fallback
  [25/47]: restarting directory server
  [26/47]: adding sasl mappings to the directory
  [27/47]: adding default layout
  [28/47]: adding delegation layout
  [29/47]: creating container for managed entries
  [30/47]: configuring user private groups
  [31/47]: configuring netgroups from hostgroups
  [32/47]: creating default Sudo bind user
  [33/47]: creating default Auto Member layout
  [34/47]: adding range check plugin
  [35/47]: creating default HBAC rule allow_all
  [36/47]: adding sasl mappings to the directory
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/8]: creating certificate server user
  [2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
[root@ipa certs]#


[root@ipa certs]# openssl req -in /root/ipa.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: mail=<REMOVED>, C=US, ST=Mississippi, L=Starkville, O=Camgian Microsystems, OU=IT, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <REMOVED FOR BREVITY>
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         <REMOVED FOR BREVITY>
[root@ipa certs]#

Sign ipa.csr

root@rootCA:~/ca# openssl ca -config openssl.cnf -policy policy_loose -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in /home/camgian/ipa.csr -out intermediate/certs/ipa.cert.pem
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4099 (0x1003)
        Validity
            Not Before: Mar 27 15:49:18 2017 GMT
            Not After : Mar 25 15:49:18 2027 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Mississippi
            localityName              = Starkville
            organizationName          = Camgian Microsystems
            organizationalUnitName    = IT
            commonName                = Certificate Authority
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D3:FC:DE:2B:F8:5B:50:9B:31:68:92:D0:06:31:1B:F9:EB:63:B5:6A
            X509v3 Authority Key Identifier:
                keyid:60:1B:78:1A:BD:3C:97:78:A6:04:72:A0:FA:6E:11:48:55:B0:5B:40

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Mar 25 15:49:18 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@rootCA:~/ca#


root@rootCA:~/ca# openssl x509 -noout -text -in /root/ca/intermediate/certs/ipa.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4099 (0x1003)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Mississippi, L=Starkville, O=Camgian Microsystems, OU=IT, CN=Camgian Microsystems Root CA/emailAddress=<removed>
        Validity
            Not Before: Mar 27 15:49:18 2017 GMT
            Not After : Mar 25 15:49:18 2027 GMT
        Subject: C=US, ST=Mississippi, L=Starkville, O=Camgian Microsystems, OU=IT, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <REMOVED FOR BREVITY>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D3:FC:DE:2B:F8:5B:50:9B:31:68:92:D0:06:31:1B:F9:EB:63:B5:6A
            X509v3 Authority Key Identifier:
                keyid:60:1B:78:1A:BD:3C:97:78:A6:04:72:A0:FA:6E:11:48:55:B0:5B:40

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         <REMOVED FOR BREVITY>
root@rootCA:~/ca#

[root@ipa certs]# ipa-server-install --domain=camgian.com --hostname=ipa.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US,mail=<REMOVED>' --external-cert-file=/etc/pki/tls/certs/ipa.cert.pem --external-cert-file=/etc/pki/tls/certs/ca.cert.pem

The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:

==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA CA certificate not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[root@ipa certs]#
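Fraser's question about whether the signed certificate's subject exactly matches the CSR's can be answered mechanically before re-running ipa-server-install, and it is worth doing: in the output above, the CSR's Subject line contains a mail= component while the Subject line of the signed certificate does not. The script below is an added example, not from this thread or from the FreeIPA project. It builds a throwaway root CA with constructed names, issues a CSR carrying the same RDN types as the one in the thread (mail first), signs it twice with openssl ca, once under a policy section modelled on policy_loose that does not list mail and once with -preserveDN, and runs on each result the four checks a practitioner would want before handing files to --external-cert-file: subject equality in RFC 2253 form, public-key equality with the CSR, basicConstraints CA:TRUE, and a chain verify against the root. openssl ca builds the issued subject from the attribute types named in the policy section and silently drops any others unless -preserveDN is given, which is one way a CSR and the certificate signed from it can end up with different subjects. The helper name check_external_ca_cert, the file names and the DN values are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): compare a CSR with the
# certificate an external CA returned for it, then show how "openssl ca"
# can silently change the subject. Names, paths and the helper
# check_external_ca_cert are this example's own assumptions.
set -eu

# Returns 0 when CERT is a usable signed copy of CSR that chains to CACERT;
# otherwise prints the failing check and returns a non-zero code.
check_external_ca_cert() {
    csr=$1; cert=$2; cacert=$3
    # Compare subjects in RFC 2253 form so attribute order and spacing
    # cannot hide a difference in the RDN set.
    csr_subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    crt_subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if [ "$csr_subj" != "$crt_subj" ]; then
        echo "FAIL subject: CSR '$csr_subj' but certificate '$crt_subj'"
        return 1
    fi
    # The certificate must carry the key the CSR was generated for.
    if [ "$(openssl req -in "$csr" -noout -pubkey)" != "$(openssl x509 -in "$cert" -noout -pubkey)" ]; then
        echo "FAIL key: certificate public key differs from the CSR"
        return 2
    fi
    # A sub-CA certificate without CA:TRUE cannot sign anything.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL extensions: basicConstraints CA:TRUE missing"
        return 3
    fi
    # The file handed to --external-cert-file must chain to the root given.
    if ! openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1; then
        echo "FAIL chain: certificate does not verify against $cacert"
        return 4
    fi
    echo "OK subject '$crt_subj' matches the CSR and chains to $cacert"
}

# Constructed demo: throwaway root CA and CSR with made-up names.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/newcerts"; : > "$WORK/index.txt"; echo 1000 > "$WORK/serial"
cat > "$WORK/demo.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
serial = $WORK/serial
certificate = $WORK/root.crt
private_key = $WORK/root.key
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_loose
# Modelled on the usual policy_loose: note that "mail" is not listed.
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ v3_root ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/root.key" 2>/dev/null
openssl req -x509 -new -key "$WORK/root.key" -config "$WORK/demo.cnf" -extensions v3_root \
    -subj "/C=US/O=Example Org/CN=Example Root CA" -days 365 -out "$WORK/root.crt"
# Stand-in for /root/ipa.csr: the same RDN types as in the thread, "mail" first.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ipa.key" 2>/dev/null
openssl req -new -key "$WORK/ipa.key" -config "$WORK/demo.cnf" -out "$WORK/ipa.csr" \
    -subj "/mail=hostmaster@example.test/C=US/ST=Example State/L=Example City/O=Example Org/OU=IT/CN=Certificate Authority"
# Signed under the policy: "mail" is dropped from the issued subject.
openssl ca -batch -notext -config "$WORK/demo.cnf" -extensions v3_intermediate_ca \
    -in "$WORK/ipa.csr" -out "$WORK/ipa-policy.crt" >/dev/null 2>&1
# Signed with -preserveDN: the request subject is copied as-is.
openssl ca -batch -notext -config "$WORK/demo.cnf" -extensions v3_intermediate_ca -preserveDN \
    -in "$WORK/ipa.csr" -out "$WORK/ipa-preserved.crt" >/dev/null 2>&1

for crt in ipa-policy.crt ipa-preserved.crt; do
    printf '%s: ' "$crt"
    check_external_ca_cert "$WORK/ipa.csr" "$WORK/$crt" "$WORK/root.crt" || true
done
```

Run it against real files as check_external_ca_cert /root/ipa.csr /etc/pki/tls/certs/ipa.cert.pem /etc/pki/tls/certs/ca.cert.pem; the first failing check is printed, and the subject check is the one to look at first when the installer reports that it cannot find the IPA CA certificate in the supplied files. Either -preserveDN or adding a mail = optional entry to the signing policy keeps the mail RDN in the issued certificate; for a two-level chain, the root certificate file must also contain the same root that signed the intermediate.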



