On 08/30/2017 08:26 PM, Rob Morin wrote:
I ran this command first:

The G2 root CA from the GeoTrust website...

[root@auth-1 certs]# ipa-cacert-manage -p 7t7FR.08 -n httpcrt -t C,, install root_ca.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful


Then, I ran....

[root@auth-1 certs]# ipa-certupdate
trying https://auth-1.domain.com/ipa/session/json
Forwarding 'ca_is_enabled' to json server 'https://auth-1.domain.com/ipa/session/json'
Forwarding 'ca_find/1' to json server 'https://auth-1.domain.com/ipa/session/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful


Then I ran this command with the intermediate cert...

[root@auth-1 certs]# ipa-cacert-manage -p 7t7FR.08 -n httpcrt_bundle -t C,, install star_domain_com_bundle.crt
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

The intermediate cert only has one cert in it....

So I have 4 files:
Intermediate cert: star_domain_bundle.crt
Real cert:         star_domain.crt
Key:               star_domain.key

I did try various combinations:

cat star_domain_bundle.crt star_domain.crt >star_domain_combined.crt
cat star_domain.crt star_domain_bundle.crt > star_domain_combined.crt
cat root_ca.crt star_domain.crt star_domain_bundle.crt > star_domain_combined.crt
cat star_domain.crt star_domain_bundle.crt root_ca.crt star > star_domain_combined.crt
and so on...

Then I tried adding each one of those with the same command mentioned above; no go.

What do I do now?
Thanks!


Hi

(putting the mailing list back in the recipients list)
Can you run ipa-cacert-manage install with the -v option and post the output? We will be able to see which certificates are already trusted and can be downloaded from LDAP.

Also, which IPA version are you using? Is your machine in SELinux enforcing mode?

Flo



On Mon, Aug 28, 2017 at 10:30 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:

    On 08/28/2017 04:00 PM, Rob Morin via FreeIPA-users wrote:

        Hello all...

        So I have a wildcard cert from GeoTrust.
        I am running FreeIPA v4.4, a fresh install with no users yet.
        I downloaded and installed their GeoTrust Primary Certification
        Authority root cert from here -->
        https://www.geotrust.com/resources/root-certificates/
        I ran this command to import it...

        ipa-cacert-manage -p password -n httpcrt -t C,, install root_ca.crt

        I get back this:

        Installing CA certificate, please wait
        CA certificate successfully installed
        The ipa-cacert-manage command was successful
        Then I go to install just the HTTP cert for FreeIPA, as dictated
        by company policy.

        Then I run this...

        ipa-certupdate

        Then I go to add the cert like this...

        ipa-server-certinstall -w star_domain_com.key star_domain_com.crt
        Directory Manager password:
        Enter private key unlock password:

        I get this back....

        The full certificate chain is not present in
        star_domain_com.key, star_domain_com.crt
        The ipa-server-certinstall command failed.

        So I combined the bundle and cert into one file; still a no go.
        I tried both ways, cert first then bundle, and bundle first then
        cert; still a no go.
        Any ideas?

        Thanks..
        _______________________________________________
        FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
        To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

    Hi,

    is your http cert directly signed by the CA root_ca.crt, or does the
    cert chain contain additional certificates? In the latter case, you
    need to add each intermediate certificate with ipa-cacert-manage +
    ipa-certupdate before running ipa-server-certinstall.

    HTH,
    Flo




--

Rob Morin
Montreal, Canada

The Lounge Sound - Music to drink by - Vegas Style!

http://www.theloungesound.ca

"You're not drunk until you can't lie on the floor without holding on"
Dean Martin
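Added example, not code from the thread: a shell check for the chain problem Flo describes above, where an intermediate is only accepted by ipa-cacert-manage once its issuer (the root) is already trusted. The file names root_ca.crt and star_domain_com_bundle.crt are assumptions taken from the thread, and openssl must be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that every certificate in a
# bundle chains to the root already installed with ipa-cacert-manage, so the
# SEC_ERROR_UNKNOWN_ISSUER failure seen above is caught before installing.
# Assumed file names: root_ca.crt, star_domain_com_bundle.crt (from the thread).

# Split a PEM bundle into single-certificate files <prefix>-1.pem, <prefix>-2.pem, ...
# (ipa-cacert-manage wants one CA certificate per install run).
pem_split() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = p "-" n ".pem" }
        f                              { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# Print subject/issuer of every certificate in the bundle and verify each one
# against the root. "unable to get local issuer certificate" here means the
# root you installed is not the one that signed this intermediate, which is
# exactly what ipa-cacert-manage reports as SEC_ERROR_UNKNOWN_ISSUER.
chain_check() {
    root="$1"; bundle="$2"
    d=$(mktemp -d) || return 1
    pem_split "$bundle" "$d/chk"
    rc=0
    for c in "$d"/chk-*.pem; do
        openssl x509 -in "$c" -noout -subject -issuer
        # -untrusted lets the other certs in the bundle complete the chain
        openssl verify -CAfile "$root" -untrusted "$bundle" "$c" || rc=1
    done
    rm -rf "$d"
    return $rc
}

# Usage, following the order Flo gives (install intermediates only once the
# chain to the installed root verifies, then refresh the CA database):
#   chain_check root_ca.crt star_domain_com_bundle.crt &&
#   ipa-cacert-manage -p 'DM password' -n httpcrt_bundle -t C,, install star_domain_com_bundle.crt &&
#   ipa-certupdate
```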


