randrewg--- via FreeIPA-users wrote:
> Hello!
> 
> Guys, I had set up FreeIPA 4.5 on Centos 7 with self-signed SSL cert.
> Now I want to install my main wildcard cert (from Comodo CA) for domain where 
> IPA-server located, just for web-service, so web browsers won't complain to 
> users about ssl.
> As expected - when I'm trying to do:
> 
> # ipa-server-certinstall -w comodo.crt comodo.key
> 
> I'm getting:
> 
> Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's 
> Certificate issuer is not recognized.). Please run ipa-cacert-manage install 
> and ipa-certupdate to install the CA certificate.
> The ipa-server-certinstall command failed.
> 
> I've found on 
> https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/979/108/domain-validation-sha-2
> all CA certs for Comodo and set them up via
> 
> # ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
> # ipa-certupdate
> 
> As pointed on 
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> 
> But nonetheless, when I try ipa-server-certinstall after that, I get the 
> above error anyway.
> 
> I'm starting to go crazy with it and don't know what I should do to solve 
> this :(


IPA requires the full chain. What I tend to do is grab the subject from
the server cert and find the issuer, then look at the issuer of that,
and continue working backwards until I find the self-signed original CA.
Install all those CA certs and things should work.

Their bundles usually don't have the full chains because most other
servers don't do the full chain checking that IPA does (because we've
been burned too many times, we are a bit twitchy about it).

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
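Rob's walk from the server cert back to the self-signed root, as an added example that is not code from this thread or from FreeIPA: a POSIX shell function that follows issuer to subject through a directory of candidate CA PEM files, verifying each link with openssl, plus a self-test on a constructed three-cert chain. File names, the ca_dir layout and the test subjects are assumptions.

```shell
#!/bin/sh
# Walk a server cert's issuer chain: match the cert's issuer to a candidate
# CA's subject, verify that link, and repeat until a self-signed root shows
# up, printing every CA cert that IPA must be given. Returns 1 when the walk
# stops short, i.e. the CA bundle is missing a link. Assumes openssl(1) and
# a ca_dir holding one PEM file per candidate CA cert (assumed layout).
find_chain() {
    cert=$1; ca_dir=$2; hops=0
    while [ "$hops" -lt 10 ]; do                      # guard against loops
        issuer=$(openssl x509 -in "$cert" -noout -issuer_hash)
        if [ "$issuer" = "$(openssl x509 -in "$cert" -noout -subject_hash)" ]
        then echo "root: $cert"; return 0; fi         # self-signed: done
        next=
        for ca in "$ca_dir"/*.pem; do
            [ -f "$ca" ] || continue
            # a matching name is not proof; check the signature as well
            if [ "$(openssl x509 -in "$ca" -noout -subject_hash)" = "$issuer" ] &&
               openssl verify -partial_chain -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'
            then next=$ca; break; fi
        done
        if [ -z "$next" ]; then
            echo "missing: nothing in $ca_dir issued $cert" >&2; return 1
        fi
        echo "install: $next"; cert=$next; hops=$((hops + 1))
    done
    return 1
}

# Self-test on a constructed root -> intermediate -> server chain: the walk
# succeeds with the full bundle and fails when the root is left out, which is
# the situation the original poster hit.
selftest() {
    d=$(mktemp -d); mkdir "$d/full" "$d/partial"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/full/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/full/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/full/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ipa.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/full/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
    cp "$d/full/int.pem" "$d/partial/"                # bundle without the root
    find_chain "$d/srv.pem" "$d/full" && ! find_chain "$d/srv.pem" "$d/partial"
    rc=$?; rm -rf "$d"; return $rc
}
```

Run find_chain against the real server cert and a directory holding every candidate CA PEM; each "install:" line is a cert to feed to ipa-cacert-manage, and a "missing:" line names the link the vendor bundle left out.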