On 12/01/2017 09:29 AM, Andrew Radygin via FreeIPA-users wrote:
Does anybody have any clue about what I have to do with it? Florence?
Should I delete self-sign SSL from ipa-server CA completely?
As I understood - there is some conflict between new CA and old, am I right?

Hi,

can you check if there are other certificates with the same subject name "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA" in the ldap tree (below cn=certificates,cn=ipa,cn=etc,$BASEDN), or in /etc/httpd/alias? The error seems to indicate that there is already a cert with this name but that is using a different key.

If it is the case, you can remove it with ldapdelete then certutil -D and retry to run ipa-cacert-manage install.

Flo

2017-11-30 14:33 GMT+03:00 Andrew Radygin via FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>:

    > On 11/30/2017 10:30 AM, Andrew Radygin via FreeIPA-users wrote:
    >
    > Hi,
    >
    > no need to start over with a different nickname if the certificates are
    > already in LDAP. "ipa-cacert-manage install" adds them in the LDAP
    > server below cn=certificates,cn=ipa,cn=etc,$BASEDN, so I would start by
    > checking if they are all present there:
    > ldapsearch -h localhost -p 389 -D cn=directory\ manager -W -b
    > cn=certificates,cn=ipa,cn=etc,$BASEDN
    > (replace BASEDN with your deployment's basedn that can be found in
    > /etc/ipa/default.conf)
    >
    > The entries will also contain an attribute ipakeytrust (either trusted
    > or distrusted). Please check that they are all trusted.

    All CA's in ldap directory have 'ipaKeyTrust: trusted'.

    > That is expected as ipa-certupdate
    > retrieves the certs from LDAP and
    > installs them in the /etc/httpd/alias NSS database.
    >
    > You can supply multiple files to ipa-server-certinstall, containing the
    > cert, the key, and the cert chain. For instance
    > ipa-server-certinstall -w server.cert server.key cachain.cert
    > where server.cert contains only the cert, server.key only the key, and
    > cachain.cert contains the root, inter1 and inter2 certs.

    Got it!

    Wow, I found what I missed.
    One of the certs from chain isn't adding with forllowing error:

    # ipa-cacert-manage -p 2xHKp17zQpdG -n Comodointer2 -t C,, install
    comodo_inter2.crt
    Installing CA certificate, please wait
    Failed to install the certificate: subject public key info mismatch
    The ipa-cacert-manage command failed.

    Probably this is root cause of the problem, but it's not clear for
    me how to resolve it.
    From
    https://www.freeipa.org/page/Troubleshooting
    <https://www.freeipa.org/page/Troubleshooting>
    I found description of the error:

    Subject public key info mismatch
         The new CA certificate issued by the external CA uses a
    different public / private key pair than the old CA certificate.

    But nothing about how to fix it...

     > Flo
    _______________________________________________
    FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
    <mailto:freeipa-users@lists.fedorahosted.org>
    To unsubscribe send an email to
    freeipa-users-le...@lists.fedorahosted.org
    <mailto:freeipa-users-le...@lists.fedorahosted.org>




--
Best regards, Andrew.


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to