On 12/01/2017 10:22 AM, Andrew Radygin via FreeIPA-users wrote:
Wow, Flo!!!
You were right, there was such cert with another key.
Did it this way:
ldapdelete "cn=Comodo3,cn=certificates,cn=ipa,cn=etc,dc=domain,dc=net"
/usr/bin/certutil -d /etc/ipa/nssdb -D -n Comodo3
/usr/bin/certutil -d /etc/httpd/alias/ -D -n Comodo3
ipa-cacert-manage install comodo_inter2.crt
ipa-server-certinstall -w comodo_base.crt comodo.key comodo_ca.crt
systemctl restart httpd

Thank you, really-really thank you! :)

Well, thank you for providing confirmation that you managed to fix the issue. It's always nice to be able to close a thread on a positive outcome!

Flo
2017-12-01 11:40 GMT+03:00 Florence Blanc-Renaud <f...@redhat.com>:

    On 12/01/2017 09:29 AM, Andrew Radygin via FreeIPA-users wrote:

        Does anybody have any clue about what I have to do with it?
        Florence?
        Should I delete the self-signed SSL cert from the ipa-server CA completely?
        As I understood - there is some conflict between new CA and old,
        am I right?

    Hi,

    can you check if there are other certificates with the same subject
    name "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited,
    CN=COMODO RSA Domain Validation Secure Server CA" in the ldap tree
    (below cn=certificates,cn=ipa,cn=etc,$BASEDN), or in /etc/httpd/alias?
    The error seems to indicate that there is already a cert with this
    name but that is using a different key.

    If it is the case, you can remove it with ldapdelete then certutil
    -D and retry to run ipa-cacert-manage install.

    Flo

        2017-11-30 14:33 GMT+03:00 Andrew Radygin via FreeIPA-users
        <freeipa-users@lists.fedorahosted.org>:


             > On 11/30/2017 10:30 AM, Andrew Radygin via FreeIPA-users wrote:
             >
             > Hi,
             >
             > no need to start over with a different nickname if the
        certificates are
             > already in LDAP. "ipa-cacert-manage install" adds them in
        the LDAP
             > server below cn=certificates,cn=ipa,cn=etc,$BASEDN, so I
        would start by
             > checking if they are all present there:
             > ldapsearch -h localhost -p 389 -D cn=directory\ manager -W -b cn=certificates,cn=ipa,cn=etc,$BASEDN
             > (replace BASEDN with your deployment's basedn that can be
        found in
             > /etc/ipa/default.conf)
             >
             > The entries will also contain an attribute ipakeytrust
        (either trusted
             > or distrusted). Please check that they are all trusted.

             All CA's in ldap directory have 'ipaKeyTrust: trusted'.

             > That is expected as ipa-certupdate
             > retrieves the certs from LDAP and
             > installs them in the /etc/httpd/alias NSS database.
             >
             > You can supply multiple files to ipa-server-certinstall,
        containing the
             > cert, the key, and the cert chain. For instance
             > ipa-server-certinstall -w server.cert server.key cachain.cert
             > where server.cert contains only the cert, server.key only
        the key, and
             > cachain.cert contains the root, inter1 and inter2 certs.

             Got it!

             Wow, I found what I missed.
             One of the certs from the chain isn't adding, with the following error:

             # ipa-cacert-manage -p 2xHKp17zQpdG -n Comodointer2 -t C,, install comodo_inter2.crt
             Installing CA certificate, please wait
             Failed to install the certificate: subject public key info
        mismatch
             The ipa-cacert-manage command failed.

             Probably this is root cause of the problem, but it's not
        clear for
             me how to resolve it.
             From https://www.freeipa.org/page/Troubleshooting
             I found a description of the error:

             Subject public key info mismatch
                  The new CA certificate issued by the external CA uses a
                  different public / private key pair than the old CA certificate.

             But nothing about how to fix it...

              > Flo
             _______________________________________________
             FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
             To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org




-- Best regards, Andrew.







--
Best regards, Andrew.




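The check Flo describes (same subject name, different key) can be scripted before touching LDAP or the NSS databases. The script below is an added example for this thread; it is not part of the thread and not FreeIPA's own code. It uses openssl to compare the subject and a SHA-256 fingerprint of the DER SubjectPublicKeyInfo of a candidate CA certificate against already-installed certificates, which is the condition behind "subject public key info mismatch". All certificates it generates are constructed test data with hypothetical subjects; in a real deployment the installed certs would instead be exported from the NSS database with `certutil -d /etc/httpd/alias -L -n NICKNAME -a` and, for the LDAP copies, taken from the cACertificate attribute of the entries below cn=certificates,cn=ipa,cn=etc,$BASEDN.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeIPA code: reproduce the
# check behind "subject public key info mismatch". FreeIPA refuses to
# install a CA cert whose subject already exists under a different key;
# this finds that stale entry before running ipa-cacert-manage install.
# Every certificate created here is constructed test data.
set -e

# Subject of a PEM certificate in RFC 2253 form (prefix stripped).
cert_subject() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 -subject | sed 's/^subject= *//'
}

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM certificate: equal
# fingerprints mean the same public key, whatever the issuer or validity.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# check_conflict NEW.pem [EXISTING.pem ...]
# Prints "same"  : identical subject and key already installed (no-op),
#        "new"   : no subject collision,
#        "conflict: FILE": same subject, different key (the thread's error).
# Exit status is 1 only for a conflict.
check_conflict() {
    new=$1; shift
    new_subject=$(cert_subject "$new")
    new_spki=$(spki_fingerprint "$new")
    for existing in "$@"; do
        [ "$(cert_subject "$existing")" = "$new_subject" ] || continue
        if [ "$(spki_fingerprint "$existing")" = "$new_spki" ]; then
            echo same
            return 0
        fi
        echo "conflict: $existing"
        return 1
    done
    echo new
    return 0
}

# make_demo_cert OUT.pem SUBJECT: self-signed test cert with a fresh key
# (constructed data standing in for certs exported with certutil -L -a).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    # Hypothetical subject modelled on the thread's intermediate CA.
    subj='/C=GB/ST=Greater Manchester/L=Salford/O=Example CA Ltd/CN=Example RSA Domain Validation CA'
    make_demo_cert "$d/installed.pem" "$subj"   # what NSS/LDAP already hold
    make_demo_cert "$d/inter2.pem"    "$subj"   # re-issued under a new key
    make_demo_cert "$d/root.pem" '/C=GB/O=Example CA Ltd/CN=Example Root CA'
    if check_conflict "$d/inter2.pem" "$d/root.pem" "$d/installed.pem"; then
        echo "no collision: ipa-cacert-manage install $d/inter2.pem should succeed"
    else
        echo "remove the stale entry (ldapdelete + certutil -D), then retry the install"
    fi
    rm -rf "$d"
}

demo
```

The demo reports the conflict on installed.pem, which is the situation in the thread: the re-issued intermediate keeps the subject but not the key. Run the same check_conflict against the PEM exports from both /etc/httpd/alias and /etc/ipa/nssdb, since the thread shows the stale nickname had to be removed from both databases as well as from LDAP.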