How would I validate that certs are getting added properly on a CentOS machine system wide store?
I'm going to test it today to find out if this is a problem unique to Ubuntu/CentOS.

-Kevin

> On Oct 9, 2019, at 10:44 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
>
> On Wed, Oct 09, 2019 at 08:58:14PM -0500, Kevin Vasko wrote:
>> Seems to happen on both Ubuntu 16.04 and 18.04.
>>
>> $ lsb_release -a
>> No LSB modules are available.
>> Distributor ID: Ubuntu
>> Description: Ubuntu 16.04.6 LTS
>> Release: 16.04
>> Codename: xenial
>>
>> $ firefox --version
>> Mozilla Firefox 67.0.4
>>
>> freeipa-client/xenial,now 4.3.1-0ubuntu1 amd64 [installed]
>> freeipa-common/xenial,xenial,now 4.3.1-0ubuntu1 all [installed,automatic]
>> firefox/now 67.0.4+build1-0ubuntu0.16.04.1 amd64
>>
>> Ubuntu 18.04 machine:
>>
>> $ lsb_release -a
>> No LSB modules are available.
>> Distributor ID: Ubuntu
>> Description: Ubuntu 18.04.3 LTS
>> Release: 18.04
>> Codename: bionic
>>
>> freeipa-client/bionic,now 4.7.0~pre1+git20180411-2ubuntu2 amd64 [installed]
>> freeipa-common/bionic,bionic,now 4.7.0~pre1+git20180411-2ubuntu2 all [installed,automatic]
>> firefox/bionic-updates,bionic-security,now 69.0.2+build1-0ubuntu0.18.04.1 amd64 [installed]
>>
>> Where is the system trust store located? I was going to validate that
>> the freeipa ca.crt is added to the system trust store. If it's not
>> there, how do you add the ca.crt to the system trust store?
>>
>> Should the ipa-install-client command add the system wide trust store?
>>
> Thanks for the details. I do not know about system trust on Ubuntu.
> It could be that ipa-client on Ubuntu does add the IPA CA to system
> trust, but the Firefox/Chrome packages ignore the system trust
> store.
>
> Hopefully someone more familiar with Ubuntu can clarify.
>
> Cheers,
> Fraser
>
>> I'll try this on CentOS tomorrow to see if it's just an Ubuntu issue.
>>
>>> On Wed, Oct 9, 2019 at 8:25 PM Fraser Tweedale <ftwee...@redhat.com> wrote:
>>>
>>> On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote:
>>>> Hello,
>>>>
>>>> I'm wanting to make our https servers use a trusted certificate within our
>>>> LAN only. So for example if I have websrv1.ny.example.com, when a user uses
>>>> a machine that's enrolled into our realm and they visit
>>>> https://websrv1.ny.example.com they shouldn't be prompted to accept the
>>>> self signed certificate.
>>>>
>>>> I think I'm pretty close but I'm missing a small part.
>>>>
>>>> The ipa server is all setup and working. Hosts are enrolled to ipa and
>>>> have the /etc/ipa/ca.crt.
>>>>
>>>> I have created a service for the http server in IPA. I have obtained a
>>>> .key file and .crt file for my web server. Those keys for the web server
>>>> are in the appropriate location and the web server is pointing at the
>>>> certs correctly.
>>>>
>>>> On my clients when I go to the web server's URL I am no longer getting a
>>>> "self signed cert" error message in the browser.
>>>>
>>>> That message has now changed to "unverified certificate authority", which
>>>> basically indicates to me that the browser doesn't know if this
>>>> certificate authority should/can be trusted.
>>>>
>>>> If I go in the browser (firefox or chrome) in the certificate authority
>>>> section and import the /etc/ipa/ca.crt I get no errors in the browser
>>>> about it being unverified.
>>>>
>>>> So my question is, what am I missing to make the /etc/ipa/ca.crt file
>>>> globally available for browsers to pick up the certificate automatically?
>>>>
>>>> When we enroll a host we simply do
>>>>
>>>> freeipa-install-client --domain=example.com --realm=EXAMPLE.COM --mkhomedir
>>>>
>>>> Accept the defaults, put in the password to enroll and that's it. Is there
>>>> something I'm missing?
>>>>
>>>> -Kevin
>>>>
>>> Looks like the browser is not using the system trust store. Please
>>> provide full details of operating system and package versions for
>>> both freeipa and browser packages.
>>>
>>> Cheers,
>>> Fraser

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
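The CentOS question at the top of the thread (how to validate that the IPA CA has landed in the system-wide store) can be answered with a small script. The one below is an added example; it is not from this thread and not FreeIPA's own tooling. It assumes the standard CentOS 7 / RHEL 7 layout: `ipa-client-install` leaves the CA at `/etc/ipa/ca.crt`, `update-ca-trust` builds the consolidated bundle at `/etc/pki/tls/certs/ca-bundle.crt` from the anchors in `/etc/pki/ca-trust/source/anchors/`. All three paths can be overridden through environment variables of the same name. The presence check is textual (it normalises each PEM body so re-wrapped copies still match); the optional `openssl verify` step is the cryptographic check of a server certificate against that bundle.

```shell
#!/bin/sh
# Added example, not from the FreeIPA-users thread or the FreeIPA project.
# Checks whether the IPA CA certificate is present in the CentOS/RHEL system
# trust bundle and, if openssl is installed, whether a server certificate
# verifies against that bundle. Paths are CentOS 7 defaults (assumption).

IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"
SYSTEM_BUNDLE="${SYSTEM_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"

# Print one line per certificate in a PEM file: the base64 body with all
# whitespace removed, so the same certificate compares equal regardless of
# line wrapping or the "# Certificate ..." comments in the extracted bundle.
pem_bodies() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
         /^-----END CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
         inblock                        { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# ca_in_bundle CA_FILE BUNDLE
#   exit 0: every certificate in CA_FILE appears in BUNDLE
#   exit 1: at least one is missing, or a file contained no certificate
#   exit 2: a file is unreadable
ca_in_bundle() {
    ca_file="$1"; bundle="$2"
    [ -r "$ca_file" ] && [ -r "$bundle" ] || return 2
    ca_bodies=$(pem_bodies "$ca_file")
    bundle_bodies=$(pem_bodies "$bundle")
    [ -n "$ca_bodies" ] && [ -n "$bundle_bodies" ] || return 1
    for body in $ca_bodies; do
        printf '%s\n' "$bundle_bodies" | grep -qxF -- "$body" || return 1
    done
    return 0
}

# Report whether the IPA CA is in the system bundle; if not, print the
# RHEL/CentOS way of adding it (copy to the anchors dir, re-run the extractor).
check_system_trust() {
    if ca_in_bundle "$IPA_CA" "$SYSTEM_BUNDLE"; then
        echo "OK: $IPA_CA is present in $SYSTEM_BUNDLE"
        return 0
    fi
    echo "MISSING: $IPA_CA is not in $SYSTEM_BUNDLE" >&2
    echo "Add it with: cp $IPA_CA $ANCHOR_DIR/ipa-ca.crt && update-ca-trust extract" >&2
    return 1
}

# Cryptographic check: does the web server's certificate chain to a CA in the
# system bundle? Requires openssl.
verify_server_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    openssl verify -CAfile "$SYSTEM_BUNDLE" "$1"
}

# Usage: sh check-ipa-trust.sh check [/path/to/server.crt]
case "${1:-}" in
    check)
        check_system_trust
        if [ -n "${2:-}" ]; then
            verify_server_cert "$2"
        fi
        ;;
esac
```

A CA that passes this check is trusted by everything that reads the system bundle or the p11-kit trust module (`trust list` from the p11-kit-trust package prints the same store from the module's point of view). Whether a particular browser build consults that store is the separate question Fraser raises; the distribution Firefox packages on Fedora/RHEL/CentOS load system CAs through p11-kit-trust, so on CentOS the two checks should agree.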