I have attached the files to this response.

On Tue, Oct 15, 2019 at 3:32 PM Rob Crittenden <rcrit...@redhat.com> wrote:

> Kristian Petersen via FreeIPA-users wrote:
> > They aren't in one file. But the server cert's issuer is the subject of
> > the DigiCert.crt file. I have already tried adding just the
> > Digicert.crt file only to have it tell me its Peer's Certificate isn't
> > trusted. I don't even know what certificate that is talking about.
>
> Can you share the files?
>
> rob
>
> > On Tue, Oct 15, 2019 at 7:27 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> > > Kristian Petersen wrote:
> > > > Rob,
> > > >
> > > > After investigating the certs as you had suggested, I do have the
> > > > whole chain. The server cert has as its issuer:
> > > >
> > > >     Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> > > >
> > > > And the DigiCert.crt file has as its issuer and subject:
> > > >
> > > >     Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> > > >     Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> > > >
> > > > Am I missing something here?
> > >
> > > So you have the whole chain in one file? Try adding them individually,
> > > starting at the root.
> > >
> > > rob
> > >
> > > > On Fri, Oct 11, 2019 at 12:50 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> > > >
> > > > > Kristian Petersen wrote:
> > > > > > New but related question: If I just want to add new LDAP and HTTPS
> > > > > > certs (not replacing the current ones) I know that can be done. I read
> > > > > > an article from Florence Blanc-Renaud that mentions it, but I ran into
> > > > > > some errors and I'm trying to troubleshoot them. When I ran
> > > > > > ipa-server-certinstall and gave it the key I generated and the crt file
> > > > > > I got from Digicert it said the entire chain was not present. So then I
> > > > > > tried including the DigiCertCA.crt file as well, however, I got the same
> > > > > > result.
> > > > > >
> > > > > > I next tried adding the DigiCert certificate to IPA using
> > > > > >
> > > > > >     ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install DigiCertCA.crt
> > > > > >
> > > > > > This also failed giving an error that the cert was invalid because the
> > > > > > Peer's Certificate issuer was not recognized. Any thoughts about what I
> > > > > > might have missed?
> > > > >
> > > > > You don't have the full chain. It can be tricky to find the whole list
> > > > > even on CA's that make it relatively easy.
> > > > >
> > > > > What you want to do is use a tool like openssl x509 to display the
> > > > > subject and issuer:
> > > > >
> > > > >     openssl x509 -text -noout -in /path/to/cert
> > > > >
> > > > > I'd start with the server cert you've been issued. Find a matching CA
> > > > > cert where the subject of the CA cert matches the issuer on the
> > > > > server cert.
> > > > >
> > > > > Then find another CA cert whose subject matches the issuer of the bottom
> > > > > of the chain, and work upwards until you find a CA cert where the issuer
> > > > > and subject match. Then you've found the root. That plus the other
> > > > > matching CA certs is your chain.
> > > > >
> > > > > I'll also note about the "add but not replace" the LDAP and Web certs.
> > > > > There can only be one active. You can certainly use different physical
> > > > > files and nicknames to store the new certs but only one set is active at
> > > > > a time.
> > > > >
> > > > > rob
> > > > >
> > > > > > On Fri, Oct 11, 2019 at 11:20 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> > > > > >
> > > > > > > Kristian Petersen via FreeIPA-users wrote:
> > > > > > > > That outlines the options, but not why I should or shouldn't use
> > > > > > > > any of them. That is more of what I am looking for.
> > > > > > >
> > > > > > > It's less benefit analysis and more forced by internal requirements.
> > > > > > >
> > > > > > > Often an organization already has a CA and wants any additional CA's to
> > > > > > > be subordinates.
> > > > > > >
> > > > > > > The downside of an external CA is some additional complexity.
> > > > > > >
> > > > > > > Installation can be more difficult (users often have issues getting
> > > > > > > their external CA to properly sign the IPA CSR), dealing with a longer
> > > > > > > certificate chain and being bound by the expiration date of the
> > > > > > > external CA.
> > > > > > >
> > > > > > > rob
> > > > > > >
> > > > > > > > On Fri, Oct 11, 2019 at 9:47 AM François Cami <fc...@redhat.com> wrote:
> > > > > > > >
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > On Fri, Oct 11, 2019 at 5:34 PM Kristian Petersen via FreeIPA-users
> > > > > > > > > <freeipa-users@lists.fedorahosted.org> wrote:
> > > > > > > > > >
> > > > > > > > > > Hey y'all,
> > > > > > > > > >
> > > > > > > > > > What are the pros and cons of using an external or internal CA
> > > > > > > > > > for FreeIPA/IdM? I am trying to decide which to do but having
> > > > > > > > > > trouble finding a lot of info about why I would want to do one or
> > > > > > > > > > the other.
> > > > > > > > > >
> > > > > > > > > > Thanks in advance!
> > > > > > > > >
> > > > > > > > > The choices are documented there:
> > > > > > > > >
> > > > > > > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server
> > > > > > > > >
> > > > > > > > > François

--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
Attachments:
DigiCertCA.crt (application/x509-ca-cert)
odin_chem_byu_edu.crt (application/x509-ca-cert)
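The chain-walking procedure Rob describes in the thread (match the server cert's issuer to a CA cert's subject, repeat until you reach a cert whose issuer equals its subject), written out as an added example. This is not code from the thread and not part of FreeIPA's own tooling. It assumes the openssl CLI is installed and that each PEM file holds exactly one certificate; the three-tier test chain, its file names (root.crt, intermediate.crt, server.crt) and its subject names (Example Org) are constructed for the demonstration so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA's own tooling: walk a
# server certificate up to its root by matching each issuer to a candidate
# file's subject (the procedure Rob outlines), then let `openssl verify`
# check the signatures. Assumes the openssl CLI, PEM input, one certificate
# per file. The fixture names (Example Org, root/intermediate/server) are
# invented for the demonstration.
set -eu

# dn subject|issuer <cert>: the name in RFC 2253 form with the "subject="
# or "issuer=" prefix removed, so the two can be compared as strings.
dn() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Issuer equal to subject means self-signed: the root of the chain, or a
# file that is not the intermediate it was assumed to be.
is_self_signed() {
    [ "$(dn subject "$1")" = "$(dn issuer "$1")" ]
}

# build_chain <leaf> <ca_dir>: print the chain leaf-first, one path per line.
# Stops at the first self-signed certificate; returns 1 when no file in
# ca_dir has a subject equal to the current certificate's issuer.
build_chain() {
    cur=$1
    printf '%s\n' "$cur"
    while ! is_self_signed "$cur"; do
        want=$(dn issuer "$cur")
        next=
        for f in "$2"/*.crt; do
            [ "$f" != "$cur" ] || continue
            if [ "$(dn subject "$f")" = "$want" ]; then
                next=$f
                break
            fi
        done
        if [ -z "$next" ]; then
            echo "no file in $2 has subject: $want" >&2
            return 1
        fi
        printf '%s\n' "$next"
        cur=$next
    done
}

# verify_chain <leaf> <ca_dir>: name matching only locates candidates; the
# signatures decide. Trust only the root the walk ended on and pass every
# intermediate as untrusted, which is how a relying party sees them.
verify_chain() {
    chain=$(build_chain "$1" "$2") || return 1
    root=$(printf '%s\n' "$chain" | tail -n 1)
    inter=$(printf '%s\n' "$chain" | sed '1d;$d')
    if [ -n "$inter" ]; then
        untrusted=$(mktemp)
        cat $inter > "$untrusted"   # unquoted on purpose: one path per line
        openssl verify -CAfile "$root" -untrusted "$untrusted" "$1" >/dev/null
    else
        openssl verify -CAfile "$root" "$1" >/dev/null
    fi
}

# make_fixture: constructed three-tier chain (root -> intermediate -> server)
# generated into a temp directory so the example runs offline; prints the path.
make_fixture() {
    d=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf '[srv]\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$d/srv.ext"
    for n in root intermediate server; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
            -subj "/O=Example Org/CN=Example $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -sha256 -days 3650 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -extensions ca -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in "$d/intermediate.csr" \
        -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -extensions ca -out "$d/intermediate.crt" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$d/server.csr" \
        -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" -CAcreateserial \
        -extfile "$d/srv.ext" -extensions srv -out "$d/server.crt" 2>/dev/null
    printf '%s\n' "$d"
}

# Demonstration: the full chain verifies; with the intermediate removed the
# walk stops at the issuer it cannot find, which is the situation behind an
# "entire chain not present" style error.
fixture=$(make_fixture)
build_chain "$fixture/server.crt" "$fixture"
verify_chain "$fixture/server.crt" "$fixture" && echo "chain verifies"
mkdir "$fixture/incomplete"
cp "$fixture/root.crt" "$fixture/server.crt" "$fixture/incomplete/"
build_chain "$fixture/incomplete/server.crt" "$fixture/incomplete" || echo "incomplete chain"
```

Two points the script makes explicit. The loop treats the first certificate whose subject equals its issuer as the root, so a file that prints identical Subject and Issuer lines is self-signed and can only sit at the top of a chain, never between a server cert and a root. And name matching only finds candidates: `openssl verify -CAfile root -untrusted intermediates leaf` is run afterwards because it checks the signatures and the CA basic constraints, which is the property the IPA install commands are looking for when they reject a chain as incomplete or untrusted. To use it on real files, replace the fixture with a directory holding the server cert and the CA certs downloaded from the issuer and call `build_chain` and `verify_chain` on the server cert.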
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org