On Mon, 24 Feb 2020, dmitriys via FreeIPA-users wrote:
Hi!
After your advice I did this:
#  kinit admin
# ipa ping
IPA server version 4.6.90.pre1+git20180411. API version 2.229
# ipa-cacert-manage -p 'Q*password' -n COMODO -t C,, install /home/addtrustexternalcaroot2.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

# ipa-certupdate
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140600762419792
ipapython.admintool: INFO: The ipa-certupdate command was successful


# ipa-server-certinstall -w -d /home/ldap_soft2bet_com.key /home/ldap_comodo.pem

ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, 
exception: ScriptError: Peer's certificate issuer is not trusted (certutil: 
certificate is invalid: Peer's Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA 
certificate.
ipapython.admintool: ERROR: Peer's certificate issuer is not trusted (certutil: 
certificate is invalid: Peer's Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA 
certificate.
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.

I think your primary issue is that on Ubuntu and Debian systems there is
no backend to handle the system-wide certificate store in FreeIPA. This is
tracked by https://pagure.io/freeipa/issue/8106 and there is a pull
request https://github.com/freeipa/freeipa/pull/4102 that attempts to
add such support, but Debian's way of adding certificates to a cert store
is not able to work with what IPA tools supply to it. Please see the
ticket and the PR to gain more knowledge about it.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland