On 6/18/20 6:06 AM, luckydog xf via FreeIPA-users wrote:
[root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias


[root@wocfreeipa ~]# export LDAPTLS_CERT='subsystemCert cert-pki-ca'

[root@wocfreeipa ~]#  grep internal /etc/pki/pki-tomcat/password.conf
internal=3Tm~ofzwXXXXXXXXXXXX

[root@wocfreeipa ~]# ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL
Please enter pin, password, or pass phrase for security token 'ldap(0)':

SASL/EXTERNAL authentication started
SASL username: cn=CA Subsystem,o=SAP.WINGON.HK
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=sap,dc=wingon,dc=hk
namingContexts: o=ipaca
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
......
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

It seems the connection established by Dogtag to 389 DS is correct. But why does dogtag complain "Peer's certificate issuer has been marked as not trusted by the user."?
Weird.
Hi,

Dogtag has its own NSSDB and each of the Sectigo CA certs needs to be present there, too:

$ certutil -A -d /etc/pki/pki-tomcat/alias -n <nick> -t CT,C,C -a -i cert.pem

HTH,
flo
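As an added example (not code from the thread, nor from FreeIPA or Dogtag), the script below automates the step flo describes: it splits a PEM bundle such as the poster's ca-bundle.crt into one file per certificate and imports each one into an NSS database with the same `certutil -A ... -t CT,C,C` invocation as the reply, then checks that every nickname can be listed back so a half-imported chain is noticed. The bundle path, output directory and nickname prefix are assumptions, and the sample bundle is constructed placeholder text with no real certificates. It covers only the per-NSSDB import; on an IPA server the route flo gives earlier in the quoted thread, ipa-cacert-manage install followed by ipa-certupdate on every host, is what populates all the NSSDBs at once.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag.
# Splits a PEM CA bundle into one file per certificate and imports each
# into an NSS database with the same certutil -A invocation as the reply
# (trust flags CT,C,C). Paths, nicknames and the sample bundle are
# assumptions / constructed data.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/ca-01.pem, ca-02.pem, ... (one per BEGIN/END block) and
# prints the number of certificates found. Text outside the markers
# (comments, "Bag Attributes" lines) is dropped.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# import_chain NSSDB CERTDIR NICKPREFIX
# Imports every split certificate as a trusted CA and then checks that the
# nickname can be listed. Returns non-zero if certutil is missing or any
# import/verification fails, so a partially imported chain is noticed.
import_chain() {
    nssdb="$1"; certdir="$2"; prefix="$3"
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 1; }
    for f in "$certdir"/ca-*.pem; do
        idx=${f##*/ca-}; idx=${idx%.pem}
        nick="$prefix-$idx"
        certutil -A -d "$nssdb" -n "$nick" -t CT,C,C -a -i "$f" || return 1
        # verify the entry is really in the database under that nickname
        certutil -L -d "$nssdb" -n "$nick" >/dev/null 2>&1 || return 1
        echo "imported $f as '$nick'"
    done
}

# make_sample_bundle FILE
# Writes a constructed three-certificate bundle. The bodies are placeholder
# text, not real certificates, so it only exercises the splitting logic.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# constructed sample bundle (root, intermediate, intermediate)
-----BEGIN CERTIFICATE-----
MIIBconstructedRootPlaceholder
-----END CERTIFICATE-----
Bag Attributes: <dropped by the splitter>
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateOnePlaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateTwoPlaceholder
-----END CERTIFICATE-----
EOF
}

# Usage on a real server (assumed paths and nickname prefix):
#   sh import_ca_chain.sh /root/ca-bundle.crt /root/ca-split \
#       /etc/pki/pki-tomcat/alias sectigo-ca
if [ "$#" -ge 3 ]; then
    split_pem_bundle "$1" "$2" && import_chain "$3" "$2" "${4:-external-ca}"
fi
```

The import is run once per NSS database, so the same split directory can be reused for /etc/pki/pki-tomcat/alias, /etc/httpd/alias and the dirsrv instance directory; the nickname prefix keeps the external CA entries distinguishable from the IPA CA entry in `certutil -L` output.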

On Thu, Jun 18, 2020 at 9:31 AM luckydog xf <[email protected]> wrote:

    The sad thing is that the CA expired on May 30, 2020. My IPA cannot
    log in.

    So I used certutil to remove old CAs. Here are steps I used.
    Unfortunately, I didn't try the step you mentioned.

    1. certutil -d /etc/http/alias -D -n Server-Cert
         certutil -d /etc/http/alias -D -n  < Other CAs of Comodo>

    2. Do the same thing against /etc/dirsrv/slapd-xxx

    3. Add new certs and CAs by:

    cat server.key server.crt > server.all

    openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all
    -out Server-Cert.p12 -name "Server-Cert"

    pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert

    4. ipactl restart -f -d shows pki-tomcatd cannot start.
    ---------
    Internal Database Error encountered: Could not connect to LDAP
    server host wocfreeipa.sap.wingon.hk port 636 Error
    netscape.ldap.LDAPException: Unable to create socket:
    org.mozilla.jss.ssl.SSLSocketException:
    org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
    (-8172) Peer's certificate issuer has been marked as not trusted
    by the user. (-1)

    So what's wrong ?


    -------------



    On Wed, Jun 17, 2020 at 10:34 PM Florence Blanc-Renaud
    <[email protected]> wrote:

        On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote:
         > Hi, As stated in
         > https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
         >
         > I cannot log in to the FreeIPA web page.
         >
         > So I update the CA by:
         >
         > # delete everything except IPA CA of httpd and dirsrv
         >
         > certutil -d /etc/http/alias -D -n 'xxx'
         >
         > # ca-bundle.crt is 3 files named USERTrust, etc.
         >
         > # server.all is a combination of my certificate signed by
         > Sectigo (formerly named Comodo).
         >
         > openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in
         > server.all -out Server-Cert.p12 -name "Server-Cert"
         >
         > # add to httpd and dirsrv.
         >
         > pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert
         >
         > I restart all services by ipactl restart. But it seems
         > pki-tomcat fails to start up.
         >
         > #### log of ipactl start ####
         >
         > Starting pki-tomcatd Service
         > ipa: DEBUG: Starting external process
         > ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target
         > ipa: DEBUG: Process finished, return code=0
         > ipa: DEBUG: request POST
         > http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus
         > ipa: DEBUG: request body ''
         > ipa: DEBUG: response status 500
         > ipa: DEBUG: response headers Server: Apache-Coyote/1.1
         > Content-Type: text/html;charset=utf-8
         > Content-Language: en
         > Content-Length: 2208
         > Date: Wed, 17 Jun 2020 09:13:19 GMT
         > Connection: close
         >
         > ipa: DEBUG: response body '<html><head><title>Apache
         > Tomcat/7.0.76 - Error report</title><style><!--H1
         > {font-family:Tahoma,Arial,sans-s
         > ......
         >
         > ipa: DEBUG: Failed to check CA status: Retrieving CA status
         > failed with status 500
         > ipa: DEBUG: Waiting until the CA is running
         >
         > #### END of log #####
         >
         >
         > Here is the log of pki-tomcat
         >
         > ###
         > Internal Database Error encountered: Could not connect to
         > LDAP server host wocfreeipa.sap.wingon.hk port 636 Error
         > netscape.ldap.LDAPException: Unable to create socket:
         > org.mozilla.jss.ssl.SSLSocketException:
         > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake
         > failed: (-8172) Peer's certificate issuer has been marked as not
         > trusted by the user. (-1)
         >
         > ###
         >
         > The point is 'Peer's certificate issuer has been marked as
         > not trusted by the user.' As far as I know pki-tomcat needs a
         > certificate to bind to 389 DS and store information.
         >
         > But I didn't touch the CA named 'IPA CA', so basically
         > pki-tomcatd could use its own certificate named 'subsystemCert
         > cert-pki-ca' to bind to 389 DS.
         >
         > Please help.
        Hi,

        the new CA certs from Sectigo need to be installed with
        ipa-cacert-manage install (the command uploads the certs in the
        LDAP database). For more information, please refer to "Installing
        a CA Certificate Manually" [1].
        As the chain contains multiple certs, you need to start from the
        root cert then go down the chain. When all the certs have been
        added, don't forget to run ipa-certupdate on all the IPA hosts (the
        command downloads the certs from LDAP and puts them in all the
        NSSDBs that need them).

        HTH,
        flo

        [1]
        
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/manual-cert-install

         >
         > Thanks a lot.


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
