A followup on this: This isn't "fixed"... But I have worked around the error by disabling CRL checking in Windows. Here's a link with the workaround I used, and more specific information on the error I encountered: https://www.petenetlive.com/KB/Article/0001144
On Fri, Mar 18, 2022 at 8:12 PM Tyrell Jentink <[email protected]> wrote:
> Thank you for your assistance!
>
> :/ The suspicion is that my certs are wrong? As opposed to just telling Windows where to find the CRL? Lame...
>
> OK, let's investigate! I was neither good at obscuring my domain hierarchy, nor did it end up mattering if I have to share my certs, so let's give up on that.
>
> At my network edge, my firewall is redirecting all outbound DNS traffic to a DNS Forwarder at my edge network. I'm also pointing dc.rxrhouse.net to that edge DNS Forwarder directly. That edge DNS Forwarder is blocking lookups to rxrhouse.net, that way none of the lookups leak to public resolvers and never get my public DNS records. I do own the domain. It's just that IPA whined when it could find my public records without NS delegations. I have no intention of any of this being on the public internet...
>
> I have an IPA server at dc.rxrhouse.net, serving rxrhouse.net's DNS internally, serving DNS at that tier of the hierarchy, delegating lin.rxrhouse.net and win.rxrhouse.net as NS records and A records to pdc.win.rxrhouse.net and pdc.lin.rxrhouse.net.
>
> dc.rxrhouse.net is the Root CA, dc.rxrhouse.net's root certificate (Certificate #1 in IPA's Certificate Manager) is attached as dc_rxrhouse_net-root.crt.
>
> On dc.rxrhouse.net, I created a SubCA profile. I got its config from here: https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html
> I also added win.rxrhouse.net and lin.rxrhouse.net as Host Principals, and as noted below, added ADCS' default CN as a Host Alias to win.rxrhouse.net's Host Principal.
>
> Under that, I have a pdc.lin.rxrhouse.net... I installed that as a Subordinate CA, and signed its CSR with dc.rxrhouse.net, and installed that cert back to pdc.lin.rxrhouse.net, and it seems to work fine... I mean, it's running, it isn't giving any errors... I don't know how it is relevant, but that cert is attached as pdc_lin_rxrhouse_net-root.crt
>
> pdc.win.rxrhouse is a Windows Server (With GUI Features) 2022 Active Directory Domain Services server. It has my users and Windows hosts associated with it; once certs are working, pdc.win.rxrhouse will be Interforest Trusted with pdc.lin.rxrhouse.net, so Linux hosts have Windows users. pdc.win.rxrhouse.net seems to work, doesn't give me any grief, but it doesn't have a cert, cuz it gets its cert from ADCS...
>
> stb.win.rxrhouse.net is where I'm having my problems... It is simply a Windows Server Core 2022 Active Directory Certificate Services server, and I domain joined it, and made the Enterprise Administrator a local Administrator. I installed ADCS by adding the Role, I did the post installation wizard selecting Enterprise, Subordinate CA. I've been through this a bunch of times, and could not get Windows to accept "win.rxrhouse.net" as the CN as I had used lin.rxrhouse.net on pdc.lin.rxrhouse.net... By "Not accept," I mean that Windows WOULD accept it, finish the install, but then when I came back with a signed cert, it would give nondescript errors about "The specified file could not be found." SO, ultimately, I accepted its default CN, added that default to dc.rxrhouse.net as a Host Alias so that it would sign the CSR, installed the cert back to Windows, Windows prompted for the root certificate, I provided the one mentioned and attached above, which Windows accepted, but with the warning that the CRL couldn't be found for verification. The certificate server process didn't run, and when I tried running it manually, I got the same warning about not being able to find / verify the CRL. The Windows errors have really proven to be non-descript :/ Google hasn't been a ton of help... Anyway, THAT cert is attached as stb_win_rxrhouse_net-root.crt
>
> Of course, there are more certs in the chain... Should I have given Windows more of them? Should I not have jumped straight to #1, the root? Should I have perhaps given the CA Agent cert first? Is there perhaps a single cert file that has the entire chain in it?
>
> If the error is honest, I just need to tell Windows the location of the CRL... Windows doesn't have a "CRL Distribution Point (CDP)" configured... But even I have my own doubts that it's a relevant data point.
>
> On Sun, Mar 13, 2022, 23:44 Fraser Tweedale <[email protected]> wrote:
>
>> On Fri, Mar 11, 2022 at 09:59:48PM -0800, Tyrell Jentink via FreeIPA-users wrote:
>> > I am primarily a Linux admin, and this might be a Windows problem... In fact, this might not even be the right forum for me to be asking this question, but I don't know which Windows forum would give me the time of day, so I'm here... I might also try some Windows Reddit groups... :p The following domain names are obscured to protect the wicked; I know not to use fake domains ;)
>> >
>> > I have an IPA server called dc.domain.local, an ActiveDirectory Directory Server called pdc.win.domain.local, and an ActiveDirectory Certificate Server called pki.win.domain.local. I am trying to configure the ADDS as a subdomain of the IPA domain. I am using A and NS Records to delegate the subdomain name. I am NOT attempting to create an interforest trust between these two domains at this time (Although, as an aside, there will eventually be another IPA server at pdc.lin.rxrhouse.net for subdomain lin.domain.local, and THAT one will have an interforest trust with win.rxrhouse.net; If IPA-IPA Trusts ever become a "thing", the top domain will get trusts to both subdomains, but for now, pki.win.domain.local only needs to 1) have a signed subordinate certificate from dc.domain.local, and 2) run). As I have been able to get it, ADCS seems to be installed with a signed cert, but it won't run.
>> >
>> > I installed ADCS as an Enterprise Subordinate CA; Based on https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html, I added win.domain.local as a host principal on IPA. I used that principal to sign the CSR, which worked fine. I installed that certificate back to AD. AD prompted for the Root Certificate, which I provided, and AD warned that it couldn't verify the chain of trust because it couldn't contact a CRL.
>> >
>> Hi Tyrell,
>>
>> The blog post you linked is about the opposite thing you said you are trying to do. That post is about installing FreeIPA CA as a subordinate of an AD-CS CA. But you are talking about the opposite thing - AD-CS as a subordinate of IPA.
>>
>> I'd suggest sharing the certificates themselves, so we can inspect them and try to identify the problem. And sharing the exact steps on the IPA side that you used to create the certificate profile, create the CSR, and issue the certificate.
>>
>> Thanks,
>> Fraser
>>
>> > But now ADCS won't start... Every time I try to start it, it complains, again, that it can't reach a CRL.
>> >
>> > In Windows Server Manager, in Certificate Authority manager (CertSrv), right click on the CA tree, under Properties... I see that all of the CRL Distribution Points (CDPs) and AIAs are their default, non-configured forms... It's my crude guess that I need to be pointing those values to IPA? The example is of the form http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, if that hint prompts anyone's thinking...
>> >
>> > Even if you have a suggestion of another forum to ask this on, I'm all ears. Thank you for your assistance!
>> >
>> > --
>> > Tyrell Jentink
>> > _______________________________________________
>> > FreeIPA-users mailing list -- [email protected]
>> > To unsubscribe send an email to [email protected]
>> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>

--
Tyrell Jentink
tyrell.jentink.net
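As an added example (not code from this thread, from FreeIPA or from AD CS), a check for the condition behind the error above: the Windows sub-CA will not start while it cannot locate and fetch a CRL for a non-root certificate in its own chain, so the first thing to verify is that each such certificate carries a CRL Distribution Point whose host resolves from the Windows CA, which matters here because the edge forwarder is blocking rxrhouse.net lookups. The python-cryptography package is assumed; the certificates and the CDP URL (modelled on FreeIPA's http://ipa-ca.<domain>/ipa/crl/MasterCRL.bin form, with an example.test placeholder domain) are constructed fixtures, not the poster's files.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def crl_urls(cert: x509.Certificate) -> list:
    """URIs from the CRL Distribution Points extension ([] when the extension is absent)."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def chain_problems(chain_pems: list, resolve=None) -> list:
    """Findings for a PEM chain ordered sub-CA first, root last. 'resolve' is an optional
    callable(hostname) -> bool to run on the Windows CA host; by default only extensions are checked."""
    problems = []
    for pem in chain_pems:
        cert = x509.load_pem_x509_certificate(pem)
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        if cert.issuer == cert.subject:
            continue  # self-signed trust anchor: no CRL to look up for it
        urls = crl_urls(cert)
        if not urls:
            problems.append(f"{cn}: no CRL Distribution Point, revocation check cannot succeed")
        for host in (urlparse(u).hostname for u in urls):
            if resolve is not None and host and not resolve(host):
                problems.append(f"{cn}: CDP host {host} does not resolve from this machine")
    return problems

def make_test_chain(cdp_url=None) -> list:
    """Constructed fixture (not the poster's certs): a self-signed root and a sub-CA it signed."""
    root_key, sub_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    root = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Root CA")])
    sub = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Sub CA")])
    now = datetime.now(timezone.utc)
    def build(subject, issuer, pub, signer, cdp):
        b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
             .serial_number(x509.random_serial_number()).not_valid_before(now)
             .not_valid_after(now + timedelta(days=3650))
             .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
        if cdp:  # the issued sub-CA cert gets a CDP; the root deliberately has none
            b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
                [x509.UniformResourceIdentifier(cdp)], None, None, None)]), critical=False)
        return b.sign(signer, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
    return [build(sub, root, sub_key.public_key(), root_key, cdp_url),
            build(root, root, root_key.public_key(), root_key, None)]
```

On the Windows CA host, pass the real certificate files and a resolver built from socket.gethostbyname; a CDP that is missing or unresolvable is the defect to fix, since the CRLF_REVCHECK_IGNORE_OFFLINE style workaround leaves the CA unable to notice that a certificate in its own chain has been revoked.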
