Hi, On Fri, Jul 7, 2023 at 7:00 AM Polavarapu Manideep Sai via FreeIPA-users < [email protected]> wrote:
> Hi Rob, > > As mentioned in my previous response, here is the error upon executing > ipa-cacert-manage install > Please let me know if any other details required on this > > > [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.crt > Installing CA certificate, please wait > Not a valid CA certificate: not a CA certificate (visit > http://www.freeipa.org/page/Troubleshooting for troubleshooting guide) > The ipa-cacert-manage command failed. > When you received the certs from the external CA authority, you received multiple files. I'm guessing that 1f1f7ab616938168.crt contains your server certificate and that's the file you will provide to the ipa-server-certinstall command. There is another file, gd_bundle-g2-g1.crt, which probably contains the external CA chain. This is the file you need to provide to ipa-cacert-manage install tool. Please don't forget to specify the trust flags for this command: ipa-cacert-manage install -t CT,C,C <CA cert> Also note, if the crt file contains multiple certificates, you will have to separate them and install them one by one with ipa-cacert-manage. Hope this helps, flo [root@ Apache]# > [root@ Apache]# > [root@ Apache]# > [root@ Apache]# > [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem > Installing CA certificate, please wait > Not a valid CA certificate: not a CA certificate (visit > http://www.freeipa.org/page/Troubleshooting for troubleshooting guide) > The ipa-cacert-manage command failed. > [root@ Apache]# > [root@ Apache]# > [root@ Apache]# > [root@ Apache]# > [root@ Apache]# > [root@ Apache]# ipa-cacert-manage install gd_bundle-g2-g1.crt > Installing CA certificate, please wait > (SEC_ERROR_NO_TOKEN) The security card or token does not exist, needs to > be initialized, or has been removed. > The ipa-cacert-manage command failed. > > Regards > ManidepSai > > > -----Original Message----- > From: Rob Crittenden <[email protected]> > Sent: 07 July 2023 00:16 > To: Polavarapu Manideep Sai <[email protected]>; FreeIPA users > list <[email protected]> > Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates > for HTTP or LDAP > > > CAUTION. This email originated from outside the organization. Please > exercise caution before clicking on links or attachments in case of > suspicion or unknown senders. > > > > > Polavarapu Manideep Sai wrote: > > Here are the answers for the questions asked > > > > > > 1.You submitted a single CSR and got two certficates back? > > Yes, I have shared single CSR and got two certificates back. > > > > 2. What does "tomcat name" mean? Is it using a different key? > > > > Here are the certificate details: > > > > Received these two zip files > > > > 1. ipa.example.com_Apache.zip > > 2. ipa.example.com_TOMCAT.zip > > > > [root@ Certificates]# tree > > . > > ├── Apache > > │ ├── 1f1f7ab616938168.crt > > │ ├── 1f1f7ab616938168.pem > > │ └── gd_bundle-g2-g1.crt > > └── Tomcat > > ├── 1f1f7ab616938168.crt > > ├── 1f1f7ab616938168.pem > > ├── gd_bundle-g2-g1.crt > > └── gdig2.crt.pem > > > > > > 3. Do you intend on replacing the server certificate for the CA as well? > If so, why? > > You have to first install the CA chain using ipa-cacert-manage install > /path/to/file. > > Then run ipa-certupdate ON ALL OF YOUR IPA SERVERS AND CLIENTS. > > Apologies for shouting but if you fail to do this step then any > non-updated machines may not trust the new IPA Apache cert and that would > be bad. > > Assuming the chain they provided is complete that should resolve the > ipa-server-certinstall issue. > > rob > > > > > NO > > > > Regards > > Sai > > > > > > > > -----Original Message----- > > From: Polavarapu Manideep Sai via FreeIPA-users > > <[email protected]> > > Sent: 06 July 2023 22:28 > > To: Rob Crittenden <[email protected]>; FreeIPA users list > > <[email protected]> > > Cc: Polavarapu Manideep Sai <[email protected]> > > Subject: [Freeipa-users] Re: Help-Installing Third-Party Certificates > > for HTTP or LDAP > > > > > > CAUTION. This email originated from outside the organization. Please > exercise caution before clicking on links or attachments in case of > suspicion or unknown senders. > > > > > > > > > > Hi Rob, > > > > Thanks for the reply, Here are the errors up on including .pem , > > please let us know if more details required on this > > > > [root@ Apache]# ipa-server-certinstall --http --dirsrv central.key > gd_bundle-g2-g1.crt 1f1f7ab616938168.pem Directory Manager password: > > > > Enter private key unlock password: > > > > Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) > Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage > install and ipa-certupdate to install the CA certificate. > > The ipa-server-certinstall command failed. > > > > ====================================================================== > > ======= Tried to run ipa-cacert-manage install > > > > > > [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem > Installing CA certificate, please wait Not a valid CA certificate: not a CA > certificate (visit http://www.freeipa.org/page/Troubleshooting for > troubleshooting guide) The ipa-cacert-manage command failed. > > [root@ Apache]# > > > > ==================================================== > > > > > > [root@ Apache]# > > [root@ Apache]# certutil -L -d /etc/pki/pki-tomcat/alias > > > > Certificate Nickname Trust > Attributes > > > > SSL,S/MIME,JAR/XPI > > > > ocspSigningCert cert-pki-ca u,u,u > > subsystemCert cert-pki-ca u,u,u > > Server-Cert cert-pki-ca u,u,u > > auditSigningCert cert-pki-ca u,u,Pu > > caSigningCert cert-pki-ca CTu,Cu,Cu > > [root@ Apache]# > > > > > > [root@ Apache]# certutil -L -d /etc/httpd/alias/ > > > > Certificate Nickname Trust > Attributes > > > > SSL,S/MIME,JAR/XPI > > > > Server-Cert u,u,u > > IPA.EXAMPLE.COM IPA CA CT,C,C > > [root@ Apache]# > > [root@ Apache]# > > > > > > [root@ Apache]# certutil -L -d /etc/dirsrv/slapd-IPA-ONMOBILE-COM/ > > > > Certificate Nickname Trust > Attributes > > > > SSL,S/MIME,JAR/XPI > > > > Server-Cert u,u,u > > IPA.EXAMPLE.COM IPA CA CT,C,C > > [root@ Apache]# > > > > =========================================================== > > > > > > > > Regards > > Sai > > > > -----Original Message----- > > From: Rob Crittenden <[email protected]> > > Sent: 06 July 2023 20:55 > > To: FreeIPA users list <[email protected]> > > Cc: Polavarapu Manideep Sai <[email protected]> > > Subject: Re: [Freeipa-users] Help-Installing Third-Party Certificates > > for HTTP or LDAP > > > > > > CAUTION. This email originated from outside the organization. Please > exercise caution before clicking on links or attachments in case of > suspicion or unknown senders. > > > > > > > > > > Polavarapu Manideep Sai via FreeIPA-users wrote: > >> Hi Team, > >> > >> > >> > >> I have generated central.csr and central.key in my ipa server and > >> shared this central.csr to third-party certificate authority and i > >> got certificates from certificate authority with two directories one > >> as apache directory and it's certificates are 1f1f7ab616938168.crt, > >> 1f1f7ab616938168.pem and gd_bundle-g2-g1.crt and another directory > >> with tomcat name and its certficates are 1f1f7ab616938168.crt, > >> 1f1f7ab616938168.pem, gd_bundle-g2-g1.crt and gdig2.crt.pem, now i > >> want to install these certficates in my ipa server can you please > >> guide on the same ? > > > > The process you describe is a little hard to follow. You submitted a > single CSR and got two certficates back? What does "tomcat name" mean? > > Is it using a different key? Do you intend on replacing the server > certificate for the CA as well? If so, why? > > > >> > >> I tried this, but getting the below error, can you please share the > >> steps to install this SSL certficates > >> > >> > >> > >> [root@ Apache]# ipa --version > >> > >> VERSION: 4.5.0, API_VERSION: 2.228 > >> > >> > >> > >> ipa-server-certinstall --http --dirsrv ssl.key ssl.crt > >> > >> [root@Apache]# ipa-server-certinstall --http --dirsrv central.key > >> gd_bundle-g2-g1.crt > >> > >> Directory Manager password: > >> > >> > >> > >> Enter private key unlock password: > >> > >> > >> > >> No matching certificate found for private key from central.key > > > > You didn't include the server certificate file you got, ex. > > 1f1f7ab616938168.pem > > > > rob > > > > > > ________________________________ > > > > DISCLAIMER: The information in this message is confidential and may be > legally privileged. It is intended solely for the addressee. Access to this > message by anyone else is unauthorized. If you are not the intended > recipient, any disclosure, copying, or distribution of the message, or any > action or omission taken by you in reliance on it, is prohibited and may be > unlawful. Please immediately contact the sender if you have received this > message in error. Further, this e-mail may contain viruses and all > reasonable precaution to minimize the risk arising there from is taken by > OnMobile. OnMobile is not liable for any damage sustained by you as a > result of any virus in this e-mail. All applicable virus checks should be > carried out by you before opening this e-mail or any attachment thereto. > > Thank you - OnMobile Global Limited. > > _______________________________________________ > > FreeIPA-users mailing list -- [email protected] > > To unsubscribe send an email to > > [email protected] > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedorahosted.org/archives/list/[email protected] > > ahosted.org Do not reply to spam, report it: > > https://pagure.io/fedora-infrastructure/new_issue > > > > ________________________________ > > > > DISCLAIMER: The information in this message is confidential and may be > legally privileged. It is intended solely for the addressee. Access to this > message by anyone else is unauthorized. If you are not the intended > recipient, any disclosure, copying, or distribution of the message, or any > action or omission taken by you in reliance on it, is prohibited and may be > unlawful. Please immediately contact the sender if you have received this > message in error. Further, this e-mail may contain viruses and all > reasonable precaution to minimize the risk arising there from is taken by > OnMobile. OnMobile is not liable for any damage sustained by you as a > result of any virus in this e-mail. All applicable virus checks should be > carried out by you before opening this e-mail or any attachment thereto. > > Thank you - OnMobile Global Limited. > > > > > ________________________________ > > DISCLAIMER: The information in this message is confidential and may be > legally privileged. It is intended solely for the addressee. Access to this > message by anyone else is unauthorized. If you are not the intended > recipient, any disclosure, copying, or distribution of the message, or any > action or omission taken by you in reliance on it, is prohibited and may be > unlawful. Please immediately contact the sender if you have received this > message in error. Further, this e-mail may contain viruses and all > reasonable precaution to minimize the risk arising there from is taken by > OnMobile. OnMobile is not liable for any damage sustained by you as a > result of any virus in this e-mail. All applicable virus checks should be > carried out by you before opening this e-mail or any attachment thereto. > Thank you - OnMobile Global Limited. > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
