Polavarapu Manideep Sai wrote:
> Hi Florence,
>
> As per your suggestion, I have done the same.
>
> This crt gd_bundle-g2-g1.crt having multiple certificates, i.e. 3
> certificates [1st .crt, 2nd .crt and 3rd .crt], installed using the
> below commands and also executed:
>
> ipa-cacert-manage install -t CT,C,C 1st.crt [it failed]
> ipa-cacert-manage install -t CT,C,C 2nd.crt [it was successful]
> ipa-cacert-manage install -t CT,C,C 3rd.crt [it was successful]
> ipa-cacert-manage -p XXXX Server-Cert -t C,, install /home/omadmin/Certificates/Apache/gd_bundle-g2-g1.crt [it was successful]
>
> I executed this, and certificates got installed into /etc/httpd/alias/,
> /etc/dirsrv/slapd-IPA-DOMAIN-COM and /etc/pki/pki-tomcat/alias/
> databases as shown below.
>
> Can you see the error during the ipa-certupdate? The /usr/bin/certutil
> commands returned non-zero codes.
>
> [root@central ~]# ipa-cacert-manage -p XXXX Server-Cert -t C,, install /home/omadmin/Certificates/Apache/gd_bundle-g2-g1.crt
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful
>
> [root@central ~]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                           Trust Attributes
>                                                                SSL,S/MIME,JAR/XPI
>
> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US                    CT,C,C
> Server-Cert                                                    u,u,u
> IPA.DOMAIN.COM IPA CA                                          CT,C,C
> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,C,C
>
> [root@central ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-COM
>
> Certificate Nickname                                           Trust Attributes
>                                                                SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                    u,u,u
> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US                    CT,C,C
> IPA.DOMAIN.COM IPA CA                                          CT,C,C
> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,C,C
>
> [root@central ~]# ipa-certupdate
> trying https://central.ipa.DOMAIN.com/ipa/json
> [try 1]: Forwarding 'ca_is_enabled' to json server 'https://central.ipa.DOMAIN.com/ipa/json'
> [try 1]: Forwarding 'ca_find/1' to json server 'https://central.ipa.DOMAIN.com/ipa/json'
> failed to update Server-Cert in /etc/dirsrv/slapd-IPA-DOMAIN-COM: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-DOMAIN-COM -A -n Server-Cert -t C,, -f /etc/dirsrv/slapd-IPA-DOMAIN-COM/pwdfile.txt' returned non-zero exit status 255
> failed to update Server-Cert in /etc/httpd/alias: Command '/usr/bin/certutil -d /etc/httpd/alias -A -n Server-Cert -t C,, -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
> Systemwide CA database updated.
> Systemwide CA database updated.
> The ipa-certupdate command was successful
You apparently added the cert/nickname Server-Cert as a CA certificate
with ipa-cacert-manage which is conflicting with the real server
certificate during ipa-certupdate.

What version of IPA do you have? If it's reasonably up-to-date you can
see what you have installed using: ipa-cacert-manage list.

rob

> Regards
> Sai
>
> *From:* Florence Blanc-Renaud <[email protected]>
> *Sent:* 07 July 2023 11:19
> *To:* FreeIPA users list <[email protected]>
> *Cc:* Rob Crittenden <[email protected]>; Polavarapu Manideep Sai <[email protected]>
> *Subject:* Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
>
> *CAUTION.* This email originated from outside the organization. Please
> exercise caution before clicking on links or attachments in case of
> suspicion or unknown senders.
>
> Hi,
>
> On Fri, Jul 7, 2023 at 7:00 AM Polavarapu Manideep Sai via FreeIPA-users
> <[email protected]> wrote:
> > Hi Rob,
> >
> > As mentioned in my previous response, here is the error upon
> > executing ipa-cacert-manage install.
> > Please let me know if any other details are required on this.
> >
> > [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.crt
> > Installing CA certificate, please wait
> > Not a valid CA certificate: not a CA certificate (visit
> > http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> > The ipa-cacert-manage command failed.
>
> When you received the certs from the external CA authority, you received
> multiple files. I'm guessing that 1f1f7ab616938168.crt contains your
> server certificate and that's the file you will provide to the
> ipa-server-certinstall command.
>
> There is another file, gd_bundle-g2-g1.crt, which probably contains the
> external CA chain. This is the file you need to provide to the
> ipa-cacert-manage install tool.
> Please don't forget to specify the trust flags for this command:
>
> ipa-cacert-manage install -t CT,C,C <CA cert>
>
> Also note, if the crt file contains multiple certificates, you will have
> to separate them and install them one by one with ipa-cacert-manage.
>
> Hope this helps,
>
> flo
>
> > [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
> > Installing CA certificate, please wait
> > Not a valid CA certificate: not a CA certificate (visit
> > http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> > The ipa-cacert-manage command failed.
> >
> > [root@ Apache]# ipa-cacert-manage install gd_bundle-g2-g1.crt
> > Installing CA certificate, please wait
> > (SEC_ERROR_NO_TOKEN) The security card or token does not exist,
> > needs to be initialized, or has been removed.
> > The ipa-cacert-manage command failed.
> >
> > Regards
> > ManidepSai
> >
> > -----Original Message-----
> > From: Rob Crittenden <[email protected]>
> > Sent: 07 July 2023 00:16
> > To: Polavarapu Manideep Sai <[email protected]>; FreeIPA users list <[email protected]>
> > Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
> >
> > Polavarapu Manideep Sai wrote:
> > > Here are the answers for the questions asked
> > >
> > > 1. You submitted a single CSR and got two certificates back?
> > > Yes, I have shared a single CSR and got two certificates back.
> > >
> > > 2. What does "tomcat name" mean? Is it using a different key?
> > >
> > > Here are the certificate details:
> > >
> > > Received these two zip files
> > >
> > > 1. ipa.example.com_Apache.zip
> > > 2. ipa.example.com_TOMCAT.zip
> > >
> > > [root@ Certificates]# tree
> > > .
> > > ├── Apache
> > > │   ├── 1f1f7ab616938168.crt
> > > │   ├── 1f1f7ab616938168.pem
> > > │   └── gd_bundle-g2-g1.crt
> > > └── Tomcat
> > >     ├── 1f1f7ab616938168.crt
> > >     ├── 1f1f7ab616938168.pem
> > >     ├── gd_bundle-g2-g1.crt
> > >     └── gdig2.crt.pem
> > >
> > > 3. Do you intend on replacing the server certificate for the CA as
> > > well? If so, why?
> >
> > You have to first install the CA chain using ipa-cacert-manage
> > install /path/to/file.
> >
> > Then run ipa-certupdate ON ALL OF YOUR IPA SERVERS AND CLIENTS.
> >
> > Apologies for shouting but if you fail to do this step then any
> > non-updated machines may not trust the new IPA Apache cert and that
> > would be bad.
> >
> > Assuming the chain they provided is complete that should resolve the
> > ipa-server-certinstall issue.
> >
> > rob
> >
> > > NO
> > >
> > > Regards
> > > Sai
> > >
> > > -----Original Message-----
> > > From: Polavarapu Manideep Sai via FreeIPA-users <[email protected]>
> > > Sent: 06 July 2023 22:28
> > > To: Rob Crittenden <[email protected]>; FreeIPA users list <[email protected]>
> > > Cc: Polavarapu Manideep Sai <[email protected]>
> > > Subject: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
> > > Hi Rob,
> > >
> > > Thanks for the reply. Here are the errors upon including .pem;
> > > please let us know if more details are required on this.
> > >
> > > [root@ Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt 1f1f7ab616938168.pem
> > > Directory Manager password:
> > >
> > > Enter private key unlock password:
> > >
> > > Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER)
> > > Peer's Certificate issuer is not recognized.). Please run
> > > ipa-cacert-manage install and ipa-certupdate to install the CA
> > > certificate.
> > > The ipa-server-certinstall command failed.
> > >
> > > =============================================================================
> > > Tried to run ipa-cacert-manage install
> > >
> > > [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
> > > Installing CA certificate, please wait
> > > Not a valid CA certificate: not a CA certificate (visit
> > > http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> > > The ipa-cacert-manage command failed.
> > > [root@ Apache]#
> > >
> > > ====================================================
> > >
> > > [root@ Apache]# certutil -L -d /etc/pki/pki-tomcat/alias
> > >
> > > Certificate Nickname                       Trust Attributes
> > >                                            SSL,S/MIME,JAR/XPI
> > >
> > > ocspSigningCert cert-pki-ca                u,u,u
> > > subsystemCert cert-pki-ca                  u,u,u
> > > Server-Cert cert-pki-ca                    u,u,u
> > > auditSigningCert cert-pki-ca               u,u,Pu
> > > caSigningCert cert-pki-ca                  CTu,Cu,Cu
> > >
> > > [root@ Apache]# certutil -L -d /etc/httpd/alias/
> > >
> > > Certificate Nickname                       Trust Attributes
> > >                                            SSL,S/MIME,JAR/XPI
> > >
> > > Server-Cert                                u,u,u
> > > IPA.EXAMPLE.COM IPA CA                     CT,C,C
> > >
> > > [root@ Apache]# certutil -L -d /etc/dirsrv/slapd-IPA-ONMOBILE-COM/
> > >
> > > Certificate Nickname                       Trust Attributes
> > >                                            SSL,S/MIME,JAR/XPI
> > >
> > > Server-Cert                                u,u,u
> > > IPA.EXAMPLE.COM IPA CA                     CT,C,C
> > >
> > > ===========================================================
> > >
> > > Regards
> > > Sai
> > >
> > > -----Original Message-----
> > > From: Rob Crittenden <[email protected]>
> > > Sent: 06 July 2023 20:55
> > > To: FreeIPA users list <[email protected]>
> > > Cc: Polavarapu Manideep Sai <[email protected]>
> > > Subject: Re: [Freeipa-users] Help-Installing Third-Party Certificates for HTTP or LDAP
> > > Polavarapu Manideep Sai via FreeIPA-users wrote:
> > > > Hi Team,
> > > >
> > > > I have generated central.csr and central.key in my ipa server and
> > > > shared this central.csr to a third-party certificate authority, and I
> > > > got certificates from the certificate authority with two directories,
> > > > one as apache directory and its certificates are 1f1f7ab616938168.crt,
> > > > 1f1f7ab616938168.pem and gd_bundle-g2-g1.crt, and another directory
> > > > with tomcat name and its certificates are 1f1f7ab616938168.crt,
> > > > 1f1f7ab616938168.pem, gd_bundle-g2-g1.crt and gdig2.crt.pem. Now I
> > > > want to install these certificates in my ipa server; can you please
> > > > guide on the same?
> > >
> > > The process you describe is a little hard to follow. You submitted a
> > > single CSR and got two certificates back? What does "tomcat name" mean?
> > > Is it using a different key? Do you intend on replacing the server
> > > certificate for the CA as well? If so, why?
> > >
> > > > I tried this, but getting the below error, can you please share the
> > > > steps to install these SSL certificates
> > > >
> > > > [root@ Apache]# ipa --version
> > > > VERSION: 4.5.0, API_VERSION: 2.228
> > > >
> > > > ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
> > > >
> > > > [root@Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt
> > > > Directory Manager password:
> > > >
> > > > Enter private key unlock password:
> > > >
> > > > No matching certificate found for private key from central.key
> > >
> > > You didn't include the server certificate file you got, ex.
> > > 1f1f7ab616938168.pem
> > >
> > > rob
> > >
> > > ________________________________
> > >
> > > DISCLAIMER: The information in this message is confidential and may
> > > be legally privileged. It is intended solely for the addressee.
> > > Access to this message by anyone else is unauthorized. If you are
> > > not the intended recipient, any disclosure, copying, or distribution
> > > of the message, or any action or omission taken by you in reliance
> > > on it, is prohibited and may be unlawful. Please immediately contact
> > > the sender if you have received this message in error. Further, this
> > > e-mail may contain viruses and all reasonable precaution to minimize
> > > the risk arising there from is taken by OnMobile. OnMobile is not
> > > liable for any damage sustained by you as a result of any virus in
> > > this e-mail. All applicable virus checks should be carried out by
> > > you before opening this e-mail or any attachment thereto.
> > > Thank you - OnMobile Global Limited.
> > > _______________________________________________
> > > FreeIPA-users mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> > > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
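An added example, not part of this thread and not FreeIPA's own tooling, for two points raised above: Flo's note that a bundle holding several certificates has to be split and installed one at a time with "ipa-cacert-manage install -t CT,C,C", and the "Not a valid CA certificate: not a CA certificate" failure when an end-entity certificate is handed to that command instead. The POSIX shell helper below splits a bundle like gd_bundle-g2-g1.crt and, where openssl is available, reports which parts carry basicConstraints CA:TRUE; the cert-N.pem names, the output directory, the use of openssl for inspection and the placeholder sample bundle are all assumptions, and nothing is installed.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: prepare a
# multi-certificate PEM bundle such as gd_bundle-g2-g1.crt for one-by-one
# installation with "ipa-cacert-manage install -t CT,C,C <file>".
# Nothing is installed; the install commands are only printed.

# Split a PEM bundle ($1) into $2/cert-N.pem (naming is an assumption),
# ignoring any text between blocks; prints how many certificates it found.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > (out) }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Classify one PEM file as "ca" (basicConstraints CA:TRUE), "leaf" (end-entity;
# ipa-cacert-manage rejects these as "not a CA certificate") or "unparsed".
classify_cert() {
    command -v openssl >/dev/null 2>&1 || { echo unparsed; return 0; }
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unparsed; return 0; }
    case "$text" in
        *CA:TRUE*) echo ca ;;
        *)         echo leaf ;;
    esac
}

# Split the bundle and print what to do with each part.
plan_install() {
    count=$(split_pem_bundle "$1" "$2")
    for f in "$2"/cert-*.pem; do
        case "$(classify_cert "$f")" in
            ca)   echo "ipa-cacert-manage install -t CT,C,C $f" ;;
            leaf) echo "skip $f: end-entity cert, it belongs to ipa-server-certinstall" ;;
            *)    echo "inspect $f manually: openssl could not parse it" ;;
        esac
    done
    echo "$count certificate(s) found in $1"
}

# Constructed sample bundle: three placeholder PEM blocks (not real
# certificates), each preceded by a comment line as some CA bundles are.
make_sample_bundle() {
    : > "$1"
    for i in 1 2 3; do
        printf 'subject=placeholder %s\n-----BEGIN CERTIFICATE-----\nbm90IGEgcmVhbCBjZXJ0aWZpY2F0ZSAj%s\n-----END CERTIFICATE-----\n' "$i" "$i" >> "$1"
    done
}

# Usage: sh split_bundle.sh /home/omadmin/Certificates/Apache/gd_bundle-g2-g1.crt /tmp/ca-parts
if [ "$#" -eq 2 ]; then plan_install "$1" "$2"; fi
```

After the CA parts are installed, ipa-certupdate still has to be run on every server and client, as Rob says above; the server certificate itself goes to ipa-server-certinstall, not to ipa-cacert-manage.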
