Polavarapu Manideep Sai wrote:
> Hi Rob,
>
> I am using VERSION: 4.5.0, API_VERSION: 2.228, so it is not possible to use
> ipa-cacert-manage list.
>
> Please let me know if more details are required on this.

You'll need to try removing it manually using ldapdelete. The entries are
stored in cn=certificates,cn=ipa,cn=etc,$SUFFIX.

$ ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
...
cn: EXAMPLE.TEST IPA CA
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.TEST
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.TEST;1
...

These attributes should help you identify the right entry to remove.

rob

> -----Original Message-----
> From: Rob Crittenden <[email protected]>
> Sent: 07 July 2023 21:26
> To: Polavarapu Manideep Sai <[email protected]>; Florence Blanc-Renaud <[email protected]>; FreeIPA users list <[email protected]>
> Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
>
> Polavarapu Manideep Sai wrote:
>> Hi Florence,
>>
>> As per your suggestion, I have done the same.
>>
>> This crt gd_bundle-g2-g1.crt has multiple certificates, i.e. 3
>> certificates [1st.crt, 2nd.crt and 3rd.crt], installed using the
>> below commands, and also executed:
>>
>> ipa-cacert-manage install -t CT,C,C 1st.crt [it failed]
>> ipa-cacert-manage install -t CT,C,C 2nd.crt [it was successful]
>> ipa-cacert-manage install -t CT,C,C 3rd.crt [it was successful]
>> ipa-cacert-manage -p XXXX Server-Cert -t C,, install /home/omadmin/Certificates/Apache/gd_bundle-g2-g1.crt [it was successful]
>>
>> I executed this, and certificates got installed into /etc/httpd/alias/,
>> /etc/dirsrv/slapd-IPA-DOMAIN-COM and /etc/pki/pki-tomcat/alias/
>> databases as shown below.
>>
>> Can you see the error during the ipa-certupdate? The /usr/bin/certutil
>> commands returned non-zero codes.
>>
>> [root@central ~]# ipa-cacert-manage -p XXXX Server-Cert -t C,, install /home/omadmin/Certificates/Apache/gd_bundle-g2-g1.crt
>> Installing CA certificate, please wait
>> CA certificate successfully installed
>> The ipa-cacert-manage command was successful
>>
>> [root@central ~]# certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                                                                     Trust Attributes
>>                                                                                          SSL,S/MIME,JAR/XPI
>>
>> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US             CT,C,C
>> Server-Cert                                                                              u,u,u
>> IPA.DOMAIN.COM IPA CA                                                                    CT,C,C
>> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,C,C
>>
>> [root@central ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-COM
>>
>> Certificate Nickname                                                                     Trust Attributes
>>                                                                                          SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                                                                              u,u,u
>> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US             CT,C,C
>> IPA.DOMAIN.COM IPA CA                                                                    CT,C,C
>> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,C,C
>>
>> [root@central ~]# ipa-certupdate
>> trying https://central.ipa.DOMAIN.com/ipa/json
>> [try 1]: Forwarding 'ca_is_enabled' to json server 'https://central.ipa.DOMAIN.com/ipa/json'
>> [try 1]: Forwarding 'ca_find/1' to json server 'https://central.ipa.DOMAIN.com/ipa/json'
>> failed to update Server-Cert in /etc/dirsrv/slapd-IPA-DOMAIN-COM: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-DOMAIN-COM -A -n Server-Cert -t C,, -f /etc/dirsrv/slapd-IPA-DOMAIN-COM/pwdfile.txt' returned non-zero exit status 255
>> failed to update Server-Cert in /etc/httpd/alias: Command '/usr/bin/certutil -d /etc/httpd/alias -A -n Server-Cert -t C,, -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
>> Systemwide CA database updated.
>> Systemwide CA database updated.
>> The ipa-certupdate command was successful
>
> You apparently added the cert/nickname Server-Cert as a CA certificate with
> ipa-cacert-manage which is conflicting with the real server certificate
> during ipa-certupdate.
>
> What version of IPA do you have? If it's reasonably up-to-date you can see
> what you have installed using: ipa-cacert-manage list.
>
> rob
>
>> Regards
>> Sai
>>
>> From: Florence Blanc-Renaud <[email protected]>
>> Sent: 07 July 2023 11:19
>> To: FreeIPA users list <[email protected]>
>> Cc: Rob Crittenden <[email protected]>; Polavarapu Manideep Sai <[email protected]>
>> Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
>>
>> Hi,
>>
>> On Fri, Jul 7, 2023 at 7:00 AM Polavarapu Manideep Sai via FreeIPA-users <[email protected]> wrote:
>>
>> Hi Rob,
>>
>> As mentioned in my previous response, here is the error upon executing
>> ipa-cacert-manage install. Please let me know if any other details are
>> required on this.
>>
>> [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.crt
>> Installing CA certificate, please wait
>> Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
>> The ipa-cacert-manage command failed.
>>
>> When you received the certs from the external CA authority, you received
>> multiple files. I'm guessing that 1f1f7ab616938168.crt contains your
>> server certificate and that's the file you will provide to the
>> ipa-server-certinstall command.
>>
>> There is another file, gd_bundle-g2-g1.crt, which probably contains the
>> external CA chain. This is the file you need to provide to the
>> ipa-cacert-manage install tool. Please don't forget to specify the trust
>> flags for this command:
>>
>> ipa-cacert-manage install -t CT,C,C <CA cert>
>>
>> Also note, if the crt file contains multiple certificates, you will have
>> to separate them and install them one by one with ipa-cacert-manage.
>>
>> Hope this helps,
>>
>> flo
>>
>> [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
>> Installing CA certificate, please wait
>> Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
>> The ipa-cacert-manage command failed.
>>
>> [root@ Apache]# ipa-cacert-manage install gd_bundle-g2-g1.crt
>> Installing CA certificate, please wait
>> (SEC_ERROR_NO_TOKEN) The security card or token does not exist, needs to be initialized, or has been removed.
>> The ipa-cacert-manage command failed.
>>
>> Regards
>> ManidepSai
>>
>> -----Original Message-----
>> From: Rob Crittenden <[email protected]>
>> Sent: 07 July 2023 00:16
>> To: Polavarapu Manideep Sai <[email protected]>; FreeIPA users list <[email protected]>
>> Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
>>
>> Polavarapu Manideep Sai wrote:
>> > Here are the answers for the questions asked
>> >
>> > 1. You submitted a single CSR and got two certificates back?
>> > Yes, I have shared a single CSR and got two certificates back.
>> >
>> > 2. What does "tomcat name" mean? Is it using a different key?
>> >
>> > Here are the certificate details:
>> >
>> > Received these two zip files
>> >
>> > 1. ipa.example.com_Apache.zip
>> > 2. ipa.example.com_TOMCAT.zip
>> >
>> > [root@ Certificates]# tree
>> > .
>> > ├── Apache
>> > │   ├── 1f1f7ab616938168.crt
>> > │   ├── 1f1f7ab616938168.pem
>> > │   └── gd_bundle-g2-g1.crt
>> > └── Tomcat
>> >     ├── 1f1f7ab616938168.crt
>> >     ├── 1f1f7ab616938168.pem
>> >     ├── gd_bundle-g2-g1.crt
>> >     └── gdig2.crt.pem
>> >
>> > 3. Do you intend on replacing the server certificate for the CA as
>> > well? If so, why?
>>
>> You have to first install the CA chain using ipa-cacert-manage
>> install /path/to/file.
>>
>> Then run ipa-certupdate ON ALL OF YOUR IPA SERVERS AND CLIENTS.
>>
>> Apologies for shouting but if you fail to do this step then any
>> non-updated machines may not trust the new IPA Apache cert and that
>> would be bad.
>>
>> Assuming the chain they provided is complete that should resolve the
>> ipa-server-certinstall issue.
>>
>> rob
>>
>> > NO
>> >
>> > Regards
>> > Sai
>> >
>> > -----Original Message-----
>> > From: Polavarapu Manideep Sai via FreeIPA-users <[email protected]>
>> > Sent: 06 July 2023 22:28
>> > To: Rob Crittenden <[email protected]>; FreeIPA users list <[email protected]>
>> > Cc: Polavarapu Manideep Sai <[email protected]>
>> > Subject: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
>> >
>> > Hi Rob,
>> >
>> > Thanks for the reply. Here are the errors upon including .pem;
>> > please let us know if more details are required on this.
>> >
>> > [root@ Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt 1f1f7ab616938168.pem
>> > Directory Manager password:
>> >
>> > Enter private key unlock password:
>> >
>> > Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
>> > The ipa-server-certinstall command failed.
>> >
>> > =============================================================================
>> > Tried to run ipa-cacert-manage install
>> >
>> > [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
>> > Installing CA certificate, please wait
>> > Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
>> > The ipa-cacert-manage command failed.
>> > [root@ Apache]#
>> >
>> > ====================================================
>> >
>> > [root@ Apache]# certutil -L -d /etc/pki/pki-tomcat/alias
>> >
>> > Certificate Nickname                                         Trust Attributes
>> >                                                              SSL,S/MIME,JAR/XPI
>> >
>> > ocspSigningCert cert-pki-ca                                  u,u,u
>> > subsystemCert cert-pki-ca                                    u,u,u
>> > Server-Cert cert-pki-ca                                      u,u,u
>> > auditSigningCert cert-pki-ca                                 u,u,Pu
>> > caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> > [root@ Apache]#
>> >
>> > [root@ Apache]# certutil -L -d /etc/httpd/alias/
>> >
>> > Certificate Nickname                                         Trust Attributes
>> >                                                              SSL,S/MIME,JAR/XPI
>> >
>> > Server-Cert                                                  u,u,u
>> > IPA.EXAMPLE.COM IPA CA                                       CT,C,C
>> > [root@ Apache]#
>> >
>> > [root@ Apache]# certutil -L -d /etc/dirsrv/slapd-IPA-ONMOBILE-COM/
>> >
>> > Certificate Nickname                                         Trust Attributes
>> >                                                              SSL,S/MIME,JAR/XPI
>> >
>> > Server-Cert                                                  u,u,u
>> > IPA.EXAMPLE.COM IPA CA                                       CT,C,C
>> > [root@ Apache]#
>> >
>> > ===========================================================
>> >
>> > Regards
>> > Sai
>> >
>> > -----Original Message-----
>> > From: Rob Crittenden <[email protected]>
>> > Sent: 06 July 2023 20:55
>> > To: FreeIPA users list <[email protected]>
>> > Cc: Polavarapu Manideep Sai <[email protected]>
>> > Subject: Re: [Freeipa-users] Help-Installing Third-Party Certificates for HTTP or LDAP
>> >
>> > Polavarapu Manideep Sai via FreeIPA-users wrote:
>> >> Hi Team,
>> >>
>> >> I have generated central.csr and central.key in my ipa server and
>> >> shared this central.csr to a third-party certificate authority, and I
>> >> got certificates from the certificate authority with two directories:
>> >> one as an apache directory, and its certificates are 1f1f7ab616938168.crt,
>> >> 1f1f7ab616938168.pem and gd_bundle-g2-g1.crt, and another directory
>> >> with tomcat name, and its certificates are 1f1f7ab616938168.crt,
>> >> 1f1f7ab616938168.pem, gd_bundle-g2-g1.crt and gdig2.crt.pem. Now I
>> >> want to install these certificates in my ipa server; can you please
>> >> guide on the same?
>> >
>> > The process you describe is a little hard to follow. You submitted a
>> > single CSR and got two certificates back? What does "tomcat name" mean?
>> > Is it using a different key? Do you intend on replacing the server
>> > certificate for the CA as well? If so, why?
>> >
>> >> I tried this, but am getting the below error; can you please share the
>> >> steps to install these SSL certificates.
>> >>
>> >> [root@ Apache]# ipa --version
>> >> VERSION: 4.5.0, API_VERSION: 2.228
>> >>
>> >> ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
>> >>
>> >> [root@Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt
>> >> Directory Manager password:
>> >>
>> >> Enter private key unlock password:
>> >>
>> >> No matching certificate found for private key from central.key
>> >
>> > You didn't include the server certificate file you got, ex.
>> > 1f1f7ab616938168.pem
>> >
>> > rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
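Rob's ldapsearch/ldapdelete step at the top of this thread, as an added example that is not part of the thread or of FreeIPA: it parses the LDIF that ldapsearch prints for cn=certificates (a constructed sample here, including a folded line and a base64-encoded attribute), flags the entry whose cn collides with the server-certificate nickname Server-Cert, and prints the ldapdelete command to run by hand. The sample entries, their attribute values and the assumption that the wrongly added entry's cn is exactly Server-Cert are mine, not taken from the thread.

```python
# Added example (not FreeIPA code): parse the LDIF printed by
#   ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$SUFFIX
# and pick out the entry whose cn collides with the NSS server-certificate
# nickname; prints the ldapdelete command for it and deletes nothing itself.
import base64
import shlex

SERVER_CERT_NICKNAME = "Server-Cert"  # nickname of the real server cert in the NSS DBs

# Constructed sample of ldapsearch output (no real deployment data): the real
# IPA CA entry plus a chain cert wrongly installed under nickname Server-Cert.
# The second entry uses LDIF line folding (continuation line starting with a
# space) and the base64 "attr:: value" form; the dn-less trailer is ignored.
_ISSUER_SERIAL = ("CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\\, Inc.,"
                  "L=Scottsdale,ST=Arizona,C=US;0")
SAMPLE_LDIF = f"""# extended LDIF, base cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=EXAMPLE.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
cn: EXAMPLE.TEST IPA CA
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.TEST
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.TEST;1

dn: cn=Server-Cert,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
cn: Server-Cert
ipaCertSubject: CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\\, In
 c.,L=Scottsdale,ST=Arizona,C=US
ipaCertIssuerSerial:: {base64.b64encode(_ISSUER_SERIAL.encode()).decode()}

# search result
search: 2
result: 0 Success
"""


def parse_ldif(ldif: str) -> list[dict[str, list[str]]]:
    """One {attribute: [values]} dict per entry that has a dn; '#' lines are
    skipped, a blank line ends an entry, 'attr:: value' is base64-decoded."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    # RFC 2849 folding: newline + one space continues the previous value
    for line in ldif.replace("\n ", "").splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line:
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def find_conflicting(entries, nickname=SERVER_CERT_NICKNAME):
    """Entries whose cn equals the server-cert nickname; ipa-certupdate would
    try to import them into the NSS databases under that already-used name."""
    return [e for e in entries if nickname in e.get("cn", [])]


def ldapdelete_command(entry) -> str:
    """Removal command for one entry; the DN is shell-quoted (spaces, commas)."""
    return "ldapdelete -Y GSSAPI " + shlex.quote(entry["dn"][0])
```

Run `find_conflicting(parse_ldif(SAMPLE_LDIF))` against the sample, or feed it real ldapsearch output; after removing the entry, rerun ipa-certupdate on every server and client, as Rob says earlier in the thread.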
