I installed the 1.2.2-1 version from the test repo. I get really close to the end, but it is still bombing when trying to set the trust permissions on the web server cert. For some reason the final cert in the chain did not get installed into the /etc/httpd/alias directory. All worked fine for the directory server.

root        : DEBUG      [6/9]: Setting up ssl
 [6/9]: Setting up ssl
root        : DEBUG      Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
root        : DEBUG      Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
root        : INFO
root        : INFO
root        : INFO       pk12util: PKCS12 IMPORT SUCCESSFUL

root        : INFO
root        : INFO       Key(shrouded):
   Friendly Name: Server-Cert

   Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
       Parameters:
           Salt:
               60:9a:79:e9:17:26:64:78:84:fc:4a:99:8f:19:ad:da
           Iteration Count: 1 (0x1)
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 769 (0x301)
       Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US"
       Validity:
           Not Before: Thu Nov 16 01:54:37 2006
           Not After : Mon Nov 16 01:54:37 2026
        Subject: "serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
       Subject Public Key Info:
           Public Key Algorithm: PKCS #1 RSA Encryption
           RSA Public Key:
               Modulus:
                   c4:2d:d5:15:8c:9c:26:4c:ec:32:35:eb:5f:b8:59:01:
                   5a:a6:61:81:59:3b:70:63:ab:e3:dc:3d:c7:2a:b8:c9:
                   33:d3:79:e4:3a:ed:3c:30:23:84:8e:b3:30:14:b6:b2:
                   87:c3:3d:95:54:04:9e:df:99:dd:0b:25:1e:21:de:65:
                   29:7e:35:a8:a9:54:eb:f6:f7:32:39:d4:26:55:95:ad:
                   ef:fb:fe:58:86:d7:9e:f4:00:8d:8c:2a:0c:bd:42:04:
                   ce:a7:3f:04:f6:ee:80:f2:aa:ef:52:a1:69:66:da:be:
                   1a:ad:5d:da:2c:66:ea:1a:6b:bb:e5:1a:51:4a:00:2f:
                   48:c7:98:75:d8:b9:29:c8:ee:f8:66:6d:0a:9c:b3:f3:
                   fc:78:7c:a2:f8:a3:f2:b5:c3:f3:b9:7a:91:c1:a7:e6:
                   25:2e:9c:a8:ed:12:65:6e:6a:f6:12:44:53:70:30:95:
                   c3:9c:2b:58:2b:3d:08:74:4a:f2:be:51:b0:bf:87:d0:
                   4c:27:58:6b:b5:35:c5:9d:af:17:31:f8:0b:8f:ee:ad:
                   81:36:05:89:08:98:cf:3a:af:25:87:c0:49:ea:a7:fd:
                   67:f7:45:8e:97:cc:14:39:e2:36:85:b5:7e:1a:37:fd:
                   16:f6:71:11:9a:74:30:16:fe:13:94:a3:3f:84:0d:4f
               Exponent: 65537 (0x10001)
       Signed Extensions:
           Name: Certificate Subject Key ID
           Data:
               fd:ac:61:32:93:6c:45:d6:e2:ee:85:5f:9a:ba:e7:76:
               99:68:cc:e7

           Name: Certificate Authority Key Identifier
           Key ID:
               d2:c4:b0:d2:91:d4:4c:11:71:b3:61:cb:3d:a1:fe:dd:
               a8:6a:d4:e3

           Name: Certificate Basic Constraints
           Critical: True
           Data: Is a CA with a maximum path length of 0.

           Name: Authority Information Access
           Method: PKIX Online Certificate Status Protocol
           Location:
                URI: "http://ocsp.godaddy.com"

           Name: CRL Distribution Points
            URI: "http://certificates.godaddy.com/repository/gdroot.crl"

           Name: Certificate Policies
           Data:
               Policy Name: Certificate Policies AnyPolicy
                   Policy Qualifier Name: PKIX CPS Pointer Qualifier
                    Policy Qualifier Data: "http://certificates.godaddy.com/repository"

           Name: Certificate Key Usage
           Critical: True
           Usages: Certificate Signing
                   CRL Signing

   Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
   Signature:
       d2:86:c0:ec:bd:f9:a1:b6:67:ee:66:0b:a2:06:3a:04:
       50:8e:15:72:ac:4a:74:95:53:cb:37:cb:44:49:ef:07:
       90:6b:33:d9:96:f0:94:56:a5:13:30:05:3c:85:32:21:
       7b:c9:c7:0a:a8:24:a4:90:de:46:d3:25:23:14:03:67:
       c2:10:d6:6f:0f:5d:7b:7a:cc:9f:c5:58:2a:c1:c4:9e:
       21:a8:5a:f3:ac:a4:46:f3:9e:e4:63:cb:2f:90:a4:29:
       29:01:d9:72:2c:29:df:37:01:27:bc:4f:ee:68:d3:21:
       8f:c0:b3:e4:f5:09:ed:d2:10:aa:53:b4:be:f0:cc:59:
       0b:d6:3b:96:1c:95:24:49:df:ce:ec:fd:a7:48:91:14:
       45:0e:3a:36:6f:da:45:b3:45:a2:41:c9:d4:d7:44:4e:
       3e:b9:74:76:d5:a2:13:55:2c:c6:87:a3:b5:99:ac:06:
       84:87:7f:75:06:fc:bf:14:4c:0e:cc:6e:c4:df:3d:b7:
       12:71:f4:e8:f1:51:40:22:28:49:e0:1d:4b:87:a8:34:
       cc:06:a2:dd:12:5a:d1:86:36:64:03:35:6f:6f:77:6e:
       eb:f2:85:50:98:5e:ab:03:53:ad:91:23:63:1f:16:9c:
       cd:b9:b2:05:63:3a:e1:f4:68:1b:17:05:35:95:53:ee
   Fingerprint (MD5):
       D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
   Fingerprint (SHA1):
       7C:46:56:C3:06:1F:7F:4C:0D:67:B3:19:A8:55:F6:0E:BC:11:FC:44

   Friendly Name: Go Daddy Secure Certification Authority

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 269 (0x10d)
       Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network"
       Validity:
           Not Before: Tue Jun 29 17:06:20 2004
           Not After : Sat Jun 29 17:06:20 2024
        Subject: "OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US"
       Subject Public Key Info:
           Public Key Algorithm: PKCS #1 RSA Encryption
           RSA Public Key:
               Modulus:
                   de:9d:d7:ea:57:18:49:a1:5b:eb:d7:5f:48:86:ea:be:
                   dd:ff:e4:ef:67:1c:f4:65:68:b3:57:71:a0:5e:77:bb:
                   ed:9b:49:e9:70:80:3d:56:18:63:08:6f:da:f2:cc:d0:
                   3f:7f:02:54:22:54:10:d8:b2:81:d4:c0:75:3d:4b:7f:
                   c7:77:c3:3e:78:ab:1a:03:b5:20:6b:2f:6a:2b:b1:c5:
                   88:7e:c4:bb:1e:b0:c1:d8:45:27:6f:aa:37:58:f7:87:
                   26:d7:d8:2d:f6:a9:17:b7:1f:72:36:4e:a6:17:3f:65:
                   98:92:db:2a:6e:5d:a2:fe:88:e0:0b:de:7f:e5:8d:15:
                   e1:eb:cb:3a:d5:e2:12:a2:13:2d:d8:8e:af:5f:12:3d:
                   a0:08:05:08:b6:5c:a5:65:38:04:45:99:1e:a3:60:60:
                   74:c5:41:a5:72:62:1b:62:c5:1f:6f:5f:1a:42:be:02:
                   51:65:a8:ae:23:18:6a:fc:78:03:a9:4d:7f:80:c3:fa:
                   ab:5a:fc:a1:40:a4:ca:19:16:fe:b2:c8:ef:5e:73:0d:
                   ee:77:bd:9a:f6:79:98:bc:b1:07:67:a2:15:0d:dd:a0:
                   58:c6:44:7b:0a:3e:62:28:5f:ba:41:07:53:58:cf:11:
                   7e:38:74:c5:f8:ff:b5:69:90:8f:84:74:ea:97:1b:af
               Exponent: 3 (0x3)
       Signed Extensions:
           Name: Certificate Subject Key ID
           Data:
               d2:c4:b0:d2:91:d4:4c:11:71:b3:61:cb:3d:a1:fe:dd:
               a8:6a:d4:e3

           Name: Certificate Authority Key Identifier
           Issuer:
                Directory Name: "e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network"
           Serial Number: 1 (0x1)

           Name: Certificate Basic Constraints
           Critical: True
           Data: Is a CA with no maximum path length.

           Name: Authority Information Access
           Method: PKIX Online Certificate Status Protocol
           Location:
                URI: "http://ocsp.godaddy.com"

           Name: CRL Distribution Points
            URI: "http://certificates.godaddy.com/repository/root.crl"

           Name: Certificate Policies
           Data:
               Policy Name: Certificate Policies AnyPolicy
                   Policy Qualifier Name: PKIX CPS Pointer Qualifier
                    Policy Qualifier Data: "http://certificates.godaddy.com/repository"

           Name: Certificate Key Usage
           Critical: True
           Usages: Certificate Signing
                   CRL Signing

   Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
   Signature:
       b5:40:f9:a7:1d:f6:ea:fe:a4:1a:42:5a:44:f7:15:d4:
       85:46:89:c0:be:9e:e3:e3:eb:c5:e3:58:89:8f:92:9f:
       57:a8:71:2c:48:d1:81:b2:79:1f:ac:06:35:19:b0:4e:
       0e:58:1b:14:b3:98:81:d1:04:1e:c8:07:c9:83:9f:78:
       44:0a:18:0b:98:dc:76:7a:65:0d:0d:6d:80:c4:0b:01:
       1c:cb:ad:47:3e:71:be:77:4b:cc:06:77:d0:f4:56:6b:
       1f:4b:13:9a:14:8a:88:23:a8:51:f0:83:4c:ab:35:bf:
       46:7e:39:dc:75:a4:ae:e8:29:fb:ef:39:8f:4f:55:67
   Fingerprint (MD5):
       82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45
   Fingerprint (SHA1):
       DE:70:F4:E2:11:6F:7F:DC:E7:5F:9D:13:01:2B:7E:68:7A:3B:2C:62

   Friendly Name: Go Daddy Class 2 Certification Authority

Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number: 1 (0x1)
       Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network"
       Validity:
           Not Before: Sat Jun 26 00:19:54 1999
           Not After : Wed Jun 26 00:19:54 2019
        Subject: "e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network"
       Subject Public Key Info:
           Public Key Algorithm: PKCS #1 RSA Encryption
           RSA Public Key:
               Modulus:
                   ce:3a:71:ca:e5:ab:c8:59:92:55:d7:ab:d8:74:0e:f9:
                   ee:d9:f6:55:47:59:65:47:0e:05:55:dc:eb:98:36:3c:
                   5c:53:5d:d3:30:cf:38:ec:bd:41:89:ed:25:42:09:24:
                   6b:0a:5e:b3:7c:dd:52:2d:4c:e6:d4:d6:7d:5a:59:a9:
                   65:d4:49:13:2d:24:4d:1c:50:6f:b5:c1:85:54:3b:fe:
                   71:e4:d3:5c:42:f9:80:e0:91:1a:0a:5b:39:36:67:f3:
                   3f:55:7c:1b:3f:b4:5f:64:73:34:e3:b4:12:bf:87:64:
                   f8:da:12:ff:37:27:c1:b3:43:bb:ef:7b:6e:2e:69:f7
               Exponent: 65537 (0x10001)
   Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
   Signature:
       3b:7f:50:6f:6f:50:94:99:49:62:38:38:1f:4b:f8:a5:
       c8:3e:a7:82:81:f6:2b:c7:e8:c5:ce:e8:3a:10:82:cb:
       18:00:8e:4d:bd:a8:58:7f:a1:79:00:b5:bb:e9:8d:af:
       41:d9:0f:34:ee:21:81:19:a0:32:49:28:f4:c4:8e:56:
       d5:52:33:fd:50:d5:7e:99:6c:03:e4:c9:4c:fc:cb:6c:
       ab:66:b3:4a:21:8c:e5:b5:0c:32:3e:10:b2:cc:6c:a1:
       dc:9a:98:4c:02:5b:f3:ce:b9:9e:a5:72:0e:4a:b7:3f:
       3c:e6:16:68:f8:be:ed:74:4c:bc:5b:d5:62:1f:43:dd
   Fingerprint (MD5):
       A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
   Fingerprint (SHA1):
       31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6

   Friendly Name: valicert.com

Certificate(has private key):
   Data:
       Version: 3 (0x2)
       Serial Number:
           04:71:37:7b:34:f8:99
       Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"


...... Details about my server key removed .........


root        : INFO
root        : INFO
root        : INFO
root        : INFO
root        : INFO
root        : INFO
root        : INFO       certutil: could not find certificate named "valicert.com": security library: bad database.

creation of replica failed: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n valicert.com -t CT,CT,' returned non-zero exit status 255
root        : DEBUG      Command '/usr/bin/certutil -d /etc/httpd/alias -M -n valicert.com -t CT,CT,' returned non-zero exit status 255
  File "/usr/sbin/ipa-replica-install", line 294, in <module>
    main()
  File "/usr/sbin/ipa-replica-install", line 259, in main
    install_http(config)
  File "/usr/sbin/ipa-replica-install", line 146, in install_http
    http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info)
  File "/usr/lib/python2.5/site-packages/ipaserver/httpinstance.py", line 81, in create_instance
    self.start_creation("Configuring the web interface")
  File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, in start_creation
    method()
  File "/usr/lib/python2.5/site-packages/ipaserver/httpinstance.py", line 160, in __setup_ssl
    ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 476, in create_from_pkcs12
    self.trust_root_cert(nickname)
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 390, in trust_root_cert
    "-t", "CT,CT,"])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 133, in run_certutil
    return ipautil.run(new_args, stdin)
  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
    raise CalledProcessError(p.returncode, ' '.join(args))

[r...@replica ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      CT,C,
Go Daddy Class 2 Certification Authority                     CT,C,




Rob Crittenden wrote:
James Roman wrote:
OK I am still running into a similar problem when installing the replica server. It appears that the problem stems from the chained CA certificates from GoDaddy again. On the replica server, all the certs appear to be installed properly. The script is choking when modifying the trust arguments. It looks like it is grabbing the certificate name from the wrong place again.

This should be fixed in ipa v1.2.2 which is in the Fedora updates-testing repo.

rob



     ipa-replica-install Error:

NOTE: Take a look at where the quotes are showing up in the "certutil -d" lines.

root        : DEBUG      [10/17]: configuring ssl for ds instance
 [10/17]: configuring ssl for ds instance
root        : DEBUG      Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
root        : INFO
root        : INFO
root        : INFO       pk12util: PKCS12 IMPORT SUCCESSFUL

root        : INFO
root        : INFO
root        : INFO       certutil: could not find certificate named "valicert.com" [e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.": The security card or token does not exist, needs to be initialized, or has been removed.

creation of replica failed: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255
root        : DEBUG      Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255
  File "/usr/sbin/ipa-replica-install", line 294, in <module>
    main()
  File "/usr/sbin/ipa-replica-install", line 244, in main
    ds = install_ds(config)
  File "/usr/sbin/ipa-replica-install", line 115, in install_ds
    ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
  File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 193, in create_instance
    self.start_creation("Configuring directory server:")
  File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, in start_creation
    method()
  File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 345, in __enable_ssl
    ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 403, in create_from_pkcs12
    self.trust_root_cert(nickname)
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert
    "-t", "CT,CT,"])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
    return ipautil.run(new_args, stdin)
  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
    raise CalledProcessError(p.returncode, ' '.join(args))


     Replica server Cert DB:

[r...@replica slapd-REALM-COM]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      ,,
Go Daddy Class 2 Certification Authority                     ,,
valicert.com                                                 ,,

Rob Crittenden wrote:
James Roman wrote:
Can anyone elaborate on the options for the ipa-replica-prepare command? I have a third party signed certificate for both my master and replica server. Am I supposed to provide the PKCS12 file for the master server or the replica? If it is looking for the master server, I really don't want the script generating a new certificate for the replica. I already have one. Any way to by-pass that option?

The PKCS#12 file(s) are for the replica server. If you provide both then IPA will not attempt to generate one.

rob


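Both failures in this thread are the same step: after pk12util imports the PKCS#12 chain, the installer takes the root CA's nickname from the certificate listing and runs `certutil -M -n <nickname> -t CT,CT,` on it, which fails when the nickname is wrong (the earlier run, where the subject DN was glued onto `valicert.com`) or when that certificate is not in the target database (this run, where `valicert.com` never reached /etc/httpd/alias). The Python below is an added example, not FreeIPA's own code, showing the parsing and the check a practitioner would want before issuing `certutil -M`: it reads the Friendly Name of each certificate block from `pk12util -l` style output (re-joining DNs the tool wraps across lines and skipping the Key(shrouded) block), picks the self-signed certificate as the root, verifies every CA nickname against `certutil -L` output, and builds the command as an argv list so spaces or quotes in a nickname cannot leak into the command line. The listings are constructed, abbreviated versions of the ones in the thread (the ValiCert e-mail address is a placeholder), the database paths and the `CT,CT,` trust string are the ones the thread shows, and nothing is executed.

```python
"""Choose the CA nickname to trust after a pk12util import (added example, not FreeIPA code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed `pk12util -l` output abbreviated from the thread; DNs wrap the way the tool wraps them.
SAMPLE_PK12_LISTING = """\
Key(shrouded):
    Friendly Name: Server-Cert
Certificate:
        Issuer: "e=ca@valicert.example,CN=http://www.valicert.com/,O="ValiCert, Inc.",L=ValiCert
            Validation Network"
        Subject: "OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy
            Group, Inc.",C=US"
    Friendly Name: Go Daddy Class 2 Certification Authority
Certificate:
        Issuer: "e=ca@valicert.example,CN=http://www.valicert.com/,O="ValiCert, Inc.",L=ValiCert
            Validation Network"
        Subject: "e=ca@valicert.example,CN=http://www.valicert.com/,O="ValiCert, Inc.",L=ValiCer
            t Validation Network"
    Friendly Name: valicert.com
Certificate(has private key):
        Issuer: "OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US"
        Subject: "CN=replica.example.test,O=Example"
    Friendly Name: Server-Cert
"""
# Constructed `certutil -L` output: the directory server db holds the chain, the httpd db lacks the root.
SAMPLE_DS_DB = """\
Certificate Nickname                                         Trust Attributes
Server-Cert                                                  u,u,u
Go Daddy Class 2 Certification Authority                     ,,
valicert.com                                                 ,,
"""
SAMPLE_HTTPD_DB = """\
Certificate Nickname                                         Trust Attributes
Server-Cert                                                  u,u,u
Go Daddy Class 2 Certification Authority                     CT,C,
"""
CERT_HDR = re.compile(r"^\s*Certificate(\(has private key\))?:\s*$")
KEY_HDR = re.compile(r"^\s*Key\(.*\):\s*$")
FIELD = re.compile(r"^\s*(Friendly Name|Issuer|Subject):\s*(.*)$")
TRUST_ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_pk12util_listing(text: str) -> List[Dict[str, object]]:
    """One record per certificate block: nickname, issuer, subject, has_key."""
    certs: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if KEY_HDR.match(line):
            current = None  # a Key(...) block carries its own Friendly Name; it is not a certificate
            continue
        m = CERT_HDR.match(line)
        if m:
            current = {"has_key": m.group(1) is not None, "nickname": None, "issuer": "", "subject": ""}
            certs.append(current)
            continue
        m = FIELD.match(line)
        if m is None or current is None:
            continue
        field, value = m.group(1), m.group(2).strip()
        # Re-join a DN that pk12util wrapped: it is complete once its closing quote arrives
        # (heuristic: assumes the wrap never lands right after an inner closing quote).
        while field != "Friendly Name" and not value.endswith('"') and i < len(lines):
            value, i = value + lines[i].strip(), i + 1
        current["nickname" if field == "Friendly Name" else field.lower()] = value
    return certs


def find_root_nickname(certs: List[Dict[str, object]]) -> Optional[str]:
    """Nickname of the self-signed CA: issuer equals subject once wrapping whitespace is dropped."""
    for c in certs:
        if not c["has_key"] and c["issuer"] and re.sub(r"\s+", "", str(c["issuer"])) == re.sub(r"\s+", "", str(c["subject"])):
            return str(c["nickname"])
    return None


def parse_certutil_list(text: str) -> Dict[str, str]:
    """Map nickname -> trust flags from `certutil -L -d <dir>` output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = TRUST_ROW.match(line)
        if m and not line.startswith("Certificate Nickname"):
            table[m.group("nick").strip()] = m.group("trust")
    return table


def plan_trust_commands(dbdir: str, certs: List[Dict[str, object]],
                        installed: Dict[str, str]) -> Tuple[List[List[str]], List[str]]:
    """Return (certutil -M argv lists for dbdir, CA nicknames the db does not hold); argv, never a shell string."""
    missing = [str(c["nickname"]) for c in certs if not c["has_key"] and c["nickname"] not in installed]
    commands: List[List[str]] = []
    root = find_root_nickname(certs)
    if root is not None and root in installed:  # never -M a nickname the db lacks (the thread's error)
        commands.append(["/usr/bin/certutil", "-d", dbdir, "-M", "-n", root, "-t", "CT,CT,"])
    return commands, missing
```

On a real system, feed `parse_pk12util_listing` the text of `pk12util -l <file.p12>` and `parse_certutil_list` the text of `certutil -L -d <dbdir>` instead of the constructed strings, and run the returned argv lists with `subprocess.run` in list form (no shell). Against the directory server listing the planner returns one `certutil -M` command for `valicert.com`; against the httpd listing it returns no command and reports `valicert.com` as missing, which is the condition the installer in the thread did not check before calling certutil.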

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
