I installed the 1.2.2-1 version from the test repo. I get really close
to the end, but it is still bombing when trying to set the trust
permissions on the web server cert. For some reason the final cert in
the chain did not get installed into the /etc/httpd/alias directory. All
worked fine for the directory server.
root : DEBUG [6/9]: Setting up ssl
[6/9]: Setting up ssl
root : DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
root : DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
root : INFO
root : INFO
root : INFO pk12util: PKCS12 IMPORT SUCCESSFUL
root : INFO
root : INFO Key(shrouded):
Friendly Name: Server-Cert
Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
Parameters:
Salt:
60:9a:79:e9:17:26:64:78:84:fc:4a:99:8f:19:ad:da
Iteration Count: 1 (0x1)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 769 (0x301)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "OU=Go Daddy Class 2 Certification Authority,O="The Go
Daddy
Group, Inc.",C=US"
Validity:
Not Before: Thu Nov 16 01:54:37 2006
Not After : Mon Nov 16 01:54:37 2026
Subject: "serialNumber=07969287,CN=Go Daddy Secure Certification
Auth
ority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.co
m, Inc.",L=Scottsdale,ST=Arizona,C=US"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c4:2d:d5:15:8c:9c:26:4c:ec:32:35:eb:5f:b8:59:01:
5a:a6:61:81:59:3b:70:63:ab:e3:dc:3d:c7:2a:b8:c9:
33:d3:79:e4:3a:ed:3c:30:23:84:8e:b3:30:14:b6:b2:
87:c3:3d:95:54:04:9e:df:99:dd:0b:25:1e:21:de:65:
29:7e:35:a8:a9:54:eb:f6:f7:32:39:d4:26:55:95:ad:
ef:fb:fe:58:86:d7:9e:f4:00:8d:8c:2a:0c:bd:42:04:
ce:a7:3f:04:f6:ee:80:f2:aa:ef:52:a1:69:66:da:be:
1a:ad:5d:da:2c:66:ea:1a:6b:bb:e5:1a:51:4a:00:2f:
48:c7:98:75:d8:b9:29:c8:ee:f8:66:6d:0a:9c:b3:f3:
fc:78:7c:a2:f8:a3:f2:b5:c3:f3:b9:7a:91:c1:a7:e6:
25:2e:9c:a8:ed:12:65:6e:6a:f6:12:44:53:70:30:95:
c3:9c:2b:58:2b:3d:08:74:4a:f2:be:51:b0:bf:87:d0:
4c:27:58:6b:b5:35:c5:9d:af:17:31:f8:0b:8f:ee:ad:
81:36:05:89:08:98:cf:3a:af:25:87:c0:49:ea:a7:fd:
67:f7:45:8e:97:cc:14:39:e2:36:85:b5:7e:1a:37:fd:
16:f6:71:11:9a:74:30:16:fe:13:94:a3:3f:84:0d:4f
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Subject Key ID
Data:
fd:ac:61:32:93:6c:45:d6:e2:ee:85:5f:9a:ba:e7:76:
99:68:cc:e7
Name: Certificate Authority Key Identifier
Key ID:
d2:c4:b0:d2:91:d4:4c:11:71:b3:61:cb:3d:a1:fe:dd:
a8:6a:d4:e3
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with a maximum path length of 0.
Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
URI: "http://ocsp.godaddy.com";
Name: CRL Distribution Points
URI: "http://certificates.godaddy.com/repository/gdroot.crl";
Name: Certificate Policies
Data:
Policy Name: Certificate Policies AnyPolicy
Policy Qualifier Name: PKIX CPS Pointer Qualifier
Policy Qualifier Data:
"http://certificates.godaddy.com/r
epository"
Name: Certificate Key Usage
Critical: True
Usages: Certificate Signing
CRL Signing
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
d2:86:c0:ec:bd:f9:a1:b6:67:ee:66:0b:a2:06:3a:04:
50:8e:15:72:ac:4a:74:95:53:cb:37:cb:44:49:ef:07:
90:6b:33:d9:96:f0:94:56:a5:13:30:05:3c:85:32:21:
7b:c9:c7:0a:a8:24:a4:90:de:46:d3:25:23:14:03:67:
c2:10:d6:6f:0f:5d:7b:7a:cc:9f:c5:58:2a:c1:c4:9e:
21:a8:5a:f3:ac:a4:46:f3:9e:e4:63:cb:2f:90:a4:29:
29:01:d9:72:2c:29:df:37:01:27:bc:4f:ee:68:d3:21:
8f:c0:b3:e4:f5:09:ed:d2:10:aa:53:b4:be:f0:cc:59:
0b:d6:3b:96:1c:95:24:49:df:ce:ec:fd:a7:48:91:14:
45:0e:3a:36:6f:da:45:b3:45:a2:41:c9:d4:d7:44:4e:
3e:b9:74:76:d5:a2:13:55:2c:c6:87:a3:b5:99:ac:06:
84:87:7f:75:06:fc:bf:14:4c:0e:cc:6e:c4:df:3d:b7:
12:71:f4:e8:f1:51:40:22:28:49:e0:1d:4b:87:a8:34:
cc:06:a2:dd:12:5a:d1:86:36:64:03:35:6f:6f:77:6e:
eb:f2:85:50:98:5e:ab:03:53:ad:91:23:63:1f:16:9c:
cd:b9:b2:05:63:3a:e1:f4:68:1b:17:05:35:95:53:ee
Fingerprint (MD5):
D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
Fingerprint (SHA1):
7C:46:56:C3:06:1F:7F:4C:0D:67:B3:19:A8:55:F6:0E:BC:11:FC:44
Friendly Name: Go Daddy Secure Certification Authority
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 269 (0x10d)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer:
"[email protected],CN=http://www.valicert.com/,OU=ValiCert
Class 2 Policy Validation Authority,O="ValiCert,
Inc.",L=ValiCert
Validation Network"
Validity:
Not Before: Tue Jun 29 17:06:20 2004
Not After : Sat Jun 29 17:06:20 2024
Subject: "OU=Go Daddy Class 2 Certification Authority,O="The Go
Daddy
Group, Inc.",C=US"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
de:9d:d7:ea:57:18:49:a1:5b:eb:d7:5f:48:86:ea:be:
dd:ff:e4:ef:67:1c:f4:65:68:b3:57:71:a0:5e:77:bb:
ed:9b:49:e9:70:80:3d:56:18:63:08:6f:da:f2:cc:d0:
3f:7f:02:54:22:54:10:d8:b2:81:d4:c0:75:3d:4b:7f:
c7:77:c3:3e:78:ab:1a:03:b5:20:6b:2f:6a:2b:b1:c5:
88:7e:c4:bb:1e:b0:c1:d8:45:27:6f:aa:37:58:f7:87:
26:d7:d8:2d:f6:a9:17:b7:1f:72:36:4e:a6:17:3f:65:
98:92:db:2a:6e:5d:a2:fe:88:e0:0b:de:7f:e5:8d:15:
e1:eb:cb:3a:d5:e2:12:a2:13:2d:d8:8e:af:5f:12:3d:
a0:08:05:08:b6:5c:a5:65:38:04:45:99:1e:a3:60:60:
74:c5:41:a5:72:62:1b:62:c5:1f:6f:5f:1a:42:be:02:
51:65:a8:ae:23:18:6a:fc:78:03:a9:4d:7f:80:c3:fa:
ab:5a:fc:a1:40:a4:ca:19:16:fe:b2:c8:ef:5e:73:0d:
ee:77:bd:9a:f6:79:98:bc:b1:07:67:a2:15:0d:dd:a0:
58:c6:44:7b:0a:3e:62:28:5f:ba:41:07:53:58:cf:11:
7e:38:74:c5:f8:ff:b5:69:90:8f:84:74:ea:97:1b:af
Exponent: 3 (0x3)
Signed Extensions:
Name: Certificate Subject Key ID
Data:
d2:c4:b0:d2:91:d4:4c:11:71:b3:61:cb:3d:a1:fe:dd:
a8:6a:d4:e3
Name: Certificate Authority Key Identifier
Issuer:
Directory Name:
"[email protected],CN=http://www.valicert.c
om/,OU=ValiCert Class 2 Policy Validation
Authority,O="Va
liCert, Inc.",L=ValiCert Validation Network"
Serial Number: 1 (0x1)
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
URI: "http://ocsp.godaddy.com";
Name: CRL Distribution Points
URI: "http://certificates.godaddy.com/repository/root.crl";
Name: Certificate Policies
Data:
Policy Name: Certificate Policies AnyPolicy
Policy Qualifier Name: PKIX CPS Pointer Qualifier
Policy Qualifier Data:
"http://certificates.godaddy.com/r
epository"
Name: Certificate Key Usage
Critical: True
Usages: Certificate Signing
CRL Signing
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
b5:40:f9:a7:1d:f6:ea:fe:a4:1a:42:5a:44:f7:15:d4:
85:46:89:c0:be:9e:e3:e3:eb:c5:e3:58:89:8f:92:9f:
57:a8:71:2c:48:d1:81:b2:79:1f:ac:06:35:19:b0:4e:
0e:58:1b:14:b3:98:81:d1:04:1e:c8:07:c9:83:9f:78:
44:0a:18:0b:98:dc:76:7a:65:0d:0d:6d:80:c4:0b:01:
1c:cb:ad:47:3e:71:be:77:4b:cc:06:77:d0:f4:56:6b:
1f:4b:13:9a:14:8a:88:23:a8:51:f0:83:4c:ab:35:bf:
46:7e:39:dc:75:a4:ae:e8:29:fb:ef:39:8f:4f:55:67
Fingerprint (MD5):
82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45
Fingerprint (SHA1):
DE:70:F4:E2:11:6F:7F:DC:E7:5F:9D:13:01:2B:7E:68:7A:3B:2C:62
Friendly Name: Go Daddy Class 2 Certification Authority
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer:
"[email protected],CN=http://www.valicert.com/,OU=ValiCert
Class 2 Policy Validation Authority,O="ValiCert,
Inc.",L=ValiCert
Validation Network"
Validity:
Not Before: Sat Jun 26 00:19:54 1999
Not After : Wed Jun 26 00:19:54 2019
Subject:
"[email protected],CN=http://www.valicert.com/,OU=ValiCert
Class 2 Policy Validation Authority,O="ValiCert,
Inc.",L=ValiCer
t Validation Network"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
ce:3a:71:ca:e5:ab:c8:59:92:55:d7:ab:d8:74:0e:f9:
ee:d9:f6:55:47:59:65:47:0e:05:55:dc:eb:98:36:3c:
5c:53:5d:d3:30:cf:38:ec:bd:41:89:ed:25:42:09:24:
6b:0a:5e:b3:7c:dd:52:2d:4c:e6:d4:d6:7d:5a:59:a9:
65:d4:49:13:2d:24:4d:1c:50:6f:b5:c1:85:54:3b:fe:
71:e4:d3:5c:42:f9:80:e0:91:1a:0a:5b:39:36:67:f3:
3f:55:7c:1b:3f:b4:5f:64:73:34:e3:b4:12:bf:87:64:
f8:da:12:ff:37:27:c1:b3:43:bb:ef:7b:6e:2e:69:f7
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
3b:7f:50:6f:6f:50:94:99:49:62:38:38:1f:4b:f8:a5:
c8:3e:a7:82:81:f6:2b:c7:e8:c5:ce:e8:3a:10:82:cb:
18:00:8e:4d:bd:a8:58:7f:a1:79:00:b5:bb:e9:8d:af:
41:d9:0f:34:ee:21:81:19:a0:32:49:28:f4:c4:8e:56:
d5:52:33:fd:50:d5:7e:99:6c:03:e4:c9:4c:fc:cb:6c:
ab:66:b3:4a:21:8c:e5:b5:0c:32:3e:10:b2:cc:6c:a1:
dc:9a:98:4c:02:5b:f3:ce:b9:9e:a5:72:0e:4a:b7:3f:
3c:e6:16:68:f8:be:ed:74:4c:bc:5b:d5:62:1f:43:dd
Fingerprint (MD5):
A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
Fingerprint (SHA1):
31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
Friendly Name: valicert.com
Certificate(has private key):
Data:
Version: 3 (0x2)
Serial Number:
04:71:37:7b:34:f8:99
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "serialNumber=07969287,CN=Go Daddy Secure Certification
Autho
rity,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com
, Inc.",L=Scottsdale,ST=Arizona,C=US"
...... Details about my server key removed .........
root : INFO
root : INFO
root : INFO
root : INFO
root : INFO
root : INFO
root : INFO certutil: could not find certificate named
"valicert.com": security library: bad database.
creation of replica failed: Command '/usr/bin/certutil -d
/etc/httpd/alias -M -n valicert.com -t CT,CT,' returned non-zero exit
status 255
root : DEBUG Command '/usr/bin/certutil -d /etc/httpd/alias -M
-n valicert.com -t CT,CT,' returned non-zero exit status 255
File "/usr/sbin/ipa-replica-install", line 294, in <module>
main()
File "/usr/sbin/ipa-replica-install", line 259, in main
install_http(config)
File "/usr/sbin/ipa-replica-install", line 146, in install_http
http.create_instance(config.realm_name, config.host_name,
config.domain_name, False, pkcs12_info)
File "/usr/lib/python2.5/site-packages/ipaserver/httpinstance.py",
line 81, in create_instance
self.start_creation("Configuring the web interface")
File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line
139, in start_creation
method()
File "/usr/lib/python2.5/site-packages/ipaserver/httpinstance.py",
line 160, in __setup_ssl
ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
passwd="")
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 476,
in create_from_pkcs12
self.trust_root_cert(nickname)
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 390,
in trust_root_cert
"-t", "CT,CT,"])
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 133,
in run_certutil
return ipautil.run(new_args, stdin)
File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
raise CalledProcessError(p.returncode, ' '.join(args))
[r...@replica ~]# certutil -L -d /etc/httpd/alias
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
Go Daddy Secure Certification Authority CT,C,
Go Daddy Class 2 Certification Authority CT,C,
Rob Crittenden wrote:
James Roman wrote:
OK I am still running into a similar problem when installing the
replica server. It appears that the problem stems from the chained CA
certificates from GoDaddy again. On the replica server, all the certs
appear to be installed properly. The script is choking when modifying
the trust arguments. It looks like it is grabbing the certificate
name from the wrong place again.
This should be fixed in ipa v1.2.2 which is in the Fedora
updates-testing repo.
rob
ipa-replica-install Error:
NOTE: Take a look at where the quotes are showing up in the "certutil
-d" lines.
root : DEBUG [10/17]: configuring ssl for ds instance
[10/17]: configuring ssl for ds instance
root : DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
root : INFO root : INFO root : INFO
pk12util: PKCS12 IMPORT SUCCESSFUL
root : INFO root : INFO root : INFO
certutil: could not find certificate named "valicert.com"
[[email protected],CN=http://www.valicert.com/,OU=ValiCert Class 2
Policy Validation Authority,O="ValiCert, Inc.": The security card or
token does not exist, needs to be initialized, or has been removed.
creation of replica failed: Command '/usr/bin/certutil -d
/etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
[[email protected],CN=http://www.valicert.com/,OU=ValiCert Class 2
Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
non-zero exit status 255
root : DEBUG Command '/usr/bin/certutil -d
/etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
[[email protected],CN=http://www.valicert.com/,OU=ValiCert Class 2
Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
non-zero exit status 255
File "/usr/sbin/ipa-replica-install", line 294, in <module>
main()
File "/usr/sbin/ipa-replica-install", line 244, in main
ds = install_ds(config)
File "/usr/sbin/ipa-replica-install", line 115, in install_ds
ds.create_instance(config.ds_user, config.realm_name,
config.host_name, config.domain_name, config.dirman_password,
pkcs12_info)
File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py",
line 193, in create_instance
self.start_creation("Configuring directory server:")
File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line
139, in start_creation
method()
File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py",
line 345, in __enable_ssl
ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line
403, in create_from_pkcs12
self.trust_root_cert(nickname)
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line
322, in trust_root_cert
"-t", "CT,CT,"])
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line
126, in run_certutil
return ipautil.run(new_args, stdin)
File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
raise CalledProcessError(p.returncode, ' '.join(args))
Replica server Cert DB:
[r...@replica slapd-REALM-COM]# certutil -L -d .
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
Go Daddy Secure Certification Authority ,, Go
Daddy Class 2 Certification Authority ,,
valicert.com ,,
Rob Crittenden wrote:
James Roman wrote:
Can anyone elaborate on the options for the ipa-replica-prepare
command? I have a third party signed certificate for both my master
and replica server. Am I supposed to provide the PKCS12 file for
the master server or the replica? If it is looking for the master
server, I really don't want the script generating a new certificate
for the replica. I already have one. Any way to by-pass that option?
The PKCS#12 file(s) are for the replica server. If you provide both
then IPA will not attempt to generate one.
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
