Thanks for the reply,

Version:

Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and latest version...

I'm not sure I understand the answer.

I created the CSR and they signed it using their automation, and returned the new ones to me for installation, which failed. SUN.WEATHER.COM is a valid Kerberos domain name, but not a valid O=. The node itself is xxxxx.sun.weather.com, we have a wildcard certificate for sun.weather.com, and this domain controller needs the certificate for the domain for setup to complete.

What am I doing wrong here?

On 1/3/14 3:58 PM, Rob Crittenden wrote:
James Scollard wrote:
When attempting to run the second part of the installation with an
external CA (Globalsign) using my signed certificate and CA certificate
chain I get the following;

[root@ldapm6x00 ~]# ipa-server-install
--external_cert_file=/root/ldapm6x00.sun.weather.com.crt
--external_ca_file=/root/sun.weather.com.crt

The log file for this installation can be found in
/var/log/ipaserver-install.log
Directory Manager password:

Subject of the external certificate is not correct (got
CN=*.sun.weather.com,O=The Weather Channel Interactive\,
Inc,L=Atlanta,ST=Georgia,C=US, expected CN=Certificate
Authority,O=SUN.WEATHER.COM).

CN= and O= are correct, so why is IPA refusing to use the certificate?
It appears to be expecting bogus data instead of using the provided
identity.  This doesnt appear to be an issue with the certificate,
although I have never installed FreeIPA with a Globalsign certificate. I
did nto see this problem with Network Solutions wildcard certificates
though.  Any suggestions would be appreciated.

This isn't related to the external CA, it just can't modify the subject of the IPA CA, which it did in this case. I'm not even entirely sure what it would mean to have the CA certificate itself be a wildcard cert. Doesn't seem to be a valid use-case though.

Looks like this validation was added in in v3.

rob


--
James E. Scollard III

Senior Cloud Systems Architect
c: 615.730.4387
www.weather.com

View my profile on LinkedIn

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to