On 19/10/15 21:06, Rob Crittenden wrote:
James Masson wrote:

Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA - Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

I'm guessing you don't include the entire CA certchain of Vault. Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup


Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert - the IPAs python-based install code is happy with the cert chain, but the Java based dogtag code chokes on it.

OpenSSL is happy with it too.

[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK

Any hints on how to reproduce this with more debug output? I'd like to know exactly what Dogtag doesn't like about the certificate.


James M

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to