On 10/26/2015 04:05 PM, James Masson wrote:
>
> On 19/10/15 21:06, Rob Crittenden wrote:
>> James Masson wrote:
>>>
>>> Hi list,
>>>
>>> I successfully have IPA working with CA certs signed by an upstream Dogtag.
>>>
>>> Now I'm trying to use a CA cert signed by a different type of CA - Vault.
>>>
>>> Setup fails, using the same 2 step IPA setup process as used with
>>> upstream Dogtag. I've also tried the external-ca-type option.
>>>
>>> Likely, IPA doesn't like the certificate - however, I can't pinpoint why.
>>
>> I'm guessing you don't include the entire CA cert chain of Vault. Dogtag
>> is failing to start up because it can't verify its own cert chain:
>>
>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>> CAPresence: CA is present
>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>> SystemCertsVerification: system certs verification failure
>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>> SelfTestSubsystem: The CRITICAL self test plugin called
>> selftests.container.instance.SystemCertsVerification running at startup
>> FAILED!
>>
>> rob
>>
>
> Hi Rob,
>
> Thanks for the reply.
>
> I do present the IPA installer with both the CA and the IPA cert - the IPA's
> python-based install code is happy with the cert chain, but the Java-based
> Dogtag code chokes on it.
>
> OpenSSL is happy with it too.
>
> #####
> [root@foo ~]# openssl verify ipa.crt
> ipa.crt: O = LOCAL, CN = Certificate Authority
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> [root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
> ipa.crt: OK
> ###
>
> Any hints on how to reproduce this with more debug output? I'd like to know
> exactly what Dogtag doesn't like about the certificate.
>
> thanks
>
> James M
Let me CC at least Jan Ch. and David; they may be able to help and should also make sure FreeIPA gets better at validating the certs, as appropriate.
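The check the thread turns on is whether the bundle handed to the installer chains all the way to a self-signed root. The following is an added shell example, not code from the thread or from FreeIPA/Dogtag: it builds a throwaway root (placeholder name vaultca.crt), a subordinate CA cert signed by it (ipa.crt, with the subject from James's output), and an unrelated root (other.crt), then runs the same `openssl verify -CAfile` check against each. It assumes `openssl` and `mktemp` are available.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the openssl verify check on
# constructed certs. vaultca.crt / ipa.crt mirror the thread's file names;
# other.crt is a constructed root that did NOT sign ipa.crt.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_root NAME SUBJECT: write a self-signed root CA key and cert into $WORK.
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
new_root vaultca "/O=EXAMPLE/CN=Vault Root CA"   # stands in for the Vault CA
new_root other   "/O=EXAMPLE/CN=Unrelated Root"  # wrong root, for the failure case

# Subordinate CA cert (the "IPA" CA) issued by vaultca, with CA extensions.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=LOCAL/CN=Certificate Authority" \
  -keyout "$WORK/ipa.key" -out "$WORK/ipa.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ipa.csr" -CA "$WORK/vaultca.crt" \
  -CAkey "$WORK/vaultca.key" -CAcreateserial -days 1 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/ipa.crt" 2>/dev/null

# chain_ok CERT BUNDLE: succeeds only if CERT chains up to a self-signed root
# present in BUNDLE, which is what Dogtag's SystemCertsVerification self-test
# needs to be true for its own CA cert.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# chain_error CERT BUNDLE: print openssl's reason when the chain does not build
# (e.g. "unable to get local issuer certificate" when the issuer is missing).
chain_error() {
  openssl verify -CAfile "$2" "$1" 2>&1 | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p'
}

chain_ok "$WORK/ipa.crt" "$WORK/vaultca.crt" && echo "ipa.crt chains to vaultca.crt"
chain_ok "$WORK/ipa.crt" "$WORK/other.crt" || \
  echo "ipa.crt vs other.crt: $(chain_error "$WORK/ipa.crt" "$WORK/other.crt")"
```

Against real files, point `chain_ok` at the exact bundle passed to the installer: if it fails there, Dogtag's self-test will fail the same way regardless of what the Python install code accepted.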