On 26/10/15 16:11, Martin Kosek wrote:
On 10/26/2015 04:05 PM, James Masson wrote:

On 19/10/15 21:06, Rob Crittenden wrote:
James Masson wrote:

Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA - Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

I'm guessing you don't include the entire CA certchain of Vault. Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup


Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert - the IPAs
python-based install code is happy with the cert chain, but the Java based
dogtag code chokes on it.

OpenSSL is happy with it too.

[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK

Any hints on how to reproduce this with more debug output? I'd like to know
exactly what Dogtag doesn't like about the certificate.


James M

Let me CC at least Jan Ch. and David, they may be able to help and should also
make sure FreeIPA gets better in validating the certs, as appropriate.

Any thoughts guys?

James M

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to