On 04/01/2016 12:44, Jan Cholasta wrote:
> 1. Install the CA certificate chain of the issuer of the 3rd party
> certificate to IPA using "ipa-cacert-manage install"

I have a wildcard SSL certificate from Gandi, the whole certificate chain looks like this:

AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem -> star.ipa.wandisco.com.crt

I can validate this chain by running:

$ openssl verify -verbose -CAfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
star.ipa.wandisco.com.crt: OK

I've installed those CA certificates using the following commands (due to a known bug with ipa-cacert-manage, as per Jan's recommendation, I had to comment out a few lines in /usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py for this to work):

$ ipa-cacert-manage install AddTrust.pem -n AddTrust -t ,,
$ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n USERTrustRSAAddTrustCA -t ,,
$ ipa-cacert-manage install GandiStandardSSLCA2.pem -n GandiStandardSSLCA2 -t ,,

Then I created a PKCS12 certificate out of Wildcard certificate and private key:

$ openssl pkcs12 -export -out star.ipa.wandisco.com.p12 -inkey star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -name 'GandiWildcardIPA'

and then installed it in both NSS databases:

$ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i star.ipa.wandisco.com.p12
$ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.p12

I could see the certificates being installed by running:

$ certutil -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -L
$ certutil -d /etc/httpd/alias/ -L

Certificate Nickname                                         Trust Attributes

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
IPA.WANDISCO.COM IPA CA                                      CT,C,C
AddTrust                                                     ,,
USERTrustRSAAddTrustCA                                       ,,
GandiWildcardIPA                                             u,u,u
Signing-Cert                                                 u,u,u
GandiStandardSSLCA2                                          ,,

> 2. Run "ipa-certupdate" to update CA certificate related IPA configuration.

> 3. Manually import the server certificate into the
> /etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
> LDAP in the nsSSLPersonalitySSL attribute of
> cn=RSA,cn=encryption,cn=config and restart DS.

I've stopped IPA (ipactl stop) and edited /etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to replace:

nsSSLPersonalitySSL: Server-Cert

with:

nsSSLPersonalitySSL: GandiWildcardIPA

> 4. Manually import the server certificate into the /etc/httpd/alias NSS
> database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
> using the NSSNickname directive and restart httpd.

I've edited /etc/httpd/conf.d/nss.conf and replaced:

NSSNickname Server-Cert

with:

NSSNickname GandiWildcardIPA

Next, I've tried to start IPA (ipactl start) but this failed:

ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl

It seems that pki-tomcatd did not start, so I looked in /var/log/pki/pki-tomcat/catalina.log and noticed this (not sure how relevant this is): http://fpaste.org/310861/14527938/

/var/log/pki/pki-tomcat/ca/system log shows:

0.localhost-startStop-1 - [14/Jan/2016:17:47:49 UTC] [8] [3] In Ldap (bound) connection pool to host node01.ipa.wandisco.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

At this stage I can revert LDAP/HTTPS certs' nickname to Server-Cert and successfully start IPA.

Using 3rd party certificates for both LDAP and HTTPS is one of the requirements of the FreeIPA POC I'm working on at the moment, and without this ironed out we won't be able to take FreeIPA servers into full production.

I hope it's just a minor mistake on my behalf and I would appreciate it if anyone could glance through the above and let me know how I could progress this.

Many thanks in advance.

spako @ #freeipa

Kind regards,
 Peter Pakos
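The message above relies on reading `certutil -L` output by eye to confirm that the server nickname and its issuing chain are present before the services are restarted. The following script is an added example, not code from the thread or from the FreeIPA project: it parses a `certutil -L` listing (the constructed sample below reproduces the one shown in the message), reads the nickname configured in `nss.conf` and `dse.ldif`, and reports two consistency problems a defender would want to catch before an `ipactl start`: a configured nickname that is absent or has no private key (`u` in the SSL trust slot), and an issuer chain in which no certificate carries the NSS `C` or `T` trust flag for SSL, which means a client validating against that database has no trust anchor for the chain. The chain order (root first), the sample configuration fragments, and the function names are assumptions made for the example; the script is a consistency check on the database contents, not a diagnosis of the pki-tomcatd failure reported above.

```python
import re

# Constructed sample input: the certutil -L listing shown in the message,
# with the second header line that certutil normally prints.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
IPA.WANDISCO.COM IPA CA                                      CT,C,C
AddTrust                                                     ,,
USERTrustRSAAddTrustCA                                       ,,
GandiWildcardIPA                                             u,u,u
Signing-Cert                                                 u,u,u
GandiStandardSSLCA2                                          ,,
"""

# Constructed fragments of the two files edited in the message (assumed content).
SAMPLE_NSS_CONF = "NSSEngine on\nNSSNickname GandiWildcardIPA\n"
SAMPLE_DSE_LDIF = "dn: cn=RSA,cn=encryption,cn=config\nnsSSLPersonalitySSL: GandiWildcardIPA\n"

# The issuer chain installed with ipa-cacert-manage, root first (assumed order).
SAMPLE_CA_CHAIN = ["AddTrust", "USERTrustRSAAddTrustCA", "GandiStandardSSLCA2"]

# One listing entry: a nickname (may contain single spaces), two or more spaces,
# then the three comma-separated trust slots (each may be empty, e.g. ",,").
_ENTRY = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_listing(text):
    """Map nickname -> (ssl, smime, jar) trust strings from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def configured_nickname(text, directive):
    """Return the value of NSSNickname (nss.conf) or nsSSLPersonalitySSL (dse.ldif)."""
    m = re.search(r"^\s*%s\s*:?\s*(\S+)\s*$" % re.escape(directive), text, re.M)
    return m.group(1) if m else None


def audit(certs, server_nick, ca_chain):
    """Return a list of findings; an empty list means the database is consistent."""
    findings = []
    entry = certs.get(server_nick)
    if entry is None:
        findings.append("server nickname %r not present in database" % server_nick)
    elif "u" not in entry[0]:
        findings.append("%r has no private key usable for SSL (trust %s)"
                        % (server_nick, ",".join(entry)))
    anchored = False
    for ca in ca_chain:
        entry = certs.get(ca)
        if entry is None:
            findings.append("issuer %r not present in database" % ca)
        elif set(entry[0]) & {"C", "T"}:
            anchored = True  # this CA can serve as a trust anchor for SSL
    if ca_chain and not anchored:
        findings.append("no issuer in %s is marked trusted for SSL (C or T flag); "
                        "peers validating against this database have no trust anchor"
                        % ca_chain)
    return findings


def run_sample():
    """Audit the constructed listing against the constructed configuration."""
    certs = parse_certutil_listing(SAMPLE_LISTING)
    results = {}
    for name, text, directive in (("nss.conf", SAMPLE_NSS_CONF, "NSSNickname"),
                                  ("dse.ldif", SAMPLE_DSE_LDIF, "nsSSLPersonalitySSL")):
        nick = configured_nickname(text, directive)
        results[name] = audit(certs, nick, SAMPLE_CA_CHAIN)
    return results


if __name__ == "__main__":
    for source, findings in run_sample().items():
        print(source, "->", findings or "OK")
```

Against a live system, feed the script the output of `certutil -d /etc/httpd/alias -L` (and the dirsrv database) instead of the constructed sample; the nickname checks also apply, with the same directive parsing, to whichever NSS database a connecting service uses to validate the LDAP server certificate.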

