Peter Pakos wrote:
> On 04/01/2016 12:44, Jan Cholasta wrote:
>> 1. Install the CA certificate chain of the issuer of the 3rd party
>> certificate to IPA using "ipa-cacert-manage install"
>
> I have a wildcard SSL certificate from Gandi, the whole certificate
> chain looks like this:
>
> AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem -> star.ipa.wandisco.com.crt
>
> I can validate this chain by running:
>
> $ openssl verify -verbose -CAfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
> star.ipa.wandisco.com.crt: OK
>
> I've installed those CA certificates using the following commands (due
> to a known bug with ipa-cacert-manage, as per Jan's recommendation, I
> had to comment out a few lines in
> /usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py
> for this to work):
>
> $ ipa-cacert-manage install AddTrust.pem -n AddTrust -t ,,
> $ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n USERTrustRSAAddTrustCA -t ,,
> $ ipa-cacert-manage install GandiStandardSSLCA2.pem -n GandiStandardSSLCA2 -t ,,
>
> Then I created a PKCS12 certificate out of the wildcard certificate and
> private key:
>
> $ openssl pkcs12 -export -out star.ipa.wandisco.com.p12 -inkey star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -name 'GandiWildcardIPA'
>
> and then installed it in both NSS databases:
>
> $ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i star.ipa.wandisco.com.p12
> $ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.p12
>
> I could see the certificates being installed by running:
>
> $ certutil -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -L
> $ certutil -d /etc/httpd/alias/ -L
>
> Certificate Nickname                Trust Attributes
>                                     SSL,S/MIME,JAR/XPI
>
> ipaCert                             u,u,u
> Server-Cert                         u,u,u
> IPA.WANDISCO.COM IPA CA             CT,C,C
> AddTrust                            ,,
> USERTrustRSAAddTrustCA              ,,
> GandiWildcardIPA                    u,u,u
> Signing-Cert                        u,u,u
> GandiStandardSSLCA2                 ,,
>
>> 2. Run "ipa-certupdate" to update CA certificate related IPA
>> configuration.
>
> Done.
>
>> 3. Manually import the server certificate into the
>> /etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
>> LDAP in the nsSSLPersonalitySSL attribute of
>> cn=RSA,cn=encryption,cn=config and restart DS.
>
> I've stopped IPA (ipactl stop) and edited
> /etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to replace:
>
> nsSSLPersonalitySSL: Server-Cert
>
> for:
>
> nsSSLPersonalitySSL: GandiWildcardIPA
>
>> 4. Manually import the server certificate into the /etc/httpd/alias NSS
>> database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
>> using the NSSNickname directive and restart httpd.
>
> I've edited /etc/httpd/conf.d/nss.conf and replaced:
>
> NSSNickname Server-Cert
>
> for:
>
> NSSNickname GandiWildcardIPA
>
> Next, I've tried to start IPA (ipactl start) but this failed:
>
> ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
> Failed to start pki-tomcatd Service
> Shutting down
> Aborting ipactl
>
> It seems that pki-tomcatd did not start, so I looked in
> /var/log/pki/pki-tomcat/catalina.log and noticed this (not sure how
> relevant this is): http://fpaste.org/310861/14527938/
>
> /var/log/pki/pki-tomcat/ca/system log shows:
>
> 0.localhost-startStop-1 - [14/Jan/2016:17:47:49 UTC] [8] [3] In Ldap
> (bound) connection pool to host node01.ipa.wandisco.com port 636, Cannot
> connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error
> creating JSS SSL Socket (-1)
>
> At this stage I can revert LDAP/HTTPS certs' nickname to Server-Cert and
> successfully start IPA.
>
> Using 3rd party certificates for both LDAP and HTTPS is one of the
> requirements of the FreeIPA POC I'm working on at the moment and without
> this ironed out we won't be able to take FreeIPA servers into full
> production.
>
> I hope it's just a minor mistake on my behalf and I would appreciate it if
> anyone could glance through the above and let me know how I could
> progress this.
>
> Many thanks in advance.
You need to add the new root certs to the pki NSS database.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
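The log line Peter posted shows pki-tomcat failing as an LDAP client on port 636, and Rob's fix is to give its own NSS database the new chain as well. The shell script below is an added example, not code from the thread or from FreeIPA: it parses `certutil -L` listings and reports any required CA nickname that is missing, plus the trust flags of a given nickname, so each database can be checked with one command before restarting. The two listings are constructed samples (the first modelled on Peter's output; the second, lacking the Gandi chain, is an assumed look-alike of an untouched pki-tomcat database), and the path /etc/pki/pki-tomcat/alias used by `check_live_db` is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example: verify that a CA chain is present in FreeIPA NSS databases.

# Constructed sample of `certutil -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -L`
SAMPLE_DIRSRV='Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

ipaCert                             u,u,u
Server-Cert                         u,u,u
IPA.WANDISCO.COM IPA CA             CT,C,C
AddTrust                            ,,
USERTrustRSAAddTrustCA              ,,
GandiWildcardIPA                    u,u,u
Signing-Cert                        u,u,u
GandiStandardSSLCA2                 ,,'

# Constructed sample standing in for a pki-tomcat database that never got the chain
SAMPLE_PKI='Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca           CTu,Cu,Cu
subsystemCert cert-pki-ca           u,u,u'

# Print one nickname per line from a certutil -L listing: skip the two header
# lines and blank lines, then drop the trailing trust-flag column.
nicknames() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF > 1 { $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# Usage: missing_cas "<listing>" NICK...  Prints required nicknames that are
# absent from the listing; prints nothing when the chain is complete.
missing_cas() {
    listing=$1; shift
    present=$(nicknames "$listing")
    for want in "$@"; do
        printf '%s\n' "$present" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# Usage: trust_flags "<listing>" NICK  Prints the trust column for NICK.
# ",," means the cert is stored with no trust; for an NSS client such as
# pki-tomcat to accept a server chain, the root needs the C flag in the SSL
# column (compare CT,C,C on the IPA CA in the sample above).
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" \
        'NR > 2 && NF > 1 { f = $NF; $NF = ""; sub(/[ \t]+$/, ""); if ($0 == nick) print f }'
}

# Live check against a real database (assumed pki-tomcat path; not run here):
#   check_live_db /etc/pki/pki-tomcat/alias AddTrust USERTrustRSAAddTrustCA GandiStandardSSLCA2
check_live_db() {
    db=$1; shift
    missing_cas "$(certutil -d "$db" -L)" "$@"
}
```

Run it once per database (dirsrv, httpd, pki-tomcat) with the three chain nicknames; an empty result means every CA is present, and `trust_flags` on the root then tells you whether it is actually trusted for SSL or merely stored.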
