On Wed, Aug 3, 2016 at 12:49 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
> On 08/02/2016 04:52 AM, Richard Harmonson wrote: > >> On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik <pvobo...@redhat.com >> <mailto:pvobo...@redhat.com>> wrote: >> >> On 07/31/2016 07:45 AM, Richard Harmonson wrote: >> > I having challenges resuming ipa-server-install --external-ca. I >> am reasonably >> > confident I am not providing the right certificate and/or format >> from my >> > off-line root CA using 389 and Dogtag. >> > >> > Does anyone have instructions on how to accomplish the task of >> exporting the >> > correct certificates in the expected format? >> > >> > Thank you. >> > >> >> The IPA procedure with prerequisites is described at >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca >> >> Or are you rather asking for specific PKI instructions? >> >> e.g. >> * >> >> http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI#Submitting_a_Certificate_Request >> >> * >> >> http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles#caCACert:_Manual_Certificate_Manager_Signing_Certificate_Enrollment >> -- >> Petr Vobornik >> >> >> I read the suggested document, previously, but its an excellent shared >> reference for this discussion. >> >> I have successfully submitted and approved the csr. Dogtag provides a >> web UI which provides a Base 64 encoded certificate or Base 64 encoded >> certificate with CA certificate chain in pkcs7 format. >> >> For the servercert2010601.pem (the signed CSR request signing CA >> certificate 0x9) referenced in the article, do I copy and paste >> (-----BEGIN .. END-----) the base 64 (not pkcs7) to a file using *.pem >> then submit using one of the two --external-cert-file? >> >> For the cacert.pem (the Root CA signing certificate 0x1) referenced in >> the article, do I copy and paste the base 64 with ca in pkcs7 format to >> a file using *.pkcs7 (or pem or does it matter?) then submit using the >> second --external-cert-file? >> >> Your guidance is much appreciated. >> >> >> Hi Richard, > > I tested the following steps to install FreeIPA with a certificate signed > by an external Dogtag instance: > > 1- IPA installation on host ipaserver with: > ipaserver$ ipa-server-install [options] --external-ca > > This step produces the Certificate Signing Request /root/ipa.csr that must > be provided to the Dogtag server. > > 2- On the Dogtag machine, configure Dogtag client authentication (to be > able to use the command-line): > > dogtagsrv$ pki -c password client-init > > This step creates a NSSDB in ~/.dogtag/nssdb where the certificates for > client->dogtag server authentication will be stored. > > dogtagsrv$ pk12util -i /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -d > /root/.dogtag/nssdb/ > > This step imports the caadmin certificate that was created during Dogtag > installation into the client NSSDB. The client will be able to authenticate > as "caadmin" when using Dogtag CLI. Please note the certicate nickname that > can be found using > > dogtagsrv$ certutil -L -d ~/.dogtag/nssdb/ > [...] > PKI Administrator for <security domain> u,u,u > > 3- On the Dogtag machine, submit the CSR and approve: > dogtagsrv$ pki ca-cert-request-submit --profile caCACert --request-type > pkcs10 --csr-file /path/to/ipa.csr > > This step submits the csr to Dogtag, using the caCACert profile in order > to produce a Certificate that can be used for a Certificate Authority. Note > the Request ID in the output as it will be used in the next command to > approve the CSR and produce the cert: > > dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for > <security domain>" cert-request-review <id> --action approve > > 4- On the Dogtag machine, export the certificate and the dogtag CA cert: > > dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for > <security domain>" cert-show 7 --encoded --output ipa.cert > dogtagsrv$ pki ca-cert-show 1 --encoded --output dogtagca.cert > > 5- Resume ipa server installation with > > ipaserver$ ipa-server-install --external-cert-file=ipa.cert > --external-cert-file=dogtagca.cert > > With those steps, I was able to install FreeIPA server with a 3rd-party > signed Certificate Authority. Please let me known if you have issues with > those instructions, > > Flo. > Awesome! Flo, your instructions were perfect! I exported the certs and during the ipa-server-install I see the certs being displayed on the screen then "Process finished, return code=0, so they are accepted on resuming the installation. The install fails with a LDAP error but I believe it to be unrelated to the exported certs. May be a result of my earlier thrashing? I will recover from a snapshot and begin again. If problems persist, I will send another request for help for it is probably unrelated to the certificates. You got me one step closer. Thank you! Debug shows: # pa-server-install --external-cert-file=ipa.cert --external-cert-file=dogtagca.cert .. ipa : DEBUG Starting external process ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpDVXaWo ipa : DEBUG Process finished, *return code=1* ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160803103307.log Loading deployment configuration from /tmp/tmpDVXaWo. *ERROR: Unable to access directory server: Can't contact LDAP server* ipa : DEBUG stderr= ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDVXaWo' returned non-zero exit status 1 ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat ipa : DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 579, in __spawn_instance DogtagInstance.spawn_instance(self, cfg_file) File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 421, in handle_setup_error raise RuntimeError("%s configuration failed." % self.subsystem) RuntimeError: CA configuration failed. ..
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project