On 08/03/2016 07:54 PM, Richard Harmonson wrote:
On Wed, Aug 3, 2016 at 12:49 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:

    On 08/02/2016 04:52 AM, Richard Harmonson wrote:

        On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

            On 07/31/2016 07:45 AM, Richard Harmonson wrote:
            > I am having challenges resuming ipa-server-install --external-ca. I am reasonably
            > confident I am not providing the right certificate and/or format from my
            > off-line root CA using 389 and Dogtag.
            >
            > Does anyone have instructions on how to accomplish the task of exporting the
            > correct certificates in the expected format?
            >
            > Thank you.
            >

            The IPA procedure with prerequisites is described at
            https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca

            Or are you rather asking for specific PKI instructions?

            e.g.
            * http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI#Submitting_a_Certificate_Request
            * http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles#caCACert:_Manual_Certificate_Manager_Signing_Certificate_Enrollment
            --
            Petr Vobornik


        I read the suggested document previously, but it's an excellent shared
        reference for this discussion.

        I have successfully submitted and approved the CSR. Dogtag provides a
        web UI which provides a Base 64 encoded certificate or Base 64 encoded
        certificate with CA certificate chain in pkcs7 format.

        For the servercert2010601.pem (the signed CSR request signing CA
        certificate 0x9) referenced in the article, do I copy and paste
        (-----BEGIN .. END-----) the base 64 (not pkcs7) to a file using *.pem
        then submit using one of the two --external-cert-file?

        For the cacert.pem (the Root CA signing certificate 0x1) referenced in
        the article, do I copy and paste the base 64 with ca in pkcs7 format to
        a file using *.pkcs7 (or pem or does it matter?) then submit using the
        second --external-cert-file?

        Your guidance is much appreciated.


    Hi Richard,

    I tested the following steps to install FreeIPA with a certificate
    signed by an external Dogtag instance:

    1- IPA installation on host ipaserver with:
    ipaserver$ ipa-server-install [options] --external-ca

    This step produces the Certificate Signing Request /root/ipa.csr
    that must be provided to the Dogtag server.

    2- On the Dogtag machine, configure Dogtag client authentication (to
    be able to use the command-line):

    dogtagsrv$ pki -c password client-init

    This step creates an NSSDB in ~/.dogtag/nssdb where the certificates
    for client->dogtag server authentication will be stored.

    dogtagsrv$ pk12util -i /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -d /root/.dogtag/nssdb/

    This step imports the caadmin certificate that was created during
    Dogtag installation into the client NSSDB. The client will be able
    to authenticate as "caadmin" when using the Dogtag CLI. Please note the
    certificate nickname that can be found using

    dogtagsrv$ certutil -L -d ~/.dogtag/nssdb/
    [...]
    PKI Administrator for <security domain>         u,u,u

    3- On the Dogtag machine, submit the CSR and approve:
    dogtagsrv$ pki ca-cert-request-submit --profile caCACert --request-type pkcs10 --csr-file /path/to/ipa.csr

    This step submits the CSR to Dogtag, using the caCACert profile in
    order to produce a Certificate that can be used for a Certificate
    Authority. Note the Request ID in the output as it will be used in
    the next command to approve the CSR and produce the cert:

    dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for <security domain>" cert-request-review <id> --action approve

    4- On the Dogtag machine, export the certificate and the Dogtag CA cert:

    dogtagsrv$ pki -c password -d ~/.dogtag/nssdb/ -n "PKI Administrator for <security domain>" cert-show 7 --encoded --output ipa.cert
    dogtagsrv$ pki ca-cert-show 1 --encoded --output dogtagca.cert

    5- Resume ipa server installation with

    ipaserver$ ipa-server-install --external-cert-file=ipa.cert --external-cert-file=dogtagca.cert

    With those steps, I was able to install FreeIPA server with a
    3rd-party signed Certificate Authority. Please let me know if you
    have issues with those instructions,

    Flo.


Awesome!

Flo, your instructions were perfect! I exported the certs and during the
ipa-server-install I see the certs being displayed on the screen then
"Process finished, return code=0", so they are accepted on resuming the
installation. The install fails with an LDAP error but I believe it to be
unrelated to the exported certs. May be a result of my earlier thrashing?

I will recover from a snapshot and begin again. If problems persist, I
will send another request for help for it is probably unrelated to the
certificates.

You got me one step closer. Thank you!

Debug shows:

# pa-server-install --external-cert-file=ipa.cert
--external-cert-file=dogtagca.cert
..
ipa         : DEBUG    Starting external process
ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpDVXaWo
ipa         : DEBUG    Process finished, *return code=1*
ipa         : DEBUG    stdout=Log file:
/var/log/pki/pki-ca-spawn.20160803103307.log
Loading deployment configuration from /tmp/tmpDVXaWo.
*ERROR:  Unable to access directory server: Can't contact LDAP server*

ipa         : DEBUG    stderr=
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command '/usr/sbin/pkispawn -s CA -f
/tmp/tmpDVXaWo' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
ipa         : DEBUG    Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 437, in run_step
    method()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
579, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 181, in spawn_instance
    self.handle_setup_error(e)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 421, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
..
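The confusion at the start of this thread was which of the two Dogtag web-UI exports (a single Base64 certificate, or a Base64 PKCS#7 bundle with the CA chain) to hand to --external-cert-file, and in which order. Steps 4 and 5 in Flo's quoted reply use two single certificates, ipa.cert (the IPA CA cert, request 7) and dogtagca.cert (the Dogtag root, cert 1). The following is an added example, not code from the thread, from FreeIPA or from Dogtag: it tells the two export formats apart by looking at the DER structure inside the PEM, and then checks that the pair fits together (dogtagca.cert names itself as issuer, ipa.cert names dogtagca.cert's subject as issuer). The file names ipa.cert and dogtagca.cert are taken from Flo's steps; the fake_cert_pem / fake_pkcs7_pem fixtures are constructed for the demo and carry no real key or signature. It compares names only; it does not verify signatures.

```python
"""Added example (not from the thread, FreeIPA or Dogtag): classify Dogtag certificate
exports and sanity-check the ipa.cert / dogtagca.cert pair by DER structure alone."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 #]+)-----(.*?)-----END \1-----", re.S)
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # id-signedData 1.2.840.113549.1.7.2

def _tlv(buf, pos):
    """Decode one DER tag+length at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """(tag, content_start, content_end) for each element between start and end."""
    out, pos = [], start
    while pos < end:
        out.append(_tlv(buf, pos))
        pos = out[-1][2]
    return out

def pem_blocks(text):
    """[(label, der_bytes)] for every PEM block found in text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def describe(der):
    """kind: 'certificate', 'pkcs7' or 'unknown'; certificates also carry raw issuer/subject DER."""
    if len(der) < 2 or der[0] != 0x30:
        return {"kind": "unknown"}
    _, start, end = _tlv(der, 0)
    kids = _children(der, start, end) if end == len(der) else []
    if not kids:
        return {"kind": "unknown"}           # truncated, trailing bytes, or empty SEQUENCE
    tag, cs, ce = kids[0]
    if tag == 0x06 and der[cs:ce] == SIGNED_DATA_OID:
        return {"kind": "pkcs7"}             # ContentInfo { contentType = signedData, ... }
    # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, ... }
    tbs = _children(der, cs, ce) if tag == 0x30 else []
    if tbs and tbs[0][0] == 0xA0:
        tbs = tbs[1:]
    if len(tbs) < 5:
        return {"kind": "unknown"}
    (_, i0, i1), (_, s0, s1) = tbs[2], tbs[4]
    return {"kind": "certificate", "issuer": der[i0:i1], "subject": der[s0:s1]}

def check_external_cert_files(ipa_pem, ca_pem):
    """Problems with the ipa.cert / dogtagca.cert pair; an empty list means they fit together."""
    problems, parsed = [], {}
    for name, text in (("ipa.cert", ipa_pem), ("dogtagca.cert", ca_pem)):
        blocks = pem_blocks(text)
        if len(blocks) != 1:
            problems.append("%s: expected one PEM block, found %d" % (name, len(blocks)))
            continue
        label, der = blocks[0]
        try:
            info = parsed[name] = describe(der)
        except IndexError:                   # a DER length field points past the end of the data
            info = parsed[name] = {"kind": "unknown"}
        if info["kind"] == "pkcs7":
            problems.append("%s: PKCS#7 chain export, not the single Base64 certificate" % name)
        elif info["kind"] != "certificate":
            problems.append("%s: PEM label %r does not wrap an X.509 certificate" % (name, label))
    if all(parsed.get(n, {}).get("kind") == "certificate" for n in ("ipa.cert", "dogtagca.cert")):
        ipa, ca = parsed["ipa.cert"], parsed["dogtagca.cert"]
        if ca["issuer"] != ca["subject"]:
            problems.append("dogtagca.cert is not self-issued; is it really the root CA (cert 1)?")
        if ipa["issuer"] != ca["subject"]:
            problems.append("ipa.cert was not issued by the subject named in dogtagca.cert")
    return problems

def _der(tag, content):
    """Minimal DER TLV encoder, used only for the constructed (fake, unsigned) fixtures below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    atv = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, atv))       # Name ::= SEQUENCE OF SET OF { commonName, PrintableString }

def fake_cert_pem(subject, issuer):
    """PEM of a fake certificate: only version/serial/issuer/subject carry meaning."""
    dummy = _der(0x30, b"")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x07") + dummy
               + _name(issuer) + dummy + _name(subject) + dummy)
    cert = _der(0x30, tbs + dummy + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()

def fake_pkcs7_pem():
    """PEM of a bare ContentInfo header, enough to be recognised as a PKCS#7 chain export."""
    blob = _der(0x30, _der(0x06, SIGNED_DATA_OID))
    return "-----BEGIN PKCS7-----\n%s-----END PKCS7-----\n" % base64.encodebytes(blob).decode()

if __name__ == "__main__":
    root, ipa = fake_cert_pem("Dogtag CA", "Dogtag CA"), fake_cert_pem("IPA CA", "Dogtag CA")
    print("good pair    :", check_external_cert_files(ipa, root) or "OK")
    print("pkcs7 as root:", check_external_cert_files(ipa, fake_pkcs7_pem()))
```

On a real installation the two arguments would be the contents of ipa.cert and dogtagca.cert read from disk. An empty result means the files are single PEM certificates in the order Flo's step 5 expects; a non-empty result points at the usual mistakes (PKCS#7 bundle pasted instead of the bare certificate, the two files swapped, several blocks in one file). Whether the signatures actually chain is left to openssl verify -CAfile dogtagca.cert ipa.cert or to the installer itself.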


Hi Richard,

not sure if this is related, but there is a bug with recent revisions of Dogtag which results in failure of CA installation. See IPA ticket 6155 [1] and Dogtag ticket 2403 [2]. A workaround is to downgrade the packages resteasy-xx because version 3.0.17 from updates-testing prevents the installation (but 3.0.6.11 is OK):

# dnf downgrade resteasy-atom-provider resteasy-client resteasy-core resteasy-jackson-provider resteasy-jaxb-provider --allowerasing

[1] https://fedorahosted.org/freeipa/ticket/6155
[2] https://fedorahosted.org/pki/ticket/2403

Flo.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
