Hi all,

I have a problem installing FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with an External CA as the Root CA. Here are the details.

1) Run "ipa-server-install --external-ca", and send .csr to be signed by External CA, but VeriSign rejects signing this since info like Organization, OU, L, ST, C are missing.

2) Okay, so I try this workaround, create cert request manually with command:

# certutil -R -d /tmp -a -g 2048 -s 'CN=<fqdn>,OU=<some-ou>,O=<company>,L=<town>,ST=California,C=US'

3) I verify request via https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp (looks good)

4) Now VeriSign accepts .csr and I receive the certificate (.cer file) via email.

5) I also download two additional certs for trust chain, one is VeriSign's public primary root CA and the second one is Company's intermediate CA, both (.pem files)

6) Now the problem begins, run the command:

# ipa-server-install --external-cert-file=/tmp/freeipa.cer --external-cert-file=/tmp/Company_CA_G2.pem --external-cert-file=/tmp/VeriSign_Root_CA.pem -vv


One of the screen messages is:

ipa         : DEBUG    stderr=
ipa         : DEBUG    Starting external process
ipa         : DEBUG    args='/usr/bin/certutil' '-d' '/tmp/tmplsusxY' '-M' '-n' 'CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US' '-t' 'C,,'
ipa         : DEBUG    Process finished, return code=0
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=
ipa.ipapython.install.cli.install_tool(Server): DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 279, in run
    self.validate()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 288, in validate
    for nothing in self._validator():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 517, in _configure
    validator.next()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1612, in main
    install_check(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 263, in decorated
    func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 601, in install_check
    ca.install_check(False, None, options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 69, in install_check
    options.external_cert_files, options.subject)
File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1016, in load_external_cert
    "IPA CA certificate not found in %s" % (", ".join(files)))

ipa.ipapython.install.cli.install_tool(Server): DEBUG The ipa-server-install command failed, exception: ScriptError: IPA CA certificate not found in /tmp/freeipa.cer, /tmp/Company_CA_G2.pem, /tmp/VeriSign_Root_CA.pem
ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate not found in /tmp/freeipa.cer, /tmp/Company_CA_G2.pem, /tmp/VeriSign_Root_CA.pem


Please let me know if any more info is needed, appreciate any help.

--
Thanks,
Zarko
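
Added example, not part of the original post and not FreeIPA code: a shell check of which file passed to `--external-cert-file` was issued for a particular CSR, comparing subject and public key with `openssl`. It assumes PEM-encoded input and that the installer expects the certificate issued for the CSR written in step 1; the function names, subjects and sample files are constructed for illustration.

```shell
#!/bin/bash
# Added example (constructed data): find which supplied certificate file was
# issued for a given CSR by comparing subject and public key.

# Subject of a CSR ("req") or certificate ("x509"), normalised to RFC 2253.
subject_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}
# PEM-encoded public key of a CSR or certificate.
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey; }

# find_cert_for_csr CSR CERT...: print the first CERT whose subject and public
# key both match CSR; return 1 if none match, 2 if the CSR cannot be read.
find_cert_for_csr() {
    local csr="$1" f want_subj want_key; shift
    want_subj=$(subject_of req "$csr") || return 2
    want_key=$(pubkey_of req "$csr") || return 2
    for f in "$@"; do
        if [ "$(subject_of x509 "$f")" = "$want_subj" ] &&
           [ "$(pubkey_of x509 "$f")" = "$want_key" ]; then
            echo "$f"; return 0
        fi
    done
    return 1
}

# Constructed samples: a root CA, a CSR standing in for the one the installer
# writes, and a second CSR created by hand with a new key and another subject.
make_samples() {
    local d="$1" n
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -keyout "$d/ipa.key" -out "$d/ipa.csr" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/C=US/O=Constructed Co/CN=ipa.example.test" \
        -keyout "$d/manual.key" -out "$d/manual.csr" 2>/dev/null
    for n in ipa manual; do
        openssl x509 -req -in "$d/$n.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -days 1 -out "$d/$n.cer" 2>/dev/null
    done
}

d=$(mktemp -d); make_samples "$d"
# Certificate issued for the hand-made CSR: nothing matches the installer CSR.
find_cert_for_csr "$d/ipa.csr" "$d/manual.cer" "$d/root.pem" || echo "no match"
# Certificate issued for the installer CSR: the matching file is printed.
find_cert_for_csr "$d/ipa.csr" "$d/ipa.cer" "$d/root.pem"
```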
