Zarko Dudic wrote:
Hi all,
I have a problem installing FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with an
external CA as the root CA. Here are the details.
1) Run "ipa-server-install --external-ca" and send the .csr to be signed by
the external CA, but VeriSign rejects signing it since info like
Organization, OU, L, ST and C is missing.
I seriously doubt Verisign will issue this certificate regardless of
format. Don't confuse a CA signing certificate with a server certificate.
But who knows. Try the --subject-base option to ipa-server-install, but
note that the CN is currently unconfigurable; it will always be
cn=Certificate Authority.
2) Okay, so I tried this workaround: create the cert request manually with
the command:
# certutil -R -d /tmp -a -g 2048 -s 'CN=<fqdn>,OU=<some-ou>,O=<company>,L=<town>,ST=California,C=US'
This will never work. Besides the fact that you didn't request a
certificate with the right CA extensions, the private key that generated
the CSR is now in a place where dogtag will never find it. This is
unrelated to the error below, but it would blow up eventually.
3) I verified the request via
https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp
(looks good).
4) Now VeriSign accepts the .csr and I receive the certificate (.cer file)
via email.
5) I also download two additional certs for the trust chain: one is
VeriSign's public primary root CA and the second one is the company's
intermediate CA, both .pem files.
6) Now the problem begins; run the command:
# ipa-server-install --external-cert-file=/tmp/freeipa.cer \
    --external-cert-file=/tmp/Company_CA_G2.pem \
    --external-cert-file=/tmp/VeriSign_Root_CA.pem -vv
If memory serves, IPA knows what the subject of its CA should look like
(remember subject-base?), and it isn't finding it and is blowing up.
rob
One of the screen messages is:
ipa : DEBUG stderr=
ipa : DEBUG Starting external process
ipa : DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmplsusxY'
'-M' '-n' 'CN=VeriSign Class 3 Public Primary Certification Authority -
G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign
Trust Network,O="VeriSign, Inc.",C=US' '-t' 'C,,'
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa.ipapython.install.cli.install_tool(Server): DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 279, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 288, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 517, in _configure
    validator.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1612, in main
    install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 263, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 601, in install_check
    ca.install_check(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 69, in install_check
    options.external_cert_files, options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1016, in load_external_cert
    "IPA CA certificate not found in %s" % (", ".join(files)))
ipa.ipapython.install.cli.install_tool(Server): DEBUG The ipa-server-install command failed, exception: ScriptError: IPA CA certificate not found in /tmp/freeipa.cer, /tmp/Company_CA_G2.pem, /tmp/VeriSign_Root_CA.pem
ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate not found in /tmp/freeipa.cer, /tmp/Company_CA_G2.pem, /tmp/VeriSign_Root_CA.pem
Please let me know if any more info is needed, appreciate any help.
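A pre-flight check for the "IPA CA certificate not found" failure above, added here as an example that is not part of FreeIPA or of the poster's setup: it independently re-implements the condition the installer applies (one of the --external-cert-file files must carry a CA certificate whose subject is CN=Certificate Authority under the subject base) with openssl, on a constructed chain. The realm EXAMPLE.TEST, the DNs and the file names are assumptions.

```shell
#!/bin/sh
# Added pre-flight check, independent of ipa-server-install: before passing the
# --external-cert-file arguments, confirm that one of the files holds a CA
# certificate whose subject is the one IPA expects (CN=Certificate Authority
# under the --subject-base value). The realm EXAMPLE.TEST and all names below
# are constructed for this demo.
set -e

# Subject the installer looks for; O= comes from --subject-base (default O=<REALM>).
EXPECTED_SUBJECT='CN=Certificate Authority,O=EXAMPLE.TEST'

# Subject of one PEM file in RFC 2253 form (the form the DN above is written in).
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
# True when basicConstraints marks the certificate as a CA.
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; }

# find_ipa_ca EXPECTED_SUBJECT FILE... : print the file carrying the IPA CA cert, exit 1 if none.
find_ipa_ca() {
  want="$1"; shift
  for f in "$@"; do
    subj=$(cert_subject "$f")
    if [ "$subj" = "$want" ] && cert_is_ca "$f"; then
      echo "$f"; return 0
    fi
    echo "skip $f: subject is '$subj'" >&2
  done
  echo "IPA CA certificate not found in $*" >&2
  return 1
}

# Constructed fixture in a temp dir: an external root, the IPA CA signed by it
# with CA extensions, and a cert with a server-style subject like the one in the post.
make_fixture() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
    -subj '/O=Example Corp/CN=External Root' -days 1 2>/dev/null
  # the CSR as ipa-server-install --external-ca writes it with the default subject base: O= and CN= only
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ipa.key" -out "$d/ipa.csr" \
    -subj '/O=EXAMPLE.TEST/CN=Certificate Authority' 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  openssl x509 -req -in "$d/ipa.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/ipa.pem" -days 1 2>/dev/null
  # CN=<fqdn> plus O/L/ST/C, as the poster's manual certutil request had
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.pem" \
    -subj '/C=US/ST=California/L=Town/O=Company/CN=ipa.example.test' -days 1 2>/dev/null
  echo "$d"
}

# Usage: D=$(make_fixture); find_ipa_ca "$EXPECTED_SUBJECT" "$D"/*.pem
```

Run against the real files instead of the fixture to see which subject each file actually carries before the installer rejects the set.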