On 09/20/2016 02:15 PM, Günther J. Niederwimmer wrote:
Hello.

Thanks for the first help,

On Monday, 19 September 2016, 12:02:19, Florence Blanc-Renaud wrote:
On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
Hello,
Freeipa 4.3.1

I have now installed a 3rd-party certificate from Startcom; now my IPA is
totally broken?

ipa-cacert-manage -p 'xxxxxxxxxxxxxxxx' -n STARTCOM-ROOT -t C,, install
root.crt

I think this is the wrong cert that I installed :-(.

Is it possible to overwrite or delete it and make it new? This file is the ROOT-CA
from STARTCOM ("30 Years").

Hi,

ipa-cacert-manage install *adds* the CA certificate to the list of CA certs (it does not replace the CA cert), meaning that it can be run multiple times with different certificates. After this step, you can find all your CA certificates in the ldap server, below cn=certificates,cn=ipa,cn=etc,$BASEDN

So in your case, you can re-run this command, this time with the right CA cert. Then do not forget to run ipa-certupdate on all the ipa replicas/clients in order to install the new CA cert on the relevant NSS databases. It is important to run ipa-certupdate before IPA services are restarted with the new certs (otherwise ipa-certupdate cannot contact the LDAP server to download the new certificates).

If you forgot to run ipa-certupdate on the clients, I guess you can fix this by installing the new CA cert in /etc/ipa/nssdb with C,, flags.

HTH,
Flo

ipa-certupdate

ipa-server-certinstall -w -d ipa_3rd_ca.p12

This was wrong; I deleted all these installed certs with
certutil -d . -D -n xxxxxxx

I created this p12 with key.pem, cert.pem and root.crt.

Now I have created a new p12 with, I hope, the correct certs.

I got from Startcom an httpd zip file with 1_root_bundle.crt ("15 Years") and
my wildcard certificate; these I included in my newly created p12 with my key.pem.

This p12 I installed on the first master with

pk12util -v -i ipa_4gjn_ca.p12 -d /etc/httpd/alias -k
/etc/httpd/alias/pwdfile.txt -W xxxxxxxx

pk12util -v -i ipa_4gjn_ca.p12 -d /etc/dirsrv/slapd-4GJN-COM -k
/etc/dirsrv/slapd-4GJN-COM/pwdfile.txt -W xxxxxxx
and
pk12util -v -i ipa_4gjn_ca.p12 -d /var/lib/pki/pki-tomcat/alias -k
/etc/pki/pki-tomcat/pwdfile.txt -W xxxxxxxxx

I changed nss.conf and, I hope, the correct file in /etc/dirsrv/slapd-
XXXX/dsl.ldif.

Then I changed in all NSS DBs the StartCom cert (1_root_bundle.crt) with name
STARTCOM-ROOT to C,, with
certutil -d . -M -t C,, -n STARCOM-ROOT


Afterwards I did a reboot and a test:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Why is the ipa-ods-exporter service always STOPPED?

Next I tested a login on the IPA Web UI; this is now also working ;-)


The QUESTION is now: what about the second master and the IPA clients?
Now (?) I have also found ipa-backup ;-) OK, for the next problem I know it
now :-).

Do I have to repeat all this on the second master?

And what is the correct way to inform the clients?

Thanks again for an answer,

Hi,

there were some issues with ipa-server-certinstall (see tickets #4785,
#4786 and #6263).
In order to check your configuration, you must make sure that the NSS
DBs for Apache and the LDAP server (/etc/httpd/alias,
/var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
- the server certificate with flags u,u,u (= the one contained in
ipa_3rd_ca.p12)
- the certificate of the CA which signed the server certificate, with
flags C,, (= the one contained in root.crt)

Then you can also check if the nickname for the server cert is properly
set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
nsSSLPersonalitySSL).

If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
provide more information.

Also note that it is important to run ipa-certupdate on all the clients
and replicas in order to install the new certificates in the NSS DBs
*before* you run ipa-server-certinstall.

Hope this helps,
Flo.

Kerberos doesn't start anymore?
The error is

Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC for
realm '4GJN.COM'

After inserting in nss.conf
"NSSEnforceValidCerts off"

ipactl restart is starting (?) but

ipactl status tells me
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

With certutil -d /etc/httpd/alias -L I now have this:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
4GJN_CA_FILE                                                 u,u,u
ipaCert                                                      u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,

I can insert in nss.conf either the original
#NSSNickname "Signing-Cert"
or
NSSNickname 4GJN_CA_FILE, but all is now broken?

I also add this, as found in Bugzilla:

certutil -d /var/lib/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
STARTCOM-ROOT                                                CT,,

This is created in the

certutil -d /etc/dirsrv/slapd-4GJN.COM -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

4GJN_CA_FILE                                                 u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,

Can anyone help a little, please ;-)

The bad problem: I tested this on my master server with DNS / DNSSEC, which I
can't reinstall (DNSSEC keys).


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
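The checks Flo lists (server cert present with u,u,u, the signing CA present with C in the SSL column, and the nickname in nss.conf / nsSSLPersonalitySSL actually matching a nickname in the DB) can be scripted against the text that `certutil -L` prints. The script below is an added example, not code from the thread or from the FreeIPA project. It parses constructed listings modelled on the ones posted above (same nicknames and flags), a hypothetical nss.conf excerpt and a hypothetical dse.ldif excerpt; the second listing, a client /etc/ipa/nssdb on which ipa-certupdate was never run, is constructed to show the failing case from Flo's first reply.

```python
#!/usr/bin/env python3
"""Check NSS DB listings against the points in the reply above.

Added example (not from the thread or the FreeIPA project). All inputs are
constructed: they copy the shape of `certutil -d <dir> -L` output and the
nicknames/flags seen in the thread, but come from no live system.
"""
import re

# Constructed: shape of `certutil -d /etc/httpd/alias -L` from the thread.
HTTPD_ALIAS_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
4GJN_CA_FILE                                                 u,u,u
ipaCert                                                      u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,
"""

# Constructed: a client /etc/ipa/nssdb where ipa-certupdate was not run,
# so the new third-party root is missing.
CLIENT_NSSDB_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

4GJN.COM IPA CA                                              CT,C,C
"""

# Hypothetical excerpt of /etc/httpd/conf.d/nss.conf (values from the thread).
NSS_CONF = """\
NSSEngine on
#NSSNickname "Signing-Cert"
NSSNickname 4GJN_CA_FILE
NSSEnforceValidCerts off
"""

# Hypothetical excerpt of the cn=RSA,cn=encryption,cn=config entry in dse.ldif.
DSE_LDIF = """\
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: 4GJN_CA_FILE
nsSSLActivation: on
"""

# A data line is "<nickname>  <ssl>,<smime>,<jar>". Header lines never match:
# the first has no flag triple, the second is indented and contains slashes.
_ENTRY = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_listing(text):
    """Map nickname -> (ssl, smime, jar) trust strings."""
    certs = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            certs[m.group("nick").strip()] = tuple(m.group("trust").split(","))
    return certs


def nss_conf_nickname(text):
    """Active NSSNickname in an nss.conf excerpt; commented-out lines are ignored."""
    for line in text.splitlines():
        m = re.match(r'^\s*NSSNickname\s+"?(.+?)"?\s*$', line)
        if m:
            return m.group(1)
    return None


def dse_ldif_nickname(text):
    """nsSSLPersonalitySSL from the cn=RSA,cn=encryption,cn=config entry."""
    in_entry = False
    for line in text.splitlines():
        if line.lower().startswith("dn:"):
            in_entry = line.split(":", 1)[1].strip().lower() == "cn=rsa,cn=encryption,cn=config"
        elif in_entry and line.startswith("nsSSLPersonalitySSL:"):
            return line.split(":", 1)[1].strip()
    return None


def check_nssdb(certs, server_nick=None, ca_nick=None):
    """Return a list of problems; an empty list means the DB passes the checks."""
    problems = []
    if server_nick is not None:
        trust = certs.get(server_nick)
        if trust is None:
            problems.append(f"server cert {server_nick!r} is not in the DB")
        elif trust != ("u", "u", "u"):
            problems.append(f"server cert {server_nick!r} has trust {','.join(trust)}, expected u,u,u")
    if ca_nick is not None:
        trust = certs.get(ca_nick)
        if trust is None:
            problems.append(f"CA cert {ca_nick!r} is not in the DB (run ipa-certupdate, or import it with -t C,,)")
        elif "C" not in trust[0]:
            problems.append(f"CA cert {ca_nick!r} has SSL trust {trust[0]!r}, expected C")
    return problems


if __name__ == "__main__":
    httpd = parse_certutil_listing(HTTPD_ALIAS_LISTING)
    print("httpd nickname:", nss_conf_nickname(NSS_CONF), "ldap nickname:", dse_ldif_nickname(DSE_LDIF))
    print("httpd:", check_nssdb(httpd, nss_conf_nickname(NSS_CONF), "STARTCOM-ROOT") or "OK")
    client = parse_certutil_listing(CLIENT_NSSDB_LISTING)
    print("client:", check_nssdb(client, None, "STARTCOM-ROOT") or "OK")
```

On a real server you would feed each function the output of `certutil -d <dir> -L` and the real nss.conf / dse.ldif. A listing only shows that the nicknames and trust flags are present; it cannot show that the CA in the DB is the one that actually issued the server cert. `certutil -d <dir> -V -n <nickname> -u V` verifies the server cert against the CAs in the same DB and is the check that NSSEnforceValidCerts off skips at httpd start-up, so run it before turning that directive off.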
