On 11/15/2016 01:47 PM, Leo Baltus wrote:
Hi,

(first time user, firts post on this ML)

I am setting up ipa-server on a fresh CentOS-7 system.

After running:

/usr/sbin/ipa-server-install -U --realm XXXYYYYY.NL --domain xxxyyyyy.nl \
    --admin-password foobarxy --ds-password foobarxy \
    --idstart 5000 \
    --no-ntp

Connecting my Chrome browser to this machine results in a 'Your
connection is not private' errorpage. And no option to go the
insecure way.

Now I have my own CA, created a certifcate keypair with it and I would
like to import this keypair together with my CA to add trust.

Following http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

ipa-cacert-manage -p foobarxy -n NICKNAME -t C,, install myca.crt
ipa-certupdate
ipa-server-certinstall -w -d mysite.key mysite.crt

after running ipa-certupdate again I get:

trying https://lab-k1.xxxyyyyy.nl/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://lab-k1.xxxyyyyy.nl/ipa/json'
cert validation failed for "CN=Object Signing Cert,O=XXXYYYYY.NL" 
((SEC_ERROR_INADEQUATE_KEY_USAGE) Certificate key usage inadequate for attempted 
operation.)

On other attempts I get a timeout on ipa-certupdate:
Resubmitting certmonger request '20161115122715' timed out, please check the 
request manually

Any idea what is going on? Am I using the right docs?

versions:
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
krb5-libs-1.13.2-12.el7_2.x86_64
krb5-pkinit-1.13.2-12.el7_2.x86_64
krb5-server-1.13.2-12.el7_2.x86_64
krb5-workstation-1.13.2-12.el7_2.x86_64
libsss_nss_idmap-1.13.0-40.el7_2.12.x86_64
mod_nss-1.0.11-6.el7.x86_64
nss-3.21.0-9.el7_2.x86_64
nss-softokn-3.16.2.3-14.2.el7_2.x86_64
nss-softokn-freebl-3.16.2.3-14.2.el7_2.x86_64
nss-sysinit-3.21.0-9.el7_2.x86_64
nss-tools-3.21.0-9.el7_2.x86_64
nss-util-3.21.0-2.2.el7_2.x86_64
nss_compat_ossl-0.9.6-8.el7.x86_64
openssl-1.0.1e-51.el7_2.7.x86_64
openssl-libs-1.0.1e-51.el7_2.7.x86_64
pam_krb5-2.4.8-4.el7.x86_64
pki-base-10.2.5-10.el7_2.noarch
pki-ca-10.2.5-10.el7_2.noarch
pki-kra-10.2.5-10.el7_2.noarch
pki-server-10.2.5-10.el7_2.noarch
pki-tools-10.2.5-10.el7_2.x86_64
python-nss-0.16.0-3.el7.x86_64
sssd-krb5-1.13.0-40.el7_2.12.x86_64
sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

Hi,

can you check if your certificate can be used for an SSL server? You can use the following command

openssl x509 -purpose -in mysite.crt

--
Tomas Krizek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to