Hi Florence,

Thanks for your update, good to see some good info about it.

For Comodo I have installed all these:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

Where COMODORSADomainValidationSecureServerCA.crt is not needed as far as I know but the same issues still exist, the Server-Cert is removed again on ipa-certupdate and fails.

I have tried this with setenforce 0

Cheers,

Matt

2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
> On 02/14/2017 02:54 PM, Matt . wrote:
>>
>> Certs are valid, I will check what you mentioned.
>>
>> I'm also no fan of bundles, more the separate files but this doesn't
>> seem to work always. At least for the CAroot a bundle was required.
>>
> Hi Matt,
>
> if your certificate was provided by an intermediate CA, you need to add each
> CA before running ipa-server-certinstall (start from the top-level CA with
> ipa-cacert-manage install, then run ipa-certupdate, then the intermediate CA
> with ipa-cacert-manage install, then ipa-certupdate etc...)
>
> There is also a known issue with ipa-certupdate and SELinux in enforcing
> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>
> Flo.
>
>
>> Matt
>>
>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>> <[email protected]>:
>>>
>>> Have you validated the cert (and dumped the contents) from the command
>>> line using the openssl tools? I've seen the message you are seeing before,
>>> for some reason I seem to remember that it has to do with either a missing
>>> or an extra - at either the -----BEGIN CERTIFICATE---- or -----END
>>> CERTIFICATE---- (an error from copy and pasting and not copying the actual
>>> file).
>>>
>>> I've never used certupdate so if what is described above doesn't help
>>> somebody else will have to chime in.
>>>
>>> Dan
>>>
>>>> On Feb 14, 2017, at 2:18 AM, Matt . <[email protected]> wrote:
>>>>
>>>> Hi Dan,
>>>>
>>>> Yes I have tried that and I get the message that it misses the full
>>>> chain for the certificate.
>>>>
>>>> My issue is more, why is the Server-Cert being removed on a certupdate?
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>> <[email protected]>:
>>>>>
>>>>> Is the chain in mydomain_com_bundle.crt? Have you tried it with the
>>>>> cert only (disclaimer: I've never done this).
>>>>>
>>>>> Dan
>>>>>
>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <[email protected]> wrote:
>>>>>>
>>>>>> Hi Guys,
>>>>>>
>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>
>>>>>>
>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>
>>>>>> When I run the install command for the certificate itself:
>>>>>>
>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key
>>>>>> mydomain_com_bundle.crt
>>>>>> Directory Manager password:
>>>>>>
>>>>>> Enter private key unlock password:
>>>>>>
>>>>>> list index out of range
>>>>>> The ipa-server-certinstall command failed.
>>>>>>
>>>>>>
>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>
>>>>>> What can I do to solve this?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>>
>>>
>>
>
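
The copy-and-paste damage Dan describes (a missing or extra dash in a BEGIN/END line) can be checked mechanically before the bundle is handed to ipa-server-certinstall. The following is an added example, not part of the thread and not FreeIPA code: `check_pem_bundle` and `SAMPLE` are hypothetical names, the sample bundle is constructed, and the check covers only the PEM framing and base64 body, not the validity or order of the chain.

```python
import base64
import binascii
import re

# Any line that looks like a certificate boundary, whatever its dash count.
MARKER = re.compile(r"^\s*(-+)\s*(BEGIN|END) CERTIFICATE\s*(-+)\s*$")

# Constructed sample: the bodies are a tiny DER SEQUENCE, not real certificates.
SAMPLE = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
)

def check_pem_bundle(text):
    """Return (block_count, problems) for a PEM bundle given as a string."""
    problems, count, body, inside = [], 0, [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        m = MARKER.match(line)
        if not m:
            if inside:
                body.append(line.strip())
            continue
        kind = m.group(2)
        if line.rstrip() != f"-----{kind} CERTIFICATE-----":
            problems.append(f"line {lineno}: malformed {kind} marker {line.strip()!r}")
        if kind == "BEGIN":
            if inside:
                problems.append(f"line {lineno}: BEGIN without preceding END")
            inside, body = True, []
            continue
        if not inside:
            problems.append(f"line {lineno}: END without BEGIN")
            continue
        inside = False
        try:
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error:
            problems.append(f"line {lineno}: body is not valid base64")
            continue
        # A DER-encoded certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
        if der[:1] != b"\x30":
            problems.append(f"line {lineno}: body is not a DER SEQUENCE")
        else:
            count += 1
    if inside:
        problems.append("end of file: BEGIN without END")
    return count, problems

if __name__ == "__main__":
    print(check_pem_bundle(SAMPLE))
```

The block count also shows at a glance whether a file named as a bundle holds more than the server certificate.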
