Hi Florence,

Sure I can, here you go:

Fedora 24
Freeipa VERSION: 4.4.2, API_VERSION: 2.215
I installed this server as self-signed CA

Cheers,

Matt

2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
> On 02/14/2017 05:43 PM, Matt . wrote:
>>
>> Hi Florence,
>>
>> Thanks for your update, good to see some good info about it. For
>> Comodo I have installed all these:
>>
>> AddTrustExternalCARoot.crt
>> COMODORSAAddTrustCA.crt
>> COMODORSADomainValidationSecureServerCA.crt
>>
>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>> far as I know but the same issues still exist, the Server-Cert is
>> removed again on ipa-certupdate and fails.
>>
>> I have tried this with setenforce 0
>>
> Hi Matt,
>
> can you provide more info in order to reproduce the issue?
> - which OS are you using
> - IPA version
> - how did you install ipa server (CA-less or with self-signed CA or with
>   externally-signed CA?)
>
> Thanks,
> Flo.
>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>
>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>
>>>> Certs are valid, I will check what you mentioned.
>>>>
>>>> I'm also no fan of bundles, more the separate files but this doesn't
>>>> seem to work always. At least for the CAroot a bundle was required.
>>>>
>>> Hi Matt,
>>>
>>> if your certificate was provided by an intermediate CA, you need to add each
>>> CA before running ipa-server-certinstall (start from the top-level CA with
>>> ipa-cacert-manage install, then run ipa-certupdate, then the intermediate CA
>>> with ipa-cacert-manage install, then ipa-certupdate etc...)
>>>
>>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>
>>> Flo.
>>>
>>>> Matt
>>>>
>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] <[email protected]>:
>>>>>
>>>>> Have you validated the cert (and dumped the contents) from the command
>>>>> line using the openssl tools? I’ve seen the message you are seeing before,
>>>>> for some reason I seem to remember that it has to do with either a missing
>>>>> or an extra - at either the -----BEGIN CERTIFICATE---- or -----END
>>>>> CERTIFICATE---- (an error from copy and pasting and not copying the actual
>>>>> file).
>>>>>
>>>>> I’ve never used certupdate so if what is described above doesn’t help
>>>>> somebody else will have to chime in.
>>>>>
>>>>> Dan
>>>>>
>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <[email protected]> wrote:
>>>>>>
>>>>>> Hi Dan,
>>>>>>
>>>>>> Yes, I have tried that and I get the message that it misses the full
>>>>>> chain for the certificate.
>>>>>>
>>>>>> My issue is more, why is the Server-Cert being removed on a certupdate?
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] <[email protected]>:
>>>>>>>
>>>>>>> Is the chain in mydomain_com_bundle.crt? Have you tried it with the
>>>>>>> cert only (disclaimer: I’ve never done this).
>>>>>>>
>>>>>>> Dan
>>>>>>>
>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hi Guys,
>>>>>>>>
>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>
>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>
>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>
>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>> Directory Manager password:
>>>>>>>>
>>>>>>>> Enter private key unlock password:
>>>>>>>>
>>>>>>>> list index out of range
>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>
>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>
>>>>>>>> What can I do to solve this?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> --
>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> Go to http://freeipa.org for more info on the project
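
The delimiter check Dan describes in the thread (a missing or extra dash on a BEGIN/END CERTIFICATE line after copy and paste) can be run over a bundle file before handing it to ipa-server-certinstall. This is an added example, not part of the original thread and not FreeIPA code; the function name `check_pem_markers` and the sample bundle are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: strict check of the delimiter lines in a PEM certificate bundle.
# It does not validate the base64 body or the order of the chain.

# check_pem_markers FILE
# Prints one line per problem plus a summary; returns 0 only if every
# certificate delimiter has exactly five dashes on each side and is paired.
check_pem_markers() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /(BEGIN|END) CERTIFICATE/ && !/^-----(BEGIN|END) CERTIFICATE-----$/ {
            printf "line %d: malformed marker: %s\n", NR, $0
            bad = 1; next
        }
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inblk) { printf "line %d: BEGIN inside an open block\n", NR; bad = 1 }
            inblk = 1; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (inblk) certs++
            else { printf "line %d: END without a matching BEGIN\n", NR; bad = 1 }
            inblk = 0; next
        }
        END {
            if (inblk) { print "end of file: certificate block never closed"; bad = 1 }
            if (certs == 0) bad = 1
            printf "%d well-formed certificate block(s)\n", certs
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample (placeholder bodies, not real certificates): the second
# block has lost one dash from its END line, as happens with copy and paste.
demo=$(mktemp)
cat > "$demo" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItMQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItMg==
-----END CERTIFICATE----
EOF
check_pem_markers "$demo" || true
rm -f "$demo"
```

A bundle that passes this check can still fail later for other reasons (wrong chain order, missing CA); it only rules out the copy-and-paste delimiter damage mentioned in the thread.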
