Hi Flo! (if I may call you like that, saves some characters in typing but with this extra line it doesn't anymore :))
This works perfectly, thank you very much.

No further questions actually :)

Cheers,

Matt

2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
> On 02/15/2017 05:40 PM, Matt . wrote:
>>
>> Hi,
>>
>> Is there any update on this? I need to install 3 other instances but
>> I would like to know upfront if it might be a bug.
>>
> Hi Matt,
>
> I was not able to reproduce your issue. Here were my steps:
>
> Install FreeIPA with self-signed cert:
> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>
> The certificate chain is ca1 -> subca -> server.
> Install the root CA:
> kinit admin
> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
> ipa-certupdate
>
> Install the subca:
> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
> ipa-certupdate
>
> Install the server cert:
> ipa-server-certinstall -d -w server.pem key.pem
>
> ipa-certupdate basically retrieves the certificates from LDAP (below
> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias but
> I don't remember it removing certs.
>
> Can you check the content of your LDAP server?
> kinit admin
> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
>
> It should contain one entry for each CA that you added.
>
> Flo.
>
>> Thanks,
>>
>> Matt
>>
>> 2017-02-14 17:59 GMT+01:00 Matt . <[email protected]>:
>>>
>>> Hi Florence,
>>>
>>> Sure I can, here you go:
>>>
>>> Fedora 24
>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>
>>> I installed this server as self-signed CA
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>
>>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>>>
>>>>> Hi Florence,
>>>>>
>>>>> Thanks for your update, good to see some good info about it. For
>>>>> Comodo I have installed all these:
>>>>>
>>>>> AddTrustExternalCARoot.crt
>>>>> COMODORSAAddTrustCA.crt
>>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>>
>>>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>>> far as I know, but the same issues still exist: the Server-Cert is
>>>>> removed again on ipa-certupdate and fails.
>>>>>
>>>>> I have tried this with setenforce 0
>>>>>
>>>> Hi Matt,
>>>>
>>>> can you provide more info in order to reproduce the issue?
>>>> - which OS are you using
>>>> - IPA version
>>>> - how did you install ipa server (CA-less or with self-signed CA or with
>>>>   externally-signed CA?)
>>>>
>>>> Thanks,
>>>> Flo.
>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>>>
>>>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>>>
>>>>>>> Certs are valid, I will check what you mentioned.
>>>>>>>
>>>>>>> I'm also no fan of bundles, more the separate files, but this doesn't
>>>>>>> seem to work always. At least for the CA root a bundle was required.
>>>>>>>
>>>>>> Hi Matt,
>>>>>>
>>>>>> if your certificate was provided by an intermediate CA, you need to add
>>>>>> each CA before running ipa-server-certinstall (start from the top-level CA
>>>>>> with ipa-cacert-manage install, then run ipa-certupdate, then the
>>>>>> intermediate CA with ipa-cacert-manage install, then ipa-certupdate etc...)
>>>>>>
>>>>>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>>>>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>>>
>>>>>> Flo.
>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] <[email protected]>:
>>>>>>>>
>>>>>>>> Have you validated the cert (and dumped the contents) from the command
>>>>>>>> line using the openssl tools? I've seen the message you are seeing
>>>>>>>> before; for some reason I seem to remember that it has to do with either a
>>>>>>>> missing or an extra - at either the -----BEGIN CERTIFICATE---- or -----END
>>>>>>>> CERTIFICATE---- (an error from copy and pasting and not copying the
>>>>>>>> actual file).
>>>>>>>>
>>>>>>>> I've never used certupdate so if what is described above doesn't help
>>>>>>>> somebody else will have to chime in.
>>>>>>>>
>>>>>>>> Dan
>>>>>>>>
>>>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Hi Dan,
>>>>>>>>>
>>>>>>>>> Yes I have tried that and I get the message that it misses the full
>>>>>>>>> chain for the certificate.
>>>>>>>>>
>>>>>>>>> My issue is more, why is the Server-Cert being removed on a
>>>>>>>>> certupdate?
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] <[email protected]>:
>>>>>>>>>>
>>>>>>>>>> Is the chain in mydomain_com_bundle.crt? Have you tried it with the
>>>>>>>>>> cert only (disclaimer: I've never done this).
>>>>>>>>>>
>>>>>>>>>> Dan
>>>>>>>>>>
>>>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Guys,
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>>>
>>>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>>>
>>>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>>>
>>>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>>>>> Directory Manager password:
>>>>>>>>>>>
>>>>>>>>>>> Enter private key unlock password:
>>>>>>>>>>>
>>>>>>>>>>> list index out of range
>>>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>>>
>>>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>>>
>>>>>>>>>>> What can I do to solve this?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Matt
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>> Go to http://freeipa.org for more info on the project
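Dan's suggestion above (check the PEM markers before blaming the tool), as an added example that is not code from the thread or from FreeIPA: a stdlib-only Python linter for a PEM bundle such as mydomain_com_bundle.crt. It checks that every BEGIN/END CERTIFICATE marker has exactly five dashes on each side, that markers pair up, and that each body is valid base64, and it counts the well-formed certificates so you can compare the result with the chain you expect (root, intermediate, server) before running ipa-server-certinstall. The sample bundles are constructed with placeholder base64 bodies, not real certificates, and the check does not verify signatures; that is what openssl verify is for.

```python
import base64
import binascii
import re
import sys

# Any dash run around the marker text, so damaged markers are still seen.
MARKER = re.compile(r"^-+(BEGIN|END) CERTIFICATE-+$")
# What a correct marker must look like: exactly five dashes on each side.
EXACT = re.compile(r"^-{5}(BEGIN|END) CERTIFICATE-{5}$")


def lint_pem_bundle(text):
    """Return (well_formed_cert_count, problems) for the PEM text given.

    A block is counted only when both of its markers are exact and its body
    decodes as base64; anything else is reported with a line number.
    """
    problems, count = [], 0
    body, clean = None, True  # body holds the block's lines while inside one
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = MARKER.match(line)
        if m is None:
            if body is not None:
                body.append(line)
            continue  # text outside a block (e.g. "subject=" lines) is ignored
        exact = EXACT.match(line) is not None
        if not exact:
            problems.append(f"line {lineno}: malformed marker {line!r} "
                            "(need exactly five dashes on each side)")
        if m.group(1) == "BEGIN":
            if body is not None:
                problems.append(f"line {lineno}: BEGIN without preceding END")
            body, clean = [], exact
            continue
        if body is None:
            problems.append(f"line {lineno}: END without BEGIN")
            continue
        try:
            if not base64.b64decode("".join(body), validate=True):
                raise binascii.Error("empty body")
            count += int(clean and exact)
        except binascii.Error as exc:
            problems.append(f"line {lineno}: body is not valid base64 ({exc})")
        body = None
    if body is not None:
        problems.append("end of file: BEGIN without END")
    return count, problems


# Constructed sample input (placeholder base64 bodies, not real certificates):
# two clean blocks, like ca1.pem and subca.pem concatenated into one bundle.
GOOD_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBAQ==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBAg==\n-----END CERTIFICATE-----\n"
)
# The same bundle after a paste slip: the first END marker lost one dash.
BAD_BUNDLE = GOOD_BUNDLE.replace("-----END CERTIFICATE-----\n",
                                 "-----END CERTIFICATE----\n", 1)

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_BUNDLE
    n, issues = lint_pem_bundle(src)
    print(f"{n} well-formed certificate(s)")
    for issue in issues:
        print("PROBLEM:", issue)
```

Run it against the bundle file you intend to pass to ipa-server-certinstall; a count lower than the number of CAs plus the server certificate, or any reported problem, is worth fixing before touching the server.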
