On 02/16/2017 09:55 PM, Matt . wrote:
Hi Flo! (if I may call you like that, saves some characters in typing
but with this extra line it doesn't anymore :))

This works perfectly, thank you very much.

Hi Matt,

glad I could help. What did you do differently that could explain the failure, though? Maybe the cert installation needs some hardening.

Flo.
No further questions actually :)

Cheers,

Matt

2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
On 02/15/2017 05:40 PM, Matt . wrote:

Hi,

Is there any update on this? I need to install 3 other instances but
I would like to know upfront if it might be a bug.

Hi Matt,

I was not able to reproduce your issue. Here were my steps:

Install FreeIPA with self-signed cert:
ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD

The certificate chain is ca1 -> subca -> server.
Install the root CA:
kinit admin
ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
ipa-certupdate

Install the subca:
ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
ipa-certupdate

Install the server cert:
ipa-server-certinstall -d -w server.pem key.pem

ipa-certupdate basically retrieves the certificates from LDAP (below
cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias but
I don't remember it removing certs.

Can you check the content of your LDAP server?
kinit admin
ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN

It should contain one entry for each CA that you added.

Flo.

Thanks,

Matt

2017-02-14 17:59 GMT+01:00 Matt . <yamakasi....@gmail.com>:

Hi Florence,

Sure I can, here you go:

Fedora 24
Freeipa VERSION: 4.4.2, API_VERSION: 2.215

I installed this server with a self-signed CA.

Cheers,

Matt

2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:

On 02/14/2017 05:43 PM, Matt . wrote:

Hi Florence,

Thanks for your update, good to see some good info about it. For
Comodo I have installed all these:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

Where COMODORSADomainValidationSecureServerCA.crt is not needed as
far as I know, but the same issue still exists: the Server-Cert is
removed again on ipa-certupdate and it fails.

I have tried this with setenforce 0

Hi Matt,

can you provide more info in order to reproduce the issue?
- which OS are you using
- IPA version
- how did you install ipa server (CA-less or with self-signed CA or with
externally-signed CA?)

Thanks,
Flo.


Cheers,

Matt

2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:

On 02/14/2017 02:54 PM, Matt . wrote:

Certs are valid, I will check what you mentioned.

I'm also no fan of bundles, more of the separate files, but this doesn't
always seem to work. At least for the CA root a bundle was required.

Hi Matt,

if your certificate was provided by an intermediate CA, you need to add each
CA before running ipa-server-certinstall (start from the top-level CA with
ipa-cacert-manage install, then run ipa-certupdate, then the intermediate CA
with ipa-cacert-manage install, then ipa-certupdate etc...)

There is also a known issue with ipa-certupdate and SELinux in enforcing
mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).

Flo.

Matt

2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
<dsulliv...@bsd.uchicago.edu>:

Have you validated the cert (and dumped the contents) from the command
line using the openssl tools? I’ve seen the message you are seeing before;
for some reason I seem to remember that it has to do with either a missing
or an extra - at either the -----BEGIN CERTIFICATE---- or -----END
CERTIFICATE---- (an error from copy and pasting and not copying the actual
file).

I’ve never used certupdate so if what is described above doesn’t help
somebody else will have to chime in.

Dan
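Dan's suggestion to check the PEM markers, as an added example that is not part of this thread or of FreeIPA: a small Python linter for a certificate bundle that flags BEGIN/END lines with the wrong number of dashes, stray text between blocks, and blocks whose body does not decode to DER. The sample bundle is constructed for the example and contains no real certificate.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
MARKER_RE = re.compile(r"^(-+)(BEGIN|END) CERTIFICATE(-+)$")

# Constructed stand-in for a certificate body: base64 of a tiny DER SEQUENCE
# (a real X.509 certificate also starts with the SEQUENCE tag 0x30).
FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
# Constructed bundle: a well-formed block followed by one whose END marker
# lost a dash, the kind of copy-and-paste damage described in the thread.
SAMPLE_BUNDLE = "\n".join([BEGIN, FAKE_DER_B64, END,
                           BEGIN, FAKE_DER_B64, "-----END CERTIFICATE----"])


def lint_pem_bundle(text):
    """Return (number of certificate blocks found, list of findings as strings)."""
    findings, count, body = [], 0, None   # body collects the open block's lines
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = MARKER_RE.match(line)
        if m:
            lead, kind, tail = m.groups()
            if len(lead) != 5 or len(tail) != 5:
                findings.append(f"line {lineno}: {kind} marker has "
                                f"{len(lead)}/{len(tail)} dashes, expected 5/5")
            if kind == "BEGIN":
                if body is not None:
                    findings.append(f"line {lineno}: BEGIN inside an open block")
                body = []
            elif body is None:
                findings.append(f"line {lineno}: END without a BEGIN")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass
                    der = b""
                    findings.append(f"line {lineno}: block body is not valid base64")
                if not der.startswith(b"\x30"):
                    findings.append(f"line {lineno}: block does not decode to a DER SEQUENCE")
                count += 1
                body = None
        elif body is not None and line:
            body.append(line)
        elif line:
            findings.append(f"line {lineno}: text outside any certificate block")
    if body is not None:
        findings.append("bundle ends inside an unterminated block")
    return count, findings
```

Running it on a bundle before ipa-server-certinstall tells you how many blocks the tool will actually see and which lines would not parse as PEM.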

On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi....@gmail.com> wrote:

Hi Dan,

Yes, I have tried that and I get the message that it misses the full
chain for the certificate.

My issue is more, why is the Server-Cert being removed on a certupdate?

Cheers,

Matt

2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
<dsulliv...@bsd.uchicago.edu>:

Is the chain in mydomain_com_bundle.crt? Have you tried it with the
cert only (disclaimer: I’ve never done this).

Dan

On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi....@gmail.com>
wrote:

Hi Guys,

I'm trying to install a 3rd party certificate using:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA

When I run the install command for the certificate itself:

# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
Directory Manager password:

Enter private key unlock password:

list index out of range
The ipa-server-certinstall command failed.

If I do a #ipa-certupdate the Server-Cert is removed from
/etc/httpd/alias and the install fails because of this.

What can I do to solve this?

Thanks,

Matt

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project