-----Original Message-----
From: Tomas Krizek [mailto:tkri...@redhat.com]
Sent: Monday, March 27, 2017 12:20 PM
To: System Administration Team <sys-ad...@camgian.com>; Fraser Tweedale <ftwee...@redhat.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house rootCA : ERROR IPA CA certificate not found in

On 03/27/2017 06:19 PM, System Administration Team wrote:
> [root@ipa certs]# openssl req -in /root/ipa.csr -noout -text
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: mail=<REMOVED>, C=US, ST=Mississippi, L=Starkville, O=Camgian Microsystems, OU=IT, CN=Certificate Authority
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     <REMOVED FOR BREVITY>
>                 Exponent: 65537 (0x10001)
>         Attributes:
>         Requested Extensions:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
>     Signature Algorithm: sha256WithRSAEncryption
>          <REMOVED FOR BREVITY>
> [root@ipa certs]#
>
> Sign ipa.csr
>
> root@rootCA:~/ca# openssl ca -config openssl.cnf -policy policy_loose -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in /home/camgian/ipa.csr -out intermediate/certs/ipa.cert.pem
> Using configuration from openssl.cnf
> Enter pass phrase for /root/ca/private/ca.key.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>     Serial Number: 4099 (0x1003)
>     Validity
>         Not Before: Mar 27 15:49:18 2017 GMT
>         Not After : Mar 25 15:49:18 2027 GMT
>     Subject:
>         countryName               = US
>         stateOrProvinceName       = Mississippi
>         localityName              = Starkville
>         organizationName          = Camgian Microsystems
>         organizationalUnitName    = IT
>         commonName                = Certificate Authority

The signed certificate's Subject field seems to be missing the mail=<REMOVED>. Perhaps the signing rules do not permit this field?

I removed this field so it would not be archived in this list since I now get Porn Spam from Kim when I post to it.

> [root@ipa certs]# ipa-server-install --domain=camgian.com --hostname=ipa.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US,mail=<REMOVED>' --external-cert-file=/etc/pki/tls/certs/ipa.cert.pem --external-cert-file=/etc/pki/tls/certs/ca.cert.pem

I believe you can't force IPA to use a different subject at the second step of setting up external CA. I think it's only used to generate the CSR in the first step.

I have tried both ways....

From the logfile below it looks like it is picking up the CN from my ROOT CA rather than the CN from IPA-SERVER-Install...

[root@ipa certs]# ipa-server-install --external-cert-file=/etc/pki/tls/certs/ipa.cert.pem --external-cert-file=/etc/pki/tls/certs/ca.cert.pem

The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:

==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA CA certificate not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[root@ipa certs]#

FROM Log File:

2017-03-27T19:34:45Z DEBUG stderr=
2017-03-27T19:34:45Z DEBUG Starting external process
2017-03-27T19:34:45Z DEBUG args=/usr/bin/certutil -d /tmp/tmpHEVPYc -M -n E=<I_REMOVED_THIS>,CN=Camgian Microsystems Root CA,OU=IT,O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US -t C,,
2017-03-27T19:34:45Z DEBUG Process finished, return code=0
2017-03-27T19:34:45Z DEBUG stdout=
2017-03-27T19:34:45Z DEBUG stderr=
2017-03-27T19:34:45Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 308, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 317, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 564, in _configure
    next(validator)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1355, in main
    install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 267, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 600, in install_check
    ca.install_check(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 73, in install_check
    options.external_cert_files, options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1039, in load_external_cert
    "IPA CA certificate not found in %s" % (", ".join(files)))

2017-03-27T19:34:45Z DEBUG The ipa-server-install command failed, exception: ScriptError: IPA CA certificate not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
2017-03-27T19:34:45Z ERROR IPA CA certificate not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
2017-03-27T19:34:45Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[root@ipa certs]#

> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
> ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The installation most likely fails because mail=<REMOVED> is expected to be a part of the signed certificate's subject field.

--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
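The diagnosis in the thread is that the external CA signed the IPA CSR with a subject that no longer contains the `mail=` attribute, so the second `ipa-server-install` step cannot find a certificate whose subject matches the one it generated. The script below is an added example (not FreeIPA, Dogtag or OpenSSL code) of the pre-flight check a practitioner would run before the second step: it parses the CSR subject as printed by `openssl req -noout -subject` and the signed certificate's subject, either as a DN string or as the `Subject:` block from the `openssl ca` "Certificate Details" output, and reports every RDN that was dropped or added. Attribute order is ignored on purpose, because OpenSSL and NSS/IPA print the same DN in opposite orders. The sample DNs are constructed from the values in the thread, with `ca-admin@example.com` standing in for the redacted mail value.

```python
"""Compare a CSR subject with the subject of the certificate an external CA
signed from it, attribute by attribute.

Added example for the thread above; not FreeIPA or OpenSSL code. Input is
the text OpenSSL prints (`openssl req -subject`, `openssl x509 -subject`, or
the 'Subject:' block of the `openssl ca` "Certificate Details" output).
"""
import re

# `openssl ca` prints long attribute names in its "Certificate Details"
# block; map them to the short RDN types used on the command line and in CSRs.
# 'mail' (rfc822Mailbox) and 'emailAddress' (PKCS#9) are distinct attribute
# types in OpenSSL and are deliberately NOT conflated here.
LONG_TO_SHORT = {
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "commonName": "CN",
}


def _norm_type(attr_type):
    """Normalise an attribute type name: long OpenSSL name -> short, upper-case."""
    return LONG_TO_SHORT.get(attr_type.strip(), attr_type.strip()).upper()


def parse_dn(dn):
    """Split an RFC 4514-style DN such as 'CN=x, O=y\\, z, C=US' into
    (type, value) pairs. Backslash-escaped commas are kept inside the value."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):      # split on unescaped commas only
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr_type, value = rdn.split("=", 1)
        pairs.append((_norm_type(attr_type), value.strip().replace("\\,", ",")))
    return pairs


def parse_openssl_details(block):
    """Parse the multi-line 'countryName = US' style Subject block that
    `openssl ca` prints before signing, into the same (type, value) pairs."""
    pairs = []
    for line in block.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*(.+?)\s*$', line)
        if m:
            pairs.append((_norm_type(m.group(1)), m.group(2)))
    return pairs


def parse_subject(text):
    """Accept either a one-line DN or a multi-line `openssl ca` Subject block."""
    return parse_openssl_details(text) if "\n" in text.strip() else parse_dn(text)


def subject_diff(csr_subject, cert_subject):
    """Return (missing, extra): RDNs present in the CSR but absent from the
    signed certificate, and RDNs the CA added that were not requested.
    Both lists empty means the subjects match and the second install step
    can be attempted."""
    want = parse_subject(csr_subject)
    got = parse_subject(cert_subject)
    missing = [p for p in want if p not in got]
    extra = [p for p in got if p not in want]
    return missing, extra


# Constructed sample input modelled on the thread: the CSR subject as printed by
# `openssl req -noout -subject` and the Subject block from `openssl ca`.
# 'ca-admin@example.com' is a placeholder for the redacted mail value.
CSR_SUBJECT = ("mail=ca-admin@example.com, C=US, ST=Mississippi, L=Starkville, "
               "O=Camgian Microsystems, OU=IT, CN=Certificate Authority")
SIGNED_CERT_DETAILS = """\
    Subject:
        countryName               = US
        stateOrProvinceName       = Mississippi
        localityName              = Starkville
        organizationName          = Camgian Microsystems
        organizationalUnitName    = IT
        commonName                = Certificate Authority
"""


def main():
    missing, extra = subject_diff(CSR_SUBJECT, SIGNED_CERT_DETAILS)
    if not missing and not extra:
        print("subject matches the CSR; safe to continue with the second step")
        return
    for attr_type, value in missing:
        print("DROPPED by the signing CA: %s=%s" % (attr_type, value))
    for attr_type, value in extra:
        print("ADDED by the signing CA:   %s=%s" % (attr_type, value))
    print("re-issue the certificate with the full CSR subject before retrying")


if __name__ == "__main__":
    main()
```

Run it with `python subject_check.py` after substituting your own `openssl` output for the two constructed samples; a non-empty `missing` list is exactly the condition that produces the "IPA CA certificate not found" error above, and the fix is on the signing side (a CA policy that keeps every requested RDN), not in `--subject` on the second `ipa-server-install` run.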