[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-13 Thread Fraser Tweedale via FreeIPA-users
On Sat, Aug 12, 2017 at 08:53:06PM +0300, Alexander Bokovoy wrote:
> On la, 12 elo 2017, Harald Dunkel via FreeIPA-users wrote:
> > Hi Fraser,
> > 
> > On Fri, 11 Aug 2017 18:48:29 +1000
> > Fraser Tweedale via FreeIPA-users  
> > wrote:
> > 
> > > On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users 
> > > wrote:
> > > >
> > > > https://support.google.com/chrome/a/answer/7391219?hl=en
> > > >
> > > > How can I tell freeipa?
> > > >
> > > Hi Harald,
> > > 
> > > Use `getcert resubmit -i REQUEST-ID -D DNS-NAME` to request a new
> > > HTTP certificate with the appropriate DNS-NAME Subject Alt Name
> > > value(s).  Use `getcert list` to find the REQUEST-ID to use; it will
> > > be the certificate in NSSDB `/etc/httpd/alias` with nickname
> > > `Server-Cert`.
> > > 
> > 
> > This worked, thanx very much.
> > 
> > I would suggest creating the web server certificate with the appropriate
> > SubjectAltName right from the start in ipa-server-install, but maybe
> > this has already been fixed?
> Yes, it is fixed in 4.5.3 and is going to be part of RHEL 7.4.z at some
> point: https://bugzilla.redhat.com/show_bug.cgi?id=1477046
> 
Actually we have requested IPA service certificates with SAN for
several releases now.  The recent change (#7007) is to change the
default profile to always add SAN, even if not explicitly requested.

Anyway, Harald's installation is obviously from a time before either
of those changes :)

Cheers,
Fraser

> See https://pagure.io/freeipa/issue/7007 for more upstream details.
> 
> -- 
> / Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
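The `getcert list` / `getcert resubmit -D` procedure above, as an added example that is not part of the thread. It parses constructed `getcert list` output (adapted from the thread) to pick out the Request ID for the httpd `Server-Cert` by NSS DB location as well as nickname, then builds the resubmit command; the host name and the second request are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): find the certmonger Request ID that
# tracks the httpd 'Server-Cert' in /etc/httpd/alias and build the
# `getcert resubmit -D ...` command that re-issues it with DNS SANs.

# Constructed `getcert list` output, adapted from the thread.  Both the
# directory server and httpd certificates are nicknamed Server-Cert, so the
# NSS DB location has to be matched too.  In real use: getcert list
SAMPLE_LIST="Number of certificates and requests being tracked: 2.
Request ID '20160718102600':
  status: MONITORING
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
  subject: CN=ipa_server.example.com,O=EXAMPLE.COM
Request ID '20160718102648':
  status: MONITORING
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  subject: CN=ipa_server.example.com,O=EXAMPLE.COM"

# Print the Request ID whose 'certificate:' line matches $1 (NSS DB
# location) and $2 (nickname); reads `getcert list` text on stdin.
find_request_id() {
  awk -v loc="$1" -v nick="$2" -v q="'" '
    /^Request ID/ { id = $3; gsub(/[^0-9A-Za-z]/, "", id) }
    /^[[:space:]]*certificate:/ &&
      index($0, "location=" q loc q) && index($0, "nickname=" q nick q) {
        print id; exit
    }'
}

# Build the resubmit command for request $1 with one -D per DNS name given.
build_resubmit_cmd() {
  id="$1"; shift
  cmd="getcert resubmit -i $id"
  for name in "$@"; do
    cmd="$cmd -D $name"
  done
  printf '%s\n' "$cmd"
}

# Sample run; the DNS name should be the host's FQDN (hostname -f).
REQ_ID=$(printf '%s\n' "$SAMPLE_LIST" | find_request_id /etc/httpd/alias Server-Cert)
build_resubmit_cmd "$REQ_ID" ipa_server.example.com
# prints: getcert resubmit -i 20160718102648 -D ipa_server.example.com
```

After the resubmit, `getcert list -i REQUEST-ID` should show the request back in MONITORING and the new certificate's SAN can be checked with the browser or any X.509 viewer.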


[Freeipa-users] HTTPD does not start when NSS enabled

2017-08-13 Thread Julian Gethmann via FreeIPA-users

Hello,

Unfortunately I don't know when this problem occurred first, but it may 
have occurred after an update.

The httpd does not start and aborts with the error

[:info] [pid 15383] Using nickname Server-Cert.
[...] [:error] [pid 15383] Certificate not found: 'Server-Cert'

when I want to start FreeIPA via "systemctl start ipa" or "ipactl start" 
or "systemctl start httpd"

If I turn the NSSEngine off it starts, of course.

In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n 
Server-Cert" does find a certificate, if I get the output [1] right.


ipa-server-upgrade also complained about the httpd not starting, so I 
tried to run it with "NSSEngine off", which made the upgrade run through, 
but did not fix the problem with the httpd.


My System:
(After running "ipa-server-upgrade" without any failures, but with 
"NSSEngine off")


# ipa --version
VERSION: 4.4.4, API_VERSION: 2.215

on Fedora Server 26

CA-Server at main IPA-Server (which is failing now)

/etc/hosts has got the fqdn in the first line
and DNS is not installed.


[1] # ipa-getcert list -d /etc/httpd/alias/ -n Server-Cert
Number of certificates and requests being tracked: 8.
Request ID '20160718102648':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa_server.example.com,O=EXAMPLE.COM
expires: 2018-03-24 14:33:00 CET
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes


Many thanks in advance,

Julian