Re: [Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...
On 8/16/2016 11:09 AM, Alexander Bokovoy wrote: On Tue, 16 Aug 2016, Zarko Dudic wrote: Thanks Rob. This command creates the CSR. # ipa-server-install --subject 'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca And verification with command : # openssl req -in /root/ipa.csr -noout -text ... shows "Subject: C=US, ST=California, L=Town, O=Corporation, OU=CorpArch, CN=Certificate Authority" Since the CN is unconfigurable, how it's expected to be signed by 3rd party external CA, they usually want to see FQDN. This is not a certificate signing request for a host-based certificate. This is a certificate signing request for a CA root certificate. It is unlikely that you will get it signed by a public CA because that signature basically makes your IPA CA a sub-CA. Hi Alexander, It makes sense what you say here, I was trying this because the doc "Linux Domain Identity, Authentication, and Policy Guide" in the " 2.3.2. Determining What CA Configuration to Use" reads: An external CA is the root CA The Certificate System CA is subordinate to an external CA. However, all certificates for the IdM domain are still issued by the Certificate System instance. The external CA can be a corporate CA or a third-party CA, such as Verisign or Thawte. The certificates issued within the IdM domain are potentially subject to restrictions set by the external root CA for attributes like the validity period. This is quite different from signing a server certificate. --external-ca option is provided to allow your IPA CA to be a sub-ca for a corporate CA. I don't know any publicly available CA that could actually sign it for you. -- Thanks, Zarko -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Unknown Error - error (pop-up) window
Hi all, IPA version: ipa-server-4.2.0-15.0.1.el7_2.18.x86_64 Kernel: 3.8.13-118.10.2.el7uek.x86_64 I start seeing pop-up window titled "Unknown Error" with message "error" and buttons Retry and Cancel. It happens when selecting almost anything on the Web interface, from Identity to IPA Server. Certainly changes have been made, like adding identities, adding certs in nssdb, but can't think of anything that can cause such error. And when errors happen, no new logs in /var/log/httpd both access and error logs. Also no new logs in /var/log/dirsrv/slapd-REALM/ For starter, can you please suggest any troubleshooting steps and other logs to query. -- Thanks, Zarko -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...
Thanks Rob. This command creates the CSR. # ipa-server-install --subject 'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca And verification with command : # openssl req -in /root/ipa.csr -noout -text ... shows "Subject: C=US, ST=California, L=Town, O=Corporation, OU=CorpArch, CN=Certificate Authority" Since the CN is unconfigurable, how it's expected to be signed by 3rd party external CA, they usually want to see FQDN. Can you please provide more details (or ref URL) about "right CA extensions". Thanks in advance. On 8/16/2016 9:04 AM, Rob Crittenden wrote: Zarko Dudic wrote: Hi all, I have the problem to install FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with External CA as the Root CA. Here are details. 1) Run "ipa-server-install --external-ca", and send .csr to be signed by External CA, but VeriSign rejects signing this since info like Organization, OU, L, ST, C are missing. I seriously doubt Verisign will issue this certificate regardless of format. Don't confuse a CA signing certificate with a server certificate. But who knows. Try the --subject-base option to ipa-server-install but note that the CN is currently unconfigurable, it will always be cn=Certificate Authority. 2) Okay, so I try this workaround, create cert request manually with command: # certutil -R -d /tmp -a -g 2048 -s 'CN=,OU=,O=,L=,ST=California,C=US' This will never work. Besides the fact that you didn't request a certificate with the right CA extensions, the private key that generated the CSR is now in a place that dogtag will never find it. This is unrelated to the error below but it would blow up eventually. 3) I verify request via https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp (looks good) 4) Now VeriSign accepts .csr and I receive the certificate (.cer file) via email. 5) I also download two additional certs for trust chain, one is VeriSign's public primary root CA and the second one is Company's itermediate CA, both (.pem files) 6) Now the problem begins, run the comamnd: # ipa-server-install --external-cert-file=/tmp/freeipa.cer --external-cert-file=/tmp/Company_CA_G2.pem --external-cert-file=/tmp/VeriSign_Root_CA.pem -vv If memory serves IPA knows what the subject of it's CA should look like (remember subject-base?) and it isn't finding it and blowing up. rob -- Thanks, Zarko -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...
Hi all,
I have the problem to install FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with
External CA as the Root CA. Here are details.
1) Run "ipa-server-install --external-ca", and send .csr to be signed by
External CA, but VeriSign rejects signing this since info like
Organization, OU, L, ST, C are missing.
2) Okay, so I try this workaround, create cert request manually with
command:
# certutil -R -d /tmp -a -g 2048 -s
'CN=,OU=,O=,L=,ST=California,C=US'
3) I verify request via
https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp
(looks good)
4) Now VeriSign accepts .csr and I receive the certificate (.cer file)
via email.
5) I also download two additional certs for trust chain, one is
VeriSign's public primary root CA and the second one is Company's
itermediate CA, both (.pem files)
6) Now the problem begins, run the comamnd:
# ipa-server-install --external-cert-file=/tmp/freeipa.cer
--external-cert-file=/tmp/Company_CA_G2.pem
--external-cert-file=/tmp/VeriSign_Root_CA.pem -vv
One of screen messages are:
ipa : DEBUGstderr=
ipa : DEBUGStarting external process
ipa : DEBUGargs='/usr/bin/certutil' '-d' '/tmp/tmplsusxY'
'-M' '-n' 'CN=VeriSign Class 3 Public Primary Certification Authority -
G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign
Trust Network,O="VeriSign, Inc.",C=US' '-t' 'C,,'
ipa : DEBUGProcess finished, return code=0
ipa : DEBUGstdout=
ipa : DEBUGstderr=
ipa.ipapython.install.cli.install_tool(Server): DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 311, in run
cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 279, in run
self.validate()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 288, in validate
for nothing in self._validator():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception
util.raise_exc_info(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 333, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 87, in run_generator_with_yield_from
raise_exc_info(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 65, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 517, in _configure
validator.next()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 421, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception
util.raise_exc_info(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 418, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception
util.raise_exc_info(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 333, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 87, in run_generator_with_yield_from
raise_exc_info(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 65, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
line 63, in _install
for nothing in self._installer(self.parent):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 1612, in main
install_check(self)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 263, in decorated
func(installer)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 601, in install_check
ca.install_check(False, None, options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
69, in install_check
options.external_cert_files, options.subject)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 1016, in load_external_cert
"IPA CA certificate not found in %s" % (", ".join(files)))
ipa.ipapython.install.cli.install_tool(Server): DEBUGThe
ipa-server-install command failed, exception: ScriptError: IPA CA
certificate not found in /tmp/freeipa.cer, /tmp/Company_CA_G2.pem,
