Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again) (SOLVED)

2016-07-06 Thread Bjarne Blichfeldt
The solution was to add the root certificate to tomcat:
/var/lib/pki/pki-tomcat/alias/
Now everything seems to work.


Regards
Bjarne



From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bjarne Blichfeldt
Sent: 23. juni 2016 13:40
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again)

Following this thread from January:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
I am trying to accomplish the same, but seem to be stuck.

My environment is:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

# ipa ping
---
IPA server version 4.2.0. API version 2.156
---
# rpm -qa | grep ipa-server
ipa-server-4.2.0-15.el7_2.15.x86_64


As the OP I have both a RootCA and a subCA. But I can't figure out how to 
install them. ipa-cacert-manage does not work, known bug.

I am testing by changing the server certificate for ldaps on an ipa replica and 
then run "ldapwhoami" and "ipa-replica-manage -v list" from the master ipa 
against the replica, but the replica server certificate is never accepted due 
to missing root certificate.

The problem is how to install the root certificates.
I have tried:
Copy the root certificates to /etc/pki/ca-trust/source/anchors and run 
update-ca-trust - no go.

Installed the root CAs in all the nssdb I could think of:
DIR="/etc/httpd/alias  /etc/dirsrv/slapd-DNREST-DCBSYS-NET /etc/ipa/nssdb  
/etc/pki/nssdb"
for dir in $DIR ; do
certutil -d $dir -A -n ECBsubCA  -i subCA-sha256.pem  -t CT,T,T
certutil -d $dir -A -n ECBrootCA  -i rootCA-sha256.pem -t CT,T,T
done

Also no go.

I am out of ideas now.


--
Regards,
Bjarne

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again)

2016-06-23 Thread Bjarne Blichfeldt
Following this thread from January:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
I am trying to accomplish the same, but seem to be stuck.

My environment is:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

# ipa ping
---
IPA server version 4.2.0. API version 2.156
---
# rpm -qa | grep ipa-server
ipa-server-4.2.0-15.el7_2.15.x86_64


As the OP I have both a RootCA and a subCA. But I can't figure out how to 
install them. ipa-cacert-manage does not work, known bug.

I am testing by changing the server certificate for ldaps on an ipa replica and 
then run "ldapwhoami" and "ipa-replica-manage -v list" from the master ipa 
against the replica, but the replica server certificate is never accepted due 
to missing root certificate.

The problem is how to install the root certificates.
I have tried:
Copy the root certificates to /etc/pki/ca-trust/source/anchors and run 
update-ca-trust - no go.

Installed the root CAs in all the nssdb I could think of:
DIR="/etc/httpd/alias  /etc/dirsrv/slapd-DNREST-DCBSYS-NET /etc/ipa/nssdb  
/etc/pki/nssdb"
for dir in $DIR ; do
certutil -d $dir -A -n ECBsubCA  -i subCA-sha256.pem  -t CT,T,T
certutil -d $dir -A -n ECBrootCA  -i rootCA-sha256.pem -t CT,T,T
done

Also no go.

I am out of ideas now.


--
Regards,
Bjarne


Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-04-26 Thread Bjarne Blichfeldt
This is a follow-up to 
https://www.redhat.com/archives/freeipa-users/2016-January/msg00023.html

From: Jan Cholasta
Peter Pakos, freeipa-users redhat com
My question is, what is the correct way of installing a 3rd party
certificate for HTTP/LDAP that will actually work?


1. Install the CA certificate chain of the issuer of the 3rd party certificate 
to IPA using "ipa-cacert-manage install"

2. Run "ipa-certupdate" to update CA certificate related IPA configuration.

3. Manually import the server certificate into the /etc/dirsrv/slapd-REALM NSS 
database, configure the correct nickname in LDAP in the nsSSLPersonalitySSL 
attribute of cn=RSA,cn=encryption,cn=config and restart DS.

4. Manually import the server certificate into the /etc/httpd/alias NSS 
database, configure the correct nickname in /etc/httpd/conf.d/nss.conf using 
the NSSNickname directive and restart httpd.


I am in a similar situation and have some follow-up questions:

ad1:  If I run ipa-cacert-manage install 
--external-cert-file=/path/to/external_ca_certificate-chain, does this simply 
add the chain as an extra root ca without destroying the existing ipa-ca?

ad3: I assume the import is : certutil -A -d /etc/dirsrv/slapd-REALM.  How do I 
configure the ldap attribute?
Is it just a matter of making the change in /etc/dirsrv/ldap*/dse.ldif and 
restarting?

Also:
Where is the private key in all this?  I generate a csr with openssl, send csr 
to ca, receive certificate, but I don't see any option in certutil to specify 
the private key. I did find an instruction in importing pkcs12 into nssdb, is 
this what is meant here?


Our setup:
  4 ipa servers, rhel7.2,  ipa ping ="IPA server version 4.2.0. API version 
2.156"
  mix of rhel6 (ipa-client 3.0.xx) and rhel7.1 (ipa-client 4.1.xx),







Regards,
Bjarne Blichfeldt

JN Data A/S
Havsteensvej 4
4000 Roskilde
Telefon 63 63 63 63 / Fax 63 63 63 64
www.jndata.dk

Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-24 Thread Peter Pakos

Hi,

I now have 3rd party SSL certificate successfully installed for LDAP and 
HTTP but I'm having issues with joining new clients to FreeIPA servers.


When I run "ipa-client-install --mkhomedir" on a Centos 6 machine I get 
the following error:


"Joining realm failed: libcurl failed to execute the HTTP POST 
transaction.  Peer certificate cannot be authenticated with known CA 
certificates"


/var/log/ipaclient-install.log shows:

"2016-01-24T22:06:26Z ERROR Joining realm failed: libcurl failed to 
execute the HTTP POST transaction.  Peer certificate cannot be 
authenticated with known CA certificates"


I was under the impression that the 3rd party certificate's chain will 
be included in the CA certificate that the client gets from the servers 
and that it will successfully join the realm.


I specified the root certificate using --ca-cert-file= option and the 
install completed OK but is this really necessary? I do hope there is a 
better solution.


Many thanks.

--
Kind regards,
 Peter Pakos



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-18 Thread Jan Cholasta

On 18.1.2016 09:07, Martin Kosek wrote:

On 01/15/2016 05:34 PM, Peter Pakos wrote:

On 15/01/2016 15:55, Rob Crittenden wrote:

I've re-run ipa-certupdate in verbose mode and I could see that it
removes all certificates in different databases (/etc/httpd/alias,
/etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
from /etc/pki/pki-tomcat/alias).


Yup, looks like this part is missing. Perhaps the assumption was that
the CA would be authoritative in this regard.


Is this a bug? Should this be logged somewhere so it can be looked into?


Yes, .




Updating the CA certs you'd want to add them to LDAP, replacing the
older ones, and then ipa-certupdate will do the rest. You'd need to run
this on all clients and servers.


This sounds like a lot of manual work will be involved when it comes to renewal.

And without clear and up-to-date information and possibly step-by-step
instructions the effort needed to get this sorted is doubled.

Please note that it took us many hours to get a 3rd party SSL certificate
installed (you would think a very simple task). And the truth is that without
this mailing list and #freeipa channel we would still be stuck trying to get to
the bottom of this.



CCing Honza. Do we have all the respective tickets filed, so that we can
improve and speed up the user experience?


There's  for automatic CA 
certificate distribution and 
 and 
 for 
ipa-server-certinstall fixes.


If there's anything missing, please file a new ticket.

--
Jan Cholasta



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-18 Thread Martin Kosek
On 01/15/2016 05:34 PM, Peter Pakos wrote:
> On 15/01/2016 15:55, Rob Crittenden wrote:
>>> I've re-run ipa-certupdate in verbose mode and I could see that it
>>> removes all certificates in different databases (/etc/httpd/alias,
>>> /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
>>> from /etc/pki/pki-tomcat/alias).
>>
>> Yup, looks like this part is missing. Perhaps the assumption was that
>> the CA would be authoritative in this regard.
> 
> Is this a bug? Should this be logged somewhere so it can be looked into?
> 
>> Updating the CA certs you'd want to add them to LDAP, replacing the
>> older ones, and then ipa-certupdate will do the rest. You'd need to run
>> this on all clients and servers.
> 
> This sounds like a lot of manual work will be involved when it comes to 
> renewal.
> 
> And without clear and up-to-date information and possibly step-by-step
> instructions the effort needed to get this sorted is doubled.
> 
> Please note that it took us many hours to get a 3rd party SSL certificate
> installed (you would think a very simple task). And the truth is that without
> this mailing list and #freeipa channel we would still be stuck trying to get 
> to
> the bottom of this.
> 

CCing Honza. Do we have all the respective tickets filed, so that we can
improve and speed up the user experience?



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-18 Thread Peter Pakos

On 18/01/2016 08:15, Jan Cholasta wrote:

CCing Honza. Do we have all the respective tickets filed, so that we can
improve and speed up the user experience?


There's  for automatic CA
certificate distribution and
 and
 for
ipa-server-certinstall fixes.

If there's anything missing, please file a new ticket.


I think that covers everything.

Thank you.

--
Kind regards,
 Peter Pakos



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-15 Thread Rob Crittenden
Peter Pakos wrote:
> On 14/01/2016 18:51, Rob Crittenden wrote:
>> You need to add the new root certs to the pki NSS database.
> 
> As far as I can see those 3 new CA certs are already in the database
> (unless you're talking about a different db):
> 
> $ certutil -d /etc/pki/nssdb/ -L
> 
> Certificate Nickname Trust
> Attributes
> 
> SSL,S/MIME,JAR/XPI
> 
> IPA.WANDISCO.COM IPA CA  CT,C,C
> AddTrust ,,
> USERTrustRSAAddTrustCA   ,,
> GandiStandardSSLCA2  ,,
> 
> Please advise.
> 

Discussed in IRC last night but for the sake of history, he needed to
add the CA's to the dogtag NSS database in
/var/lib/pki/pki-tomcat/alias/ with a trust of C,,.

rob



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-15 Thread Peter Pakos

On 15/01/2016 15:04, Rob Crittenden wrote:

Discussed in IRC last night but for the sake of history, he needed to
add the CA's to the dogtag NSS database in
/var/lib/pki/pki-tomcat/alias/ with a trust of C,,.


Yes, I added new root certificates to /etc/pki/pki-tomcat/alias and I 
was able to start all services.


I've noticed that ipa-certupdate command removes them and we're back to 
square one. Why is it doing this? Which database is it retrieving 
certificates from?


I've re-run ipa-certupdate in verbose mode and I could see that it 
removes all certificates in different databases (/etc/httpd/alias, 
/etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart 
from /etc/pki/pki-tomcat/alias).


Also, what is the correct process for renewing 3rd party certificate? 
Will it be pushed automatically to all servers/clients? I don't want to 
be in trouble when it comes to renewing it.


Thanks.

--
Kind regards,
 Peter Pakos



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-15 Thread Rob Crittenden
Peter Pakos wrote:
> On 15/01/2016 15:04, Rob Crittenden wrote:
>> Discussed in IRC last night but for the sake of history, he needed to
>> add the CA's to the dogtag NSS database in
>> /var/lib/pki/pki-tomcat/alias/ with a trust of C,,.
> 
> Yes, I added new root certificates to /etc/pki/pki-tomcat/alias and I
> was able to start all services.
> 
> I've noticed that ipa-certupdate command removes them and we're back to
> square one. Why is it doing this? Which database is it retrieving
> certificates from?

From LDAP. It is dropping current certs and replacing them with those in
the NSS database.

> I've re-run ipa-certupdate in verbose mode and I could see that it
> removes all certificates in different databases (/etc/httpd/alias,
> /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
> from /etc/pki/pki-tomcat/alias).

Yup, looks like this part is missing. Perhaps the assumption was that
the CA would be authoritative in this regard.

> Also, what is the correct process for renewing 3rd party certificate?
> Will it be pushed automatically to all servers/clients? I don't want to
> be in trouble when it comes to renewing it.

There are two things here: the server certificates and the CA certificates.

In both cases you are on your own in doing this for now, you won't get
any notification of impending expiration unless your issuing CA tells you.

For the server certificates renewal depends on your CA but usually
involves resubmitting the original CSR and getting an updated
certificate. You then take that to your IPA servers and install that
updated certificate. You should be able to do this with certutil. This
only affects the IPA masters.

Updating the CA certs you'd want to add them to LDAP, replacing the
older ones, and then ipa-certupdate will do the rest. You'd need to run
this on all clients and servers.

rob



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-15 Thread Peter Pakos

On 15/01/2016 15:55, Rob Crittenden wrote:

I've re-run ipa-certupdate in verbose mode and I could see that it
removes all certificates in different databases (/etc/httpd/alias,
/etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
from /etc/pki/pki-tomcat/alias).


Yup, looks like this part is missing. Perhaps the assumption was that
the CA would be authoritative in this regard.


Is this a bug? Should this be logged somewhere so it can be looked into?


Updating the CA certs you'd want to add them to LDAP, replacing the
older ones, and then ipa-certupdate will do the rest. You'd need to run
this on all clients and servers.


This sounds like a lot of manual work will be involved when it comes to 
renewal.


And without clear and up-to-date information and possibly step-by-step 
instructions the effort needed to get this sorted is doubled.


Please note that it took us many hours to get a 3rd party SSL 
certificate installed (you would think a very simple task). And the 
truth is that without this mailing list and #freeipa channel we would 
still be stuck trying to get to the bottom of this.


--
Kind regards,
 Peter Pakos



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-14 Thread Peter Pakos

On 04/01/2016 12:44, Jan Cholasta wrote:

1. Install the CA certificate chain of the issuer of the 3rd party
certificate to IPA using "ipa-cacert-manage install"


I have a wildcard SSL certificate from Gandi, the whole certificate 
chain looks like this:


AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem -> 
star.ipa.wandisco.com.crt


I can validate this chain by running:

$ openssl verify -verbose -CAfile <(cat AddTrust.pem 
USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) 
star.ipa.wandisco.com.crt

star.ipa.wandisco.com.crt: OK

I've installed those CA certificates using the following commands (due 
to a known bug with ipa-cacert-manage, as per Jan's recommendation, I 
had to comment out few lines in 
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py 
for this to work):


$ ipa-cacert-manage install AddTrust.pem -n AddTrust -t ,,
$ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n 
USERTrustRSAAddTrustCA -t ,,
$ ipa-cacert-manage install GandiStandardSSLCA2.pem -n 
GandiStandardSSLCA2 -t ,,


Then I created a PKCS12 certificate out of Wildcard certificate and 
private key:


$ openssl pkcs12 -export -out star.ipa.wandisco.com.p12 -inkey 
star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -name 
'GandiWildcardIPA'


and then installed it in both NSS databases:

$ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i 
star.ipa.wandisco.com.p12

$ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.p12

I could see the certificates being installed by running:

$ certutil -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -L
$ certutil -d /etc/httpd/alias/ -L

Certificate Nickname Trust 
Attributes


SSL,S/MIME,JAR/XPI

ipaCert  u,u,u
Server-Cert  u,u,u
IPA.WANDISCO.COM IPA CA  CT,C,C
AddTrust ,,
USERTrustRSAAddTrustCA   ,,
GandiWildcardIPA u,u,u
Signing-Cert u,u,u
GandiStandardSSLCA2  ,,


2. Run "ipa-certupdate" to update CA certificate related IPA configuration.


Done.


3. Manually import the server certificate into the
/etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
LDAP in the nsSSLPersonalitySSL attribute of
cn=RSA,cn=encryption,cn=config and restart DS.


I've stopped IPA (ipactl stop) and edited 
/etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to replace:


nsSSLPersonalitySSL: Server-Cert

for:

nsSSLPersonalitySSL: GandiWildcardIPA


4. Manually import the server certificate into the /etc/httpd/alias NSS
database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
using the NSSNickname directive and restart httpd.


I've edited /etc/httpd/conf.d/nss.conf and replaced:

NSSNickname Server-Cert

for:

NSSNickname GandiWildcardIPA


Next, I've tried to start IPA (ipactl start) but this failed:

ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl

It seems that pki-tomcatd did not start, so I looked in 
/var/log/pki/pki-tomcat/catalina.log and noticed this (not sure how 
relevant this is): http://fpaste.org/310861/14527938/


/var/log/pki/pki-tomcat/ca/system log shows:

0.localhost-startStop-1 - [14/Jan/2016:17:47:49 UTC] [8] [3] In Ldap 
(bound) connection pool to host node01.ipa.wandisco.com port 636, Cannot 
connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error 
creating JSS SSL Socket (-1)


At this stage I can revert LDAP/HTTPS certs' nickname to Server-Cert and 
successfully start IPA.


Using 3rd party certificates for both LDAP and HTTPS is one of the 
requirements of FreeIPA POC I'm working on at the moment and without 
this ironed out we won't be able to take FreeIPA servers into full 
production.


I hope it's just a minor mistake on my behalf and I would appreciate if 
anyone could glance through the above and let me know how I could 
progress this.


Many thanks in advance.

spako @ #freeipa

--
Kind regards,
 Peter Pakos

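Peter's walkthrough above gets the chain into /etc/httpd/alias and the dirsrv database while pki-tomcatd still fails, and Rob's and Bjarne's replies locate the missing piece in /var/lib/pki/pki-tomcat/alias. As an added example (not code from the thread or from FreeIPA), the Python below parses certutil -L listings for each database and reports which chain nicknames are absent or, for the root, lack the C trust flag; the listings are constructed samples, and the database paths, nicknames and .pem file names are assumptions.

```python
"""Audit FreeIPA's NSS databases for a 3rd-party CA chain (added example).

Parses `certutil -d <db> -L` listings and reports, per database, which chain
nicknames are absent and whether the root carries the "C" (trusted CA) flag
in the SSL column. Listings are constructed samples modelled on the thread;
database paths, nicknames and .pem file names are assumptions.
"""
import re

# certutil trust column "SSL,S/MIME,JAR/XPI"; each field is a set of p P c C T u
TRUST_RE = re.compile(r"^([pPcCTu]*),([pPcCTu]*),([pPcCTu]*)$")

# Issuer chain, root first, leaf excluded (the order given to openssl verify).
CHAIN = ("AddTrust", "USERTrustRSAAddTrustCA", "GandiStandardSSLCA2")

HEADER = ("Certificate Nickname                                Trust Attributes\n"
          "                                                    SSL,S/MIME,JAR/XPI\n\n")

# Constructed sample listings, not real output from anyone's servers.
SAMPLE_LISTINGS = {
    # httpd database: full chain present, root trusted for SSL
    "/etc/httpd/alias": HEADER
    + "Server-Cert                                         u,u,u\n"
    + "IPA.WANDISCO.COM IPA CA                             CT,C,C\n"
    + "AddTrust                                            C,,\n"
    + "USERTrustRSAAddTrustCA                              ,,\n"
    + "GandiWildcardIPA                                    u,u,u\n"
    + "GandiStandardSSLCA2                                 ,,\n",
    # system database: root imported with empty trust, so the chain is untrusted
    "/etc/pki/nssdb": HEADER
    + "IPA.WANDISCO.COM IPA CA                             CT,C,C\n"
    + "AddTrust                                            ,,\n"
    + "USERTrustRSAAddTrustCA                              ,,\n"
    + "GandiStandardSSLCA2                                 ,,\n",
    # dogtag database after ipa-certupdate: chain gone, pki-tomcatd cannot validate LDAPS
    "/var/lib/pki/pki-tomcat/alias": HEADER
    + "caSigningCert cert-pki-ca                           CTu,Cu,Cu\n"
    + "Server-Cert cert-pki-ca                             u,u,u\n",
}


def parse_certutil_listing(text):
    """Return {nickname: (ssl, smime, objsign)} from `certutil -L` output.

    Nicknames may contain spaces ("IPA.WANDISCO.COM IPA CA"), so each line is
    split once from the right; header lines never match TRUST_RE.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and (m := TRUST_RE.match(parts[1])):
            entries[parts[0].strip()] = m.groups()
    return entries


def audit_db(listing, chain=CHAIN):
    """Problems for one database as ("missing", nick) or ("untrusted-root", nick)."""
    certs = parse_certutil_listing(listing)
    problems = []
    for i, nick in enumerate(chain):
        if nick not in certs:
            problems.append(("missing", nick))
        elif i == 0 and "C" not in certs[nick][0]:
            problems.append(("untrusted-root", nick))
    return problems


def audit(listings, chain=CHAIN):
    """listings: {db_path: certutil -L text} -> {db_path: problems}."""
    return {db: audit_db(text, chain) for db, text in listings.items()}


def suggest_fixes(report, chain=CHAIN):
    """certutil commands resolving each problem; -t C,, for the root as Rob advised."""
    cmds = []
    for db, problems in report.items():
        for kind, nick in problems:
            trust = "C,," if nick == chain[0] else ",,"
            if kind == "missing":
                cmds.append(f"certutil -d {db} -A -n {nick} -i {nick}.pem -t {trust}")
            else:
                cmds.append(f"certutil -d {db} -M -n {nick} -t {trust}")
    return cmds


if __name__ == "__main__":
    report = audit(SAMPLE_LISTINGS)
    for db, problems in report.items():
        print(db, "OK" if not problems else problems)
    for cmd in suggest_fixes(report):
        print("  fix:", cmd)
```

Running the audit again after ipa-certupdate is the point: the thread found that command removes the chain from the dogtag database without re-adding it.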


Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-14 Thread Peter Pakos

On 14/01/2016 18:51, Rob Crittenden wrote:

You need to add the new root certs to the pki NSS database.


As far as I can see those 3 new CA certs are already in the database 
(unless you're talking about a different db):


$ certutil -d /etc/pki/nssdb/ -L

Certificate Nickname Trust 
Attributes


SSL,S/MIME,JAR/XPI

IPA.WANDISCO.COM IPA CA  CT,C,C
AddTrust ,,
USERTrustRSAAddTrustCA   ,,
GandiStandardSSLCA2  ,,

Please advise.

--
Kind regards,
 Peter Pakos



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-10 Thread Petr Spacek
On 10.1.2016 22:21, Peter Pakos wrote:
> On 04/01/2016 12:44, Jan Cholasta wrote:
>>> My question is, what is the correct way of installing a 3rd party
>>> certificate for HTTP/LDAP that will actually work?
>>
>> 1. Install the CA certificate chain of the issuer of the 3rd party
>> certificate to IPA using "ipa-cacert-manage install"
>>
>> 2. Run "ipa-certupdate" to update CA certificate related IPA configuration.
>>
>> 3. Manually import the server certificate into the
>> /etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
>> LDAP in the nsSSLPersonalitySSL attribute of
>> cn=RSA,cn=encryption,cn=config and restart DS.
>>
>> 4. Manually import the server certificate into the /etc/httpd/alias NSS
>> database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
>> using the NSSNickname directive and restart httpd.
> 
> Is there any chance you can confirm the exact commands I need to run to
> accomplish the above steps? I don't want to risk breaking our production 
> servers.
> 
> BTW, do we have an up-to-date documentation about this process in FreeIPA 4.2?
> I failed to find one.
> 
> Many thanks in advance.

Hello,

I'm attaching two bash scripts I used to use Let's Encrypt certificate for IPA
HTTPd. You can take some inspiration out of it, just ignore calls to
"letsencrypt" tool which are there for periodic certificate re-generation.

-- 
Petr^2 Spacek


[Attachment: initial-le-config.sh (application/shellscript)]
[Attachment: renew.sh (application/shellscript)]

Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-10 Thread Peter Pakos

On 04/01/2016 12:44, Jan Cholasta wrote:

My question is, what is the correct way of installing a 3rd party
certificate for HTTP/LDAP that will actually work?


1. Install the CA certificate chain of the issuer of the 3rd party
certificate to IPA using "ipa-cacert-manage install"

2. Run "ipa-certupdate" to update CA certificate related IPA configuration.

3. Manually import the server certificate into the
/etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
LDAP in the nsSSLPersonalitySSL attribute of
cn=RSA,cn=encryption,cn=config and restart DS.

4. Manually import the server certificate into the /etc/httpd/alias NSS
database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
using the NSSNickname directive and restart httpd.


Is there any chance you can confirm the exact commands I need to run to 
accomplish the above steps? I don't want to risk breaking our production 
servers.


BTW, do we have an up-to-date documentation about this process in 
FreeIPA 4.2? I failed to find one.


Many thanks in advance.

--
Kind regards,
 Peter Pakos



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-04 Thread Jan Cholasta

Hi Peter,

On 21.12.2015 17:43, Peter Pakos wrote:

Hi,

I tried to install a wildcard SSL certificate for HTTP/LDAP in our
FreeIPA 4.1 (Centos 7.1) installation by following instructions from
wiki page at
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP:


Unfortunately ipa-server-certinstall is currently broken. We plan to fix 
it some day, see  and 
.




# ipa-server-certinstall -w -d shdc01.ipa.wandisco.com.pem
Directory Manager password:
Enter private key unlock password:
Command /usr/bin/certutil' '-d' '/etc/httpd/alias' '-D' '-n'
'Server-Cert returned non-zero exit status 255

After this I was unable to start httpd service, error_log revealed the
following error messages:

[Wed Nov 25 18:15:44.262751 2015] [:error] [pid 22124] Certificate not
found: 'Server-Cert'

In order to resurrect the service I had to change NSSNickname in
/etc/httpd/conf.d/nss.conf to match the new certificate's nickname.

Although the httpd service started, I couldn't get into Authentication
tab in FreeIPA UI - I kept getting the following error message: "Unable
to communicate with CMS (Service Unavailable)".

[root@shdc01 ~]# yum list installed | grep ipa-server
ipa-server.x86_64 4.1.0-18.el7.centos.4 @updates

[root@shdc01 ~]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

At this point I was forced to restore our FreeIPA installation from a
snapshot as I wasn't able to fix it (I got some useful hints from
#freeipa Freenode channel however we still didn't manage to fully
resurrect the server).

My question is, what is the correct way of installing a 3rd party
certificate for HTTP/LDAP that will actually work?


1. Install the CA certificate chain of the issuer of the 3rd party 
certificate to IPA using "ipa-cacert-manage install"


2. Run "ipa-certupdate" to update CA certificate related IPA configuration.

3. Manually import the server certificate into the 
/etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in 
LDAP in the nsSSLPersonalitySSL attribute of 
cn=RSA,cn=encryption,cn=config and restart DS.


4. Manually import the server certificate into the /etc/httpd/alias NSS 
database, configure the correct nickname in /etc/httpd/conf.d/nss.conf 
using the NSSNickname directive and restart httpd.




Many thanks in advance.

BTW, I also added a comment describing this problem to the ticket at
https://fedorahosted.org/freeipa/ticket/5496.


Honza

--
Jan Cholasta



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-04 Thread Peter Pakos

Hi Jan,

On 04/01/2016 12:44, Jan Cholasta wrote:


1. Install the CA certificate chain of the issuer of the 3rd party
certificate to IPA using "ipa-cacert-manage install"

2. Run "ipa-certupdate" to update CA certificate related IPA configuration.


3. Manually import the server certificate into the
/etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
LDAP in the nsSSLPersonalitySSL attribute of
cn=RSA,cn=encryption,cn=config and restart DS.

4. Manually import the server certificate into the /etc/httpd/alias NSS
database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
using the NSSNickname directive and restart httpd.


Would it be the same procedure for FreeIPA 4.2 shipped with Centos 7.2?

TIA

--
Kind regards,
 Peter Pakos



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-04 Thread Jan Cholasta

On 4.1.2016 14:10, Peter Pakos wrote:

Hi Jan,

On 04/01/2016 12:44, Jan Cholasta wrote:


1. Install the CA certificate chain of the issuer of the 3rd party
certificate to IPA using "ipa-cacert-manage install"

2. Run "ipa-certupdate" to update CA certificate related IPA configuration.


3. Manually import the server certificate into the
/etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
LDAP in the nsSSLPersonalitySSL attribute of
cn=RSA,cn=encryption,cn=config and restart DS.

4. Manually import the server certificate into the /etc/httpd/alias NSS
database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
using the NSSNickname directive and restart httpd.


Would it be the same procedure for FreeIPA 4.2 shipped with Centos 7.2?


Yes.

--
Jan Cholasta
