[Freeipa-users] Re: problem installing 3rd party(trusted cert)

2017-09-01 Thread Florence Blanc-Renaud via FreeIPA-users

On 08/30/2017 08:26 PM, Rob Morin wrote:

I ran this command firstly:

The G2 root CA from Geotrust website..

[root@auth-1 certs]# ipa-cacert-manage -p 7t7FR.08 -n httpcrt -t C,, install root_ca.crt

Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful


Then, I ran

[root@auth-1 certs]# ipa-certupdate
trying https://auth-1.domain.com/ipa/session/json
Forwarding 'ca_is_enabled' to json server 
'https://auth-1.domain.com/ipa/session/json'
Forwarding 'ca_find/1' to json server 
'https://auth-1.domain.com/ipa/session/json'

Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful


Then i ran this command with intermediate cert..

[root@auth-1 certs]# ipa-cacert-manage -p 7t7FR.08 -n httpcrt_bundle -t C,, install star_domain_com_bundle.crt

Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's 
Certificate issuer is not recognized. (visit 
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)

The ipa-cacert-manage command failed.

The intermediate cert only has one cert in it

So I have 4 files:
Intermediate cert:  star_domain_bundle.crt
Real cert :  star_domain.crt
Key :  star_domain.key

I did try various combinations

cat star_domain_bundle.crt star_domain.crt > star_domain_combined.crt
cat star_domain.crt star_domain_bundle.crt > star_domain_combined.crt
cat root_ca.crt star_domain.crt star_domain_bundle.crt > star_domain_combined.crt
cat star_domain.crt star_domain_bundle.crt root_ca.crt star > star_domain_combined.crt

and so on...

Then I tried adding each one of those with the same command mentioned above, no go.


What do i do now?
Thanks!



Hi

(putting the mailing list back in the recipients list)
Can you run ipa-cacert-manage install with the -v option and post the output? We will be able to see which certificates are already trusted and can be downloaded from LDAP.


Also, which IPA version are you using? Is your machine in SELinux enforcing mode?


Flo




On Mon, Aug 28, 2017 at 10:30 AM, Florence Blanc-Renaud wrote:


On 08/28/2017 04:00 PM, Rob Morin via FreeIPA-users wrote:

Hello all...

So I have a wildcard cert from GeoTrust.
I am running freeipa V4.4, fresh install, no users yet.
I downloaded and installed their GeoTrust Primary Certification Authority root cert from here --> https://www.geotrust.com/resources/root-certificates/

I ran this command to import it...

ipa-cacert-manage -p password -n httpcrt -t C,, install root_ca.crt

I get back this:

Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
Then I go to install just the http cert for freeipa as dictated by company policy.

Then I run this...

ipa-certupdate

Then I go to add the cert like this...

ipa-server-certinstall -w star_domain_com.key star_domain_com.crt
Directory Manager password:
Enter private key unlock password:

I get this back

The full certificate chain is not present in star_domain_com.key, star_domain_com.crt
The ipa-server-certinstall command failed.

So I combined the bundle and cert into one file, still a no go. I tried both ways, cert first then bundle, and bundle first then cert, still a no go.
Any ideas?

Thanks..
___
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org

To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org


Hi,

Is your http cert directly signed by the CA root_ca.crt, or does the cert chain contain additional certificates? In the latter case, you need to add each intermediate certificate with ipa-cacert-manage + ipa-certupdate before running ipa-server-certinstall.

HTH,
Flo




--

Rob Morin
Montreal, Canada

The Lounge Sound - Music to drink by - Vegas Style!

http://www.theloungesound.ca

"You're not drunk until you can't lie on the floor without holding on"
Dean Martin





[Freeipa-users] Re: problem installing 3rd party(trusted cert)

2017-08-28 Thread Florence Blanc-Renaud via FreeIPA-users

On 08/28/2017 04:00 PM, Rob Morin via FreeIPA-users wrote:

Hello all...

So I have a wildcard cert from GeoTrust.
I am running freeipa V4.4, fresh install, no users yet.
I downloaded and installed their GeoTrust Primary Certification Authority root cert from here --> https://www.geotrust.com/resources/root-certificates/
I ran this command to import it...

ipa-cacert-manage -p password -n httpcrt -t C,, install root_ca.crt

I get back this:

Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
Then I go to install just the http cert for freeipa as dictated by company policy.

Then I run this...

ipa-certupdate

Then I go to add the cert like this...

ipa-server-certinstall -w star_domain_com.key star_domain_com.crt
Directory Manager password:
Enter private key unlock password:

I get this back

The full certificate chain is not present in star_domain_com.key, star_domain_com.crt
The ipa-server-certinstall command failed.

So I combined the bundle and cert into one file, still a no go. I tried both ways, cert first then bundle, and bundle first then cert, still a no go.
Any ideas?

Thanks..


Hi,

Is your http cert directly signed by the CA root_ca.crt, or does the cert chain contain additional certificates? In the latter case, you need to add each intermediate certificate with ipa-cacert-manage + ipa-certupdate before running ipa-server-certinstall.


HTH,
Flo
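Flo's advice in both messages comes down to one check: every certificate between the http cert and the root must be followed by its issuer, and each of those issuers must already be trusted by IPA (installed with ipa-cacert-manage and pushed out with ipa-certupdate) before ipa-server-certinstall will accept the chain. The SEC_ERROR_UNKNOWN_ISSUER seen when installing the intermediate says exactly that its issuer was not among the trusted certificates at that point. The script below is an added example, not code from the thread or from FreeIPA: it walks a PEM bundle with openssl, reports which certificate is out of order or whose issuer is missing, and runs the cryptographic verification that IPA effectively performs. make_demo_chain builds a constructed root, intermediate and leaf that stand in for root_ca.crt, star_domain_bundle.crt and star_domain.crt; all file names and subjects in it are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: check the order and
# completeness of a PEM certificate chain with openssl before handing it to
# ipa-cacert-manage install and ipa-server-certinstall.
set -eu

# Print the N-th certificate (1-based) of a PEM bundle.
pem_nth() {
    awk -v n="$2" '
        /^-----BEGIN CERTIFICATE-----/ { c++ }
        c == n { print }
        /^-----END CERTIFICATE-----/ && c == n { exit }' "$1"
}

# Number of certificates in a PEM bundle (prints 0 when there are none).
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject or issuer (argument: subject|issuer) of the certificate on stdin,
# in RFC 2253 form so that the two strings can be compared byte for byte.
cert_field() {
    openssl x509 -noout -"$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# chain_check BUNDLE
#   0: every certificate is followed by its issuer and the chain ends in a root
#   1: a certificate is not followed by its issuer (wrong order or a gap)
#   2: the last certificate is not self-signed: the chain is incomplete and
#      the issuer it names must be appended, or already be trusted by IPA
chain_check() {
    bundle=$1
    n=$(pem_count "$bundle")
    [ "$n" -gt 0 ] || { echo "no certificates in $bundle" >&2; return 1; }
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(pem_nth "$bundle" "$i" | cert_field issuer)
        next_subject=$(pem_nth "$bundle" $((i + 1)) | cert_field subject)
        if [ "$issuer" != "$next_subject" ]; then
            echo "certificate $i is issued by '$issuer' but is followed by '$next_subject'" >&2
            return 1
        fi
        i=$((i + 1))
    done
    last_issuer=$(pem_nth "$bundle" "$n" | cert_field issuer)
    last_subject=$(pem_nth "$bundle" "$n" | cert_field subject)
    if [ "$last_issuer" != "$last_subject" ]; then
        echo "chain ends at '$last_subject'; its issuer '$last_issuer' is missing" >&2
        return 2
    fi
    return 0
}

# chain_verify LEAF ROOT [INTERMEDIATES]: the cryptographic check behind the
# name matching above; fails with "unable to get local issuer certificate"
# when an intermediate is missing, which is what the thread ran into.
chain_verify() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# make_demo_chain DIR: constructed root -> intermediate -> leaf chain, plus
# the combinations a user might try (names are assumptions for the demo).
make_demo_chain() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > "$d/leaf.ext"
    for name in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
            -out "$d/$name.csr" -subj "/CN=Demo $name" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
    cat "$d/leaf.crt" "$d/inter.crt" "$d/root.crt" > "$d/good_chain.crt"
    cat "$d/inter.crt" "$d/leaf.crt" "$d/root.crt" > "$d/wrong_order.crt"
    cat "$d/leaf.crt" "$d/root.crt" > "$d/missing_intermediate.crt"
    cat "$d/leaf.crt" "$d/inter.crt" > "$d/no_root.crt"
}

# Stand-alone demo: build the constructed chain and check a few bundles.
demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
chain_check "$demo_dir/good_chain.crt" && echo "good_chain.crt: order and root OK"
chain_check "$demo_dir/missing_intermediate.crt" || echo "missing_intermediate.crt rejected (exit $?)"
chain_verify "$demo_dir/leaf.crt" "$demo_dir/root.crt" || echo "leaf against root alone: unknown issuer (exit $?)"
rm -rf "$demo_dir"
```

Run chain_check over the combined file before ipa-server-certinstall. A return of 1 names the certificate that is out of order or has no issuer behind it; a return of 2 names the issuer that still has to be added with ipa-cacert-manage install followed by ipa-certupdate, which is the step Flo describes. Intermediates are added root first, then each intermediate in issuer order, since ipa-cacert-manage rejects a certificate whose issuer it does not yet trust.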