Re: [Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-21 Thread Florence Blanc-Renaud

On 09/20/2016 02:15 PM, Günther J. Niederwimmer wrote:
> Hello.
> 
> Thanks for the first help,
> 
> On Monday, 19 September 2016, 12:02:19, Florence Blanc-Renaud wrote:
> > On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
> > > Hello,
> > > Freeipa 4.3.1
> > > 
> > > I have now installed a 3rd party certificate from Startcom and now my IPA is
> > > totally
> > > broken?
> > > 
> > > ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install
> > > root.crt
> 
> I mean this is the wrong cert I installed :-(.
> 
> Is it possible to overwrite or delete it and make it new? This file is the ROOT-CA
> from STARTCOM ("30 Years").
Hi,

ipa-cacert-manage install *adds* the CA certificate to the list of CA 
certs (it does not replace the CA cert), meaning that it can be run 
multiple times with different certificates. After this step, you can 
find all your CA certificates in the ldap server, below 
cn=certificates,cn=ipa,cn=etc,$BASEDN


So in your case, you can re-run this command, this time with the right 
CA cert. Then do not forget to run ipa-certupdate on all the ipa 
replicas/clients in order to install the new CA cert on the relevant NSS 
databases. It is important to run ipa-certupdate before IPA services are 
restarted with the new certs (otherwise ipa-certupdate cannot contact 
the LDAP server to download the new certificates).


If you forgot to run ipa-certupdate on the clients, I guess you can fix 
this by installing the new CA cert in /etc/ipa/nssdb with C,, flags.


HTH,
Flo


> > > ipa-certupdate
> > > 
> > > ipa-server-certinstall -w -d ipa_3rd_ca.p12
> 
> This was wrong; I deleted all these installed certs with
> certutil -d . -D -n xxx
> 
> > > I created this p12 with key.pem, cert.pem and root.crt
> 
> Now I have created a new p12 with, I hope, the correct certs.
> 
> I received from Startcom an httpd zip file with 1_root_bundle.crt ("15 Years") and
> my wildcard certificate; this I included in my newly created p12 with my key.pem.
> 
> This p12 I installed on the first master with
> 
> pk12util -v -i ipa_4gjn_ca.p12 -d /etc/httpd/alias -k
> /etc/httpd/alias/pwdfile.txt -W
> 
> pk12util -v -i ipa_4gjn_ca.p12 -d /etc/dirsrv/slapd-4GJN-COM -k
> /etc/dirsrv/slapd-4GJN-COM/pwdfile.txt -W xxx
> and
> pk12util -v -i ipa_4gjn_ca.p12 -d /var/lib/pki/pki-tomcat/alias -k
> /etc/pki/pki-tomcat/pwdfile.txt -W x
> 
> I changed the nss.conf and, I hope, the correct file in /etc/dirsrv/slapd-
> /dsl.ldif
> 
> Then I changed in all NSS DBs the StartCom cert (1_root_bundle.crt) with the name
> STARTCOM-ROOT using
> certutil -d . -M -t C,, -n STARCOM-ROOT
> 
> Afterwards I did a reboot and a test:
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
> Why is the ipa-ods-exporter service always STOPPED??
> 
> Next I tested a login on the IPA Web UI; this is now also working ;-)
> 
> The QUESTION now is: what about the second master and the IPA clients?
> Now (?) I have also found ipa-backup ;-) OK, for the next problem I now
> know it :-).
> 
> Do I have to repeat all this on the second master?
> 
> And what is the correct way to inform the clients?
> 
> Thanks again for an answer,
> 
> > Hi,
> > 
> > there were some issues with ipa-server-certinstall (see tickets #4785,
> > #4786 and #6263).
> > In order to check your configuration, you must make sure that the NSS
> > DBs for Apache and the LDAP server (/etc/httpd/alias,
> > /var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
> > - the server certificate with flags u,u,u (= the one contained in
> > ipa_3rd_ca.p12)
> > - the certificate of the CA which signed the server certificate, with
> > flags C,, (= the one contained in root.crt)
> > 
> > Then you can also check if the nickname for the server cert is properly
> > set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
> > the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
> > nsSSLPersonalitySSL).
> > 
> > If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
> > provide more information.
> > 
> > Also note that it is important to run ipa-certupdate on all the clients
> > and replicas in order to install the new certificates in the NSS DBs
> > *before* you run ipa-server-certinstall.
> > 
> > Hope this helps,
> > Flo.
> > 
> > > Kerberos doesn't start anymore?
> > > The error is
> > > 
> > >  Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC for
> > >  realm '4GJN.COM'
> > > 
> > > after inserting in nss.conf
> > > "NSSEnforceValidCerts off"
> > > 
> > > ipactl restart is starting (?) but
> > > 
> > > ipactl status tells me
> > > Directory Service: RUNNING
> > > krb5kdc Service: RUNNING
> > > kadmin Service: RUNNING
> > > named Service: RUNNING
> > > ipa_memcached Service: RUNNING
> > > httpd Service: RUNNING
> > > ipa-custodia Service: RUNNING
> > > pki-tomcatd Service: RUNNING
> > > ipa-otpd Service: RUNNING
> > > ipa-ods-exporter Service: STOPPED
> > > ods-enforcerd Service: RUNNING
> > > ipa-dnskeysyncd Service: RUNNING
> > > ipa: INFO: The ipactl command was successful
> > > 
> > > With certutil -d /etc/httpd/alias -L I

Re: [Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-20 Thread Günther J. Niederwimmer
Hello.

Thanks for the first help,

On Monday, 19 September 2016, 12:02:19, Florence Blanc-Renaud wrote:
> On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > Freeipa 4.3.1
> > 
> > I have now installed a 3rd party certificate from Startcom and now my IPA is
> > totally
> > broken?

> > ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install
> > root.crt

I mean this is the wrong cert I installed :-(.

Is it possible to overwrite or delete it and make it new? This file is the ROOT-CA
from STARTCOM ("30 Years").

> > ipa-certupdate
> > 
> > ipa-server-certinstall -w -d ipa_3rd_ca.p12

This was wrong; I deleted all these installed certs with
certutil -d . -D -n xxx

> > I created this p12 with key.pem, cert.pem and root.crt

Now I have created a new p12 with, I hope, the correct certs.

I received from Startcom an httpd zip file with 1_root_bundle.crt ("15 Years") and
my wildcard certificate; this I included in my newly created p12 with my key.pem.

This p12 I installed on the first master with

pk12util -v -i ipa_4gjn_ca.p12 -d /etc/httpd/alias -k
/etc/httpd/alias/pwdfile.txt -W

pk12util -v -i ipa_4gjn_ca.p12 -d /etc/dirsrv/slapd-4GJN-COM -k
/etc/dirsrv/slapd-4GJN-COM/pwdfile.txt -W xxx
and
pk12util -v -i ipa_4gjn_ca.p12 -d /var/lib/pki/pki-tomcat/alias -k
/etc/pki/pki-tomcat/pwdfile.txt -W x

I changed the nss.conf and, I hope, the correct file in /etc/dirsrv/slapd-
/dsl.ldif

Then I changed in all NSS DBs the StartCom cert (1_root_bundle.crt) with the name
STARTCOM-ROOT using
certutil -d . -M -t C,, -n STARCOM-ROOT

Afterwards I did a reboot and a test:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Why is the ipa-ods-exporter service always STOPPED??

Next I tested a login on the IPA Web UI; this is now also working ;-)

The QUESTION now is: what about the second master and the IPA clients?
Now (?) I have also found ipa-backup ;-) OK, for the next problem I now
know it :-).

Do I have to repeat all this on the second master?

And what is the correct way to inform the clients?

Thanks again for an answer,
 
> Hi,
> 
> there were some issues with ipa-server-certinstall (see tickets #4785,
> #4786 and #6263).
> In order to check your configuration, you must make sure that the NSS
> DBs for Apache and the LDAP server (/etc/httpd/alias,
> /var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
> - the server certificate with flags u,u,u (= the one contained in
> ipa_3rd_ca.p12)
> - the certificate of the CA which signed the server certificate, with
> flags C,, (= the one contained in root.crt)
> 
> Then you can also check if the nickname for the server cert is properly
> set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
> the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
> nsSSLPersonalitySSL).
> 
> If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
> provide more information.
> 
> Also note that it is important to run ipa-certupdate on all the clients
> and replicas in order to install the new certificates in the NSS DBs
> *before* you run ipa-server-certinstall.
> 
> Hope this helps,
> Flo.
> 
> > Kerberos doesn't start anymore?
> > The error is
> > 
> >  Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC for
> >  realm '4GJN.COM'
> > 
> > after inserting in nss.conf
> > "NSSEnforceValidCerts off"
> > 
> > ipactl restart is starting (?) but
> > 
> > ipactl status tells me
> > Directory Service: RUNNING
> > krb5kdc Service: RUNNING
> > kadmin Service: RUNNING
> > named Service: RUNNING
> > ipa_memcached Service: RUNNING
> > httpd Service: RUNNING
> > ipa-custodia Service: RUNNING
> > pki-tomcatd Service: RUNNING
> > ipa-otpd Service: RUNNING
> > ipa-ods-exporter Service: STOPPED
> > ods-enforcerd Service: RUNNING
> > ipa-dnskeysyncd Service: RUNNING
> > ipa: INFO: The ipactl command was successful
> > 
> > With certutil -d /etc/httpd/alias -L I have now this:
> > Certificate Nickname                        Trust Attributes
> >                                             SSL,S/MIME,JAR/XPI
> > 
> > Signing-Cert                                u,u,u
> > 4GJN_CA_FILE                                u,u,u
> > ipaCert                                     u,u,u
> > 4GJN.COM IPA CA                             CT,C,C
> > STARTCOM-ROOT                               C,,
> > 
> > I can insert in nss.conf either the
> > #NSSNickname "Signing-Cert" original
> > or
> > 

Re: [Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-19 Thread Florence Blanc-Renaud

On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
> Hello,
> Freeipa 4.3.1
> 
> I have now installed a 3rd party certificate from Startcom and now my IPA is totally
> broken?
> I did this:
> 
> ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install
> root.crt
> 
> ipa-certupdate
> 
> ipa-server-certinstall -w -d ipa_3rd_ca.p12
> 
> I created this p12 with key.pem, cert.pem and root.crt
> 
> I also inserted the intermediate.crt into the cert.pem


Hi,

there were some issues with ipa-server-certinstall (see tickets #4785, 
#4786 and #6263).
In order to check your configuration, you must make sure that the NSS 
DBs for Apache and the LDAP server (/etc/httpd/alias, 
/var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
- the server certificate with flags u,u,u (= the one contained in 
ipa_3rd_ca.p12)
- the certificate of the CA which signed the server certificate, with 
flags C,, (= the one contained in root.crt)


Then you can also check if the nickname for the server cert is properly 
set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in 
the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute 
nsSSLPersonalitySSL).


If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may 
provide more information.


Also note that it is important to run ipa-certupdate on all the clients 
and replicas in order to install the new certificates in the NSS DBs 
*before* you run ipa-server-certinstall.


Hope this helps,
Flo.


> Kerberos doesn't start anymore?
> The error is
>  Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC for realm
> '4GJN.COM'
> 
> after inserting in nss.conf
> "NSSEnforceValidCerts off"
> 
> ipactl restart is starting (?) but
> 
> ipactl status tells me
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
> With certutil -d /etc/httpd/alias -L I have now this:
> Certificate Nickname                        Trust Attributes
>                                             SSL,S/MIME,JAR/XPI
> 
> Signing-Cert                                u,u,u
> 4GJN_CA_FILE                                u,u,u
> ipaCert                                     u,u,u
> 4GJN.COM IPA CA                             CT,C,C
> STARTCOM-ROOT                               C,,
> 
> I can insert in nss.conf either the
> #NSSNickname "Signing-Cert" original
> or
> NSSNickname 4GJN_CA_FILE but all is now broken?
> 
> I also add this, found in Bugzilla:
>  certutil -d /var/lib/pki/pki-tomcat/alias -L
> 
> Certificate Nickname                        Trust Attributes
>                                             SSL,S/MIME,JAR/XPI
> 
> ocspSigningCert cert-pki-ca                 u,u,u
> subsystemCert cert-pki-ca                   u,u,u
> caSigningCert cert-pki-ca                   CTu,Cu,Cu
> Server-Cert cert-pki-ca                     u,u,u
> auditSigningCert cert-pki-ca                u,u,Pu
> STARTCOM-ROOT                               CT,,
> 
> This is created in the
> 
> certutil -d /etc/dirsrv/slapd-4GJN.COM -L
> 
> Certificate Nickname                        Trust Attributes
>                                             SSL,S/MIME,JAR/XPI
> 
> 4GJN_CA_FILE                                u,u,u
> 4GJN.COM IPA CA                             CT,C,C
> STARTCOM-ROOT                               C,,
> 
> Can anyone help a little, please ;-)
> 
> The bad problem: I tested this with my master server with DNS / DNSSEC; I can't
> do a new install (DNSSEC keys)



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
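Florence's two replies in this thread spell out what to verify after a third-party certificate swap: each NSS database must hold the server certificate with flags u,u,u under the nickname that nss.conf's NSSNickname directive points to, plus the issuing CA with C,, trust (19 September reply), and the CA list is additive, so a wrongly installed root stays in the databases next to the right one (21 September reply). The following POSIX shell script is an added example, not code from the thread or from the FreeIPA project: it parses the text of a certutil -L listing (a constructed sample modelled on the /etc/httpd/alias listing above) together with an nss.conf fragment and reports the mismatches a practitioner would check for. It generalises the C,, requirement slightly by accepting any CA whose SSL trust column contains C (CT,C,C for the IPA CA is fine too). The function names trust_flags, nssnickname, check_server_cert and check_nssdb and the sample data are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): sanity-check an NSS DB
# listing against the expectations in Florence's replies. Function names and
# the sample data below are constructed for this example.

# Constructed sample modelled on the /etc/httpd/alias listing in the thread.
SAMPLE_LISTING='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

Signing-Cert                                u,u,u
4GJN_CA_FILE                                u,u,u
ipaCert                                     u,u,u
4GJN.COM IPA CA                             CT,C,C
STARTCOM-ROOT                               C,,'

# Constructed nss.conf fragment: original nickname commented out, imported one active.
SAMPLE_NSSCONF='#NSSNickname "Signing-Cert"
NSSNickname 4GJN_CA_FILE'

# trust_flags LISTING NICKNAME: print the trust column for NICKNAME, or nothing.
# Certificate rows are recognised by their trust triple (u,u,u, C,, ...), which
# also skips the two header lines; nicknames may contain spaces.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the flags column
            sub(/^[ \t]+/, "", name)                # drop leading blanks
            if (name == nick) { print flags; exit }
        }'
}

# nssnickname CONF_TEXT: print the active (uncommented) NSSNickname value.
nssnickname() {
    printf '%s\n' "$1" | awk '$1 == "NSSNickname" { gsub(/"/, "", $2); print $2; exit }'
}

# check_server_cert LISTING CONF_TEXT CA_NICKNAME: returns 0 when the server cert
# named in nss.conf has u,u,u and the CA has C in the SSL trust column; otherwise
# reports what is wrong and returns 1.
check_server_cert() {
    listing=$1; conf=$2; ca_nick=$3; rc=0
    nick=$(nssnickname "$conf")
    if [ -z "$nick" ]; then
        echo "FAIL: nss.conf has no active NSSNickname directive"
        return 1
    fi
    srv=$(trust_flags "$listing" "$nick")
    case "$srv" in
        u,u,u) echo "OK: server cert '$nick' present with u,u,u" ;;
        "")    echo "FAIL: nickname '$nick' is not in the NSS DB"; rc=1 ;;
        *)     echo "FAIL: '$nick' has flags '$srv', expected u,u,u"; rc=1 ;;
    esac
    ca=$(trust_flags "$listing" "$ca_nick")
    if [ -z "$ca" ]; then
        echo "FAIL: CA nickname '$ca_nick' is not in the NSS DB"; rc=1
    else
        case "${ca%%,*}" in   # first column = SSL trust
            *C*) echo "OK: CA '$ca_nick' trusted to issue SSL server certs ($ca)" ;;
            *)   echo "FAIL: CA '$ca_nick' has flags '$ca', needs C in the SSL column"; rc=1 ;;
        esac
    fi
    return $rc
}

# check_nssdb DBDIR NSSCONF CA_NICKNAME: the same checks against a live database
# (needs certutil from nss-tools; not exercised offline).
check_nssdb() {
    check_server_cert "$(certutil -d "$1" -L)" "$(cat "$2")" "$3"
}

# Stand-alone run on the constructed sample.
check_server_cert "$SAMPLE_LISTING" "$SAMPLE_NSSCONF" STARTCOM-ROOT
```

On a server, check_nssdb /etc/httpd/alias /etc/httpd/conf.d/nss.conf STARTCOM-ROOT runs the checks against the real database; the dirsrv and pki-tomcat directories from the thread can be checked the same way. Trust flags only say that a CA is trusted, not that it actually issued the server certificate, which is the trap in this thread (the wrong StartCom root was installed first); certutil -d <dir> -V -n <nickname> -u V performs the full chain validation for an SSL server certificate and is the check to run once the flags look right.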


[Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-16 Thread Günther J. Niederwimmer
Hello,
Freeipa 4.3.1

I have now installed a 3rd party certificate from Startcom and now my IPA is totally
broken?
I did this:

ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install
root.crt

ipa-certupdate

ipa-server-certinstall -w -d ipa_3rd_ca.p12

I created this p12 with key.pem, cert.pem and root.crt

I also inserted the intermediate.crt into the cert.pem

Kerberos doesn't start anymore?
The error is
 Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC for realm
'4GJN.COM'

after inserting in nss.conf
"NSSEnforceValidCerts off"

ipactl restart is starting (?) but

ipactl status tells me
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

With certutil -d /etc/httpd/alias -L I have now this:
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

Signing-Cert                                u,u,u
4GJN_CA_FILE                                u,u,u
ipaCert                                     u,u,u
4GJN.COM IPA CA                             CT,C,C
STARTCOM-ROOT                               C,,

I can insert in nss.conf either the
#NSSNickname "Signing-Cert" original
or
NSSNickname 4GJN_CA_FILE but all is now broken?

I also add this, found in Bugzilla:
 certutil -d /var/lib/pki/pki-tomcat/alias -L

Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                 u,u,u
subsystemCert cert-pki-ca                   u,u,u
caSigningCert cert-pki-ca                   CTu,Cu,Cu
Server-Cert cert-pki-ca                     u,u,u
auditSigningCert cert-pki-ca                u,u,Pu
STARTCOM-ROOT                               CT,,

This is created in the

certutil -d /etc/dirsrv/slapd-4GJN.COM -L

Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

4GJN_CA_FILE                                u,u,u
4GJN.COM IPA CA                             CT,C,C
STARTCOM-ROOT                               C,,

Can anyone help a little, please ;-)

The bad problem: I tested this with my master server with DNS / DNSSEC; I can't
do a new install (DNSSEC keys)

-- 
Kind regards / best regards,

  Günther J. Niederwimmer
