Re: [Freeipa-users] 3rd party Cert install now IPA total broken
On 09/20/2016 02:15 PM, Günther J. Niederwimmer wrote:
> Hello. Thanks for the first help,
>
> On Monday, 19 September 2016, 12:02:19, Florence Blanc-Renaud wrote:
> > On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
> > > Hello,
> > > Freeipa 4.3.1
> > >
> > > I have now installed a 3rd-party certificate from StartCom and now my
> > > IPA is totally broken?
> > >
> > >   ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install root.crt
>
> I mean this is the wrong cert I installed :-(. Is it possible to overwrite
> or delete it and make it new? This file is the ROOT-CA from StartCom
> ("30 Years").

Hi,

ipa-cacert-manage install *adds* the CA certificate to the list of CA certs
(it does not replace the CA cert), meaning that it can be run multiple times
with different certificates. After this step, you can find all your CA
certificates in the LDAP server, below cn=certificates,cn=ipa,cn=etc,$BASEDN.

So in your case, you can re-run this command, this time with the right CA
cert. Then do not forget to run ipa-certupdate on all the IPA replicas/clients
in order to install the new CA cert in the relevant NSS databases. It is
important to run ipa-certupdate before IPA services are restarted with the
new certs (otherwise ipa-certupdate cannot contact the LDAP server to
download the new certificates).

If you forgot to run ipa-certupdate on the clients, I guess you can fix this
by installing the new CA cert in /etc/ipa/nssdb with C,, flags.

HTH,
Flo

> > >   ipa-certupdate
> > >
> > >   ipa-server-certinstall -w -d ipa_3rd_ca.p12
>
> This was wrong; I deleted all these installed certs with
>
>   certutil -d . -D -n xxx
>
> > > I created this p12 with key.pem, cert.pem, root.crt.
>
> Now I have created a new p12 with, I hope, the correct certs. I got from
> StartCom a httpd zip file with 1_root_bundle.crt ("15 Years") and my
> wildcard certificate; this I included in my newly created p12 with my
> key.pem.
>
> This p12 I installed on the first master with
>
>   pk12util -v -i ipa_4gjn_ca.p12 -d /etc/httpd/alias \
>       -k /etc/httpd/alias/pwdfile.txt -W
>   pk12util -v -i ipa_4gjn_ca.p12 -d /etc/dirsrv/slapd-4GJN-COM \
>       -k /etc/dirsrv/slapd-4GJN-COM/pwdfile.txt -W xxx
>
> and
>
>   pk12util -v -i ipa_4gjn_ca.p12 -d /var/lib/pki/pki-tomcat/alias \
>       -k /etc/pki/pki-tomcat/pwdfile.txt -W x
>
> I changed the nss.conf and, I hope, the correct file in
> /etc/dirsrv/slapd- /dsl.ldif
>
> Then I changed in all NSS DBs the StartCom cert (1_root_bundle.crt) with
> name STARTCOM-ROOT to
>
>   certutil -d . -M -t C,, -n STARCOM-ROOT
>
> Afterwards I made a reboot and a test:
>
>   ipactl status
>   Directory Service: RUNNING
>   krb5kdc Service: RUNNING
>   kadmin Service: RUNNING
>   named Service: RUNNING
>   ipa_memcached Service: RUNNING
>   httpd Service: RUNNING
>   ipa-custodia Service: RUNNING
>   pki-tomcatd Service: RUNNING
>   ipa-otpd Service: RUNNING
>   ipa-ods-exporter Service: STOPPED
>   ods-enforcerd Service: RUNNING
>   ipa-dnskeysyncd Service: RUNNING
>   ipa: INFO: The ipactl command was successful
>
> Why is ipa-ods-exporter Service always STOPPED??
>
> Next I tested a login on the Web UI of IPA; this is now also working ;-)
>
> The QUESTION is now: what is with the second master and the IPA clients?
> Now (?) I have also found the ipa-backup ;-) OK, for the next problem now I
> know it :-).
>
> Do I have to repeat all this on the second master? And what is the correct
> way to inform the clients?
>
> Thanks again for an answer,
>
> > Hi,
> >
> > there were some issues with ipa-server-certinstall (see tickets #4785,
> > #4786 and #6263).
> >
> > In order to check your configuration, you must make sure that the NSS
> > DBs for Apache and the LDAP server (/etc/httpd/alias,
> > /var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
> > - the server certificate with flags u,u,u (= the one contained in
> >   ipa_3rd_ca.p12)
> > - the certificate of the CA which signed the server certificate, with
> >   flags C,, (= the one contained in root.rt)
> >
> > Then you can also check if the nickname for the server cert is properly
> > set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
> > the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
> > nsSSLPersonalitySSL).
> >
> > If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
> > provide more information.
> >
> > Also note that it is important to run ipa-certupdate on all the clients
> > and replicas in order to install the new certificates in the NSS DBs
> > *before* you run ipa-server-certinstall.
> >
> > Hope this helps,
> > Flo.
> >
> > > The kerberos doesn't start anymore? The error is
> > >
> > >   Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC
> > >   for realm '4GJN.COM'
> > >
> > > After inserting in nss.conf
> > >
> > >   NSSEnforceValidCerts off
> > >
> > > ipactl restart is starting (?) but ipactl status tells me
> > >
> > >   Directory Service: RUNNING
> > >   krb5kdc Service: RUNNING
> > >   kadmin Service: RUNNING
> > >   named Service: RUNNING
> > >   ipa_memcached Service: RUNNING
> > >   httpd Service: RUNNING
> > >   ipa-custodia Service: RUNNING
> > >   pki-tomcatd Service: RUNNING
> > >   ipa-otpd Service: RUNNING
> > >   ipa-ods-exporter Service: STOPPED
> > >   ods-enforcerd Service: RUNNING
> > >   ipa-dnskeysyncd Service: RUNNING
> > >   ipa: INFO: The ipactl command was successful
> > >
> > > With certutil -d /etc/httpd/alias -L I
Re: [Freeipa-users] 3rd party Cert install now IPA total broken
Hello. Thanks for the first help,

On Monday, 19 September 2016, 12:02:19, Florence Blanc-Renaud wrote:
> On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > Freeipa 4.3.1
> >
> > I have now installed a 3rd-party certificate from StartCom and now my
> > IPA is totally broken?
> >
> >   ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install root.crt

I mean this is the wrong cert I installed :-(. Is it possible to overwrite
or delete it and make it new? This file is the ROOT-CA from StartCom
("30 Years").

> >   ipa-certupdate
> >
> >   ipa-server-certinstall -w -d ipa_3rd_ca.p12

This was wrong; I deleted all these installed certs with

  certutil -d . -D -n xxx

> > I created this p12 with key.pem, cert.pem, root.crt.

Now I have created a new p12 with, I hope, the correct certs. I got from
StartCom a httpd zip file with 1_root_bundle.crt ("15 Years") and my
wildcard certificate; this I included in my newly created p12 with my
key.pem.

This p12 I installed on the first master with

  pk12util -v -i ipa_4gjn_ca.p12 -d /etc/httpd/alias \
      -k /etc/httpd/alias/pwdfile.txt -W
  pk12util -v -i ipa_4gjn_ca.p12 -d /etc/dirsrv/slapd-4GJN-COM \
      -k /etc/dirsrv/slapd-4GJN-COM/pwdfile.txt -W xxx

and

  pk12util -v -i ipa_4gjn_ca.p12 -d /var/lib/pki/pki-tomcat/alias \
      -k /etc/pki/pki-tomcat/pwdfile.txt -W x

I changed the nss.conf and, I hope, the correct file in
/etc/dirsrv/slapd- /dsl.ldif

Then I changed in all NSS DBs the StartCom cert (1_root_bundle.crt) with
name STARTCOM-ROOT to

  certutil -d . -M -t C,, -n STARCOM-ROOT

Afterwards I made a reboot and a test:

  ipactl status
  Directory Service: RUNNING
  krb5kdc Service: RUNNING
  kadmin Service: RUNNING
  named Service: RUNNING
  ipa_memcached Service: RUNNING
  httpd Service: RUNNING
  ipa-custodia Service: RUNNING
  pki-tomcatd Service: RUNNING
  ipa-otpd Service: RUNNING
  ipa-ods-exporter Service: STOPPED
  ods-enforcerd Service: RUNNING
  ipa-dnskeysyncd Service: RUNNING
  ipa: INFO: The ipactl command was successful

Why is ipa-ods-exporter Service always STOPPED??

Next I tested a login on the Web UI of IPA; this is now also working ;-)

The QUESTION is now: what is with the second master and the IPA clients?
Now (?) I have also found the ipa-backup ;-) OK, for the next problem now I
know it :-).

Do I have to repeat all this on the second master? And what is the correct
way to inform the clients?

Thanks again for an answer,

> Hi,
>
> there were some issues with ipa-server-certinstall (see tickets #4785,
> #4786 and #6263).
>
> In order to check your configuration, you must make sure that the NSS
> DBs for Apache and the LDAP server (/etc/httpd/alias,
> /var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
> - the server certificate with flags u,u,u (= the one contained in
>   ipa_3rd_ca.p12)
> - the certificate of the CA which signed the server certificate, with
>   flags C,, (= the one contained in root.rt)
>
> Then you can also check if the nickname for the server cert is properly
> set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
> the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
> nsSSLPersonalitySSL).
>
> If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
> provide more information.
>
> Also note that it is important to run ipa-certupdate on all the clients
> and replicas in order to install the new certificates in the NSS DBs
> *before* you run ipa-server-certinstall.
>
> Hope this helps,
> Flo.
>
> > The kerberos doesn't start anymore? The error is
> >
> >   Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC
> >   for realm '4GJN.COM'
> >
> > After inserting in nss.conf
> >
> >   NSSEnforceValidCerts off
> >
> > ipactl restart is starting (?) but ipactl status tells me
> >
> >   Directory Service: RUNNING
> >   krb5kdc Service: RUNNING
> >   kadmin Service: RUNNING
> >   named Service: RUNNING
> >   ipa_memcached Service: RUNNING
> >   httpd Service: RUNNING
> >   ipa-custodia Service: RUNNING
> >   pki-tomcatd Service: RUNNING
> >   ipa-otpd Service: RUNNING
> >   ipa-ods-exporter Service: STOPPED
> >   ods-enforcerd Service: RUNNING
> >   ipa-dnskeysyncd Service: RUNNING
> >   ipa: INFO: The ipactl command was successful
> >
> > With certutil -d /etc/httpd/alias -L I have now this:
> >
> >   Certificate Nickname        Trust Attributes
> >                               SSL,S/MIME,JAR/XPI
> >
> >   Signing-Cert                u,u,u
> >   4GJN_CA_FILE                u,u,u
> >   ipaCert                     u,u,u
> >   4GJN.COM IPA CA             CT,C,C
> >   STARTCOM-ROOT               C,,
> >
> > I can insert in nss.conf either the
> >
> >   #NSSNickname "Signing-Cert"   (original)
> >
> > or
> >
Re: [Freeipa-users] 3rd party Cert install now IPA total broken
On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
> Hello,
> Freeipa 4.3.1
>
> I have now installed a 3rd-party certificate from StartCom and now my IPA
> is totally broken?
>
> I did this:
>
>   ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install root.crt
>   ipa-certupdate
>   ipa-server-certinstall -w -d ipa_3rd_ca.p12
>
> I created this p12 with key.pem, cert.pem, root.crt. I also inserted the
> intermediate.crt into the cert.pem.

Hi,

there were some issues with ipa-server-certinstall (see tickets #4785,
#4786 and #6263).

In order to check your configuration, you must make sure that the NSS DBs
for Apache and the LDAP server (/etc/httpd/alias,
/var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
- the server certificate with flags u,u,u (= the one contained in
  ipa_3rd_ca.p12)
- the certificate of the CA which signed the server certificate, with
  flags C,, (= the one contained in root.rt)

Then you can also check if the nickname for the server cert is properly set
in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in the
LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
nsSSLPersonalitySSL).

If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may provide
more information.

Also note that it is important to run ipa-certupdate on all the clients and
replicas in order to install the new certificates in the NSS DBs *before*
you run ipa-server-certinstall.

Hope this helps,
Flo.

> The kerberos doesn't start anymore? The error is
>
>   Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC for
>   realm '4GJN.COM'
>
> After inserting in nss.conf
>
>   NSSEnforceValidCerts off
>
> ipactl restart is starting (?) but ipactl status tells me
>
>   Directory Service: RUNNING
>   krb5kdc Service: RUNNING
>   kadmin Service: RUNNING
>   named Service: RUNNING
>   ipa_memcached Service: RUNNING
>   httpd Service: RUNNING
>   ipa-custodia Service: RUNNING
>   pki-tomcatd Service: RUNNING
>   ipa-otpd Service: RUNNING
>   ipa-ods-exporter Service: STOPPED
>   ods-enforcerd Service: RUNNING
>   ipa-dnskeysyncd Service: RUNNING
>   ipa: INFO: The ipactl command was successful
>
> With certutil -d /etc/httpd/alias -L I have now this:
>
>   Certificate Nickname        Trust Attributes
>                               SSL,S/MIME,JAR/XPI
>
>   Signing-Cert                u,u,u
>   4GJN_CA_FILE                u,u,u
>   ipaCert                     u,u,u
>   4GJN.COM IPA CA             CT,C,C
>   STARTCOM-ROOT               C,,
>
> I can insert in nss.conf either the
>
>   #NSSNickname "Signing-Cert"   (original)
>
> or
>
>   NSSNickname 4GJN_CA_FILE
>
> but all is now broken?
>
> I also add this, found in Bugzilla:
>
>   certutil -d /var/lib/pki/pki-tomcat/alias -L
>   Certificate Nickname             Trust Attributes
>                                    SSL,S/MIME,JAR/XPI
>
>   ocspSigningCert cert-pki-ca      u,u,u
>   subsystemCert cert-pki-ca        u,u,u
>   caSigningCert cert-pki-ca        CTu,Cu,Cu
>   Server-Cert cert-pki-ca          u,u,u
>   auditSigningCert cert-pki-ca     u,u,Pu
>   STARTCOM-ROOT                    CT,,
>
> This is created in the
>
>   certutil -d /etc/dirsrv/slapd-4GJN.COM -L
>   Certificate Nickname        Trust Attributes
>                               SSL,S/MIME,JAR/XPI
>
>   4GJN_CA_FILE                u,u,u
>   4GJN.COM IPA CA             CT,C,C
>   STARTCOM-ROOT               C,,
>
> Can anyone help a little, please ;-)
>
> The bad problem: I tested this with my master server with DNS / DNSSEC, so
> I can't do a new install (DNSSEC keys).

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
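The checks Flo lists in the reply above (server cert with u,u,u and signing CA with C,, in each NSS DB; NSSNickname in nss.conf matching nsSSLPersonalitySSL in the LDAP encryption entry) and the point made in the later reply (the CA certs that ipa-cacert-manage install has accumulated under cn=certificates,cn=ipa,cn=etc,$BASEDN) can be scripted. The script below is an added example for this thread, not code from the thread or from the FreeIPA project. It parses certutil -L output with awk; the sample listing it ships with is constructed to match the shape of the /etc/httpd/alias listing quoted above, and the ldapi socket path /var/run/slapd-INSTANCE.socket and the ldapsearch invocation are assumptions about a default 389-ds instance, to be adjusted for the local deployment.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project. Checks the
# conditions Flo describes. Live-system paths and the ldapi URL are assumptions.

# check_nssdb_trust LISTING NICKNAME FLAGS
# Parse `certutil -d <db> -L` output (passed as a string) and succeed only if
# NICKNAME is present with exactly the trust flags FLAGS (e.g. u,u,u or C,,).
check_nssdb_trust() {
    listing=$1; nick=$2; want=$3
    got=$(printf '%s\n' "$listing" | awk -v n="$nick" '
        # A certificate line ends in a trust triple such as u,u,u or CT,C,C;
        # the header lines ("Trust Attributes", "SSL,S/MIME,JAR/XPI") do not.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF; $NF = ""; sub(/[ \t]+$/, "", $0)
            # $0 is now the nickname (single spaces between words assumed)
            if ($0 == n) print flags
        }')
    [ "$got" = "$want" ]
}

# verify_server_nssdb DB SERVER_NICK CA_NICK
# Run certutil on a live NSS DB and apply the two conditions from the mail:
# the server cert must carry u,u,u and the signing CA must carry C,,.
verify_server_nssdb() {
    db=$1; server_nick=$2; ca_nick=$3
    listing=$(certutil -d "$db" -L) || { echo "cannot list $db" >&2; return 1; }
    check_nssdb_trust "$listing" "$server_nick" "u,u,u" ||
        { echo "$db: $server_nick missing or not u,u,u" >&2; return 1; }
    check_nssdb_trust "$listing" "$ca_nick" "C,," ||
        { echo "$db: $ca_nick missing or not C,," >&2; return 1; }
}

# show_nicknames INSTANCE
# Print the nickname Apache uses (NSSNickname in nss.conf) and the one the
# LDAP server uses (nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config);
# both must name a u,u,u entry in the respective NSS DB. Assumes the 389-ds
# ldapi socket at /var/run/slapd-INSTANCE.socket and root's EXTERNAL bind.
show_nicknames() {
    inst=$1
    grep -i '^NSSNickname' /etc/httpd/conf.d/nss.conf
    ldapsearch -LLL -H "ldapi://%2fvar%2frun%2fslapd-$inst.socket" -Y EXTERNAL \
        -b "cn=RSA,cn=encryption,cn=config" nsSSLPersonalitySSL
}

# list_ca_certs BASEDN INSTANCE
# List the CA certificates that ipa-cacert-manage install has added; each
# child entry's cn is the nickname ipa-certupdate will install on clients.
list_ca_certs() {
    basedn=$1; inst=$2
    ldapsearch -LLL -H "ldapi://%2fvar%2frun%2fslapd-$inst.socket" -Y EXTERNAL \
        -b "cn=certificates,cn=ipa,cn=etc,$basedn" -s one cn
}

# Constructed sample: certutil -L output in the shape of the thread's
# /etc/httpd/alias listing (column spacing restored).
SAMPLE_LISTING=$(cat <<'EOF'
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Signing-Cert                                    u,u,u
4GJN_CA_FILE                                    u,u,u
ipaCert                                         u,u,u
4GJN.COM IPA CA                                 CT,C,C
STARTCOM-ROOT                                   C,,
EOF
)

# Stand-alone run against the constructed sample (no live system needed).
if check_nssdb_trust "$SAMPLE_LISTING" "4GJN_CA_FILE" "u,u,u" &&
   check_nssdb_trust "$SAMPLE_LISTING" "STARTCOM-ROOT" "C,,"; then
    echo "sample listing: server cert u,u,u and CA cert C,, as required"
fi
```

On a live master the same functions are called with the real DBs, e.g. verify_server_nssdb /etc/httpd/alias 4GJN_CA_FILE STARTCOM-ROOT and again for /etc/dirsrv/slapd-4GJN-COM and /var/lib/pki/pki-tomcat/alias, followed by show_nicknames 4GJN-COM; a nickname printed by show_nicknames that has no u,u,u entry in its DB is exactly the mismatch Flo asks to rule out.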
[Freeipa-users] 3rd party Cert install now IPA total broken
Hello,
Freeipa 4.3.1

I have now installed a 3rd-party certificate from StartCom and now my IPA is
totally broken?

I did this:

  ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install root.crt
  ipa-certupdate
  ipa-server-certinstall -w -d ipa_3rd_ca.p12

I created this p12 with key.pem, cert.pem, root.crt. I also inserted the
intermediate.crt into the cert.pem.

The kerberos doesn't start anymore? The error is

  Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC for
  realm '4GJN.COM'

After inserting in nss.conf

  NSSEnforceValidCerts off

ipactl restart is starting (?) but ipactl status tells me

  Directory Service: RUNNING
  krb5kdc Service: RUNNING
  kadmin Service: RUNNING
  named Service: RUNNING
  ipa_memcached Service: RUNNING
  httpd Service: RUNNING
  ipa-custodia Service: RUNNING
  pki-tomcatd Service: RUNNING
  ipa-otpd Service: RUNNING
  ipa-ods-exporter Service: STOPPED
  ods-enforcerd Service: RUNNING
  ipa-dnskeysyncd Service: RUNNING
  ipa: INFO: The ipactl command was successful

With certutil -d /etc/httpd/alias -L I have now this:

  Certificate Nickname        Trust Attributes
                              SSL,S/MIME,JAR/XPI

  Signing-Cert                u,u,u
  4GJN_CA_FILE                u,u,u
  ipaCert                     u,u,u
  4GJN.COM IPA CA             CT,C,C
  STARTCOM-ROOT               C,,

I can insert in nss.conf either the

  #NSSNickname "Signing-Cert"   (original)

or

  NSSNickname 4GJN_CA_FILE

but all is now broken?

I also add this, found in Bugzilla:

  certutil -d /var/lib/pki/pki-tomcat/alias -L
  Certificate Nickname             Trust Attributes
                                   SSL,S/MIME,JAR/XPI

  ocspSigningCert cert-pki-ca      u,u,u
  subsystemCert cert-pki-ca        u,u,u
  caSigningCert cert-pki-ca        CTu,Cu,Cu
  Server-Cert cert-pki-ca          u,u,u
  auditSigningCert cert-pki-ca     u,u,Pu
  STARTCOM-ROOT                    CT,,

This is created in the

  certutil -d /etc/dirsrv/slapd-4GJN.COM -L
  Certificate Nickname        Trust Attributes
                              SSL,S/MIME,JAR/XPI

  4GJN_CA_FILE                u,u,u
  4GJN.COM IPA CA             CT,C,C
  STARTCOM-ROOT               C,,

Can anyone help a little, please ;-)

The bad problem: I tested this with my master server with DNS / DNSSEC, so I
can't do a new install (DNSSEC keys).

--
Kind regards / best regards,
Günther J. Niederwimmer