Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 10:03:08PM -0400, beeth beeth wrote:
> Thanks Florence and Rob! The replica worked after adding the certs during
> the replica preparation.
> 
> Now I got several IPA clients installed with user authentication(ssh login
> with the users in IPA) working after some work. However, one of them failed
> during login with the following messages in syslog:
> 
> Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Credentials cache
> permissions incorrect

This is RHEL-7, right? Then I'm not sure why ccache permissions would be
incorrect, maybe except for an SELinux issue. (You are using the KEYRING
ccache, right?)

> Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity
> check failed
> Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity
> check failed

These two mean a wrong password was supplied.

You can enable sssd debugging and take a look at krb5_child.log. If
you crank up the debug_level all the way up to 10, then you'll also see
KRB5_TRACE-level messages.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
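Jakub's reading of the two syslog messages above, turned into a small parser and classifier that can be run over a client's log before anyone starts regenerating keytabs. This is an added example, not code from SSSD, FreeIPA or this thread; the lines in SAMPLE_LOG are constructed to match the format quoted above, and the hint text is a summary of what to check next, not SSSD output.

```python
"""Parse sssd krb5_child syslog lines and map them to a diagnosis.

Added example, not SSSD/FreeIPA code.  SAMPLE_LOG is constructed to match
the lines quoted in the thread; the DIAGNOSIS table encodes Jakub's reading
of them ("Decrypt integrity check failed" means a wrong password).
"""
import re
from collections import Counter

# "Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity check failed"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"\[sssd\[(?P<child>\w+)\[(?P<pid>\d+)\]\]\]: "
    r"(?P<msg>.*)$"
)

# message text -> (short diagnosis, what to check next)
DIAGNOSIS = {
    # libkrb5's text for KRB5KRB_AP_ERR_BAD_INTEGRITY: the KDC reply could not
    # be decrypted with the key derived from the supplied password.
    "Decrypt integrity check failed": (
        "wrong password",
        "verify the password; repeated hits from one host may be a guessing attempt",
    ),
    # krb5_child could not use the credential cache it was handed.
    "Credentials cache permissions incorrect": (
        "ccache permissions",
        "check the ccache type (KEYRING vs FILE), SELinux AVC denials, and "
        "ownership/mode of any FILE ccache",
    ),
}
UNKNOWN = ("unknown", "raise debug_level to 10 in sssd.conf and read krb5_child.log")


def parse_line(line):
    """Return the named fields of one syslog line, or None if it is not sssd."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Attach a diagnosis to a krb5_child line; other lines yield None."""
    rec = parse_line(line)
    if rec is None or rec["child"] != "krb5_child":
        return None
    diagnosis, hint = DIAGNOSIS.get(rec["msg"], UNKNOWN)
    return {"host": rec["host"], "pid": int(rec["pid"]), "msg": rec["msg"],
            "diagnosis": diagnosis, "hint": hint}


def summarize(lines):
    """Count (host, diagnosis) pairs so a burst of wrong-password failures on
    one client stands out from a single ccache problem."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec is not None:
            counts[(rec["host"], rec["diagnosis"])] += 1
    return counts


# Constructed sample: the three lines from the report plus one unrelated line.
SAMPLE_LOG = [
    "Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Credentials cache permissions incorrect",
    "Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity check failed",
    "Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity check failed",
    "Sep 29 21:41:14 ipaclient3 [sssd[ldap_child[2530]]]: Failed to initialize credentials using keytab",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = classify(line)
        if rec:
            print(f"{rec['host']} pid={rec['pid']}: {rec['diagnosis']} -> {rec['hint']}")
    print(dict(summarize(SAMPLE_LOG)))
```

Feed it `journalctl -u sssd` or /var/log/messages from the failing client; the per-host counter is the piece worth keeping, since two "Decrypt integrity check failed" lines from one login are a typo, while dozens per minute are an authentication-guessing signal rather than a configuration problem.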


Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
Thanks Florence and Rob! The replica worked after adding the certs during
the replica preparation.

Now I got several IPA clients installed with user authentication(ssh login
with the users in IPA) working after some work. However, one of them failed
during login with the following messages in syslog:

Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Credentials cache
permissions incorrect
Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity
check failed
Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity
check failed

I tried this on ipaclient3:
# kinit admin
# ipa-getkeytab -s ipa1.example.com -p host/ipaclient3.example.com -k
/etc/krb5.keytab
No help.

I also tried this on ipaclient3(which I don't think is relevant to the krb5
error):
# wget -O /etc/ipa/ca.crt https://ipa1.example.com/ipa/config/ca.crt
# certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt

Any idea about such krb5 issue? Thanks again!



On Thu, Sep 29, 2016 at 9:36 AM, Florence Blanc-Renaud wrote:

> On 09/29/2016 02:12 PM, Rob Crittenden wrote:
>
>> beeth beeth wrote:
>>
>>> Hi Florence,
>>>
>>> I previously tried option a) and failed(need to find out why later), but
>>> I was able to successfully reinstall the server and the client with
>>> option b), thanks a lot! So when it says "Installing Without a CA", it
>>> means without a "embeded CA"(the IPA's own CA), is that right?
>>>
>>> Another main problem comes up for option b): now I am going to install
>>> the replica server(ipa2), if I do the same as I did before:
>>>
>>> [root@ipa1 ~]# ipa-replica-prepare ipa2.example.com
>>> 
>>>
>>> copy the gpg file from ipa1 to ipa2
>>>
>>> [root@ipa2 ~]# ipa-replica-install
>>> /var/lib/ipa/replica-info-ipa2.example.com.gpg
>>>
>>> Then I believe the Apache on ipa2(the replica server) will use the
>>> Verisign certificate with the same hostname(DN): ipa1.example.com, NOT
>>> ipa2.example.com, hence the users who visit https://ipa2.example.com
>>> will experience a security warning from the browser, as expected...
>>> What could be a solution for this?
>>>
>>> Thanks again!
>>>
>>>
>>> On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud wrote:
>>>
>>> On 09/29/2016 11:43 AM, beeth beeth wrote:
>>>
>>> Thanks for the quick response Florence!
>>>
>>> My goal is to use a 3rd party certificate(such as Verisign
>>> cert) for
>>> Web UI(company security requirement), in fact we are not
>>> required to use
>>> 3rd party certificate for the LDAP server, but as I mentioned
>>> earlier, I
>>> couldn't make the new Verisign cert to work with the Web UI,
>>> without
>>> messing up the IPA function(after I updated the nss.conf to use
>>> the new
>>> cert in the /etc/httpd/alias db, the ipa_client_install failed).
>>> So I
>>> tried to follow the Redhat instruction, to see if I can get the
>>> Verisign
>>> cert installed at the most beginning, without using FreeIPA's
>>> own/default certificate), but I got the CSR question.
>>>
>>> I did install IPA without a CA, by following the instruction at
>>>
>>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
>>> but failed to restart HTTPD. When and how can I provide the
>>> 3rd-party
>>> certificate? Could you please point me a document about the
>>> detail?
>>>
>>> Hi,
>>>
>>> you need first to clarify if you want FreeIPA to act as a CA or not.
>>> The setup will depend on this choice.
>>>
>>> - option a) FreeIPA with an embedded CA:
>>> you can install FreeIPA with a self-signed CA, then follow the
>>> instructions at
>>>
>>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>> in order to replace the WebUI certificate. Please note that there
>>> were some bugs in ipa-server-certinstall, preventing httpd from
>>> starting (Ticket #4786 [1]). The workaround is to manually update
>>> nss.conf (as you did) and manually import the CA certificate into
>>> /etc/pki/pki-tomcat/alias, for instance with
>>> $ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname
>>> -t C,,
>>>
>>>
>>> - option b) Free IPA without CA
>>> the installation instructions are in Installing without a CA [2].
>>> You will provide the certificate that will be used by both the LDAP
>>> server and the WebUI in the command options.
>>>
>>
>> You'd need either a separate certificate or one with multiple subject
>> alternative names, one for each master. I also imagine you'd need to
>> 

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Florence Blanc-Renaud

On 09/29/2016 02:12 PM, Rob Crittenden wrote:
> beeth beeth wrote:
>> Hi Florence,
>>
>> I previously tried option a) and failed(need to find out why later), but
>> I was able to successfully reinstall the server and the client with
>> option b), thanks a lot! So when it says "Installing Without a CA", it
>> means without an "embedded CA"(the IPA's own CA), is that right?
>>
>> Another main problem comes up for option b): now I am going to install
>> the replica server(ipa2), if I do the same as I did before:
>>
>> [root@ipa1 ~]# ipa-replica-prepare ipa2.example.com
>>
>> copy the gpg file from ipa1 to ipa2
>>
>> [root@ipa2 ~]# ipa-replica-install
>> /var/lib/ipa/replica-info-ipa2.example.com.gpg
>>
>> Then I believe the Apache on ipa2(the replica server) will use the
>> Verisign certificate with the same hostname(DN): ipa1.example.com, NOT
>> ipa2.example.com, hence the users who visit https://ipa2.example.com
>> will experience a security warning from the browser, as expected...
>> What could be a solution for this?
>>
>> Thanks again!
>>
>> On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud wrote:
>>
>>> On 09/29/2016 11:43 AM, beeth beeth wrote:
>>>
>>>> Thanks for the quick response Florence!
>>>>
>>>> My goal is to use a 3rd party certificate(such as Verisign cert) for
>>>> Web UI(company security requirement), in fact we are not required to
>>>> use 3rd party certificate for the LDAP server, but as I mentioned
>>>> earlier, I couldn't make the new Verisign cert to work with the Web UI,
>>>> without messing up the IPA function(after I updated the nss.conf to use
>>>> the new cert in the /etc/httpd/alias db, the ipa_client_install
>>>> failed). So I tried to follow the Redhat instruction, to see if I can
>>>> get the Verisign cert installed at the most beginning, without using
>>>> FreeIPA's own/default certificate), but I got the CSR question.
>>>>
>>>> I did install IPA without a CA, by following the instruction at
>>>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
>>>> but failed to restart HTTPD. When and how can I provide the 3rd-party
>>>> certificate? Could you please point me a document about the detail?
>>>
>>> Hi,
>>>
>>> you need first to clarify if you want FreeIPA to act as a CA or not.
>>> The setup will depend on this choice.
>>>
>>> - option a) FreeIPA with an embedded CA:
>>> you can install FreeIPA with a self-signed CA, then follow the
>>> instructions at
>>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>> in order to replace the WebUI certificate. Please note that there
>>> were some bugs in ipa-server-certinstall, preventing httpd from
>>> starting (Ticket #4786 [1]). The workaround is to manually update
>>> nss.conf (as you did) and manually import the CA certificate into
>>> /etc/pki/pki-tomcat/alias, for instance with
>>> $ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname
>>> -t C,,
>>>
>>> - option b) Free IPA without CA
>>> the installation instructions are in Installing without a CA [2].
>>> You will provide the certificate that will be used by both the LDAP
>>> server and the WebUI in the command options.
>
> You'd need either a separate certificate or one with multiple subject
> alternative names, one for each master. I also imagine you'd need to
> provide this certificate at replica preparation time if you've installed
> without a CA.

Yes, that's right. You can use the command ipa-replica-prepare with the 
options --dirsrv-cert-file / --dirsrv-pin and --http-cert-file / 
--http-pin to provide the replica's certificate and key. They will be 
embedded in the replica file and used during the replica installation.


Flo.


> rob
>
>>> HTH,
>>> Flo.
>>>
>>> [1] https://fedorahosted.org/freeipa/ticket/4786
>>> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca

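Rob's and Florence's answers above come down to a name-matching check: a browser compares the hostname it connected to against the names in the certificate (the subjectAltName dNSName entries, in any current browser), so a certificate issued for ipa1.example.com cannot serve https://ipa2.example.com no matter how it is installed. The following is an added example, not FreeIPA code, that applies the RFC 6125 matching rules to decide which masters a shared certificate covers and which ones need their own certificate passed to ipa-replica-prepare. The master list and SAN lists are constructed for the example; a real check would read the dNSName values out of the certificate with certutil -L or openssl x509 -text.

```python
"""Which IPA masters does a third-party certificate actually cover?

Added example, not FreeIPA code.  Implements the subjectAltName dNSName
matching a browser performs (RFC 6125 rules, wildcard only as the whole
leftmost label) and uses it to split a list of masters into "covered by the
shared certificate" and "needs its own certificate".  All inputs are
constructed for the example.
"""


def dns_name_matches(pattern, host):
    """True if the SAN dNSName `pattern` matches `host`.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    accepted only as the entire leftmost label of a name with at least two
    further labels ("*.example.com"); "ipa*.example.com" and "*.com" are
    rejected, as current browsers do.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # The wildcard matches exactly one label, never "a.b.example.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covers(san_dns_names, host):
    """True if any SAN entry matches the host."""
    return any(dns_name_matches(name, host) for name in san_dns_names)


def certificate_plan(masters, san_dns_names):
    """Split masters into (covered, uncovered) for one shared certificate.

    Covered masters can reuse the same certificate/key pair for both httpd
    and the directory server.  Each uncovered master needs a certificate
    issued in its own name, supplied at replica preparation time
    (ipa-replica-prepare --http-cert-file/--http-pin and
    --dirsrv-cert-file/--dirsrv-pin, as Florence describes).
    """
    covered = [m for m in masters if covers(san_dns_names, m)]
    uncovered = [m for m in masters if not covers(san_dns_names, m)]
    return covered, uncovered


# Constructed inputs: the two masters from the thread and two candidate certs.
MASTERS = ["ipa1.example.com", "ipa2.example.com"]
CERT_FOR_IPA1_ONLY = ["ipa1.example.com"]          # what the first install used
CERT_WITH_ALL_MASTERS = ["ipa1.example.com", "ipa2.example.com", "ipa.example.com"]

if __name__ == "__main__":
    for label, sans in (("single-name cert", CERT_FOR_IPA1_ONLY),
                        ("multi-SAN cert", CERT_WITH_ALL_MASTERS)):
        covered, uncovered = certificate_plan(MASTERS, sans)
        print(f"{label}: covered={covered} needs own cert={uncovered}")
```

The same check applies to the directory server certificate: clients that talk LDAPS to ipa2 verify ipa2's name, so a cert that only names ipa1 fails there as well, just without a browser dialog to make it obvious. Running the plan before requesting the commercial certificate tells you whether to ask for one certificate with every master in its SAN list or one certificate per master.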


Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Rob Crittenden

beeth beeth wrote:
> Hi Florence,
>
> I previously tried option a) and failed(need to find out why later), but
> I was able to successfully reinstall the server and the client with
> option b), thanks a lot! So when it says "Installing Without a CA", it
> means without an "embedded CA"(the IPA's own CA), is that right?
>
> Another main problem comes up for option b): now I am going to install
> the replica server(ipa2), if I do the same as I did before:
>
> [root@ipa1 ~]# ipa-replica-prepare ipa2.example.com
>
> copy the gpg file from ipa1 to ipa2
>
> [root@ipa2 ~]# ipa-replica-install
> /var/lib/ipa/replica-info-ipa2.example.com.gpg
>
> Then I believe the Apache on ipa2(the replica server) will use the
> Verisign certificate with the same hostname(DN): ipa1.example.com, NOT
> ipa2.example.com, hence the users who visit https://ipa2.example.com
> will experience a security warning from the browser, as expected...
> What could be a solution for this?
>
> Thanks again!
>
> On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud wrote:
>
>> On 09/29/2016 11:43 AM, beeth beeth wrote:
>>
>>> Thanks for the quick response Florence!
>>>
>>> My goal is to use a 3rd party certificate(such as Verisign cert) for
>>> Web UI(company security requirement), in fact we are not required to
>>> use 3rd party certificate for the LDAP server, but as I mentioned
>>> earlier, I couldn't make the new Verisign cert to work with the Web UI,
>>> without messing up the IPA function(after I updated the nss.conf to use
>>> the new cert in the /etc/httpd/alias db, the ipa_client_install
>>> failed). So I tried to follow the Redhat instruction, to see if I can
>>> get the Verisign cert installed at the most beginning, without using
>>> FreeIPA's own/default certificate), but I got the CSR question.
>>>
>>> I did install IPA without a CA, by following the instruction at
>>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
>>> but failed to restart HTTPD. When and how can I provide the 3rd-party
>>> certificate? Could you please point me a document about the detail?
>>
>> Hi,
>>
>> you need first to clarify if you want FreeIPA to act as a CA or not.
>> The setup will depend on this choice.
>>
>> - option a) FreeIPA with an embedded CA:
>> you can install FreeIPA with a self-signed CA, then follow the
>> instructions at
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>> in order to replace the WebUI certificate. Please note that there
>> were some bugs in ipa-server-certinstall, preventing httpd from
>> starting (Ticket #4786 [1]). The workaround is to manually update
>> nss.conf (as you did) and manually import the CA certificate into
>> /etc/pki/pki-tomcat/alias, for instance with
>> $ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname
>> -t C,,
>>
>> - option b) Free IPA without CA
>> the installation instructions are in Installing without a CA [2].
>> You will provide the certificate that will be used by both the LDAP
>> server and the WebUI in the command options.


You'd need either a separate certificate or one with multiple subject 
alternative names, one for each master. I also imagine you'd need to 
provide this certificate at replica preparation time if you've installed 
without a CA.


rob



>> HTH,
>> Flo.
>>
>> [1] https://fedorahosted.org/freeipa/ticket/4786
>> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca


Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
Hi Florence,

I previously tried option a) and failed(need to find out why later), but I
was able to successfully reinstall the server and the client with option
b), thanks a lot! So when it says "Installing Without a CA", it means
without an "embedded CA"(the IPA's own CA), is that right?

Another main problem comes up for option b): now I am going to install the
replica server(ipa2), if I do the same as I did before:

[root@ipa1 ~]# ipa-replica-prepare ipa2.example.com

copy the gpg file from ipa1 to ipa2

[root@ipa2 ~]# ipa-replica-install
/var/lib/ipa/replica-info-ipa2.example.com.gpg

Then I believe the Apache on ipa2(the replica server) will use the Verisign
certificate with the same hostname(DN): ipa1.example.com, NOT
ipa2.example.com, hence the users who visit https://ipa2.example.com will
experience a security warning from the browser, as expected...
What could be a solution for this?

Thanks again!


On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud wrote:

> On 09/29/2016 11:43 AM, beeth beeth wrote:
>
>> Thanks for the quick response Florence!
>>
>> My goal is to use a 3rd party certificate(such as Verisign cert) for
>> Web UI(company security requirement), in fact we are not required to use
>> 3rd party certificate for the LDAP server, but as I mentioned earlier, I
>> couldn't make the new Verisign cert to work with the Web UI, without
>> messing up the IPA function(after I updated the nss.conf to use the new
>> cert in the /etc/httpd/alias db, the ipa_client_install failed). So I
>> tried to follow the Redhat instruction, to see if I can get the Verisign
>> cert installed at the most beginning, without using FreeIPA's
>> own/default certificate), but I got the CSR question.
>>
>> I did install IPA without a CA, by following the instruction at
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
>> but failed to restart HTTPD. When and how can I provide the 3rd-party
>> certificate? Could you please point me a document about the detail?
>>
> Hi,
>
> you need first to clarify if you want FreeIPA to act as a CA or not. The
> setup will depend on this choice.
>
> - option a) FreeIPA with an embedded CA:
> you can install FreeIPA with a self-signed CA, then follow the
> instructions at https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> in order to replace the WebUI
> certificate. Please note that there were some bugs in
> ipa-server-certinstall, preventing httpd from starting (Ticket #4786 [1]).
> The workaround is to manually update nss.conf (as you did) and manually
> import the CA certificate into /etc/pki/pki-tomcat/alias, for instance with
> $ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,
>
>
> - option b) Free IPA without CA
> the installation instructions are in Installing without a CA [2]. You will
> provide the certificate that will be used by both the LDAP server and the
> WebUI in the command options.
>
> HTH,
> Flo.
>
> [1] https://fedorahosted.org/freeipa/ticket/4786
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
>

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Deepak Dimri
Thanks, Florence


It works now. My /etc/sssd/sssd.conf was missing the sudo service; adding
the line below fixed the issue:

services = nss, sudo, pam, ssh


Many Thanks Again!


Best Regards,

Deepak



From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on 
behalf of Florence Blanc-Renaud <f...@redhat.com>
Sent: Thursday, September 29, 2016 6:03 AM
To: beeth beeth
Cc: Freeipa-users
Subject: Re: [Freeipa-users] Install IPA Servers with third-party 
certificate(external CA)

On 09/29/2016 11:43 AM, beeth beeth wrote:
> Thanks for the quick response Florence!
>
> My goal is to use a 3rd party certificate(such as Verisign cert) for
> Web UI(company security requirement), in fact we are not required to use
> 3rd party certificate for the LDAP server, but as I mentioned earlier, I
> couldn't make the new Verisign cert to work with the Web UI, without
> messing up the IPA function(after I updated the nss.conf to use the new
> cert in the /etc/httpd/alias db, the ipa_client_install failed). So I
> tried to follow the Redhat instruction, to see if I can get the Verisign
> cert installed at the most beginning, without using FreeIPA's
> own/default certificate), but I got the CSR question.
>
> I did install IPA without a CA, by following the instruction at
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
> but failed to restart HTTPD. When and how can I provide the 3rd-party
> certificate? Could you please point me a document about the detail?
Hi,

you need first to clarify if you want FreeIPA to act as a CA or not. The
setup will depend on this choice.

- option a) FreeIPA with an embedded CA:
you can install FreeIPA with a self-signed CA, then follow the
instructions at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
in order to replace the WebUI certificate. Please note that there were
some bugs in ipa-server-certinstall, preventing httpd from starting
(Ticket #4786 [1]). The workaround is to manually update nss.conf (as
you did) and manually import the CA certificate into
/etc/pki/pki-tomcat/alias, for instance with
$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,


- option b) Free IPA without CA
the installation instructions are in Installing without a CA [2]. You
will provide the certificate that will be used by both the LDAP server
and the WebUI in the command options.

HTH,
Flo.

[1] https://fedorahosted.org/freeipa/ticket/4786
[2]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca

> Thanks again!
>
>
> On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud <f...@redhat.com
> <mailto:f...@redhat.com>> wrote:
>
> Hi,
>
> The instructions that you followed are used when you want to install
> FreeIPA with an embedded Certificate Authority (ie FreeIPA is able
> to issue certificates), and FreeIPA CA is signed by a 3rd party CA.
>
> Maybe your goal is just to use a 3rd party certificate for IPA's
> LDAP server and Web UI. In this case, you do not need to install
> FreeIPA with an embedded CA. You can follow the instructions for
> Installing without a CA [1], where you will need to provide a
> 3rd-party certificate.
>
> Hope this clarifies,
> Flo.
>
> [1]
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
> 
> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca>
>
>
>
> On 09/29/2016 11:03 AM, beeth beeth wrote:
>
> I am trying to set up IPA servers with Verisign certificate, so
> that the
> Admin Web console can use public signed certificate to meet
> company's
> security requirement. But when I try to follow Red Hat's
> instructions at
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Ente

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Florence Blanc-Renaud

On 09/29/2016 11:43 AM, beeth beeth wrote:
> Thanks for the quick response Florence!
>
> My goal is to use a 3rd party certificate(such as Verisign cert) for
> Web UI(company security requirement), in fact we are not required to use
> 3rd party certificate for the LDAP server, but as I mentioned earlier, I
> couldn't make the new Verisign cert to work with the Web UI, without
> messing up the IPA function(after I updated the nss.conf to use the new
> cert in the /etc/httpd/alias db, the ipa_client_install failed). So I
> tried to follow the Redhat instruction, to see if I can get the Verisign
> cert installed at the most beginning, without using FreeIPA's
> own/default certificate), but I got the CSR question.
>
> I did install IPA without a CA, by following the instruction at
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
> but failed to restart HTTPD. When and how can I provide the 3rd-party
> certificate? Could you please point me a document about the detail?

Hi,

you need first to clarify if you want FreeIPA to act as a CA or not. The 
setup will depend on this choice.


- option a) FreeIPA with an embedded CA:
you can install FreeIPA with a self-signed CA, then follow the 
instructions at 
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP 
in order to replace the WebUI certificate. Please note that there were 
some bugs in ipa-server-certinstall, preventing httpd from starting 
(Ticket #4786 [1]). The workaround is to manually update nss.conf (as 
you did) and manually import the CA certificate into 
/etc/pki/pki-tomcat/alias, for instance with

$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,


- option b) Free IPA without CA
the installation instructions are in Installing without a CA [2]. You 
will provide the certificate that will be used by both the LDAP server 
and the WebUI in the command options.


HTH,
Flo.

[1] https://fedorahosted.org/freeipa/ticket/4786
[2] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca



> Thanks again!
>
> On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud wrote:
>
>> Hi,
>>
>> The instructions that you followed are used when you want to install
>> FreeIPA with an embedded Certificate Authority (ie FreeIPA is able
>> to issue certificates), and FreeIPA CA is signed by a 3rd party CA.
>>
>> Maybe your goal is just to use a 3rd party certificate for IPA's
>> LDAP server and Web UI. In this case, you do not need to install
>> FreeIPA with an embedded CA. You can follow the instructions for
>> Installing without a CA [1], where you will need to provide a
>> 3rd-party certificate.
>>
>> Hope this clarifies,
>> Flo.
>>
>> [1]
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
>>
>> On 09/29/2016 11:03 AM, beeth beeth wrote:
>>
>>> I am trying to set up IPA servers with Verisign certificate, so that the
>>> Admin Web console can use public signed certificate to meet company's
>>> security requirement. But when I try to follow Red Hat's instructions at
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,
>>>
>>> 2.3.5. Installing a Server with an External CA as the Root CA,
>>> at the first step it says to generate CSR by adding the --external-ca
>>> option to the ipa-server-install utility, which does generate a CSR at
>>> /root/ipa.csr. However, the ipa-server-install command in fact doesn't
>>> ask for Distinguished Name (DN) or the organization info(like country,
>>> state, etc.), which are required in the CSR. Without a valid CSR file, I
>>> can't request for new Verisign certs. Did I miss something?
>>>
>>> Originally I once tried to change the default certificate for Apache(the
>>> Web Admin console) ONLY to the Verisign one, by adding the certificates
>>> to the /etc/httpd/alias database with the command:
>>>   # ipa-server-certinstall -w --http_pin=test verisign.pk12
>>> And updated the nss.conf for httpd, so that the new Nickname is used to
>>> point to the Verisign certs. That worked well for the website. However,
>>> the IPA client installation failed after

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
Ok, I will try out the "2.3.6. Installing Without a CA", and keep you
posted.
BTW, I noticed that the key needs to be encrypted, is that true?
Thanks!

On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud wrote:

> Hi,
>
> The instructions that you followed are used when you want to install
> FreeIPA with an embedded Certificate Authority (ie FreeIPA is able to issue
> certificates), and FreeIPA CA is signed by a 3rd party CA.
>
> Maybe your goal is just to use a 3rd party certificate for IPA's LDAP
> server and Web UI. In this case, you do not need to install FreeIPA with an
> embedded CA. You can follow the instructions for Installing without a CA
> [1], where you will need to provide a 3rd-party certificate.
>
> Hope this clarifies,
> Flo.
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
>
>
>
> On 09/29/2016 11:03 AM, beeth beeth wrote:
>
>> I am trying to set up IPA servers with Verisign certificate, so that the
>> Admin Web console can use public signed certificate to meet company's
>> security requirement. But when I try to follow Red Hat's instructions at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,
>>
>> 2.3.5. Installing a Server with an External CA as the Root CA,
>> at the first step it says to generate CSR by adding the --external-ca
>> option to the ipa-server-install utility, which does generate a CRS at
>> /root/ipa.csr. However, the ipa-server-install command in fact doesn't
>> ask for Distinguished Name (DN) or the organization info(like country,
>> state, etc.), which are required in the CSR. Without a valid CSR file, I
>> can't request for new Verisign certs. Did I miss something?
>>
>> Originally I once tried to change the default certificate for Apache(the
>> Web Admin console) ONLY to the Verisign one, by adding the certificates
>> to the /etc/httpd/alias database with the command:
>>   # ipa-server-certinstall -w --http_pin=test verisign.pk12
>> And updated the nss.conf for httpd, so that the new Nickname is used to
>> point to the Verisign certs. That worked well for the website. However,
>> the IPA client installation failed after that for the
>> "ipa-client-install":
>>
>> ERROR Joining realm failed: libcurl failed to execute the HTTP POST
>> transaction, explaining:  Peer's certificate issuer has been marked as
>> not trusted by the user.
>>
>> Even I tried to also update the certificate for the Directory
>> service(ipa-server-certinstall -d ... ), the client installation still
>> failed. I believe the new Verisign cert messed up the communication of
>> the IPA components. Then I am thinking to install the IPA server from
>> scratch with the Verisign cert, but then I hit the CSR problem described
>> above.
>>
>> Please advise. Thanks!
>>
>>
>>
>

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
Thanks for the quick response Florence!

My goal is to use a 3rd party certificate(such as Verisign cert) for Web
UI(company security requirement), in fact we are not required to use 3rd
party certificate for the LDAP server, but as I mentioned earlier, I
couldn't make the new Verisign cert to work with the Web UI, without
messing up the IPA function(after I updated the nss.conf to use the new
cert in the /etc/httpd/alias db, the ipa_client_install failed). So I tried
to follow the Redhat instruction, to see if I can get the Verisign cert
installed at the most beginning, without using FreeIPA's own/default
certificate), but I got the CSR question.

I did install IPA without a CA, by following the instruction at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP, but
failed to restart HTTPD. When and how can I provide the 3rd-party
certificate? Could you please point me a document about the detail? Thanks
again!


On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud wrote:

> Hi,
>
> The instructions that you followed are used when you want to install
> FreeIPA with an embedded Certificate Authority (ie FreeIPA is able to issue
> certificates), and FreeIPA CA is signed by a 3rd party CA.
>
> Maybe your goal is just to use a 3rd party certificate for IPA's LDAP
> server and Web UI. In this case, you do not need to install FreeIPA with an
> embedded CA. You can follow the instructions for Installing without a CA
> [1], where you will need to provide a 3rd-party certificate.
>
> Hope this clarifies,
> Flo.
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
>
>
>
> On 09/29/2016 11:03 AM, beeth beeth wrote:
>
>> I am trying to set up IPA servers with Verisign certificate, so that the
>> Admin Web console can use public signed certificate to meet company's
>> security requirement. But when I try to follow Red Hat's instructions at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,
>>
>> 2.3.5. Installing a Server with an External CA as the Root CA,
>> at the first step it says to generate CSR by adding the --external-ca
>> option to the ipa-server-install utility, which does generate a CRS at
>> /root/ipa.csr. However, the ipa-server-install command in fact doesn't
>> ask for Distinguished Name (DN) or the organization info(like country,
>> state, etc.), which are required in the CSR. Without a valid CSR file, I
>> can't request for new Verisign certs. Did I miss something?
>>
>> Originally I once tried to change the default certificate for Apache(the
>> Web Admin console) ONLY to the Verisign one, by adding the certificates
>> to the /etc/httpd/alias database with the command:
>>   # ipa-server-certinstall -w --http_pin=test verisign.pk12
>> And updated the nss.conf for httpd, so that the new Nickname is used to
>> point to the Verisign certs. That worked well for the website. However,
>> the IPA client installation failed after that for the
>> "ipa-client-install":
>>
>> ERROR Joining realm failed: libcurl failed to execute the HTTP POST
>> transaction, explaining:  Peer's certificate issuer has been marked as
>> not trusted by the user.
>>
>> Even I tried to also update the certificate for the Directory
>> service(ipa-server-certinstall -d ... ), the client installation still
>> failed. I believe the new Verisign cert messed up the communication of
>> the IPA components. Then I am thinking to install the IPA server from
>> scratch with the Verisign cert, but then I hit the CSR problem described
>> above.
>>
>> Please advise. Thanks!
>>
>>
>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
Also, I once followed the instructions about "Using 3rd part certificates
for HTTP/LDAP" at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
for my environment: IPA 4.2 on RHEL 7

# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
# ipa-server-certinstall -w -d mysite.key mysite.crt
# systemctl restart httpd.service
# systemctl restart dirsrv@MY-REALM.service

It failed at the step to restart httpd.service.

Thanks!


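Before running ipa-server-certinstall it is worth checking that the key, the certificate and the CA bundle you hand it are consistent with each other and with the server name: the "Peer's certificate issuer has been marked as not trusted" error seen earlier in this thread is what a client reports when the CA chain IPA distributes does not reach the issuer of the HTTP certificate. The pre-flight script below is an added example for this thread, not FreeIPA code and not something posted by the participants. It assumes the file names from the commands above (ca.crt, mysite.key, mysite.crt), takes the server FQDN as its fourth argument, and needs only the openssl command-line tool.

```shell
#!/bin/sh
# Pre-flight checks for a third-party HTTP/LDAP certificate, to run before
#   ipa-server-certinstall -w -d mysite.key mysite.crt
# Added example for this thread; not FreeIPA code. File names (ca.crt,
# mysite.key, mysite.crt) are assumed from the thread; the FQDN is an argument.

# The private key and the certificate must carry the same public key;
# otherwise httpd/dirsrv cannot use the new certificate at all.
key_matches_cert() {
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# The certificate must chain to the bundle you install with ipa-cacert-manage.
# The bundle has to hold the root AND every intermediate, since that is what
# ipa-certupdate hands to clients; a chain that stops short is one cause of
# "Peer's certificate issuer has been marked as not trusted" on the client.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Clients match the host name against the Subject Alternative Name, so the
# server FQDN must appear there as a DNS entry. (Dots in the FQDN are regex
# wildcards here, which is acceptable for a sanity check.)
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -qE "DNS:$2(,| |\$)"
}

# Refuse a certificate that is expired or expires within 24 hours.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

# preflight CA_BUNDLE KEY CERT FQDN  -> exit status 0 only if every check passes
preflight() {
  ca="$1"; key="$2"; crt="$3"; fqdn="$4"; rc=0
  key_matches_cert "$key" "$crt" && echo "ok: key matches certificate" \
    || { echo "FAIL: $key does not match $crt"; rc=1; }
  cert_chains_to_ca "$ca" "$crt" && echo "ok: chain verifies against $ca" \
    || { echo "FAIL: $crt does not chain to $ca (missing intermediate?)"; rc=1; }
  cert_covers_host "$crt" "$fqdn" && echo "ok: SAN contains DNS:$fqdn" \
    || { echo "FAIL: no DNS:$fqdn in the SAN of $crt"; rc=1; }
  cert_not_expiring "$crt" && echo "ok: not expiring within 24h" \
    || { echo "FAIL: $crt is expired or expires within 24h"; rc=1; }
  return $rc
}

# Usage: sh preflight.sh ca.crt mysite.key mysite.crt ipa.example.com
if [ $# -eq 4 ]; then
  preflight "$@"
fi
```

If the chain check fails, concatenate the root and the intermediate certificates your CA gave you into the bundle you pass to ipa-cacert-manage, then rerun the script before touching the NSS databases.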

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Florence Blanc-Renaud

Hi,

The instructions that you followed are used when you want to install
FreeIPA with an embedded Certificate Authority (i.e. FreeIPA is able to
issue certificates) and the FreeIPA CA is signed by a 3rd-party CA.

Maybe your goal is just to use a 3rd-party certificate for IPA's LDAP
server and Web UI. In this case, you do not need to install FreeIPA with
an embedded CA. You can follow the instructions for Installing without a
CA [1], where you will need to provide a 3rd-party certificate.

Hope this clarifies,
Flo.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca





[Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
I am trying to set up IPA servers with a Verisign certificate, so that the
Admin Web console can use a publicly signed certificate to meet the company's
security requirement. But when I try to follow Red Hat's instructions at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,

2.3.5. Installing a Server with an External CA as the Root CA,
at the first step it says to generate a CSR by adding the --external-ca
option to the ipa-server-install utility, which does generate a CSR at
/root/ipa.csr. However, the ipa-server-install command in fact doesn't ask
for the Distinguished Name (DN) or the organization info (like country, state,
etc.), which are required in the CSR. Without a valid CSR file, I can't
request new Verisign certs. Did I miss something?

Originally I once tried to change the default certificate for Apache (the
Web Admin console) ONLY to the Verisign one, by adding the certificates to
the /etc/httpd/alias database with the command:
  # ipa-server-certinstall -w --http_pin=test verisign.pk12
And updated the nss.conf for httpd, so that the new Nickname is used to
point to the Verisign certs. That worked well for the website. However, the
IPA client installation failed after that for "ipa-client-install":

ERROR Joining realm failed: libcurl failed to execute the HTTP POST
transaction, explaining:  Peer's certificate issuer has been marked as not
trusted by the user.

Even when I also tried to update the certificate for the Directory
service (ipa-server-certinstall -d ... ), the client installation still
failed. I believe the new Verisign cert messed up the communication of the
IPA components. Then I am thinking to install the IPA server from scratch
with the Verisign cert, but then I hit the CSR problem described above.

Please advise. Thanks!