Re: [Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house rootCA : ERROR IPA CA certificate not found in
Hi Clark,

On Mon, Mar 27, 2017 at 04:19:42PM +, System Administration Team wrote:
> Fraser,
>
> I cannot pass the DN or CN as part of the subject on the command line
> ipa-server-install
>
> Ipa-server-install appears to set the CN to 'Certificate Authority' from the
> openssl output.
>
The ability to control this was added in v4.5:
http://www.freeipa.org/page/Releases/4.5.0#Fully_customisable_CA_name

But, the Subject DN in the CSR is advisory; we have no control over what
the external CA actually does. FreeIPA requires the signed cert to match
what was in the CSR.

> I believe the preferred CN for a subCA should be the FQDN of the subCA server
> which is the ipa install.
>
It doesn't matter, as long as it's different from other CAs.

> The final error when I try to run ipa-server-install:
>
> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate
> not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
> ipa.ipapython.install.cli.install_tool(Server): ERROR The
> ipa-server-install command failed. See /var/log/ipaserver-install.log for
> more information
>
This is consistent with the signed cert having a different Subject DN from
what IPA expects (which is what it put into the CSR).

Cheers,
Fraser

> Thank You
>
> Clark
>
> > Does the subject distinguished name in the signed certificate exactly match
> > what was in the CSR?
>
> 2017-03-27 IPA Install
>
> [root@ipa certs]# ipa-server-install --external-ca --domain=camgian.com
> --hostname=ipa.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian
> Microsystems,L=Starkville,ST=Mississippi,C=US,mail='
>
> The log file for this installation can be found in
> /var/log/ipaserver-install.log
> ==
> This program will set up the IPA Server.
>
> This includes:
>   * Configure a stand-alone CA (dogtag) for certificate management
>   * Configure the Network Time Daemon (ntpd)
>   * Create and configure an instance of Directory Server
>   * Create and configure a Kerberos Key Distribution Center (KDC)
>   * Configure Apache (httpd)
>
> To accept the default shown in brackets, press the Enter key.
>
> Do you want to configure integrated DNS (BIND)? [no]:
>
> Certain directory server operations require an administrative user.
> This user is referred to as the Directory Manager and has full access to the
> Directory for system management tasks and will be added to the instance of
> directory server created for IPA.
> The password must be at least 8 characters long.
>
> Directory Manager password:
> Password (confirm):
>
> The IPA server requires an administrative user, named 'admin'.
> This user is a regular system account used for IPA server administration.
>
> IPA admin password:
> Password (confirm):
>
> The IPA Master Server will be configured with:
> Hostname:       ipa.camgian.com
> IP address(es): 192.168.200.3
> Domain name:    camgian.com
> Realm name:     CAMGIAN.COM
>
> Continue to configure the system with these values? [no]: yes
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>   [1/47]: creating directory server user
>   [2/47]: creating directory server instance
>   [3/47]: updating configuration in dse.ldif
>   [4/47]: restarting directory server
>   [5/47]: adding default schema
>   [6/47]: enabling memberof plugin
>   [7/47]: enabling winsync plugin
>   [8/47]: configuring replication version plugin
>   [9/47]: enabling IPA enrollment plugin
>   [10/47]: enabling ldapi
>   [11/47]: configuring uniqueness plugin
>   [12/47]: configuring uuid plugin
>   [13/47]: configuring modrdn plugin
>   [14/47]: configuring DNS plugin
>   [15/47]: enabling entryUSN plugin
>   [16/47]: configuring lockout plugin
>   [17/47]: configuring topology plugin
>   [18/47]: creating indices
>   [19/47]: enabling referential integrity plugin
>   [20/47]: configuring certmap.conf
>   [21/47]: configure autobind for root
>   [22/47]: configure new location for managed entries
>   [23/47]: configure dirsrv ccache
>   [24/47]: enabling SASL mapping fallback
>   [25/47]: restarting directory server
>   [26/47]: adding sasl mappings to the directory
>   [27/47]: adding default layout
>   [28/47]: adding delegation layout
>   [29/47]: creating container for managed entries
>   [30/47]: configuring user private groups
>   [31/47]: configuring netgroups from hostgroups
>   [32/47]: creating default Sudo bind user
>   [33/47]: creating default Auto Member layout
>   [34/47]: adding range check plugin
>   [35/47]: creating default HBAC rule allow_all
>   [36/47]: adding sasl mappings to the d
Re: [Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house rootCA : ERROR IPA CA certificate not found in
-----Original Message-----
From: Tomas Krizek [mailto:tkri...@redhat.com]
Sent: Monday, March 27, 2017 12:20 PM
To: System Administration Team ; Fraser Tweedale
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house rootCA : ERROR IPA CA certificate not found in

On 03/27/2017 06:19 PM, System Administration Team wrote:
> [root@ipa certs]# openssl req -in /root/ipa.csr -noout -text
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: mail=, C=US, ST=Mississippi, L=Starkville,
> O=Camgian Microsystems, OU=IT, CN=Certificate Authority
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>
>                 Exponent: 65537 (0x10001)
>         Attributes:
>         Requested Extensions:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
>     Signature Algorithm: sha256WithRSAEncryption
>
> [root@ipa certs]#
>
> Sign ipa.csr
>
> root@rootCA:~/ca# openssl ca -config openssl.cnf -policy policy_loose
> -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in
> /home/camgian/ipa.csr -out intermediate/certs/ipa.cert.pem
> Using configuration from openssl.cnf
> Enter pass phrase for /root/ca/private/ca.key.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>         Serial Number: 4099 (0x1003)
>         Validity
>             Not Before: Mar 27 15:49:18 2017 GMT
>             Not After : Mar 25 15:49:18 2027 GMT
>         Subject:
>             countryName               = US
>             stateOrProvinceName       = Mississippi
>             localityName              = Starkville
>             organizationName          = Camgian Microsystems
>             organizationalUnitName    = IT
>             commonName                = Certificate Authority

The signed certificate's Subject field seems to be missing the mail=.
Perhaps the signing rules do not permit this field?

I removed this field so it would not be archived in this list since I now
get Porn Spam from Kim when I post to it.

> [root@ipa certs]# ipa-server-install --domain=camgian.com
> --hostname=ipa.camgian.com --realm=CAMGIAN.COM --subject
> 'OU=IT,O=Camgian
> Microsystems,L=Starkville,ST=Mississippi,C=US,mail='
> --external-cert-file=/etc/pki/tls/certs/ipa.cert.pem
> --external-cert-file=/etc/pki/tls/certs/ca.cert.pem

I believe you can't force IPA to use a different subject at the second step
of setting up external CA. I think it's only used to generate the CSR in the
first step.

I have tried both ways. From the logfile below it looks like it is picking
up the CN from my ROOT CA rather than the CN from ipa-server-install...

[root@ipa certs]# ipa-server-install --external-cert-file=/etc/pki/tls/certs/ipa.cert.pem --external-cert-file=/etc/pki/tls/certs/ca.cert.pem

The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:
==
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed.
See /var/log/ipaserver-install.log for more information
[root@ipa certs]#

FROM Log File:

2017-03-27T19:34:45Z DEBUG stderr=
2017-03-27T19:34:45Z DEBUG Starting external process
2017-03-27T19:34:45Z DEBUG args=/usr/bin/certutil -d /tmp/tmpHEVPYc -M -n E=,CN=Camgian Microsystems Root CA,OU=IT,O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US -t C,,
2017-03-27T19:34:45Z DEBUG Process finished, return code=0
2017-03-27T19:34:45Z DEBUG stdout=
2017-03-27T19:34:45Z DEBUG stderr=
2017-03-27T19:34:45Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()

  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()

  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 308, in run
    se
Re: [Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house rootCA : ERROR IPA CA certificate not found in
On 03/27/2017 06:19 PM, System Administration Team wrote:
> [root@ipa certs]# openssl req -in /root/ipa.csr -noout -text
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: mail=, C=US, ST=Mississippi, L=Starkville,
> O=Camgian Microsystems, OU=IT, CN=Certificate Authority
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>
>                 Exponent: 65537 (0x10001)
>         Attributes:
>         Requested Extensions:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
>     Signature Algorithm: sha256WithRSAEncryption
>
> [root@ipa certs]#
>
> Sign ipa.csr
>
> root@rootCA:~/ca# openssl ca -config openssl.cnf -policy policy_loose
> -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in
> /home/camgian/ipa.csr -out intermediate/certs/ipa.cert.pem
> Using configuration from openssl.cnf
> Enter pass phrase for /root/ca/private/ca.key.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>         Serial Number: 4099 (0x1003)
>         Validity
>             Not Before: Mar 27 15:49:18 2017 GMT
>             Not After : Mar 25 15:49:18 2027 GMT
>         Subject:
>             countryName               = US
>             stateOrProvinceName       = Mississippi
>             localityName              = Starkville
>             organizationName          = Camgian Microsystems
>             organizationalUnitName    = IT
>             commonName                = Certificate Authority

The signed certificate's Subject field seems to be missing the mail=.
Perhaps the signing rules do not permit this field?

> [root@ipa certs]# ipa-server-install --domain=camgian.com
> --hostname=ipa.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian
> Microsystems,L=Starkville,ST=Mississippi,C=US,mail='
> --external-cert-file=/etc/pki/tls/certs/ipa.cert.pem
> --external-cert-file=/etc/pki/tls/certs/ca.cert.pem

I believe you can't force IPA to use a different subject at the second step
of setting up external CA. I think it's only used to generate the CSR in the
first step.

> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate
> not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
> ipa.ipapython.install.cli.install_tool(Server): ERROR The
> ipa-server-install command failed. See /var/log/ipaserver-install.log for
> more information

The installation most likely fails because mail= is expected to be a part of
the signed certificate's subject field.

--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
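The two replies above make the same point from two sides: Fraser's, that FreeIPA requires the signed certificate to carry exactly the Subject DN it put into the CSR, and Tomas's, that the install fails because the mail= RDN was dropped when the root CA signed it. Both can be verified before re-running ipa-server-install. The script below is an added example, not code from this thread or from FreeIPA: it normalises the CSR and certificate subjects with openssl and compares them, scans a set of --external-cert-file inputs for the one whose subject equals the CSR's (the lookup behind "IPA CA certificate not found in ..."), and confirms that certificate chains to the supplied root. It assumes only the openssl CLI. The root CA, CSR and certificates it creates are a constructed fixture, the example.test names are placeholders, and the function names are this example's own; it approximates the installer's matching rule as the replies describe it rather than reproducing FreeIPA's NSS-based code.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project. Reproduces the
# check behind "IPA CA certificate not found in <files>": among the
# --external-cert-file inputs, find the certificate whose Subject DN equals
# the Subject DN of the CSR, then confirm it chains to the root.
# Assumes only the openssl CLI; all file names are placeholders.

# Subject DN of a CSR, normalised to RFC 2253 so OpenSSL 1.0.x/1.1.x/3.x
# print it identically ("subject=" prefix and any following space removed).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//'
}

# Subject DN of the first certificate in a PEM file, same normalisation.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//'
}

# subject_matches CSR CERT: exit 0 iff the signed cert kept the CSR's Subject
# DN. A signing policy that drops an RDN (the mail= one in the thread) fails here.
subject_matches() {
    [ -n "$(csr_subject "$1")" ] && [ "$(csr_subject "$1")" = "$(cert_subject "$2")" ]
}

# find_ca_cert CSR FILE...: print the path of the file whose certificate has
# the CSR's subject; exit 1 and print nothing when none does, which is the
# situation the installer reports as "IPA CA certificate not found".
find_ca_cert() {
    csr=$1; shift
    want=$(csr_subject "$csr")
    for f in "$@"; do
        if [ "$(cert_subject "$f")" = "$want" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# chain_ok CERT ROOT: exit 0 iff CERT verifies against ROOT (the ca.cert.pem
# that is also passed with --external-cert-file).
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# build_fixture DIR: constructed test data, nothing from the thread. Creates a
# throwaway root CA, a CSR whose subject carries emailAddress (openssl's name
# for the mail= RDN), a cert that preserves that subject (good.pem), and one
# signed from the same key but with emailAddress dropped (bad.pem), which is
# what a signing policy that refuses the attribute produces.
build_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/root.key" \
        -out "$d/root.pem" -subj "/C=US/O=Example/CN=Example Root CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ipa.key" -out "$d/ipa.csr" \
        -subj "/emailAddress=pki@example.test/C=US/O=Example/OU=IT/CN=Certificate Authority" 2>/dev/null
    openssl req -new -key "$d/ipa.key" -out "$d/stripped.csr" \
        -subj "/C=US/O=Example/OU=IT/CN=Certificate Authority" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/ipa.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/good.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/stripped.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/bad.pem" 2>/dev/null
}

# Stand-alone demo: the "bad" bundle reproduces the thread's failure even
# though it chains fine; the "good" one is what the installer needs.
demo() {
    d=$(mktemp -d)
    build_fixture "$d"
    echo "CSR subject : $(csr_subject "$d/ipa.csr")"
    echo "bad.pem     : $(cert_subject "$d/bad.pem")"
    if find_ca_cert "$d/ipa.csr" "$d/bad.pem" "$d/root.pem" >/dev/null; then
        echo "bad bundle : IPA CA certificate found"
    else
        echo "bad bundle : IPA CA certificate not found (subject differs from CSR)"
    fi
    if hit=$(find_ca_cert "$d/ipa.csr" "$d/good.pem" "$d/root.pem") && chain_ok "$hit" "$d/root.pem"; then
        echo "good bundle: $hit matches the CSR and chains to root.pem"
    fi
    rm -rf "$d"
}

demo
```

Run it against the real files by calling `subject_matches /root/ipa.csr /etc/pki/tls/certs/ipa.cert.pem` and `find_ca_cert /root/ipa.csr /etc/pki/tls/certs/*.pem` in place of the fixture. The chain check passes for the bad bundle too, which is the point: a chain that verifies is necessary but not sufficient, the subject must also be byte-for-byte what the CSR asked for, so the fix is on the signing side (a policy that keeps every requested RDN), not in the arguments to the second ipa-server-install run.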
Re: [Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house rootCA : ERROR IPA CA certificate not found in
Fraser,

I cannot pass the DN or CN as part of the subject on the command line
ipa-server-install

Ipa-server-install appears to set the CN to 'Certificate Authority' from the
openssl output.

I believe the preferred CN for a subCA should be the FQDN of the subCA server
which is the ipa install.

The final error when I try to run ipa-server-install:

ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Thank You

Clark

> > Does the subject distinguished name in the signed certificate exactly match what was in the CSR?

2017-03-27 IPA Install

[root@ipa certs]# ipa-server-install --external-ca --domain=camgian.com --hostname=ipa.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US,mail='

The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]:

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access to the
Directory for system management tasks and will be added to the instance of
directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

The IPA Master Server will be configured with:
Hostname:       ipa.camgian.com
IP address(es): 192.168.200.3
Domain name:    camgian.com
Realm name:     CAMGIAN.COM

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: updating configuration in dse.ldif
  [4/47]: restarting directory server
  [5/47]: adding default schema
  [6/47]: enabling memberof plugin
  [7/47]: enabling winsync plugin
  [8/47]: configuring replication version plugin
  [9/47]: enabling IPA enrollment plugin
  [10/47]: enabling ldapi
  [11/47]: configuring uniqueness plugin
  [12/47]: configuring uuid plugin
  [13/47]: configuring modrdn plugin
  [14/47]: configuring DNS plugin
  [15/47]: enabling entryUSN plugin
  [16/47]: configuring lockout plugin
  [17/47]: configuring topology plugin
  [18/47]: creating indices
  [19/47]: enabling referential integrity plugin
  [20/47]: configuring certmap.conf
  [21/47]: configure autobind for root
  [22/47]: configure new location for managed entries
  [23/47]: configure dirsrv ccache
  [24/47]: enabling SASL mapping fallback
  [25/47]: restarting directory server
  [26/47]: adding sasl mappings to the directory
  [27/47]: adding default layout
  [28/47]: adding delegation layout
  [29/47]: creating container for managed entries
  [30/47]: configuring user private groups
  [31/47]: configuring netgroups from hostgroups
  [32/47]: creating default Sudo bind user
  [33/47]: creating default Auto Member layout
  [34/47]: adding range check plugin
  [35/47]: creating default HBAC rule allow_all
  [36/47]: adding sasl mappings to the directory
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/8]: creating certificate server user
  [2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=
Re: [Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house rootCA : ERROR IPA CA certificate not found in
On Fri, Mar 24, 2017 at 03:26:31PM +, System Administration Team wrote:
> From old threads back in August 2016 I have been able to get closer to
> installing freeipa server as a subCA to our in house rootCA
>
> https://www.redhat.com/archives/freeipa-users/2016-August/msg00269.html
>
> Running the initial install command
>
> ipa-server-install --external-ca --domain=camgian.com
> --hostname=ipasrvr.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian
> Microsystems,L=Starkville,ST=Mississippi,C=US'
>
> I am provided with /root/ipa.csr that I can sign with our rootCA
>
> But when I run the subsequent command it fails to find the certificate in the
> chain.
>
> ipa-server-install --external-ca --domain=camgian.com
> --hostname=ipasrvr.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian
> Microsystems,L=Starkville,ST=Mississippi,C=US'
> --external-cert-file=/etc/pki/tls/certs/ipasrvr.cert.pem
> --external-cert-file=/etc/pki/tls/certs/ca.cert.pem
>
> It fails at:
>
> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate
> not found in /etc/pki/tls/certs/ipasrvr.cert.pem,
> /etc/pki/tls/certs/ca.cert.pem
> ipa.ipapython.install.cli.install_tool(Server): ERROR The
> ipa-server-install command failed. See /var/log/ipaserver-install.log for
> more information
>
> Any help in the correct direction to resolve this will be greatly appreciated.
>
> Clark
>
Does the subject distinguished name in the signed certificate exactly match
what was in the CSR?
[Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house rootCA : ERROR IPA CA certificate not found in
From old threads back in August 2016 I have been able to get closer to installing freeipa server as a subCA to our in house rootCA

https://www.redhat.com/archives/freeipa-users/2016-August/msg00269.html

Running the initial install command

ipa-server-install --external-ca --domain=camgian.com --hostname=ipasrvr.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US'

I am provided with /root/ipa.csr that I can sign with our rootCA

But when I run the subsequent command it fails to find the certificate in the chain.

ipa-server-install --external-ca --domain=camgian.com --hostname=ipasrvr.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US' --external-cert-file=/etc/pki/tls/certs/ipasrvr.cert.pem --external-cert-file=/etc/pki/tls/certs/ca.cert.pem

It fails at:

ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate not found in /etc/pki/tls/certs/ipasrvr.cert.pem, /etc/pki/tls/certs/ca.cert.pem
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Any help in the correct direction to resolve this will be greatly appreciated.

Clark