Re: [Freeipa-users] Installing a new Cert

2014-08-26 Thread Chris Whittle
This actually died after restart so I ended up starting over...

So here is the process I did that looks like it works and also survives
restart

Step 1 - Before install
http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
 -- start at Convert crt file in PEM format and do that whole section
completely

Step 2 - Install IPA server using the p12 file from before and also the
intermediate.crt from your provider (I'm not sure why this isn't documented
anywhere but I found it in my searches)

ipa-server-install --http_pkcs12 DOMAIN.COM.p12  --dirsrv_pkcs12
collectivebias.com.p12 --root-ca-file intermediate.crt

Step 3 - re-add certs (for some reason I don't know, but it's needed) (from
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP)

ipa-server-certinstall -w --http_pin=PKPASSWORD DOMAIN.COM.p12
ipa-server-certinstall -d --dirsrv_pin=PKPASSWORD DOMAIN.COM.p12

Step 4 reboot
Step 5 You can dance if you wanna...



On Mon, Aug 25, 2014 at 2:02 PM, Chris Whittle cwhi...@gmail.com wrote:

 I spoke a little too soon... It's working fine (browser is using new cert
 and also ldaps is using the new cert) except when you go to the certs page
 on the ui.
 https://DOMAIN/ipa/ui/#/e/cert/search

 An error has occurred (IPA Error 4301: CertificateOperationError)

 Certificate operation cannot be completed: Unable to communicate with CMS
 (Internal Server Error)


 On Mon, Aug 25, 2014 at 1:34 PM, Chris Whittle cwhi...@gmail.com wrote:

 ok I think I got it again...  If anyone is looking for this here is the
 answer that worked for me


 1. Here are the steps
    1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
       -- start at "Convert crt file in PEM format" and do that whole section completely
    2. Then with the p12 from above you can do this (skip the line about generating a new one):
       http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
       1. If you run across the error "/etc/ipa/ca.crt contains more than one certificate" you will need to go into /etc/ipa/ca.crt, back it up and then try removing one of the certs and try ipa-server-certinstall from above again (if it doesn't work, revert ca.crt to the original and then remove the other)
    3. Then restart both instances (bottom of the freeipa link) and you should be good to go.


 On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle cwhi...@gmail.com wrote:

 I found this but I think it's just IPA certs?
 http://www.freeipa.org/page/V4/CA_certificate_renewal

 Basically I want to use my existing wildcard cert for https and ldaps...
 I did this on my 3.3 install on CentOS but now I'm on a 4 install on
 Fedora Core.

 Any help would be more than appreciated!
 Thanks!


 On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com
 wrote:

 I have 4 installed and I get it when I try to generate the pk12
 On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote:

 Hi,

 Dne 25.8.2014 v 03:04 Chris Whittle napsal(a):

 Trying to do this
 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

 And I keep getting Error unable to get local issuer certificate
 getting
 chain.


 Where are you getting this error? ipa-server-certinstall, or httpd, or
 somewhere else?

 What version of ipa do you have installed?


 I'm wondering if it's because of this from the doc
 The certificate in mysite.crt must be signed by the CA used when
 installing FreeIPA.
 but it might not either...


 In this case you should get a file.p12 is not signed by
 /etc/ipa/ca.crt, or the full certificate chain is not present in the
 PKCS#12 file error in ipa-server-certinstall.


 Any ideas?



 Honza

 --
 Jan Cholasta





-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
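The recipe above hinges on two things the thread only names in passing: the PKCS#12 handed to ipa-server-install / ipa-server-certinstall must carry the provider's intermediate alongside the server cert and key, and the CA file must hold exactly one certificate. The following script is an added example, not code from the thread or from the FreeIPA project. It builds the PKCS#12 the way the installer expects, reproduces OpenSSL's "unable to get local issuer certificate" when the intermediate is left out, counts certificates in a bundle (the "/etc/ipa/ca.crt contains more than one certificate" check), and verifies that what is inside a PKCS#12 chains to a given CA. The root/intermediate/server chain, the hostname ipa.example.test, the file names and the PKPASSWORD pin are constructed placeholders; only the openssl CLI is needed.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): build the
# PKCS#12 for ipa-server-install --http_pkcs12/--dirsrv_pkcs12 and
# ipa-server-certinstall, and run the checks behind the errors in the thread.
# The root -> intermediate -> server chain is generated locally so this runs
# offline; swap in your provider's files. Names and the PIN are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PIN='PKPASSWORD'   # PKCS#12 password, passed to ipa-server-certinstall via --http_pin/--dirsrv_pin

# Number of certificates in a PEM bundle. ipa-server-certinstall refuses a
# /etc/ipa/ca.crt holding more than one, so check before feeding it.
count_pem_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Verify LEAF against trust anchor CAFILE, optionally with an untrusted
# INTERMEDIATE. Prints "ok" or the OpenSSL reason; without the intermediate
# the reason is the "unable to get local issuer certificate" from the thread.
verify_leaf() {   # verify_leaf CAFILE LEAF [INTERMEDIATE]
    if [ $# -ge 3 ] && [ "$(count_pem_certs "$3")" -gt 0 ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    fi
    case "$out" in
        *': OK'*) echo ok ;;
        *'unable to get local issuer certificate'*) echo 'unable to get local issuer certificate' ;;
        *) echo "$out" ;;
    esac
}

# Build the PKCS#12: server cert + key, plus the intermediate chain if given.
# Omitting CHAIN is what produces the "full certificate chain is not present" failure.
make_p12() {      # make_p12 LEAF KEY OUT [CHAIN]
    if [ $# -ge 4 ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$4" \
            -name 'Server-Cert' -passout "pass:$PIN" -out "$3"
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" \
            -name 'Server-Cert' -passout "pass:$PIN" -out "$3"
    fi
}

# Number of certificates carried inside a PKCS#12 (leaf plus chain).
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$PIN" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# The precondition ipa-server-certinstall enforces: the leaf inside the
# PKCS#12 must chain to CAFILE using only what the PKCS#12 itself carries.
p12_chains_to() { # p12_chains_to P12 CAFILE
    openssl pkcs12 -in "$1" -passin "pass:$PIN" -nokeys -clcerts 2>/dev/null > "$WORK/p12_leaf.pem" || true
    openssl pkcs12 -in "$1" -passin "pass:$PIN" -nokeys -cacerts 2>/dev/null > "$WORK/p12_chain.pem" || true
    verify_leaf "$2" "$WORK/p12_leaf.pem" "$WORK/p12_chain.pem"
}

# Constructed test material: a throwaway root -> intermediate -> server chain.
gen_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ipa.example.test\n' > "$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -batch -subj '/CN=Example Root' \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -batch -subj '/CN=Example Intermediate' \
        -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -batch -subj '/CN=ipa.example.test' \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/server.crt" 2>/dev/null
    # Providers often ship root and intermediate concatenated; that is the
    # kind of bundle ipa-server-certinstall rejects as "more than one certificate".
    cat "$WORK/root.crt" "$WORK/intermediate.crt" > "$WORK/ca-bundle.crt"
}

demo() {
    gen_chain
    make_p12 "$WORK/server.crt" "$WORK/server.key" "$WORK/DOMAIN.COM.p12" "$WORK/intermediate.crt"
    make_p12 "$WORK/server.crt" "$WORK/server.key" "$WORK/nochain.p12"
    echo "certs in DOMAIN.COM.p12:   $(count_p12_certs "$WORK/DOMAIN.COM.p12")"
    echo "certs in ca-bundle.crt:    $(count_pem_certs "$WORK/ca-bundle.crt")"
    echo "leaf vs root, no chain:    $(verify_leaf "$WORK/root.crt" "$WORK/server.crt")"
    echo "leaf vs root, with chain:  $(verify_leaf "$WORK/root.crt" "$WORK/server.crt" "$WORK/intermediate.crt")"
    echo "DOMAIN.COM.p12 -> root:    $(p12_chains_to "$WORK/DOMAIN.COM.p12" "$WORK/root.crt")"
    echo "nochain.p12 -> root:       $(p12_chains_to "$WORK/nochain.p12" "$WORK/root.crt")"
}

demo
```

Run it as-is to see both outcomes side by side; then point make_p12 at your real server cert, key and the provider's intermediate, and point p12_chains_to at the file you intend to pass as --root-ca-file. If that last call does not print ok, ipa-server-certinstall will not accept the PKCS#12 either, whatever the browser shows.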

Re: [Freeipa-users] Installing a new Cert

2014-08-26 Thread Martin Kosek
Thanks for sharing your (rather painful) experience, I am glad you got it 
working in the end.


Just note that we are currently (read FreeIPA 4.0.x and FreeIPA 4.1) working on 
making the cert operations in the installers smoother so that people like you 
would have a much easier job.


Martin

On 08/26/2014 05:19 PM, Chris Whittle wrote:

This actually died after restart so I ended up starting over...

So here is the process I did that looks like it works and also survives restart

Step 1 - Before install
http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
-- start at "Convert crt file in PEM format" and do that whole section completely

Step 2 - Install IPA server using the p12 file from before and also the
intermediate.crt from your provider (I'm not sure why this isn't documented
anywhere but I found it in my searches)

ipa-server-install --http_pkcs12 DOMAIN.COM.p12  --dirsrv_pkcs12
collectivebias.com.p12 --root-ca-file intermediate.crt

Step 3 - re-add certs (for some reason I don't know, but it's needed) (from
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP)

ipa-server-certinstall -w --http_pin=PKPASSWORD DOMAIN.COM.p12
ipa-server-certinstall -d --dirsrv_pin=PKPASSWORD DOMAIN.COM.p12

Step 4 reboot
Step 5 You can dance if you wanna...



On Mon, Aug 25, 2014 at 2:02 PM, Chris Whittle cwhi...@gmail.com wrote:

I spoke a little too soon... It's working fine (browser is using new cert
and also ldaps is using the new cert) except when you go to the certs page
on the ui.
https://DOMAIN/ipa/ui/#/e/cert/search


  An error has occurred (IPA Error 4301: CertificateOperationError)

Certificate operation cannot be completed: Unable to communicate with CMS
(Internal Server Error)



On Mon, Aug 25, 2014 at 1:34 PM, Chris Whittle cwhi...@gmail.com wrote:

ok I think I got it again...  If anyone is looking for this here is the
answer that worked for me

1. Here are the steps
   1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
      -- start at "Convert crt file in PEM format" and do that whole section completely
   2. Then with the p12 from above you can do this (skip the line about generating a new one):
      http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
      1. If you run across the error "/etc/ipa/ca.crt contains more than one certificate" you will need to go into /etc/ipa/ca.crt, back it up and then try removing one of the certs and try ipa-server-certinstall from above again (if it doesn't work, revert ca.crt to the original and then remove the other)
   3. Then restart both instances (bottom of the freeipa link) and you should be good to go.


On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle cwhi...@gmail.com wrote:

I found this but I think it's just IPA certs?
http://www.freeipa.org/page/V4/CA_certificate_renewal

Basically I want to use my existing wildcard cert for https and
ldaps...
I did this on my 3.3 install on CentOS but now I'm on a 4 install
on Fedora Core.

Any help would be more than appreciated!
Thanks!


On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com wrote:

I have 4 installed and I get it when I try to generate the pk12

On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote:

Hi,

Dne 25.8.2014 v 03:04 Chris Whittle napsal(a):

Trying to do this

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

And I keep getting Error unable to get local issuer
certificate getting
chain.


Where are you getting this error? ipa-server-certinstall,
or httpd, or somewhere else?

What version of ipa do you have installed?


I'm wondering if it's because of this from the doc
The certificate in mysite.crt must be signed by the CA
used when
installing FreeIPA.
but it might not either...


In this case you should get a file.p12 is not 

Re: [Freeipa-users] Installing a new Cert

2014-08-25 Thread Jan Cholasta

Hi,

Dne 25.8.2014 v 03:04 Chris Whittle napsal(a):

Trying to do this
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

And I keep getting Error unable to get local issuer certificate getting
chain.


Where are you getting this error? ipa-server-certinstall, or httpd, or 
somewhere else?


What version of ipa do you have installed?



I'm wondering if it's because of this from the doc
The certificate in mysite.crt must be signed by the CA used when
installing FreeIPA.
but it might not either...


In this case you should get a file.p12 is not signed by 
/etc/ipa/ca.crt, or the full certificate chain is not present in the 
PKCS#12 file error in ipa-server-certinstall.




Any ideas?




Honza

--
Jan Cholasta



Re: [Freeipa-users] Installing a new Cert

2014-08-25 Thread Chris Whittle
I have 4 installed and I get it when I try to generate the pk12
On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote:

 Hi,

 Dne 25.8.2014 v 03:04 Chris Whittle napsal(a):

 Trying to do this
 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

 And I keep getting Error unable to get local issuer certificate getting
 chain.


 Where are you getting this error? ipa-server-certinstall, or httpd, or
 somewhere else?

 What version of ipa do you have installed?


 I'm wondering if it's because of this from the doc
 The certificate in mysite.crt must be signed by the CA used when
 installing FreeIPA.
 but it might not either...


 In this case you should get a file.p12 is not signed by /etc/ipa/ca.crt,
 or the full certificate chain is not present in the PKCS#12 file error in
 ipa-server-certinstall.


 Any ideas?



 Honza

 --
 Jan Cholasta


Re: [Freeipa-users] Installing a new Cert

2014-08-25 Thread Chris Whittle
I found this but I think it's just IPA certs?
http://www.freeipa.org/page/V4/CA_certificate_renewal

Basically I want to use my existing wildcard cert for https and ldaps...
I did this on my 3.3 install on CentOS but now I'm on a 4 install on Fedora
Core.

Any help would be more than appreciated!
Thanks!


On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com wrote:

 I have 4 installed and I get it when I try to generate the pk12
 On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote:

 Hi,

 Dne 25.8.2014 v 03:04 Chris Whittle napsal(a):

 Trying to do this
 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

 And I keep getting Error unable to get local issuer certificate getting
 chain.


 Where are you getting this error? ipa-server-certinstall, or httpd, or
 somewhere else?

 What version of ipa do you have installed?


 I'm wondering if it's because of this from the doc
 The certificate in mysite.crt must be signed by the CA used when
 installing FreeIPA.
 but it might not either...


 In this case you should get a file.p12 is not signed by /etc/ipa/ca.crt,
 or the full certificate chain is not present in the PKCS#12 file error in
 ipa-server-certinstall.


 Any ideas?



 Honza

 --
 Jan Cholasta



Re: [Freeipa-users] Installing a new Cert

2014-08-25 Thread Chris Whittle
ok I think I got it again...  If anyone is looking for this here is the
answer that worked for me


1. Here are the steps
   1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
      -- start at "Convert crt file in PEM format" and do that whole section completely
   2. Then with the p12 from above you can do this (skip the line about generating a new one):
      http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
      1. If you run across the error "/etc/ipa/ca.crt contains more than one certificate" you will need to go into /etc/ipa/ca.crt, back it up and then try removing one of the certs and try ipa-server-certinstall from above again (if it doesn't work, revert ca.crt to the original and then remove the other)
   3. Then restart both instances (bottom of the freeipa link) and you should be good to go.


On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle cwhi...@gmail.com wrote:

 I found this but I think it's just IPA certs?
 http://www.freeipa.org/page/V4/CA_certificate_renewal

 Basically I want to use my existing wildcard cert for https and ldaps...
 I did this on my 3.3 install on CentOS but now I'm on a 4 install on
 Fedora Core.

 Any help would be more than appreciated!
 Thanks!


 On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com wrote:

 I have 4 installed and I get it when I try to generate the pk12
 On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote:

 Hi,

 Dne 25.8.2014 v 03:04 Chris Whittle napsal(a):

 Trying to do this
 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

 And I keep getting Error unable to get local issuer certificate getting
 chain.


 Where are you getting this error? ipa-server-certinstall, or httpd, or
 somewhere else?

 What version of ipa do you have installed?


 I'm wondering if it's because of this from the doc
 The certificate in mysite.crt must be signed by the CA used when
 installing FreeIPA.
 but it might not either...


 In this case you should get a file.p12 is not signed by
 /etc/ipa/ca.crt, or the full certificate chain is not present in the
 PKCS#12 file error in ipa-server-certinstall.


 Any ideas?



 Honza

 --
 Jan Cholasta




Re: [Freeipa-users] Installing a new Cert

2014-08-25 Thread Chris Whittle
I spoke a little too soon... It's working fine (browser is using new cert
and also ldaps is using the new cert) except when you go to the certs page
on the ui.
https://DOMAIN/ipa/ui/#/e/cert/search

An error has occurred (IPA Error 4301: CertificateOperationError)

Certificate operation cannot be completed: Unable to communicate with CMS
(Internal Server Error)


On Mon, Aug 25, 2014 at 1:34 PM, Chris Whittle cwhi...@gmail.com wrote:

 ok I think I got it again...  If anyone is looking for this here is the
 answer that worked for me


 1. Here are the steps
    1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
       -- start at "Convert crt file in PEM format" and do that whole section completely
    2. Then with the p12 from above you can do this (skip the line about generating a new one):
       http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
       1. If you run across the error "/etc/ipa/ca.crt contains more than one certificate" you will need to go into /etc/ipa/ca.crt, back it up and then try removing one of the certs and try ipa-server-certinstall from above again (if it doesn't work, revert ca.crt to the original and then remove the other)
    3. Then restart both instances (bottom of the freeipa link) and you should be good to go.


 On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle cwhi...@gmail.com wrote:

 I found this but I think it's just IPA certs?
 http://www.freeipa.org/page/V4/CA_certificate_renewal

 Basically I want to use my existing wildcard cert for https and ldaps...
 I did this on my 3.3 install on CentOS but now I'm on a 4 install on
 Fedora Core.

 Any help would be more than appreciated!
 Thanks!


 On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle cwhi...@gmail.com wrote:

 I have 4 installed and I get it when I try to generate the pk12
 On Aug 25, 2014 3:50 AM, Jan Cholasta jchol...@redhat.com wrote:

 Hi,

 Dne 25.8.2014 v 03:04 Chris Whittle napsal(a):

 Trying to do this
 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

 And I keep getting Error unable to get local issuer certificate
 getting
 chain.


 Where are you getting this error? ipa-server-certinstall, or httpd, or
 somewhere else?

 What version of ipa do you have installed?


 I'm wondering if it's because of this from the doc
 The certificate in mysite.crt must be signed by the CA used when
 installing FreeIPA.
 but it might not either...


 In this case you should get a file.p12 is not signed by
 /etc/ipa/ca.crt, or the full certificate chain is not present in the
 PKCS#12 file error in ipa-server-certinstall.


 Any ideas?



 Honza

 --
 Jan Cholasta





[Freeipa-users] Installing a new Cert

2014-08-24 Thread Chris Whittle
Trying to do this
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

And I keep getting Error unable to get local issuer certificate getting
chain.

I'm wondering if it's because of this from the doc
The certificate in mysite.crt must be signed by the CA used when
installing FreeIPA.
but it might not either...

Any ideas?