Re: [Freeipa-users] install with external CA failed

2014-03-11 Thread Martin Kosek
On 03/10/2014 09:07 PM, Simo Sorce wrote:
 On Mon, 2014-03-10 at 15:45 -0400, Robert Story wrote:
 On Mon, 10 Mar 2014 15:44:01 +0100 Jan wrote:
 JC On 6.3.2014 05:42, Robert Story wrote:
 JC  I'm trying to install on CentOS 6.5 (ipa-server-3.0.0-37.el6.x86_64)
 JC  and an external CA. I'm getting this error:
 JC  [snip]
 JC Can you please run certutil -V on the issuer certificate
 JC (CN=Certificate Authority,O=xxx)? That might give us a clue why it is
 JC invalid.

 Unfortunately I've already scrapped that install and just went with the
 internal self-signed CA. So far, the only annoyance is that the webserver
 also presents a self-signed cert for the UI.  Is it safe to replace just
 the web cert with a cert signed by my local CA? Or might that break
 something?
 
 Import the CA cert in your browser.
 
 Simo.
 

Yup, in FreeIPA 4.0 even that step should not be needed given the system shared
CA trust storage:
https://fedorahosted.org/freeipa/ticket/3504

For now, you can also add the CA certificate via the convenience wizard in the
IPA UI:

http://vm-236.idm.lab.eng.brq.redhat.com/ipa/config/unauthorized.html

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] install with external CA failed

2014-03-11 Thread Robert Story
On Mon, 10 Mar 2014 16:07:54 -0400 Simo wrote:
SS  Unfortunately I've already scrapped that install and just went with
SS  the internal self-signed CA. So far, the only annoyance is that the
SS  webserver also presents a self-signed cert for the UI.  Is it safe to
SS  replace just the web cert with a cert signed by my local CA? Or might
SS  that break something?
SS 
SS Import the CA cert in your browser.

This is exactly what I'm trying to avoid. Users already have to install our
corporate CA cert, and I'd like to avoid having to install two. I'm hoping
that the cert for the UI could be swapped for one signed by our existing CA.


Robert

--
Senior Software Engineer @ Parsons



Re: [Freeipa-users] install with external CA failed

2014-03-11 Thread Dmitri Pal

On 03/11/2014 12:44 PM, Robert Story wrote:

On Mon, 10 Mar 2014 16:07:54 -0400 Simo wrote:
SSUnfortunately I've already scrapped that install and just went with
SSthe internal self-signed CA. So far, the only annoyance is that the
SSwebserver also presents a self-signed cert for the UI.  Is it safe to
SSreplace just the web cert with a cert signed by my local CA? Or might
SSthat break something?
SS
SS  Import the CA cert in your browser.

This is exactly what I'm trying to avoid. Users already have to install our
corporate CA cert, and I'd like to avoid having to install two. I'm hoping
that the cert for the UI could be swapped for one signed by our existing CA.


Robert

--
Senior Software Engineer @ Parsons





There are several options:

a) Resolve the issue with CA chaining. It might be due to some data
missing in the cert issued by your corporate CA when you tried to chain
things. We can drill down into that.
b) You can use the feature available in IPA 3.3 to do a CA-less install.
It will be in CentOS 7. In this case you can install IPA without any CA
and just use your corporate CA. The downside is that all cert-related
operations of IPA will be disabled.
c) Import the cert into the browser or the common certs store. I vaguely
remember that this change might have been ported to 6.5 but I am not
sure off the top of my head.


Thanks
Dmitri

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] install with external CA failed

2014-03-10 Thread Jan Cholasta

Hi,

On 6.3.2014 05:42, Robert Story wrote:

Hi,

I'm trying to install on CentOS 6.5 (ipa-server-3.0.0-37.el6.x86_64) and an
external CA. I'm getting this error:

Command '/usr/bin/sslget -v -n ipa-ca-agent -p  -d /tmp/tmp-jNYt3P -r 
/ca/agent/ca/profileReview?requestId=6 auth.lan:9443' returned non-zero exit 
status 4

I found a thread from back in 2012 with exact same symptoms:

   https://www.redhat.com/archives/freeipa-users/2012-May/msg00357.html

Unfortunately, the thread died out without any resolution/fix. When I run
the suggested commands from that thread, I get the same results the OP did.

# certutil -L -d /tmp/tmp-jNYt3P/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
Certificate Authority - xxx                                  CT,C,C
testnick                                                     P,,
xxx Certificate Authority - xxx                              CT,C,C

# certutil -V -u C -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
certutil: certificate is invalid: Issuer certificate is invalid.


Can you please run certutil -V on the issuer certificate (CN=Certificate 
Authority,O=xxx)? That might give us a clue why it is invalid.




# certutil -L -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 5 (0x5)
 Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
 Issuer: CN=Certificate Authority,O=xxx
 Validity:
 Not Before: Thu Mar 06 04:17:13 2014
 Not After : Wed Feb 24 04:17:13 2016
 Subject: CN=ipa-ca-agent,O=xxx
 Subject Public Key Info:
 Public Key Algorithm: PKCS #1 RSA Encryption
 RSA Public Key:
 Modulus:
 bf:0c:5b:f0:14:9e:0f:26:91:21:66:62:95:0c:4d:04:
 e5:ec:96:6f:a1:3b:a8:05:de:1b:40:a7:7c:59:55:c4:
 1e:a0:62:3d:7a:50:e8:c4:8b:d7:5d:cd:55:b2:e7:f9:
 63:f6:43:75:1e:3d:3c:ac:51:a4:81:94:6b:e5:7f:94:
 d7:b2:aa:8d:e8:b6:50:f2:24:96:76:8d:5f:e9:aa:43:
 07:97:c8:06:2e:dc:22:9b:d1:2e:90:24:d8:07:94:33:
 d1:0f:44:e5:14:37:3c:96:ee:24:e0:07:91:f1:ee:c8:
 c4:01:e9:85:d8:35:eb:42:92:8a:58:c3:ae:e8:7d:27:
 4d:2d:cb:b8:97:0b:5d:e0:3c:99:8a:a8:a2:b7:e2:10:
 61:2b:77:33:87:ea:59:16:87:f7:f7:43:cf:c2:7b:60:
 3a:fc:44:2f:9e:9c:56:bc:99:0c:d0:e9:08:d6:db:f5:
 b1:d2:5e:28:45:d2:8f:71:1d:49:e9:41:c6:d2:e0:03:
 ac:85:ea:51:c6:17:5d:ed:eb:a5:11:86:40:37:cf:49:
 d3:cc:11:f1:3f:17:61:38:52:fa:12:a6:a0:bf:61:74:
 aa:3e:87:bd:ff:d1:eb:d7:c5:d7:d5:90:8f:d6:d6:e1:
 ab:d0:1f:db:91:8e:ff:d1:52:e3:6a:7a:fe:20:b3:53
 Exponent: 65537 (0x10001)
 Signed Extensions:
 Name: Certificate Authority Key Identifier
 Key ID:
 b5:5e:45:9f:e9:71:c5:11:a2:6c:6c:06:00:be:02:ad:
 8e:ae:76:1b

 Name: Authority Information Access
 Method: PKIX Online Certificate Status Protocol
 Location:
 URI: "http://auth.lan:80/ca/ocsp"

 Name: Certificate Key Usage
 Critical: True
 Usages: Digital Signature
 Non-Repudiation
 Key Encipherment
 Data Encipherment

 Name: Extended Key Usage
 TLS Web Client Authentication Certificate
 E-Mail Protection Certificate

 Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
 Signature:
 91:e8:3c:26:1e:e6:24:35:64:95:92:10:79:9b:c3:3f:
 3d:6c:7b:db:56:bd:98:85:31:4a:2c:6c:1f:76:e4:74:
 8a:90:49:43:6d:16:63:f9:cc:9b:89:bd:bc:5c:fa:3b:
 55:9e:a8:54:ce:61:fa:62:61:cf:b5:47:54:e5:70:f6:
 d0:a0:a6:56:bf:1e:19:4d:f3:95:8a:70:1f:43:c2:6b:
 85:bf:dd:90:6a:13:f7:58:9d:b2:40:88:d6:3a:d1:84:
 2e:7f:b8:b8:e1:f9:5f:83:c5:d4:55:c4:a7:1a:28:a4:
 64:fc:ac:78:3b:43:a0:00:78:db:f1:cc:a6:b6:11:70:
 64:2f:43:d2:74:a5:2a:50:91:e0:8d:8c:82:c5:1a:5c:
 dd:00:60:62:55:be:0a:ea:b9:75:0f:8d:0e:40:cd:26:
 9c:63:08:3f:7d:79:c5:6b:73:fd:26:60:d3:e4:59:1e:
 1d:0f:82:ea:eb:23:b3:b4:59:7f:a9:87:e8:01:c7:aa:
 7b:c0:dd:0a:f0:4d:da:90:c9:57:00:4b:86:ea:58:22:
 ff:45:11:18:25:de:09:ee:a4:7a:4a:ea:8f:17:c9:ad:
 38:15:af:fa:c0:f3:fb:1c:6c:e1:69:1f:99:4e:fe:a2:
 eb:66:92:77:3a:5d:8f:7a:63:9b:14:ea:95:3e:c7:e9
 Fingerprint (MD5):
 96:68:7A:76:9F:06:78:BC:67:85:0C:82:A8:43:14:6B
 Fingerprint (SHA1):
 99:7D:9F:1B:F4:A7:52:9F:CF:BF:23:4F:5B:1A:90:22:19:14:37:16

 Certificate Trust Flags:
 

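Jan's request above (run certutil -V on the issuer, CN=Certificate Authority,O=xxx) and Dmitri's option (a) earlier on the page come down to the same question: is the externally signed IPA CA certificate actually fit to be an issuer? The following is an added example, not code from the FreeIPA project or from anyone in this thread. It walks the DER of a certificate with a minimal ASN.1 parser and reports the two extension defects that make a certificate unusable as an issuer under RFC 5280 path validation, which is what NSS applies when it says "Issuer certificate is invalid": Basic Constraints without CA:TRUE, and Key Usage without keyCertSign. The sample certificates it builds are constructed test data (dummy names, zero-filled key and signature, the same UTCTime values as the posted agent cert). On a real install you would instead export the issuer from the temporary NSS database, for example `certutil -L -d /tmp/tmp-jNYt3P/ -n 'Certificate Authority - xxx' -r > issuer.der`, and pass those bytes to `issuer_problems()`.

```python
"""Report why a certificate cannot act as an issuer (CA) for other certs.

Added example, not FreeIPA code. Minimal DER walk over an X.509 certificate
that checks Basic Constraints (CA:TRUE) and Key Usage (keyCertSign), the two
extension defects that most often make an externally signed IPA CA certificate
fail chain validation. Sample certificates are constructed inline and are only
parsed, never signature-checked.
"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
KEY_CERT_SIGN_BIT = 5  # RFC 5280 KeyUsage bit numbering (digitalSignature is 0)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def read_sequence(value):
    """Split the body of a SEQUENCE or SET into (tag, body) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        items.append((tag, body))
    return items


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def certificate_extensions(der):
    """Return {oid: extnValue bytes} from a DER-encoded X.509 certificate."""
    _, cert_body, _ = read_tlv(der)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body)          # tbsCertificate
    exts = {}
    for tag, body in read_sequence(tbs):
        if tag == 0xA3:                      # [3] EXPLICIT Extensions
            _, ext_seq, _ = read_tlv(body)
            for _, ext in read_sequence(ext_seq):
                parts = read_sequence(ext)   # OID, optional critical BOOLEAN, OCTET STRING
                exts[decode_oid(parts[0][1])] = parts[-1][1]
    return exts


def issuer_problems(der):
    """List the reasons this certificate cannot sign other certificates."""
    exts, problems = certificate_extensions(der), []
    if OID_BASIC_CONSTRAINTS not in exts:
        problems.append("no Basic Constraints extension")
    else:
        _, bc, _ = read_tlv(exts[OID_BASIC_CONSTRAINTS])
        if not any(t == 0x01 and v == b"\xff" for t, v in read_sequence(bc)):
            problems.append("Basic Constraints present but CA:FALSE")
    if OID_KEY_USAGE in exts:
        _, ku, _ = read_tlv(exts[OID_KEY_USAGE])
        bits = ku[1:]                        # first octet is the unused-bits count
        byte, bit = divmod(KEY_CERT_SIGN_BIT, 8)
        if not (len(bits) > byte and bits[byte] & (0x80 >> bit)):
            problems.append("Key Usage lacks keyCertSign")
    return problems


# --- constructed sample certificates (test data, not real PKI material) ---

def tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def extension(oid_der, value):
    return tlv(0x30, tlv(0x06, oid_der) + tlv(0x01, b"\xff") + tlv(0x04, value))


def sample_cert(ca, key_cert_sign):
    """ca: None omits Basic Constraints, False encodes CA:FALSE, True CA:TRUE."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") +
                                       tlv(0x0C, b"Certificate Authority"))))
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"140306041713Z") + tlv(0x17, b"160224041713Z"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") +
                         tlv(0x05, b"")) + tlv(0x03, b"\x00" * 9))
    exts = b""
    if ca is not None:
        exts += extension(b"\x55\x1d\x13", tlv(0x30, tlv(0x01, b"\xff") if ca else b""))
    # keyCertSign|cRLSign (1 unused bit), or the four end-entity usages of the posted agent cert
    exts += extension(b"\x55\x1d\x0f", tlv(0x03, b"\x01\x06" if key_cert_sign else b"\x04\xf0"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x05") + sig_alg +
              name + validity + name + spki + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 33))


if __name__ == "__main__":
    for label, cert in (("CA-style cert", sample_cert(True, True)),
                        ("end-entity cert", sample_cert(None, False))):
        print(label, issuer_problems(cert) or ["usable as issuer"])
```

An empty list means the extensions permit the certificate to issue others; it does not prove the chain is otherwise sound. An expired or not-yet-valid issuer, or a missing intermediate between the IPA CA and the corporate root, produces the same NSS error, and those checks need the whole database rather than one certificate.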
Re: [Freeipa-users] install with external CA failed

2014-03-10 Thread Robert Story
On Mon, 10 Mar 2014 15:44:01 +0100 Jan wrote:
JC On 6.3.2014 05:42, Robert Story wrote:
JC  I'm trying to install on CentOS 6.5 (ipa-server-3.0.0-37.el6.x86_64)
JC  and an external CA. I'm getting this error:
JC  [snip]
JC Can you please run certutil -V on the issuer certificate
JC (CN=Certificate Authority,O=xxx)? That might give us a clue why it is
JC invalid.

Unfortunately I've already scrapped that install and just went with the
internal self-signed CA. So far, the only annoyance is that the webserver
also presents a self-signed cert for the UI.  Is it safe to replace just
the web cert with a cert signed by my local CA? Or might that break
something?


Robert

--
Senior Software Engineer @ Parsons



Re: [Freeipa-users] install with external CA failed

2014-03-10 Thread Simo Sorce
On Mon, 2014-03-10 at 15:45 -0400, Robert Story wrote:
 On Mon, 10 Mar 2014 15:44:01 +0100 Jan wrote:
 JC On 6.3.2014 05:42, Robert Story wrote:
 JC  I'm trying to install on CentOS 6.5 (ipa-server-3.0.0-37.el6.x86_64)
 JC  and an external CA. I'm getting this error:
 JC  [snip]
 JC Can you please run certutil -V on the issuer certificate
 JC (CN=Certificate Authority,O=xxx)? That might give us a clue why it is
 JC invalid.
 
 Unfortunately I've already scrapped that install and just went with the
 internal self-signed CA. So far, the only annoyance is that the webserver
 also presents a self-signed cert for the UI.  Is it safe to replace just
 the web cert with a cert signed by my local CA? Or might that break
 something?

Import the CA cert in your browser.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] install with external CA failed

2014-03-05 Thread Robert Story
Hi,

I'm trying to install on CentOS 6.5 (ipa-server-3.0.0-37.el6.x86_64) and an
external CA. I'm getting this error:

Command '/usr/bin/sslget -v -n ipa-ca-agent -p  -d /tmp/tmp-jNYt3P -r 
/ca/agent/ca/profileReview?requestId=6 auth.lan:9443' returned non-zero exit 
status 4

I found a thread from back in 2012 with exact same symptoms:

  https://www.redhat.com/archives/freeipa-users/2012-May/msg00357.html

Unfortunately, the thread died out without any resolution/fix. When I run
the suggested commands from that thread, I get the same results the OP did.

# certutil -L -d /tmp/tmp-jNYt3P/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
Certificate Authority - xxx                                  CT,C,C
testnick                                                     P,,
xxx Certificate Authority - xxx                              CT,C,C

# certutil -V -u C -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
certutil: certificate is invalid: Issuer certificate is invalid.

# certutil -L -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=xxx
Validity:
Not Before: Thu Mar 06 04:17:13 2014
Not After : Wed Feb 24 04:17:13 2016
Subject: CN=ipa-ca-agent,O=xxx
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
bf:0c:5b:f0:14:9e:0f:26:91:21:66:62:95:0c:4d:04:
e5:ec:96:6f:a1:3b:a8:05:de:1b:40:a7:7c:59:55:c4:
1e:a0:62:3d:7a:50:e8:c4:8b:d7:5d:cd:55:b2:e7:f9:
63:f6:43:75:1e:3d:3c:ac:51:a4:81:94:6b:e5:7f:94:
d7:b2:aa:8d:e8:b6:50:f2:24:96:76:8d:5f:e9:aa:43:
07:97:c8:06:2e:dc:22:9b:d1:2e:90:24:d8:07:94:33:
d1:0f:44:e5:14:37:3c:96:ee:24:e0:07:91:f1:ee:c8:
c4:01:e9:85:d8:35:eb:42:92:8a:58:c3:ae:e8:7d:27:
4d:2d:cb:b8:97:0b:5d:e0:3c:99:8a:a8:a2:b7:e2:10:
61:2b:77:33:87:ea:59:16:87:f7:f7:43:cf:c2:7b:60:
3a:fc:44:2f:9e:9c:56:bc:99:0c:d0:e9:08:d6:db:f5:
b1:d2:5e:28:45:d2:8f:71:1d:49:e9:41:c6:d2:e0:03:
ac:85:ea:51:c6:17:5d:ed:eb:a5:11:86:40:37:cf:49:
d3:cc:11:f1:3f:17:61:38:52:fa:12:a6:a0:bf:61:74:
aa:3e:87:bd:ff:d1:eb:d7:c5:d7:d5:90:8f:d6:d6:e1:
ab:d0:1f:db:91:8e:ff:d1:52:e3:6a:7a:fe:20:b3:53
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Authority Key Identifier
Key ID:
b5:5e:45:9f:e9:71:c5:11:a2:6c:6c:06:00:be:02:ad:
8e:ae:76:1b

Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location: 
URI: "http://auth.lan:80/ca/ocsp"

Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment

Name: Extended Key Usage
TLS Web Client Authentication Certificate
E-Mail Protection Certificate

Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
91:e8:3c:26:1e:e6:24:35:64:95:92:10:79:9b:c3:3f:
3d:6c:7b:db:56:bd:98:85:31:4a:2c:6c:1f:76:e4:74:
8a:90:49:43:6d:16:63:f9:cc:9b:89:bd:bc:5c:fa:3b:
55:9e:a8:54:ce:61:fa:62:61:cf:b5:47:54:e5:70:f6:
d0:a0:a6:56:bf:1e:19:4d:f3:95:8a:70:1f:43:c2:6b:
85:bf:dd:90:6a:13:f7:58:9d:b2:40:88:d6:3a:d1:84:
2e:7f:b8:b8:e1:f9:5f:83:c5:d4:55:c4:a7:1a:28:a4:
64:fc:ac:78:3b:43:a0:00:78:db:f1:cc:a6:b6:11:70:
64:2f:43:d2:74:a5:2a:50:91:e0:8d:8c:82:c5:1a:5c:
dd:00:60:62:55:be:0a:ea:b9:75:0f:8d:0e:40:cd:26:
9c:63:08:3f:7d:79:c5:6b:73:fd:26:60:d3:e4:59:1e:
1d:0f:82:ea:eb:23:b3:b4:59:7f:a9:87:e8:01:c7:aa:
7b:c0:dd:0a:f0:4d:da:90:c9:57:00:4b:86:ea:58:22:
ff:45:11:18:25:de:09:ee:a4:7a:4a:ea:8f:17:c9:ad:
38:15:af:fa:c0:f3:fb:1c:6c:e1:69:1f:99:4e:fe:a2:
eb:66:92:77:3a:5d:8f:7a:63:9b:14:ea:95:3e:c7:e9
Fingerprint (MD5):
96:68:7A:76:9F:06:78:BC:67:85:0C:82:A8:43:14:6B
Fingerprint (SHA1):
99:7D:9F:1B:F4:A7:52:9F:CF:BF:23:4F:5B:1A:90:22:19:14:37:16

Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User

... and so on...

Any suggestions from anyone who has gotten an external-ca install to work?


Robert

--
Senior Software Engineer @ Parsons