Re: [Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...

2016-08-23 Thread Zarko Dudic



On 8/16/2016 11:09 AM, Alexander Bokovoy wrote:

On Tue, 16 Aug 2016, Zarko Dudic wrote:

Thanks Rob. This command creates the CSR.

# ipa-server-install  --subject 
'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca


And verification with command :

# openssl req -in /root/ipa.csr -noout -text

... shows "Subject: C=US, ST=California, L=Town, O=Corporation, 
OU=CorpArch, CN=Certificate Authority"


Since the CN is unconfigurable, how is it expected to be signed by a 3rd-party 
external CA? They usually want to see an FQDN.

This is not a certificate signing request for a host-based certificate.
This is a certificate signing request for a CA root certificate. It is
unlikely that you will get it signed by a public CA because that
signature basically makes your IPA CA a sub-CA.



Hi Alexander,
What you say here makes sense. I was trying this because the doc 
"Linux Domain Identity, Authentication, and Policy Guide", in section 
"2.3.2. Determining What CA Configuration to Use", reads:


An external CA is the root CA

The Certificate System CA is subordinate to an external CA.
However, all certificates for the IdM domain are still issued by the 
Certificate System instance.
The external CA can be a corporate CA or a third-party CA, such as 
Verisign or Thawte.
The certificates issued within the IdM domain are potentially subject to 
restrictions set by the external root CA for attributes like the 
validity period.


This is quite different from signing a server certificate.

--external-ca option is provided to allow your IPA CA to be a sub-ca for
a corporate CA. I don't know any publicly available CA that could
actually sign it for you.



--
Thanks,
Zarko

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...

2016-08-16 Thread Alexander Bokovoy

On Tue, 16 Aug 2016, Zarko Dudic wrote:

Thanks Rob. This command creates the CSR.

# ipa-server-install  --subject 
'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca


And verification with command :

# openssl req -in /root/ipa.csr -noout -text

... shows "Subject: C=US, ST=California, L=Town, O=Corporation, 
OU=CorpArch, CN=Certificate Authority"


Since the CN is unconfigurable, how is it expected to be signed by a 3rd-party 
external CA? They usually want to see an FQDN.

This is not a certificate signing request for a host-based certificate.
This is a certificate signing request for a CA root certificate. It is
unlikely that you will get it signed by a public CA because that
signature basically makes your IPA CA a sub-CA.

This is quite different from signing a server certificate.

--external-ca option is provided to allow your IPA CA to be a sub-ca for
a corporate CA. I don't know any publicly available CA that could
actually sign it for you.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...

2016-08-16 Thread Zarko Dudic

Thanks Rob. This command creates the CSR.

# ipa-server-install  --subject 
'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca


And verification with command :

# openssl req -in /root/ipa.csr -noout -text

... shows "Subject: C=US, ST=California, L=Town, O=Corporation, 
OU=CorpArch, CN=Certificate Authority"


Since the CN is unconfigurable, how is it expected to be signed by a 3rd-party 
external CA? They usually want to see an FQDN.


Can you please provide more details (or ref URL) about "right CA 
extensions". Thanks in advance.



On 8/16/2016 9:04 AM, Rob Crittenden wrote:

Zarko Dudic wrote:


Hi all,

I have a problem installing FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with
External CA as the Root CA. Here are details.

1) Run "ipa-server-install --external-ca", and send .csr to be signed by
External CA, but VeriSign rejects signing this since info like
Organization, OU, L, ST, C are missing.


I seriously doubt Verisign will issue this certificate regardless of 
format. Don't confuse a CA signing certificate with a server certificate.


But who knows. Try the --subject-base option to ipa-server-install but 
note that the CN is currently unconfigurable, it will always be 
cn=Certificate Authority.



2) Okay, so I try this workaround, create cert request manually with
command:

  # certutil -R -d /tmp -a -g 2048 -s
'CN=,OU=,O=,L=,ST=California,C=US'


This will never work. Besides the fact that you didn't request a 
certificate with the right CA extensions, the private key that 
generated the CSR is now in a place that dogtag will never find it. 
This is unrelated to the error below but it would blow up eventually.



3) I verify request via
https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp
(looks good)

4) Now VeriSign accepts .csr and I receive the certificate (.cer file)
via email.

5) I also download two additional certs for trust chain, one is
VeriSign's public primary root CA and the second one is Company's
intermediate CA, both (.pem files)

6) Now the problem begins, run the command:

# ipa-server-install --external-cert-file=/tmp/freeipa.cer
--external-cert-file=/tmp/Company_CA_G2.pem
--external-cert-file=/tmp/VeriSign_Root_CA.pem -vv


If memory serves IPA knows what the subject of its CA should look 
like (remember subject-base?) and it isn't finding it and blowing up.


rob



--
Thanks,
Zarko

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
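The two points made in this thread, Rob's "right CA extensions" and the installer not finding a certificate with its own CA subject, and Alexander's point that --external-ca asks for a sub-CA signature rather than a server certificate, can be reproduced with openssl. The script below is an added example for this page; it is not FreeIPA code, not Dogtag code, and not something anyone in the thread posted. It builds a constructed root CA, signs an IPA-style CSR (fixed CN=Certificate Authority) as a subordinate CA, signs a hand-made host-style CSR the way a public CA signs server certificates (the certutil workaround), and then applies two checks to each result: does the file carry the expected IPA CA subject, and does the certificate have basicConstraints CA:TRUE with keyCertSign. The subject base O=Corporation,C=US, the file names, the hostname ipa.example.test and the lookup-by-subject in find_ipa_ca_cert are assumptions modelled on Rob's description, not the installer's actual logic.

```shell
#!/bin/sh
# Added example, not FreeIPA code: reproduce with openssl what the installer
# expects from an externally signed CA certificate, and why a server-style
# certificate (the certutil workaround from the thread) cannot satisfy it.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Assumed subject base (what --subject would carry); the CN is fixed by IPA.
SUBJECT_BASE="O=Corporation,C=US"
EXPECTED_SUBJECT="CN=Certificate Authority,$SUBJECT_BASE"

# Extension profiles: v3_ca is what a subordinate CA needs, v3_server is what
# a public CA hands out for a host certificate. Constructed for this example.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# 1. Constructed stand-in for the corporate root CA (self-signed).
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
  -config ext.cnf -extensions v3_ca \
  -subj "/C=US/O=Corporation/CN=Company Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# 2. What ipa-server-install --external-ca asks for: a CA subject with the
#    fixed CN, signed by the root as a subordinate CA (CA extensions applied).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
  -subj "/C=US/O=Corporation/CN=Certificate Authority" \
  -keyout ipa.key -out ipa.csr 2>/dev/null
openssl x509 -req -in ipa.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -sha256 -extfile ext.cnf -extensions v3_ca -out ipa-ca.pem 2>/dev/null

# 3. The workaround: a hand-made request with a host-style subject (assumed
#    hostname), signed the way a public CA signs server certificates.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
  -subj "/C=US/O=Corporation/CN=ipa.example.test" \
  -keyout wa.key -out wa.csr 2>/dev/null
openssl x509 -req -in wa.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -sha256 -extfile ext.cnf -extensions v3_server -out workaround.pem 2>/dev/null

# Subject of a PEM certificate in RFC 2253 form (CN first).
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# The value line that follows a named X509v3 extension in "openssl x509 -text".
ext_value() {
  openssl x509 -in "$1" -noout -text | sed -n "/X509v3 $2/{n;p;}"
}

# The "right CA extensions": CA:TRUE in basicConstraints plus keyCertSign.
has_ca_extensions() {
  ext_value "$1" 'Basic Constraints' | grep -q 'CA:TRUE' &&
  ext_value "$1" 'Key Usage' | grep -q 'Certificate Sign'
}

# Lookup modelled on Rob's description of the installer (an assumption, not
# IPA's code): among the files given, print the one whose subject equals the
# expected IPA CA subject; otherwise fail with the message seen in the thread.
find_ipa_ca_cert() {
  expected="$1"; shift
  for f in "$@"; do
    if [ "$(cert_subject "$f")" = "$expected" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  printf 'IPA CA certificate not found in %s\n' "$*" >&2
  return 1
}

# Properly signed sub-CA: found by subject, chains to the root, has CA extensions.
found="$(find_ipa_ca_cert "$EXPECTED_SUBJECT" root.pem ipa-ca.pem)"
openssl verify -CAfile root.pem "$found"
printf 'IPA CA certificate: %s (CA extensions: %s)\n' "$found" \
  "$(has_ca_extensions "$found" && echo yes || echo no)"

# Workaround chain: no file carries the expected subject, so the lookup fails
# just as in the thread; the certificate is not a CA certificate either way.
if ! find_ipa_ca_cert "$EXPECTED_SUBJECT" workaround.pem root.pem; then
  printf 'workaround.pem CA extensions: %s\n' \
    "$(has_ca_extensions workaround.pem && echo yes || echo no)"
fi
```

Run it as a normal user; it needs only openssl and writes into a temporary directory that is removed on exit. The subject check is the one that produces "IPA CA certificate not found in ..." in the thread, but even a file that passed it would be useless to Dogtag without CA:TRUE and keyCertSign, which is why a server certificate from a public CA cannot be substituted for the sub-CA signature that --external-ca asks for.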


Re: [Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...

2016-08-16 Thread Rob Crittenden

Zarko Dudic wrote:


Hi all,

I have a problem installing FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with
External CA as the Root CA. Here are details.

1) Run "ipa-server-install --external-ca", and send .csr to be signed by
External CA, but VeriSign rejects signing this since info like
Organization, OU, L, ST, C are missing.


I seriously doubt Verisign will issue this certificate regardless of 
format. Don't confuse a CA signing certificate with a server certificate.


But who knows. Try the --subject-base option to ipa-server-install but 
note that the CN is currently unconfigurable, it will always be 
cn=Certificate Authority.



2) Okay, so I try this workaround, create cert request manually with
command:

  # certutil -R -d /tmp -a -g 2048 -s
'CN=,OU=,O=,L=,ST=California,C=US'


This will never work. Besides the fact that you didn't request a 
certificate with the right CA extensions, the private key that generated 
the CSR is now in a place that dogtag will never find it. This is 
unrelated to the error below but it would blow up eventually.



3) I verify request via
https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp
(looks good)

4) Now VeriSign accepts .csr and I receive the certificate (.cer file)
via email.

5) I also download two additional certs for trust chain, one is
VeriSign's public primary root CA and the second one is Company's
intermediate CA, both (.pem files)

6) Now the problem begins, run the command:

# ipa-server-install --external-cert-file=/tmp/freeipa.cer
--external-cert-file=/tmp/Company_CA_G2.pem
--external-cert-file=/tmp/VeriSign_Root_CA.pem -vv


If memory serves IPA knows what the subject of its CA should look like 
(remember subject-base?) and it isn't finding it and blowing up.


rob




One of the screen messages is:

ipa : DEBUG stderr=
ipa : DEBUG Starting external process
ipa : DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmplsusxY'
'-M' '-n' 'CN=VeriSign Class 3 Public Primary Certification Authority -
G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign
Trust Network,O="VeriSign, Inc.",C=US' '-t' 'C,,'
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa.ipapython.install.cli.install_tool(Server): DEBUG  File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 279, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 288, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 517, in _configure
    validator.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1612, in main
    install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/in

[Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...

2016-08-16 Thread Zarko Dudic


Hi all,

I have a problem installing FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with 
External CA as the Root CA. Here are details.


1) Run "ipa-server-install --external-ca", and send .csr to be signed by 
External CA, but VeriSign rejects signing this since info like 
Organization, OU, L, ST, C are missing.


2) Okay, so I try this workaround, create cert request manually with 
command:


 # certutil -R -d /tmp -a -g 2048 -s 
'CN=,OU=,O=,L=,ST=California,C=US'


3) I verify request via 
https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp 
(looks good)


4) Now VeriSign accepts .csr and I receive the certificate (.cer file) 
via email.


5) I also download two additional certs for trust chain, one is 
VeriSign's public primary root CA and the second one is Company's 
intermediate CA, both (.pem files)


6) Now the problem begins, run the command:

   # ipa-server-install --external-cert-file=/tmp/freeipa.cer 
--external-cert-file=/tmp/Company_CA_G2.pem 
--external-cert-file=/tmp/VeriSign_Root_CA.pem -vv



One of the screen messages is:

ipa : DEBUG stderr=
ipa : DEBUG Starting external process
ipa : DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmplsusxY'
'-M' '-n' 'CN=VeriSign Class 3 Public Primary Certification Authority -
G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign
Trust Network,O="VeriSign, Inc.",C=US' '-t' 'C,,'
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa.ipapython.install.cli.install_tool(Server): DEBUG  File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 279, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 288, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 517, in _configure
    validator.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1612, in main
    install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 263, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 601, in install_check
    ca.install_check(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 69, in install_check
    options.external_cert_files, options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1016, in load_external_cert
    "IPA CA certificate not found in %s" % (", ".join(files)))

ipa.ipapython.install.cli.install_tool(Server): DEBUG The 
ipa-server-install command failed, exception: ScriptError: IPA CA 
certificate not found in /tmp/freeipa.cer, /tmp/Company_CA_G2.pem, 
/t