Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-21 Thread Matt .
Hi Flo,

Yes it does! Thanks for that. Is it not possible to remove a
certificate fully, as it always syncs this way? Or remove it from
/etc/httpd/alias, then from LDAP and then sync again?

Cheers,

Matt


Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-21 Thread Florence Blanc-Renaud

On 02/20/2017 04:09 PM, Matt . wrote:
> Hi Rob,
>
> Yes it does, I understood that there was some reason the duplicate
> might exist, but I wonder more why does the RootCA show up when I
> removed it and comes back after adding the two intermediates?
>

Hi Matt,

when ipa-cacert-manage install is run, it adds an LDAP entry for the new 
CA certificate below cn=certificates,cn=ipa,cn=etc,$BASEDN.
When ipa-certupdate is run, it adds all the certificates found in 
cn=certificates,cn=ipa,cn=etc,$BASEDN to /etc/httpd/alias.
So even if you remove one certificate from /etc/httpd/alias, the next 
ipa-certupdate command will re-add this CA cert if it is still present 
in LDAP.


Hope this clarifies,
Flo.



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-20 Thread Matt .
Hi Rob,

Yes it does, I understood that there was some reason the duplicate
might exist, but I wonder more why does the RootCA show up when I
removed it and comes back after adding the two intermediates?

Thanks

Matt




Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-20 Thread Rob Crittenden
Matt . wrote:
> Hi,
> 
> The install seems to be OK this way, but I'm still confused about the
> duplicated and the RootCA.

What does this show?

# certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA

I'm guessing it will show two certs with different serial numbers, which
means this is a-ok.

rob


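Rob's check compares the two entries behind one nickname by hand. As an added example (not part of the thread and not FreeIPA code), the following Python parses the `certutil -L -d /etc/httpd/alias` listing Matt posted, flags every nickname that occurs more than once, lists the entries that carry a private key, and compares the trusted CA nicknames with the cn values Flo describes below cn=certificates,cn=ipa,cn=etc,$BASEDN. The sample LDAP cn list is constructed, and the assumption that the LDAP cn equals the NSS nickname ipa-certupdate installs is mine.

```python
"""Parse the output of `certutil -L -d /etc/httpd/alias`, flag nicknames that
occur more than once and compare the trusted CAs with what LDAP holds.
Added example, not FreeIPA code."""
import re
from collections import Counter

# Trust column: three comma-separated groups for SSL, S/MIME and JAR/XPI.
# c/C = valid/trusted CA, T = trusted CA for client certs, p/P = valid/trusted
# peer, u = user cert (the private key is in the database), w = warn.
LINE_RE = re.compile(r"^(?P<nick>.*?)\s+(?P<trust>[cCTpPuw]*,[cCTpPuw]*,[cCTpPuw]*)$")

# Constructed sample: the listing quoted in the thread, one nickname per line.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                       C,,
ipaCert                                                      u,u,u
COMODORSAAddTrustCA                                          C,,
COMODORSAAddTrustCA                                          C,,
IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
"""

# Constructed sample of the cn values found below
# cn=certificates,cn=ipa,cn=etc,$BASEDN (assumption: the cn of each entry is
# the nickname ipa-certupdate installs into /etc/httpd/alias).
SAMPLE_LDAP_CNS = ["AddTrustExternalCARoot", "COMODORSAAddTrustCA", "IPA.MYDOMAIN.TLD IPA CA"]


def parse_listing(text):
    """Return [(nickname, (ssl, smime, jar))] for every certificate line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Certificate Nickname", "SSL,S/MIME")):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised certutil line: %r" % line)
        entries.append((m.group("nick"), tuple(m.group("trust").split(","))))
    return entries


def duplicate_nicknames(entries):
    """Nicknames listed more than once, with their counts."""
    counts = Counter(nick for nick, _ in entries)
    return {nick: n for nick, n in counts.items() if n > 1}


def trusted_cas(entries):
    """Nicknames trusted as a CA for SSL (flag C in the first group)."""
    return sorted({nick for nick, flags in entries if "C" in flags[0]})


def certs_with_keys(entries):
    """Nicknames flagged u: a private key is stored with them (server certs)."""
    return sorted({nick for nick, flags in entries if "u" in flags[0]})


def compare_with_ldap(entries, ldap_cns):
    """(CAs in LDAP that are missing from NSS, trusted CAs in NSS that LDAP
    does not hold).  The second group is the one ipa-certupdate will not
    re-add, so removing it from the NSS database alone is enough."""
    nss, ldap = set(trusted_cas(entries)), set(ldap_cns)
    return sorted(ldap - nss), sorted(nss - ldap)


def report(text, ldap_cns):
    """Human-readable findings, including the follow-up certutil command
    for every duplicated nickname."""
    entries = parse_listing(text)
    lines = []
    for nick, n in sorted(duplicate_nicknames(entries).items()):
        lines.append("%s listed %d times; compare serial numbers with:" % (nick, n))
        lines.append("  certutil -L -d /etc/httpd/alias -n '%s'" % nick)
    missing, unmanaged = compare_with_ldap(entries, ldap_cns)
    for nick in missing:
        lines.append("in LDAP but not in /etc/httpd/alias (run ipa-certupdate): %s" % nick)
    for nick in unmanaged:
        lines.append("trusted CA in /etc/httpd/alias but not in LDAP: %s" % nick)
    for nick in certs_with_keys(entries):
        lines.append("certificate with private key: %s" % nick)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING, SAMPLE_LDAP_CNS)))
```

On a real server, pipe the certutil output into parse_listing() and fill the cn list from the ldapsearch Flo gives further down the thread.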


Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-20 Thread Matt .
Hi,

The install seems to be OK this way, but I'm still confused about the
duplicated and the RootCA.

Cheers,

Matt

2017-02-18 14:47 GMT+01:00 Matt . :
> Hi Florance,
>
>
> I'm actually still investigating this as the following occurs.
>
> I have removed all unneeded certs and installed the 2 intermediates
> for Comodo and did an ipa-certupdate which results in this:
>
> #certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> AddTrustExternalCARoot                                       C,,
> ipaCert                                                      u,u,u
> COMODORSAAddTrustCA                                          C,,
> COMODORSAAddTrustCA                                          C,,
> IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
>
>
> I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
> both and start over they are duplicated again. Also the
> AddTrustExternalCARoot comes back again even when this was not
> installed anymore as it's not needed.
>
> I'm able to install my cert after the update:
>
>
> #certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> AddTrustExternalCARoot                                       C,,
> ipaCert                                                      u,u,u
> COMODORSAAddTrustCA                                          C,,
> COMODORSAAddTrustCA                                          C,,
> IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
>
>
>
> Now this works great for the WebGui which uses the right Certificate
> for the ssl connection but ldaps on port 636 seems to use:
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
>
> Do you have any clue about this?
>
> I'm also curious about what IPA syncs between all hosts, it seems to
> be only the Intermediate certs and not the installed domain's
> certificate, this needs to be installed manually after a local
> #ipa-certupdate on each node?
>
> I hope you can clarify this.
>
>
> Thanks,
>
> Matt

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Matt .
Hi Flo,

Sure I can, I will look through the steps closely tomorrow and will
create some lineup here.

Cheers,

Matt

2017-02-14 17:59 GMT+01:00 Matt . :
> Hi Florence,
>
> Sure I can, here you go:
>
> Fedora 24
> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>
> I installed this server as self-signed CA
>
> Cheers,
>
> Matt
>
> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud :
>> On 02/14/2017 05:43 PM, Matt . wrote:
>>> Hi Florence,
>>>
>>> Thanks for your update, good to see some good info about it. For
>>> Comodo I have installed all these:
>>>
>>> AddTrustExternalCARoot.crt
>>> COMODORSAAddTrustCA.crt
>>> COMODORSADomainValidationSecureServerCA.crt
>>>
>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>> far as I know but the same issues still exist, the Server-Cert is
>>> removed again on ipa-certupdate and fails.
>>>
>>> I have tried this with setenforce 0
>>>
>> Hi Matt,
>>
>> can you provide more info in order to reproduce the issue?
>> - which OS are you using
>> - IPA version
>> - how did you install ipa server (CA-less or with self-signed CA or
>> with externally-signed CA?)
>>
>> Thanks,
>> Flo.
>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud :
>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>> Certs are valid, I will check what you mentioned.
>>>>>
>>>>> I'm also no fan of bundles, more the separate files but this
>>>>> doesn't seem to work always. At least for the CAroot a bundle was
>>>>> required.
>>>>>
>>>> Hi Matt,
>>>>
>>>> if your certificate was provided by an intermediate CA, you need to
>>>> add each CA before running ipa-server-certinstall (start from the
>>>> top-level CA with ipa-cacert-manage install, then run ipa-certupdate,
>>>> then the intermediate CA with ipa-cacert-manage install, then
>>>> ipa-certupdate etc...)
>>>>
>>>> There is also a known issue with ipa-certupdate and SELinux in
>>>> enforcing mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>
>>>> Flo.
>>>>
>>>>> Matt
>>>>>

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Florence Blanc-Renaud

On 02/16/2017 09:55 PM, Matt . wrote:
> Hi Flo! (if I may call you like that, saves some characters in typing
> but with this extra line it doesn't anymore :))
>
> This works perfectly, thank you very much.
>

Hi Matt,

glad I could help. What did you do differently that could explain the 
failure, though? Maybe the cert installation needs some hardening.


Flo.


2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] :
> Have you validated the cert (and dumped the contents) from the command
> line using the openssl tools?  I’ve seen the message you are seeing
> before, for some reason I seem to remember that it has to do with
> either a missing or an extra - at either the -BEGIN CERTIFICATE or
> -END CERTIFICATE (an error from copy and pasting and not copying the
> actual file).
>
> I’ve never used certupdate so if what is described above doesn’t help
> somebody else will have to chime in.
>
> Dan
>
>> On Feb 14, 2017, at 2:18 AM, Matt . wrote:
>>
>> Hi Dan,
>>
>> Yes I have tried that and I get the message that it misses the full
>> chain for the certificate.
>>
>> My issue is more, why is the Server-Cert being removed on a
>> certupdate?
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] :
>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
>>> cert only (disclaimer: I’ve never done this).
>>>
>>> Dan
>>>
>>>> On Feb 13, 2017, at 4:08 PM, Matt . wrote:
>>>>
>>>> Hi Guys,
>>>>
>>>> I'm trying to install a 3rd party certificate using:
>>>>
>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>
>>>> When I run the install command for the certificate itself:
>>>>
>>>> # ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>> Directory Manager password:
>>>>
>>>> Enter private key unlock password:
>>>>
>>>> list index out of range
>>>> The ipa-server-certinstall command failed.
>>>>
>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>> /etc/httpd/alias and the install fails because of this.
>>>>
>>>> What can I do to solve this?
>>>>
>>>> Thanks,

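Dan's hunch above is a BEGIN or END line with the wrong number of dashes, and Flo's procedure further down installs one CA per file rather than a bundle. As an added example (not part of the thread and not FreeIPA code), this Python checks the armor of a bundle such as mydomain_com_bundle.crt, reports the exact line of any framing or base64 damage, and returns every certificate re-armored as a stand-alone PEM that can be fed to ipa-cacert-manage or ipa-server-certinstall. The sample bundles are constructed and are not real certificates.

```python
"""Check the PEM framing of a certificate bundle before handing it to
ipa-cacert-manage / ipa-server-certinstall: every block must be framed by
exactly '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' (five
dashes each side) and carry a base64 body that decodes to DER.  Added
example, not FreeIPA code; the sample bundles are constructed."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Recognise armor lines even when the dash count is wrong, so the damage is
# reported at its line instead of as a generic parse failure.
ARMOR_RE = re.compile(r"^-*\s*(BEGIN|END)\s+CERTIFICATE\s*-*$")

# Constructed body: a DER SEQUENCE holding INTEGER 0, base64-encoded.  It is
# not a certificate, but like every X.509 certificate it starts with the
# SEQUENCE tag 0x30, which is what the body check below relies on.
FAKE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()

GOOD_BUNDLE = "\n".join([BEGIN, FAKE_BODY, END, BEGIN, FAKE_BODY, END, ""])
# The same bundle with one dash missing from the second END line: the kind
# of copy-and-paste damage Dan describes.
BAD_BUNDLE = "\n".join([BEGIN, FAKE_BODY, END, BEGIN, FAKE_BODY,
                        "----END CERTIFICATE-----", ""])


def _decode_body(lines):
    """Return the DER bytes for a base64 body, or None if it does not decode."""
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except binascii.Error:
        return None
    if not der or der[0] != 0x30:  # not an ASN.1 SEQUENCE
        return None
    return der


def _normalised_pem(der):
    """Re-armor DER with correct BEGIN/END lines and 64-column base64."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "\n".join([BEGIN, body, END, ""])


def check_pem_bundle(text):
    """Return (certs, problems): certs is a list of normalised PEM strings,
    one per certificate, problems a list of (line_number, message).  An
    empty problems list means the bundle can be split and installed one
    certificate per file."""
    certs, problems = [], []
    body, start = None, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ARMOR_RE.match(line)
        if m is None:
            if body is None:
                problems.append((no, "text outside a certificate block: %r" % line[:40]))
            else:
                body.append(line)
            continue
        kind = m.group(1)
        expected = BEGIN if kind == "BEGIN" else END
        if line != expected:
            problems.append((no, "malformed %s line %r, expected %r" % (kind, line, expected)))
        if kind == "BEGIN":
            if body is not None:
                problems.append((start, "block has no END line"))
            body, start = [], no
            continue
        if body is None:
            problems.append((no, "END line without a preceding BEGIN"))
            continue
        der = _decode_body(body)
        if der is None:
            problems.append((start, "body is not valid base64-encoded DER"))
        else:
            certs.append(_normalised_pem(der))
        body = None
    if body is not None:
        problems.append((start, "block has no END line"))
    return certs, problems


if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        certs, problems = check_pem_bundle(bundle)
        print("%s: %d certificate(s), problems: %s" % (name, len(certs), problems))
```

Each returned PEM string can be written to its own file and installed from the top-level CA down, as Flo describes, before ipa-server-certinstall is run with the server certificate alone.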

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Matt .
Hi Flo! (if I may call you like that, saves some characters in typing
but with this extra line it doesn't anymore :))

This works perfectly, thank you very much.

No questions further actually :)

Cheers,

Matt

2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud :
> On 02/15/2017 05:40 PM, Matt . wrote:
>>
>> Hi,
>>
>> Is there any update on this ? I need to install 3 other instances but
>> I would like to know upfront if it might be a bug.
>>
> Hi Matt,
>
> I was not able to reproduce your issue. Here were my steps:
>
> Install FreeIPA with self-signed cert:
> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>
> The certificate chain is ca1 -> subca -> server.
> Install the root CA:
> kinit admin
> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
> ipa-certupdate
>
> Install the subca:
> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
> ipa-certupdate
>
> Install the server cert:
> ipa-server-certinstall -d -w server.pem key.pem
>
> ipa-certupdate basically retrieves the certificates from LDAP (below
> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias but
> I don't remember it removing certs.
>
> Can you check the content of your LDAP server?
> kinit admin
> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b
> cn=certificates,cn=ipa,cn=etc,$BASEDN
>
> It should contain one entry for each CA that you added.
>
> Flo.
>
>> Thanks,
>>
>> Matt
>>
>> 2017-02-14 17:59 GMT+01:00 Matt . :
>>>
>>> Hi Florance,
>>>
>>> Sure I can, here you go:
>>>
>>> Fedora 24
>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>
>>> I installed this server as self-signed CA
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>>
>>>
>>>
>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud :

 On 02/14/2017 05:43 PM, Matt . wrote:
>
>
> Hi Florance,
>
> Thanks for your update, good to see some good into about it. For
> Comodo I have install all these:
>
> AddTrustExternalCARoot.crt
> COMODORSAAddTrustCA.crt
> COMODORSADomainValidationSecureServerCA.crt
>
>  Where COMODORSADomainValidationSecureServerCA.crt is not needed as
> far as I know but the same issues still exist, the Server-Cert is
> removed again on ipa-certupdate and fails.
>
> I have tried this with setenforce 0
>
 Hi Matt,

 can you provide more info in order to reproduce the issue?
 - which OS are you using
 - IPA version
 - how did you install ipa server (CA-less or with self-signed CA or with
 externally-signed CA?)

 Thanks,
 Flo.


> Cheers,
>
> Matt
>
> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud :
>>
>>
>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>
>>>
>>>
>>> Certs are valid, I will check what you mentioned.
>>>
>>> I'm also no fan of bundles, more the seperate files but this doesn't
>>> seem to work always. At least for the CAroot a bundle was required.
>>>
>> Hi Matt,
>>
>> if your certificate was provided by an intermediate CA, you need to
>> add
>> each
>> CA before running ipa-server-certinstall (start from the top-level CA
>> with
>> ipa-cacert-manage install, then run ipa-certupdate, then the
>> intermediate
>> CA
>> with ipa-cacert-manage install, then ipa-certupdate etc...)
>>
>> There is also a known issue with ipa-certupdate and SELinux in
>> enforcing
>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>
>> Flo.
>>
>>
>>> Matt
>>>
>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>> :



 Have you validated the cert (and dumped the contents) from the
 command
 line using the openssl tools?  I’ve seen the message you are seeing
 before,
 for some reason I seem to remember that it has to do with either a
 missing
 or an extra - at either the -BEGIN CERTIFICATE or -END
 CERTIFICATE (an error from copy and pasting and not copying the
 actual
 file).

 I’ve never used certupdate so if what is described above doesn’t
 help
 somebody else will have to chime in.

 Dan

> On Feb 14, 2017, at 2:18 AM, Matt .  wrote:
>
> Hi Dan,
>
> Yes, I have tried that and I get the message that it misses the full
> chain for the certificate.
>
> My issue is more, why is the Server-Cert being removed on a
> certupdate ?
>
> Cheers,
>
> Matt
>
> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
> :
>>
>>
>>
>> Is the chain in mydomain_com_bundle.crt? 

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Florence Blanc-Renaud

On 02/15/2017 05:40 PM, Matt . wrote:
> Hi,
>
> Is there any update on this ? I need to install 3 other instances but
> I would like to know upfront if it might be a bug.
>
Hi Matt,

I was not able to reproduce your issue. Here were my steps:

Install FreeIPA with self-signed cert:
ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD

The certificate chain is ca1 -> subca -> server.
Install the root CA:
kinit admin
ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
ipa-certupdate

Install the subca:
ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
ipa-certupdate

Install the server cert:
ipa-server-certinstall -d -w server.pem key.pem

ipa-certupdate basically retrieves the certificates from LDAP (below
cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias
but I don't remember it removing certs.


Can you check the content of your LDAP server?
kinit admin
ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN


It should contain one entry for each CA that you added.

Flo.

> Thanks,
>
> Matt
>
> 2017-02-14 17:59 GMT+01:00 Matt . :
>> Hi Florence,
>>
>> Sure I can, here you go:
>>
>> Fedora 24
>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>
>> I installed this server as self-signed CA
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud :
>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>> Hi Florence,
>>>>
>>>> Thanks for your update, good to see some good info about it. For
>>>> Comodo I have installed all these:
>>>>
>>>> AddTrustExternalCARoot.crt
>>>> COMODORSAAddTrustCA.crt
>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>
>>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>> far as I know but the same issues still exist, the Server-Cert is
>>>> removed again on ipa-certupdate and fails.
>>>>
>>>> I have tried this with setenforce 0
>>>>
>>> Hi Matt,
>>>
>>> can you provide more info in order to reproduce the issue?
>>> - which OS are you using
>>> - IPA version
>>> - how did you install ipa server (CA-less or with self-signed CA or with
>>> externally-signed CA?)
>>>
>>> Thanks,
>>> Flo.
>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud :
>>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>> Certs are valid, I will check what you mentioned.
>>>>>>
>>>>>> I'm also no fan of bundles, more the separate files but this doesn't
>>>>>> seem to work always. At least for the CAroot a bundle was required.
>>>>>>
>>>>> Hi Matt,
>>>>>
>>>>> if your certificate was provided by an intermediate CA, you need to
>>>>> add each CA before running ipa-server-certinstall (start from the
>>>>> top-level CA with ipa-cacert-manage install, then run ipa-certupdate,
>>>>> then the intermediate CA with ipa-cacert-manage install, then
>>>>> ipa-certupdate etc...)
>>>>>
>>>>> There is also a known issue with ipa-certupdate and SELinux in
>>>>> enforcing mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>>
>>>>> Flo.
>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>> :
>>>>>>> Have you validated the cert (and dumped the contents) from the
>>>>>>> command line using the openssl tools?  I’ve seen the message you are
>>>>>>> seeing before, for some reason I seem to remember that it has to do
>>>>>>> with either a missing or an extra - at either the
>>>>>>> -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- (an error
>>>>>>> from copy and pasting and not copying the actual file).
>>>>>>>
>>>>>>> I’ve never used certupdate so if what is described above doesn’t
>>>>>>> help somebody else will have to chime in.
>>>>>>>
>>>>>>> Dan
>>>>>>>
>>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt .  wrote:
>>>>>>>>
>>>>>>>> Hi Dan,
>>>>>>>>
>>>>>>>> Yes, I have tried that and I get the message that it misses the full
>>>>>>>> chain for the certificate.
>>>>>>>>
>>>>>>>> My issue is more, why is the Server-Cert being removed on a
>>>>>>>> certupdate ?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>>> :
>>>>>>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
>>>>>>>>> cert only (disclaimer: I’ve never done this).
>>>>>>>>>
>>>>>>>>> Dan
>>>>>>>>>
>>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt .  wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Guys,
>>>>>>>>>>
>>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>>
>>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>>
>>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>>
>>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>>>> Directory Manager password:
>>>>>>>>>>
>>>>>>>>>> Enter private key unlock password:
>>>>>>>>>>
>>>>>>>>>> list index out of range
>>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>>
>>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>>
>>>>>>>>>> What can I do to solve this ?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Matt
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>> Go to http://freeipa.org for more info on the project

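The sanity check Dan suggests in the thread above (validating a pasted PEM file before handing it to ipa-server-certinstall or ipa-cacert-manage), as an added example that is not part of this thread and not FreeIPA's own code. It is plain POSIX sh plus awk, needs no openssl, and works on constructed inputs with placeholder certificate bodies rather than real certificates; the file names good_bundle.crt and pasted.crt and the function names are made up for the demonstration:

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: sanity-check a PEM
# bundle before handing it to ipa-cacert-manage / ipa-server-certinstall.
# Only the marker lines are inspected, which is exactly where copy/paste
# damage (a missing or extra dash, CRLF line endings) ends up.

# pem_bad_markers FILE: print every BEGIN/END CERTIFICATE line whose dash
# runs are not exactly five on each side (a trailing CR is stripped first,
# so a file pasted from Windows is judged on its content, not its endings).
pem_bad_markers() {
    awk '
        { sub(/\r$/, "") }
        /BEGIN CERTIFICATE|END CERTIFICATE/ &&
        !/^-----(BEGIN|END) CERTIFICATE-----$/ { print }
    ' "$1"
}

# pem_cert_count FILE: print the number of complete, well-formed
# BEGIN ... END certificate blocks. A block with a damaged marker is not
# counted, which is how a tool ends up looking at an empty list.
pem_cert_count() {
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { open = 1; next }
        /^-----END CERTIFICATE-----$/   { if (open) n++; open = 0; next }
        END { print n + 0 }
    ' "$1"
}

# pem_check FILE: return 0 when FILE holds at least one well-formed
# certificate and no damaged marker lines; otherwise explain on stderr
# and return 1.
pem_check() {
    f=$1
    bad=$(pem_bad_markers "$f")
    if [ -n "$bad" ]; then
        printf 'damaged marker line(s) in %s:\n%s\n' "$f" "$bad" >&2
        return 1
    fi
    n=$(pem_cert_count "$f")
    if [ "$n" -eq 0 ]; then
        printf 'no complete certificate block in %s\n' "$f" >&2
        return 1
    fi
    printf '%s: %s well-formed certificate(s)\n' "$f" "$n"
    return 0
}

# make_samples DIR: write two constructed inputs (placeholder bodies, not
# real certificates): a clean two-certificate bundle and a hand-pasted
# copy with one dash missing on BEGIN and one extra dash on END.
make_samples() {
    d=$1
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----'
        printf '%s\n' 'MIIBplaceholderLeafBody=='
        printf '%s\n' '-----END CERTIFICATE-----'
        printf '%s\n' '-----BEGIN CERTIFICATE-----'
        printf '%s\n' 'MIIBplaceholderIntermediateBody=='
        printf '%s\n' '-----END CERTIFICATE-----'
    } > "$d/good_bundle.crt"
    {
        printf '%s\n' '----BEGIN CERTIFICATE-----'
        printf '%s\n' 'MIIBplaceholderLeafBody=='
        printf '%s\n' '-----END CERTIFICATE------'
    } > "$d/pasted.crt"
}

# Demo: the clean bundle reports 2 certificates, the pasted one is rejected.
tmp=$(mktemp -d)
make_samples "$tmp"
pem_check "$tmp/good_bundle.crt"
pem_check "$tmp/pasted.crt" || echo "pasted.crt rejected, as expected"
rm -rf "$tmp"
```

Run `pem_check mydomain_com_bundle.crt` before the install command. If it passes and reports more than one block, the file is a chain rather than a single server certificate, and the remaining question is the one Flo answers: each CA in it has to be installed first with ipa-cacert-manage install followed by ipa-certupdate, top-level CA first, and only the server certificate goes to ipa-server-certinstall. `openssl x509 -in FILE -noout -subject -issuer` on each certificate shows which is which.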

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-15 Thread Matt .
Hi,

Is there any update on this ? I need to install 3 other instances but
I would like to know upfront if it might be a bug.

Thanks,

Matt

2017-02-14 17:59 GMT+01:00 Matt . :
> Hi Florence,
>
> Sure I can, here you go:
>
> Fedora 24
> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>
> I installed this server as self-signed CA
>
> Cheers,
>
> Matt
>
>
>
>
> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud :
>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>
>>> Hi Florence,
>>>
>>> Thanks for your update, good to see some good info about it. For
>>> Comodo I have installed all these:
>>>
>>> AddTrustExternalCARoot.crt
>>> COMODORSAAddTrustCA.crt
>>> COMODORSADomainValidationSecureServerCA.crt
>>>
>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>> far as I know but the same issues still exist, the Server-Cert is
>>> removed again on ipa-certupdate and fails.
>>>
>>> I have tried this with setenforce 0
>>>
>> Hi Matt,
>>
>> can you provide more info in order to reproduce the issue?
>> - which OS are you using
>> - IPA version
>> - how did you install ipa server (CA-less or with self-signed CA or with
>> externally-signed CA?)
>>
>> Thanks,
>> Flo.
>>
>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud :

 On 02/14/2017 02:54 PM, Matt . wrote:
>
>
> Certs are valid, I will check what you mentioned.
>
> I'm also no fan of bundles, more the separate files but this doesn't
> seem to work always. At least for the CAroot a bundle was required.
>
 Hi Matt,

 if your certificate was provided by an intermediate CA, you need to
 add each CA before running ipa-server-certinstall (start from the
 top-level CA with ipa-cacert-manage install, then run ipa-certupdate,
 then the intermediate CA with ipa-cacert-manage install, then
 ipa-certupdate etc...)

 There is also a known issue with ipa-certupdate and SELinux in
 enforcing mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).

 Flo.


> Matt
>
> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
> :
>>
>>
>> Have you validated the cert (and dumped the contents) from the command
>> line using the openssl tools?  I’ve seen the message you are seeing
>> before, for some reason I seem to remember that it has to do with
>> either a missing or an extra - at either the -----BEGIN CERTIFICATE-----
>> or -----END CERTIFICATE----- (an error from copy and pasting and not
>> copying the actual file).
>>
>> I’ve never used certupdate so if what is described above doesn’t help
>> somebody else will have to chime in.
>>
>> Dan
>>
>>> On Feb 14, 2017, at 2:18 AM, Matt .  wrote:
>>>
>>> Hi Dan,
>>>
>>> Yes, I have tried that and I get the message that it misses the full
>>> chain for the certificate.
>>>
>>> My issue is more, why is the Server-Cert being removed on a certupdate
>>> ?
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>> :


 Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
 cert only (disclaimer: I’ve never done this).

 Dan

> On Feb 13, 2017, at 4:08 PM, Matt .  wrote:
>
> Hi Guys,
>
> I'm trying to install a 3rd party certificate using:
>
>
>
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>
> When I run the install command for the certificate itself:
>
> ]# ipa-server-certinstall -w -d mydomain_com.key
> mydomain_com_bundle.crt
> Directory Manager password:
>
> Enter private key unlock password:
>
> list index out of range
> The ipa-server-certinstall command failed.
>
>
> If I do a #ipa-certupdate the Server-Cert is removed from
> /etc/httpd/alias and the install fails because of this.
>
> What can I do to solve this ?
>
> Thanks,
>
> Matt
>

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-14 Thread Matt .
Certs are valid, I will check what you mentioned.

I'm also no fan of bundles, more the separate files but this doesn't
seem to work always. At least for the CAroot a bundle was required.

Matt

2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] :
> Have you validated the cert (and dumped the contents) from the command line
> using the openssl tools?  I’ve seen the message you are seeing before, for
> some reason I seem to remember that it has to do with either a missing or an
> extra - at either the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE-----
> (an error from copy and pasting and not copying the actual file).
>
> I’ve never used certupdate so if what is described above doesn’t help 
> somebody else will have to chime in.
>
> Dan
>
>> On Feb 14, 2017, at 2:18 AM, Matt .  wrote:
>>
>> Hi Dan,
>>
>> Yes, I have tried that and I get the message that it misses the full
>> chain for the certificate.
>>
>> My issue is more, why is the Server-Cert being removed on a certupdate ?
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] 
>> :
>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the cert 
>>> only (disclaimer: I’ve never done this).
>>>
>>> Dan
>>>
 On Feb 13, 2017, at 4:08 PM, Matt .  wrote:

 Hi Guys,

 I'm trying to install a 3rd party certificate using:

 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA

 When I run the install command for the certificate itself:

 ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
 Directory Manager password:

 Enter private key unlock password:

 list index out of range
 The ipa-server-certinstall command failed.


 If I do a #ipa-certupdate the Server-Cert is removed from
 /etc/httpd/alias and the install fails because of this.

 What can I do to solve this ?

 Thanks,

 Matt


Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-14 Thread Matt .
Hi Dan,

Yes, I have tried that and I get the message that it misses the full
chain for the certificate.

My issue is more, why is the Server-Cert being removed on a certupdate ?

Cheers,

Matt

2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] :
> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the cert
> only (disclaimer: I’ve never done this).
>
> Dan
>
>> On Feb 13, 2017, at 4:08 PM, Matt .  wrote:
>>
>> Hi Guys,
>>
>> I'm trying to install a 3rd party certificate using:
>>
>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>
>> When I run the install command for the certificate itself:
>>
>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>> Directory Manager password:
>>
>> Enter private key unlock password:
>>
>> list index out of range
>> The ipa-server-certinstall command failed.
>>
>>
>> If I do a #ipa-certupdate the Server-Cert is removed from
>> /etc/httpd/alias and the install fails because of this.
>>
>> What can I do to solve this ?
>>
>> Thanks,
>>
>> Matt
>>

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-13 Thread Sullivan, Daniel [CRI]
Is the chain in mydomain_com_bundle.crt?  Have you tried it with the cert only
(disclaimer: I’ve never done this).

Dan

> On Feb 13, 2017, at 4:08 PM, Matt .  wrote:
> 
> Hi Guys,
> 
> I'm trying to install a 3rd party certificate using:
> 
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
> 
> When I run the install command for the certificate itself:
> 
> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
> Directory Manager password:
> 
> Enter private key unlock password:
> 
> list index out of range
> The ipa-server-certinstall command failed.
> 
> 
> If I do a #ipa-certupdate the Server-Cert is removed from
> /etc/httpd/alias and the install fails because of this.
> 
> What can I do to solve this ?
> 
> Thanks,
> 
> Matt
> 