Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
Hi Günther,

I wrote this wrapper last year, maybe this will help.
https://github.com/uZer/rootools/blob/master/pki/freeipa/gencerts.sh

If you use cnames:
==
$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn

In nss.conf
==
#NSSPassPhraseDialog builtin
NSSPassPhraseDialog file:/etc/apache2/password.conf

In your virtual host:
==
NSSEngine on
NSSNickname certifnickname
NSSCertificateDatabase /path/to/db
NSSProtocol TLSv1.1,TLSv1.2
NSSVerifyClient none
# Update this with current recommended ciphersuites
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
...

Hope this is still correct, feel free to push a request ;)

Regards,
--
Youenn Piolet
piole...@gmail.com

2016-06-21 19:41 GMT+02:00 Rob Crittenden:
> Günther J. Niederwimmer wrote:
>> Hello Rob,
>>
>> On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
>>> Günther J. Niederwimmer wrote:
>>>> Hello,
>>>>
>>>> On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
>>>>> Günther J. Niederwimmer wrote:
>>>>>> Hello
>>>>>> I found some help for the IPA certificate, but I found no way to
>>>>>> import the IPA CA?
>>>>>> I would like to create a webserver with an owncloud virtualhost and
>>>>>> others..
>>>>>>
>>>>>> But it is not possible for me to create the /etc/httpd/alias
>>>>>> correctly?
>>>>>>
>>>>>> I found this in the IPA docs
>>>>>>
>>>>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>>>>
>>>>>> but with this command line I get an error: /etc/ipa/ca.crt has the
>>>>>> wrong format?
>>>>>>
>>>>>> Does anyone have a link with a working example
>>>>>
>>>>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>>>>> clients so the documentation is written from that perspective.
>>>>
>>>> Yes.
>>>>
>>>>> You can grab a copy from any enrolled system, including an IPA Master.
>>>>> Otherwise the command looks ok assuming you were sitting in
>>>>> /etc/httpd/alias when the command was executed (-d .).
>>>>
>>>> Yes ;-).
>>>> but certutil says it is the wrong format for the certificate
>>>
>>> $ mkdir /tmp/testdb && cd /tmp/testdb
>>> $ certutil -N -d .
>>> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>
>> On my system I have this message after installing ca.crt
>>
>> p11-kit: objects of this type cannot be created ?
>> is this correct ?
>
> I'm not sure.
>
>> Another question, do I have to change the attribute (?), the IPA server
>> creates / imports this ca.crt with -t "CT,C,C"
>
> It isn't super important. The order of those fields is SSL, S/MIME,
> code-signing. Chances are S/MIME will never be used and code-signing is
> used in some older releases but only once at install, so not having those
> set isn't a big deal.
>
> If you want things to be consistent you can use certutil -M -d . -t CT,C,C
> -n 'EXAMPLE.COM IPA CA'
>
> rob
>
>>> $ certutil -L -d .
>>>
>>> Certificate Nickname                                Trust Attributes
>>>                                                     SSL,S/MIME,JAR/XPI
>>>
>>> EXAMPLE.COM IPA CA                                  CT,,
>>>
>>> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
>>> can use openssl for that:
>>>
>>> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>>>
>>>> Something is wrong on my system !!
>>>>
>>>> For me it is not possible to have a working webserver (apache) with
>>>> mod_NSS on an enrolled ipa-client
>>>>
>>>> The last tests of apache say it is the wrong "passwd" for the DB and
>>>> it doesn't start?
>>>>
>>>> So now I start again with a new clean /etc/httpd/alias
>>>
>>> Not knowing how you created the database or what your nss.conf looks
>>> like it's hard to say what is going on. If you set a NSS database
>>> password then you need to tell mod_nss about it.
>>>
>>> Typically you'd set this in nss.conf:
>>>
>>> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>>>
>>> and create /etc/httpd/conf/password.conf with contents like:
>>>
>>> internal:SecretPassword123
>>>
>>> Ensure that the file is owned by apache:apache and mode 0400.
>>
>> This is the best INFO for this file ;-)
>>
>> Thanks
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
Günther J. Niederwimmer wrote:
> Hello Rob,
>
> On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
>>>> Günther J. Niederwimmer wrote:
>>>>> Hello
>>>>> I found some help for the IPA certificate, but I found no way to
>>>>> import the IPA CA?
>>>>> I would like to create a webserver with an owncloud virtualhost and
>>>>> others..
>>>>>
>>>>> But it is not possible for me to create the /etc/httpd/alias
>>>>> correctly?
>>>>>
>>>>> I found this in the IPA docs
>>>>>
>>>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>>>
>>>>> but with this command line I get an error: /etc/ipa/ca.crt has the
>>>>> wrong format?
>>>>>
>>>>> Does anyone have a link with a working example
>>>>
>>>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>>>> clients so the documentation is written from that perspective.
>>>
>>> Yes.
>>>
>>>> You can grab a copy from any enrolled system, including an IPA Master.
>>>> Otherwise the command looks ok assuming you were sitting in
>>>> /etc/httpd/alias when the command was executed (-d .).
>>>
>>> Yes ;-).
>>> but certutil says it is the wrong format for the certificate
>>
>> $ mkdir /tmp/testdb && cd /tmp/testdb
>> $ certutil -N -d .
>> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>
> On my system I have this message after installing ca.crt
>
> p11-kit: objects of this type cannot be created ?
> is this correct ?

I'm not sure.

> Another question, do I have to change the attribute (?), the IPA server
> creates / imports this ca.crt with -t "CT,C,C"

It isn't super important. The order of those fields is SSL, S/MIME,
code-signing. Chances are S/MIME will never be used and code-signing is
used in some older releases but only once at install, so not having those
set isn't a big deal.

If you want things to be consistent you can use certutil -M -d . -t CT,C,C
-n 'EXAMPLE.COM IPA CA'

rob

>> $ certutil -L -d .
>>
>> Certificate Nickname                                Trust Attributes
>>                                                     SSL,S/MIME,JAR/XPI
>>
>> EXAMPLE.COM IPA CA                                  CT,,
>>
>> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
>> can use openssl for that:
>>
>> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>>
>>> Something is wrong on my system !!
>>>
>>> For me it is not possible to have a working webserver (apache) with
>>> mod_NSS on an enrolled ipa-client
>>>
>>> The last tests of apache say it is the wrong "passwd" for the DB and
>>> it doesn't start?
>>>
>>> So now I start again with a new clean /etc/httpd/alias
>>
>> Not knowing how you created the database or what your nss.conf looks
>> like it's hard to say what is going on. If you set a NSS database
>> password then you need to tell mod_nss about it.
>>
>> Typically you'd set this in nss.conf:
>>
>> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>>
>> and create /etc/httpd/conf/password.conf with contents like:
>>
>> internal:SecretPassword123
>>
>> Ensure that the file is owned by apache:apache and mode 0400.
>
> This is the best INFO for this file ;-)
>
> Thanks
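The trust-attribute discussion above (three comma-separated fields, SSL / S/MIME / code-signing, with the IPA server itself using CT,C,C) is easy to get wrong when reading `certutil -L` output by eye. The following is an added example, not code from the thread or from FreeIPA: a small POSIX shell decoder for certutil trust strings plus a parser for the `certutil -L` listing format quoted in the thread. The listing it parses is constructed to mirror that format, not real output; the flag letters follow certutil's own documented meanings (C = trusted CA for server certs, T = trusted CA for client auth, c = valid CA, P = trusted peer, u = user certificate with a private key, p = prohibited).

```shell
#!/bin/sh
# Added example (not from the thread): decode certutil -t trust strings and
# read a certutil -L listing. The sample listing below is constructed.

# Explain one trust field. $1 = field name, $2 = flag letters (may be empty).
explain_field() {
    out="$1:"
    [ -z "$2" ] && out="$out no-trust"
    case "$2" in *C*) out="$out trusted-CA" ;; esac
    case "$2" in *T*) out="$out trusted-CA-for-client-auth" ;; esac
    case "$2" in *c*) out="$out valid-CA" ;; esac
    case "$2" in *P*) out="$out trusted-peer" ;; esac
    case "$2" in *u*) out="$out user-cert" ;; esac
    case "$2" in *p*) out="$out prohibited" ;; esac
    printf '%s\n' "$out"
}

# Decode a full trust string such as "CT,," or "CT,C,C" into three lines,
# in the field order Rob gives above: SSL, S/MIME, code-signing (JAR/XPI).
nss_trust_explain() {
    IFS=, read -r ssl smime code <<EOF
$1
EOF
    explain_field SSL "$ssl"
    explain_field S/MIME "$smime"
    explain_field code-signing "$code"
}

# 0 when the string equals what ipa-server uses for its CA (CT,C,C per the
# thread); 1 when `certutil -M -t CT,C,C` would be needed to align it.
nss_trust_matches_ipa() {
    [ "$1" = "CT,C,C" ]
}

# Parse a certutil -L listing on stdin: print "nickname|trust" per cert.
# Header lines are skipped: their last field carries no comma, or they
# consist of a single field ("SSL,S/MIME,JAR/XPI").
parse_certutil_listing() {
    awk 'NF >= 2 && $NF ~ /,/ { t = $NF; $NF = ""; sub(/[ \t]+$/, ""); print $0 "|" t }'
}

# Constructed sample in the layout certutil -L prints (not real output).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,,
Server-Cert                                                  u,u,u
'

# Trust string of one nickname from the sample listing.
trust_of() {
    printf '%s\n' "$SAMPLE_LISTING" | parse_certutil_listing \
        | awk -F'|' -v n="$1" '$1 == n { print $2 }'
}

# Stand-alone demo: decode every entry, then compare the CA entry with
# the trust ipa-server sets.
printf '%s\n' "$SAMPLE_LISTING" | parse_certutil_listing \
    | while IFS='|' read -r nick trust; do
        echo "== $nick ($trust)"
        nss_trust_explain "$trust"
    done
if nss_trust_matches_ipa "$(trust_of 'EXAMPLE.COM IPA CA')"; then
    echo "CA trust matches ipa-server's CT,C,C"
else
    echo "CA trust differs from ipa-server's CT,C,C; certutil -M -d . -t CT,C,C -n 'EXAMPLE.COM IPA CA' aligns it"
fi
```

Pipe real `certutil -L -d /etc/httpd/alias` output into `parse_certutil_listing` instead of the constructed sample to check a live database; only the CA entry is expected to carry CT flags, server certificates normally show u,u,u.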
Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
Hello Rob,

On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
>> Hello,
>>
>> On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
>>> Günther J. Niederwimmer wrote:
>>>> Hello
>>>> I found some help for the IPA certificate, but I found no way to
>>>> import the IPA CA?
>>>> I would like to create a webserver with an owncloud virtualhost and
>>>> others..
>>>>
>>>> But it is not possible for me to create the /etc/httpd/alias
>>>> correctly?
>>>>
>>>> I found this in the IPA docs
>>>>
>>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>>
>>>> but with this command line I get an error: /etc/ipa/ca.crt has the
>>>> wrong format?
>>>>
>>>> Does anyone have a link with a working example
>>>
>>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>>> clients so the documentation is written from that perspective.
>>
>> Yes.
>>
>>> You can grab a copy from any enrolled system, including an IPA Master.
>>> Otherwise the command looks ok assuming you were sitting in
>>> /etc/httpd/alias when the command was executed (-d .).
>>
>> Yes ;-).
>> but certutil says it is the wrong format for the certificate
>
> $ mkdir /tmp/testdb && cd /tmp/testdb
> $ certutil -N -d .
> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt

On my system I have this message after installing ca.crt

p11-kit: objects of this type cannot be created ?
is this correct ?

Another question, do I have to change the attribute (?), the IPA server
creates / imports this ca.crt with -t "CT,C,C"

> $ certutil -L -d .
>
> Certificate Nickname                                Trust Attributes
>                                                     SSL,S/MIME,JAR/XPI
>
> EXAMPLE.COM IPA CA                                  CT,,
>
> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
> can use openssl for that:
>
> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>
>> Something is wrong on my system !!
>>
>> For me it is not possible to have a working webserver (apache) with
>> mod_NSS on an enrolled ipa-client
>>
>> The last tests of apache say it is the wrong "passwd" for the DB and
>> it doesn't start?
>>
>> So now I start again with a new clean /etc/httpd/alias
>
> Not knowing how you created the database or what your nss.conf looks
> like it's hard to say what is going on. If you set a NSS database
> password then you need to tell mod_nss about it.
>
> Typically you'd set this in nss.conf:
>
> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>
> and create /etc/httpd/conf/password.conf with contents like:
>
> internal:SecretPassword123
>
> Ensure that the file is owned by apache:apache and mode 0400.

This is the best INFO for this file ;-)

Thanks
--
kind regards / best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
Günther J. Niederwimmer wrote:
> Hello,
>
> On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello
>>> I found some help for the IPA certificate, but I found no way to
>>> import the IPA CA?
>>> I would like to create a webserver with an owncloud virtualhost and
>>> others..
>>>
>>> But it is not possible for me to create the /etc/httpd/alias
>>> correctly?
>>>
>>> I found this in the IPA docs
>>>
>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>
>>> but with this command line I get an error: /etc/ipa/ca.crt has the
>>> wrong format?
>>>
>>> Does anyone have a link with a working example
>>
>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>> clients so the documentation is written from that perspective.
>
> Yes.
>
>> You can grab a copy from any enrolled system, including an IPA Master.
>> Otherwise the command looks ok assuming you were sitting in
>> /etc/httpd/alias when the command was executed (-d .).
>
> Yes ;-).
> but certutil says it is the wrong format for the certificate

$ mkdir /tmp/testdb && cd /tmp/testdb
$ certutil -N -d .
$ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
$ certutil -L -d .

Certificate Nickname                                Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                  CT,,

I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
can use openssl for that:

$ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt

> Something is wrong on my system !!
>
> For me it is not possible to have a working webserver (apache) with
> mod_NSS on an enrolled ipa-client
>
> The last tests of apache say it is the wrong "passwd" for the DB and
> it doesn't start?
>
> So now I start again with a new clean /etc/httpd/alias

Not knowing how you created the database or what your nss.conf looks
like it's hard to say what is going on. If you set a NSS database
password then you need to tell mod_nss about it.

Typically you'd set this in nss.conf:

NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"

and create /etc/httpd/conf/password.conf with contents like:

internal:SecretPassword123

Ensure that the file is owned by apache:apache and mode 0400.

rob
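Two things go wrong in this thread: `certutil -A -a` rejects /etc/ipa/ca.crt as the wrong format, and Apache fails to open the NSS database because mod_nss is not given the right password file. The script below is an added example, not code from the thread or from FreeIPA: a pre-flight check that a CA file really is PEM (what `-a` and `openssl x509 -inform PEM` expect, with a hint when it is DER instead) and that a mod_nss password file has the `token:password` layout, the expected owner and group (apache:apache on the system discussed above) and mode 0400 exactly, as Rob recommends. The demo files it creates under a temporary directory are constructed placeholders, not real certificates or passwords; `make_demo`, `pem_cert_ok`, `password_conf_ok`, `me_owner` and `me_group` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the CA file
# handed to certutil -A -a and for the mod_nss password file.

# Return 0 if $1 holds a PEM certificate block. If not, print a hint:
# a first byte of 0x30 (ASN.1 SEQUENCE) means the file is DER, which
# certutil -A accepts without -a, or after conversion with openssl.
pem_cert_ok() {
    f=$1
    [ -r "$f" ] || { echo "unreadable or missing: $f" >&2; return 1; }
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" &&
       grep -q -- '-----END CERTIFICATE-----' "$f"; then
        return 0
    fi
    first=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo "$f looks like DER: drop -a, or run: openssl x509 -inform DER -in $f -out $f.pem" >&2
    else
        echo "$f is neither PEM nor DER" >&2
    fi
    return 1
}

# Return 0 if the mod_nss password file $1 is usable and locked down:
# non-empty, every non-blank line is "token:password", owned by $2:$3
# and mode exactly 0400 (the permissions Rob asks for above).
password_conf_ok() {
    f=$1 want_owner=$2 want_group=$3
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    if grep -v '^[[:space:]]*$' "$f" | grep -qv '^[^:][^:]*:.'; then
        echo "$f: every line must look like token:password (e.g. internal:...)" >&2
        return 1
    fi
    # ls -ld prints: mode links owner group size date name
    set -- $(ls -ld "$f")
    owner=$3 group=$4
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "$f is owned by $owner:$group, want $want_owner:$want_group" >&2
        return 1
    fi
    # -perm 0400 matches the exact mode, so 0440 or 0600 also fail here.
    if [ -z "$(find "$f" -prune -perm 0400)" ]; then
        echo "$f must be mode 0400 (chmod 0400 $f)" >&2
        return 1
    fi
    return 0
}

# Owner/group of the running user, falling back to numeric ids (which is
# also what ls prints when no passwd/group entry exists, e.g. in containers).
me_owner() { id -un 2>/dev/null || id -u; }
me_group() { id -gn 2>/dev/null || id -g; }

# Build a constructed demo tree in a temp dir and print its path:
# a placeholder PEM file (not a real certificate), a DER-looking file,
# a correctly locked-down password.conf and a world-readable copy.
make_demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBplaceholder-not-a-real-certificate' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '\060\202\001\000' > "$d/ca.der"
    printf 'internal:SecretPassword123\n' > "$d/password.conf"
    chmod 0400 "$d/password.conf"
    cp "$d/password.conf" "$d/password.bad"
    chmod 0644 "$d/password.bad"
    printf '%s\n' "$d"
}

# Stand-alone demo over the constructed files.
demo=$(make_demo)
pem_cert_ok "$demo/ca.crt" && echo "ca.crt: PEM, fine for certutil -A -a"
pem_cert_ok "$demo/ca.der" || echo "ca.der: rejected, as certutil -A -a would"
password_conf_ok "$demo/password.conf" "$(me_owner)" "$(me_group)" && echo "password.conf: ok"
password_conf_ok "$demo/password.bad" "$(me_owner)" "$(me_group)" || echo "password.bad: rejected"
rm -rf "$demo"
```

On a real host run `pem_cert_ok /etc/ipa/ca.crt` and `password_conf_ok /etc/httpd/conf/password.conf apache apache` before restarting httpd; a password file readable by other users hands the NSS database password to every local account, which is why the check insists on 0400 rather than merely "readable by apache".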
Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
Hello,

On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
>> Hello
>> I found some help for the IPA certificate, but I found no way to import
>> the IPA CA?
>> I would like to create a webserver with an owncloud virtualhost and
>> others..
>>
>> But it is not possible for me to create the /etc/httpd/alias correctly?
>>
>> I found this in the IPA docs
>>
>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>
>> but with this command line I get an error: /etc/ipa/ca.crt has the
>> wrong format?
>>
>> Does anyone have a link with a working example
>
> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
> clients so the documentation is written from that perspective.

Yes.

> You can grab a copy from any enrolled system, including an IPA Master.
> Otherwise the command looks ok assuming you were sitting in
> /etc/httpd/alias when the command was executed (-d .).

Yes ;-).
but certutil says it is the wrong format for the certificate

Something is wrong on my system !!

For me it is not possible to have a working webserver (apache) with
mod_NSS on an enrolled ipa-client

The last tests of apache say it is the wrong "passwd" for the DB and it
doesn't start?

So now I start again with a new clean /etc/httpd/alias :-(.
--
kind regards / best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
Günther J. Niederwimmer wrote:
> Hello
> I found some help for the IPA certificate, but I found no way to import
> the IPA CA?
> I would like to create a webserver with an owncloud virtualhost and
> others..
>
> But it is not possible for me to create the /etc/httpd/alias correctly?
>
> I found this in the IPA docs
>
> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>
> but with this command line I get an error: /etc/ipa/ca.crt has the
> wrong format?
>
> Does anyone have a link with a working example

Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
clients so the documentation is written from that perspective.

You can grab a copy from any enrolled system, including an IPA Master.
Otherwise the command looks ok assuming you were sitting in
/etc/httpd/alias when the command was executed (-d .).

rob
Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
On 05/29/2016 09:18 AM, Günther J. Niederwimmer wrote:
> Hello
> I found some help for the IPA certificate, but I found no way to import
> the IPA CA?
> I would like to create a webserver with an owncloud virtualhost and
> others..
>
> But it is not possible for me to create the /etc/httpd/alias correctly?
>
> I found this in the IPA docs
>
> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>
> but with this command line I get an error: /etc/ipa/ca.crt has the
> wrong format?
>
> Does anyone have a link with a working example

I have a hard time understanding what the use case is, but it looks like
you are looking for information in
http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

Martin