Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-22 Thread Youenn PIOLET
Hi Günther,

I wrote this wrapper last year, maybe this will help.

https://github.com/uZer/rootools/blob/master/pki/freeipa/gencerts.sh

If you use cnames:
==
$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn

In nss.conf
==
#NSSPassPhraseDialog builtin
NSSPassPhraseDialog file:/etc/apache2/password.conf


In your virtual host:
==

NSSEngine on
NSSNickname certifnickname
NSSCertificateDatabase /path/to/db
NSSProtocol TLSv1.1,TLSv1.2

NSSVerifyClient none

# Update this with current recommended ciphersuites
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
  ...

Hope this is still correct, feel free to push a pull request ;)

Regards,


--
Youenn Piolet
piole...@gmail.com


2016-06-21 19:41 GMT+02:00 Rob Crittenden :

> Günther J. Niederwimmer wrote:
>
>> Hello Rob,
>>
>> On Wednesday, 1 June 2016 at 09:54:58 CEST, Rob Crittenden wrote:
>>
>>> Günther J. Niederwimmer wrote:
>>>
>>>> Hello,
>>>>
>>>> On Tuesday, 31 May 2016 at 11:06:09 CEST, Rob Crittenden wrote:
>>>>
>>>>> Günther J. Niederwimmer wrote:
>>>>>
>>>>>> Hello
>>>>>> I found some help for the IPA certificate but I found no way to import
>>>>>> the
>>>>>> IPA CA ?
>>>>>> I would like to create a webserver with an ownCloud virtual host and others..
>>>>>>
>>>>>> But it is not possible for me to create the /etc/httpd/alias correctly ?
>>>>>>
>>>>>> I found this in the IPA DOCS
>>>>>>
>>>>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>>>>
>>>>>> but with this command line I get an error: /etc/ipa/ca.crt has the wrong
>>>>>> format ?
>>>>>>
>>>>>> Does anyone have a link to a working example
>>>>>>
>>>>>
>>>>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>>>>> clients so the documentation is written from that perspective.
>>>>>
>>>>
>>>> Yes.
>>>>
>>>>> You can grab a copy from any enrolled system, including an IPA Master.
>>>>> Otherwise the command looks ok assuming you were sitting in
>>>>> /etc/httpd/alias when the command was executed (-d .).
>>>>>
>>>>
>>>> Yes ;-).
>>>> but certutil says the certificate has the wrong format
>>>>
>>>
>>> $ mkdir /tmp/testdb && cd /tmp/testdb
>>> $ certutil -N -d .
>>> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>
>>
>> On my system I have this message after installing ca.crt
>>
>> p11-kit: objects of this type cannot be created ?
>> is this correct ?
>>
>
> I'm not sure.
>
>> Another question: do I have to change the attribute (?), the IPA server creates /
>> imports this ca.crt with -t "CT,C,C"
>>
>
> It isn't super important. The order of those fields is SSL, S/MIME,
> code-signing. Chances are S/MIME will never be used and code-signing is
> used in some older releases but only once at install, so not having those
> set isn't a big deal.
>
> If you want things to be consistent you can use certutil -M -d . -t CT,C,C
> -n 'EXAMPLE.COM IPA CA'
>
> rob
>
>>> $ certutil -L -d .
>>>
>>> Certificate Nickname                          Trust Attributes
>>>                                               SSL,S/MIME,JAR/XPI
>>>
>>> EXAMPLE.COM IPA CA                            CT,,
>>>
>>> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
>>> can use openssl for that:
>>>
>>> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>>>
>>>> Something is wrong on my system !!
>>>>
>>>> for me it is not possible to have a working webserver (apache) with mod_NSS
>>>> on an enrolled ipa-client
>>>>
>>>> In the last tests apache said it is the wrong "passwd" for the DB and doesn't
>>>> start?
>>>>
>>>> So now I start again with a new clean /etc/httpd/alias
>>>>
>>>
>>> Not knowing how you created the database or what your nss.conf looks
>>> like it's hard to say what is going on. If you set a NSS database
>>> password then you need to tell mod_nss about it.
>>>
>>> Typically you'd set this in nss.conf:
>>>
>>> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>>>
>>> and create /etc/httpd/conf/password.conf with contents like:
>>>
>>> internal:SecretPassword123
>>>
>>> Ensure that the file is owned by apache:apache and mode 0400.
>>>
>>
>> This is the best INFO for this file ;-)
>>
>> Thanks
>>
>>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-21 Thread Rob Crittenden

Günther J. Niederwimmer wrote:
> Hello Rob,
>
> On Wednesday, 1 June 2016 at 09:54:58 CEST, Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> On Tuesday, 31 May 2016 at 11:06:09 CEST, Rob Crittenden wrote:
>>>> Günther J. Niederwimmer wrote:
>>>>> Hello
>>>>> I found some help for the IPA certificate but I found no way to import
>>>>> the
>>>>> IPA CA ?
>>>>> I would like to create a webserver with an ownCloud virtual host and others..
>>>>>
>>>>> But it is not possible for me to create the /etc/httpd/alias correctly ?
>>>>>
>>>>> I found this in the IPA DOCS
>>>>>
>>>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>>>
>>>>> but with this command line I get an error: /etc/ipa/ca.crt has the wrong
>>>>> format ?
>>>>>
>>>>> Does anyone have a link to a working example
>>>>
>>>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>>>> clients so the documentation is written from that perspective.
>>>
>>> Yes.
>>>
>>>> You can grab a copy from any enrolled system, including an IPA Master.
>>>> Otherwise the command looks ok assuming you were sitting in
>>>> /etc/httpd/alias when the command was executed (-d .).
>>>
>>> Yes ;-).
>>> but certutil says the certificate has the wrong format
>>
>> $ mkdir /tmp/testdb && cd /tmp/testdb
>> $ certutil -N -d .
>> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>
> On my system I have this message after installing ca.crt
>
> p11-kit: objects of this type cannot be created ?
> is this correct ?

I'm not sure.

> Another question: do I have to change the attribute (?), the IPA server creates /
> imports this ca.crt with -t "CT,C,C"

It isn't super important. The order of those fields is SSL, S/MIME,
code-signing. Chances are S/MIME will never be used and code-signing is
used in some older releases but only once at install, so not having
those set isn't a big deal.

If you want things to be consistent you can use certutil -M -d . -t
CT,C,C -n 'EXAMPLE.COM IPA CA'

rob

>> $ certutil -L -d .
>>
>> Certificate Nickname                          Trust Attributes
>>                                               SSL,S/MIME,JAR/XPI
>>
>> EXAMPLE.COM IPA CA                            CT,,
>>
>> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
>> can use openssl for that:
>>
>> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>>
>>> Something is wrong on my system !!
>>>
>>> for me it is not possible to have a working webserver (apache) with mod_NSS
>>> on an enrolled ipa-client
>>>
>>> In the last tests apache said it is the wrong "passwd" for the DB and doesn't
>>> start?
>>>
>>> So now I start again with a new clean /etc/httpd/alias
>>
>> Not knowing how you created the database or what your nss.conf looks
>> like it's hard to say what is going on. If you set a NSS database
>> password then you need to tell mod_nss about it.
>>
>> Typically you'd set this in nss.conf:
>>
>> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>>
>> and create /etc/httpd/conf/password.conf with contents like:
>>
>> internal:SecretPassword123
>>
>> Ensure that the file is owned by apache:apache and mode 0400.
>
> This is the best INFO for this file ;-)
>
> Thanks

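Two things in Rob's reply above are easy to check before touching /etc/httpd/alias: what a `-t` string such as `CT,C,C` or `CT,,` actually grants per field (SSL, S/MIME, code-signing), and whether the CA file really is PEM, which is what `certutil -A ... -a` expects when it complains about the format. The pre-flight checker below is an added example, not code from this thread or from FreeIPA; `parse_trust`, `check_pem` and the sample PEM are assumptions of the example, and the sample's base64 is a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64
import binascii
import re

# Trust letters documented for certutil -t (p/P/c/C/T/u/w); the three
# comma-separated fields are SSL, S/MIME and code-signing, in that order.
TRUST_LETTERS = set("pPcCTuw")
FIELD_NAMES = ("SSL", "S/MIME", "code-signing")


def parse_trust(trust):
    """Split a certutil -t string such as 'CT,C,C' or 'CT,,' into its three fields."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError("trust string needs exactly three comma-separated fields")
    parsed = {}
    for name, flags in zip(FIELD_NAMES, fields):
        unknown = set(flags) - TRUST_LETTERS
        if unknown:
            raise ValueError(f"unknown trust flag(s) {sorted(unknown)} in {name} field")
        parsed[name] = {
            "trusted_ca": "C" in flags,           # may issue server certs (implies c)
            "trusted_client_ca": "T" in flags,    # may issue client certs (implies c)
            "valid_ca": bool(set(flags) & set("cCT")),
        }
    return parsed


PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def check_pem(data):
    """Return the number of well-formed PEM certificates in data, or a string
    explaining why 'certutil -A ... -a' would reject the file."""
    if data[:1] == b"\x30":
        return "file looks like DER (binary); -a expects PEM, convert with openssl x509 -inform DER -outform PEM"
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return "no -----BEGIN CERTIFICATE----- block found"
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            return f"certificate {i}: base64 body is corrupt"
        if der[:1] != b"\x30":
            return f"certificate {i}: decoded bytes do not start a DER SEQUENCE"
    return len(blocks)


# Constructed sample: the base64 decodes to a minimal DER SEQUENCE, not a real cert.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
```

Run `check_pem(open("/etc/ipa/ca.crt", "rb").read())` on a real file; an integer means the file is PEM with that many certificate blocks, a string names the reason it would be rejected.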


Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-19 Thread Günther J. Niederwimmer
Hello Rob,

On Wednesday, 1 June 2016 at 09:54:58 CEST, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > On Tuesday, 31 May 2016 at 11:06:09 CEST, Rob Crittenden wrote:
> >> Günther J. Niederwimmer wrote:
> >>> Hello
> >>> I found some help for the IPA certificate but I found no way to import
> >>> the
> >>> IPA CA ?
> >>> I would like to create a webserver with an ownCloud virtual host and others..
> >>> 
> >>> But it is not possible for me to create the /etc/httpd/alias correctly ?
> >>> 
> >>> I found this in the IPA DOCS
> >>> 
> >>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
> >>> 
> >>> but with this command line I get an error: /etc/ipa/ca.crt has the wrong
> >>> format ?
> >>> 
> >>> Does anyone have a link to a working example
> >> 
> >> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
> >> clients so the documentation is written from that perspective.
> > 
> > Yes.
> > 
> >> You can grab a copy from any enrolled system, including an IPA Master.
> >> Otherwise the command looks ok assuming you were sitting in
> >> /etc/httpd/alias when the command was executed (-d .).
> > 
> > Yes ;-).
> > but certutil says the certificate has the wrong format
> 
> $ mkdir /tmp/testdb && cd /tmp/testdb
> $ certutil -N -d .
> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt

On my system I have this message after installing ca.crt

p11-kit: objects of this type cannot be created ?
is this correct ?

Another question: do I have to change the attribute (?), the IPA server creates / 
imports this ca.crt with -t "CT,C,C"

> $ certutil -L -d .
> 
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
> 
> EXAMPLE.COM IPA CA                            CT,,
> 
> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
> can use openssl for that:
> 
> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
> 
> > Something is wrong on my system !!
> > 
> > for me it is not possible to have a working webserver (apache) with mod_NSS
> > on an enrolled ipa-client
> > 
> > In the last tests apache said it is the wrong "passwd" for the DB and doesn't
> > start?
> > 
> > So now I start again with a new clean /etc/httpd/alias
> 
> Not knowing how you created the database or what your nss.conf looks
> like it's hard to say what is going on. If you set a NSS database
> password then you need to tell mod_nss about it.
> 
> Typically you'd set this in nss.conf:
> 
> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
> 
> and create /etc/httpd/conf/password.conf with contents like:
> 
> internal:SecretPassword123
> 
> Ensure that the file is owned by apache:apache and mode 0400.

This is the best INFO for this file ;-)

Thanks

-- 
Kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-01 Thread Rob Crittenden

Günther J. Niederwimmer wrote:
> Hello,
>
> On Tuesday, 31 May 2016 at 11:06:09 CEST, Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello
>>> I found some help for the IPA certificate but I found no way to import the
>>> IPA CA ?
>>> I would like to create a webserver with an ownCloud virtual host and others..
>>>
>>> But it is not possible for me to create the /etc/httpd/alias correctly ?
>>>
>>> I found this in the IPA DOCS
>>>
>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>
>>> but with this command line I get an error: /etc/ipa/ca.crt has the wrong
>>> format ?
>>>
>>> Does anyone have a link to a working example
>>
>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>> clients so the documentation is written from that perspective.
>
> Yes.
>
>> You can grab a copy from any enrolled system, including an IPA Master.
>> Otherwise the command looks ok assuming you were sitting in
>> /etc/httpd/alias when the command was executed (-d .).
>
> Yes ;-).
> but certutil says the certificate has the wrong format

$ mkdir /tmp/testdb && cd /tmp/testdb
$ certutil -N -d .
$ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
$ certutil -L -d .

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                            CT,,

I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
can use openssl for that:

$ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt

> Something is wrong on my system !!
>
> for me it is not possible to have a working webserver (apache) with mod_NSS
> on an enrolled ipa-client
>
> In the last tests apache said it is the wrong "passwd" for the DB and doesn't
> start?
>
> So now I start again with a new clean /etc/httpd/alias

Not knowing how you created the database or what your nss.conf looks
like it's hard to say what is going on. If you set a NSS database
password then you need to tell mod_nss about it.

Typically you'd set this in nss.conf:

NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"

and create /etc/httpd/conf/password.conf with contents like:

internal:SecretPassword123

Ensure that the file is owned by apache:apache and mode 0400.

rob



Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-01 Thread Günther J. Niederwimmer
Hello,

On Tuesday, 31 May 2016 at 11:06:09 CEST, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
> > Hello
> > I found some help for the IPA certificate but I found no way to import the
> > IPA CA ?
> > I would like to create a webserver with an ownCloud virtual host and others..
> > 
> > But it is not possible for me to create the /etc/httpd/alias correctly ?
> > 
> > I found this in the IPA DOCS
> > 
> > certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
> > 
> > but with this command line I get an error: /etc/ipa/ca.crt has the wrong
> > format ?
> > 
> > Does anyone have a link to a working example
> 
> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
> clients so the documentation is written from that perspective.
Yes.
 
> You can grab a copy from any enrolled system, including an IPA Master.
> Otherwise the command looks ok assuming you were sitting in
> /etc/httpd/alias when the command was executed (-d .).

Yes ;-).
but certutil says the certificate has the wrong format

Something is wrong on my system !!

for me it is not possible to have a working webserver (apache) with mod_NSS
on an enrolled ipa-client

In the last tests apache said it is the wrong "passwd" for the DB and doesn't
start?

So now I start again with a new clean /etc/httpd/alias

:-(.
-- 
Kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-05-31 Thread Rob Crittenden

Günther J. Niederwimmer wrote:
> Hello
> I found some help for the IPA certificate but I found no way to import the IPA
> CA ?
> I would like to create a webserver with an ownCloud virtual host and others..
>
> But it is not possible for me to create the /etc/httpd/alias correctly ?
>
> I found this in the IPA DOCS
>
> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>
> but with this command line I get an error: /etc/ipa/ca.crt has the wrong format ?
>
> Does anyone have a link to a working example

Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
clients so the documentation is written from that perspective.

You can grab a copy from any enrolled system, including an IPA Master.
Otherwise the command looks ok assuming you were sitting in
/etc/httpd/alias when the command was executed (-d .).

rob



Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-05-30 Thread Martin Kosek
On 05/29/2016 09:18 AM, Günther J. Niederwimmer wrote:
> Hello
> I found some help for the IPA certificate but I found no way to import the IPA 
> CA ?
> I would like to create a webserver with an ownCloud virtual host and others..
> 
> But it is not possible for me to create the /etc/httpd/alias correctly ?
> 
> I found this in the IPA DOCS
>  
> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
> 
> but with this command line I get an error: /etc/ipa/ca.crt has the wrong format ?
> 
> Does anyone have a link to a working example

I have a hard time understanding what the use case is, but it looks like you are
looking for information in

http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

Martin
