Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Florence
>
> Can you please guide us
>
> We are getting below errors
>
> 1. Installing a CA Certificate Manually
>
> [root@centralaaa01 Apache]#
> [root@centralaaa01 Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
> Installing CA certificate, please wait
> Not a valid CA certificate: not a CA certificate (visit
> http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> The ipa-cacert-manage command failed.
> [root@centralaaa01 Apache]#
> [root@centralaaa01 Apache]# ls
Any chance you can share the file you're trying to import? It is failing
because the certificate is literally not a CA. It doesn't have the CA
constraint.

Where did this CA come from? Is it a self-created PKI?

I don't think you've said which version of IPA this is.

> =============================================================
>
> 2. Installing Third-Party Certificates for HTTP or LDAP
>
> [root@centralaaa01 Apache]# ipa-server-certinstall --http --dirsrv /root/central.key 1f1f7ab616938168.crt
> Directory Manager password:
>
> Enter private key unlock password:

This isn't something set by IPA. Someone created the private key. Whoever
did that should have the password.

> The full certificate chain is not present in /root/central.key,
> 1f1f7ab616938168.crt
> The ipa-server-certinstall command failed.
> [root@centralaaa01 Apache]#

Assuming that the other certificate is the "CA" then that needs to be
loaded first.

rob

> Regards
> Sai
>
> From: Polavarapu Manideep Sai
> Sent: 20 November 2022 21:37
> To: 'Florence Blanc-Renaud' <f...@redhat.com>; FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Subject: RE: [Freeipa-users] Installing Third-Party Certificates-Help
>
> Hi Florence
>
> As per your suggestion I have followed the "Installing a CA Certificate
> Manually" guide
>
> We are getting below error upon executing
>
> [root@central ~]# ipa-cacert-manage install /tmp/Apache/1f1f7ab616938168.pem -v
>
> ipa: DEBUG: importing plugin module ipaserver.plugins.whoami
> ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_49475728
> Installing CA certificate, please wait
> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-ONMOBILE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4cdb170>
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -N -f /tmp/tmpW6jE9j/pwdfile.txt -f /tmp/tmpW6jE9j/pwdfile.txt
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -A -n CN=*.ipa.example.com -t C,, -f /tmp/tmpW6jE9j/pwdfile.txt
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -A -n IPA.EXAMPLE.COM IPA CA -t CT,C,C -f /tmp/tmpW6jE9j/pwdfile.txt
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_49475728
> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 119, in run
>     rc = self.install()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 365, in install
>     "troubleshooting guide)" % e)
>
> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The ipa-cacert-manage command failed, exception: ScriptError: Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The ipa-cacert-manage command failed.
> [root@central ~]#
>
> Please guide us to proceed further
>
> Regards
> Sai
>
> From: Florence Blanc-Renaud <f...@redhat.com>
> Sent: 31 October 2022 19:12
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: Polavarapu Manideep Sai <manideep....@onmobile.com>
> Subject: Re: [Freeipa-users] Installing Third-Party Certificates-Help
>
> Hi,
>
> On Sat, Oct 29, 2022 at 3:53 PM Polavarapu Manideep Sai via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> > Hi Team,
> >
> > We need your help or support
> >
> > I have a master IPA server and 2 Replica IPA Servers, I want to
> > install third party certificates in my setup
> >
> > a. master.ipa.example.com
> > b. replica1.ipa.example.com
> > c. replica2.ipa.example.com
> >
> > 1. Generated new CSR/wildcard certificate on master IPA server for
> > the domain "*.ipa.example.com" and shared to third party vendor and
> > they have shared two zip files, one for apache and other for tomcat
> > as shown below; I see crt and pem files in the zip files as shown
> > below after unzip
> >
> > a. _.ipa.onmobile.com_Apache.zip
> > b. _.ipa.onmobile.com_TOMCAT.zip
> >
> > unzipped:
> >
> > [root@dir01 tmp]# tree Apache/
> > Apache/
> > ├── 1f1f7ab616938168.crt
> > ├── 1f1f7ab616938168.pem
> > ├── gd_bundle-g2-g1.crt
> > └── _.ipa.onmobile.com_Apache.zip
> >
> > 0 directories, 4 files
> >
> > [root@dir01 tmp]# tree Tomcat/
> > Tomcat/
> > ├── 1f1f7ab616938168.crt
> > ├── 1f1f7ab616938168.pem
> > ├── gd_bundle-g2-g1.crt
> > ├── gdig2.crt.pem
> > └── _.ipa.onmobile.com_TOMCAT.zip
> >
> > 0 directories, 5 files
> >
> > 2. Followed the Redhat documentation but not understood which of
> > the following one is applicable in my case for the received
> > certificates
> >
> > Installing Third-Party Certificates for HTTP or LDAP
> >
> > Installing a CA Certificate Manually
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/third-party-certs-http-ldap
> >
> > Can you please let us know the step-by-step procedure for how to
> > install the certificates
>
> The certificate that you received has been signed by the vendor's CA
> (Certificate Authority). This CA needs to be trusted by IPA; this is
> achieved by following the steps from "Installing a CA Certificate Manually".
> Note that the vendor may provide you with a CA chain, in which case the
> top-level CA and all the intermediate CAs need to be trusted by IPA.
>
> When the CA chain is trusted, you can then install the new certificate
> for apache, following "Installing Third-Party Certificates for HTTP or
> LDAP".
>
> > can you please also comment on below query
> >
> > 3. If I install the certificate will it get replaced in
> > "/etc/pki/pki-tomcat/alias/" database as well, along with httpd and
> > dirsrv databases?
> >
> > /etc/pki/pki-tomcat/alias/
> > /etc/httpd/alias/
> > /etc/dirsrv/slapd-IPA-EXAMPLE-COM
>
> It depends on which certificate you want to replace:
>
> - If ipa-server-install is run with --http, the provided certificate
> will replace the Server-Cert in /etc/httpd/alias. This is the server
> certificate for Apache/httpd.
>
> - If ipa-server-install is run with --dirsrv, the provided certificate
> will replace the Server-Cert in /etc/dirsrv/slapd-IPA-EXAMPLE-COM. This
> is the server certificate for the LDAP server.
>
> The command does not replace the certificate in
> /etc/pki/pki-tomcat/alias/. This NSS database contains the certificates
> related to PKI (the Certificate Server for IPA).
>
> The instructions from "Installing a CA Certificate Manually" *add* the
> CA chain in the 3 NSS databases you mentioned (they do not replace IPA
> CA but rather add new CA).
>
> Hope this clarifies,
> flo
>
> > Please let us know if any more details required
> >
> > Sai
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
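Both failures in this thread can be predicted from the files alone, before any IPA command touches the NSS databases: ipa-cacert-manage install rejects anything without basicConstraints CA:TRUE, ipa-server-certinstall refuses a server certificate whose issuers it cannot chain, and the "unlock password" prompt simply means the key file is encrypted. The script below is an added example, not code from the thread or from the FreeIPA project. It assumes only the openssl command-line tool; it generates a throwaway root, intermediate and wildcard server certificate (names root.crt, inter.crt, leaf.crt and the CN values are this example's own) to stand in for the vendor's leaf and bundle files, then runs the three checks on them.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: pre-flight the
# vendor's files with plain openssl before running ipa-cacert-manage and
# ipa-server-certinstall. A throwaway root -> intermediate -> wildcard leaf
# PKI is generated under a temp dir and stands in for the vendor bundle;
# the file names root.crt/inter.crt/leaf.crt are this example's own.
set -eu

# 0 when FILE carries basicConstraints CA:TRUE, which is what
# "ipa-cacert-manage install" requires. A server certificate has CA:FALSE
# or no basicConstraints at all: that is the "not a CA certificate" error.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# 0 when LEAF chains up to the trusted ROOT, using INTERMEDIATES (optional
# third argument) as untrusted helpers. A failure here is what
# ipa-server-certinstall reports as "full certificate chain is not present".
chain_verifies() { # ROOT LEAF [INTERMEDIATES]
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# 0 when the PEM private key is password protected, the case in which
# ipa-server-certinstall asks "Enter private key unlock password".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Build the demo PKI in DIR. Extensions are spelled out in a private config
# so the result does not depend on the system openssl.cnf.
make_demo_pki() {
    dir=$1
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.ipa.example.com,DNS:ipa.example.com
EOF
    for n in root inter leaf; do
        openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
    done
    # self-signed root CA
    openssl req -new -x509 -key "$dir/root.key" -subj "/CN=Demo Root CA" \
        -days 2 -config "$dir/ext.cnf" -extensions v3_ca -out "$dir/root.crt"
    # intermediate CA signed by the root (the vendor's bundle file role)
    openssl req -new -key "$dir/inter.key" -subj "/CN=Demo Intermediate CA" \
        -config "$dir/ext.cnf" -out "$dir/inter.csr"
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -set_serial 2 -days 2 \
        -extfile "$dir/ext.cnf" -extensions v3_ca -out "$dir/inter.crt" 2>/dev/null
    # wildcard server certificate signed by the intermediate (the role the
    # vendor's 1f1f7ab616938168.crt plays in the thread)
    openssl req -new -key "$dir/leaf.key" -subj "/CN=*.ipa.example.com" \
        -config "$dir/ext.cnf" -out "$dir/leaf.csr"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.crt" \
        -CAkey "$dir/inter.key" -set_serial 3 -days 2 \
        -extfile "$dir/ext.cnf" -extensions v3_leaf -out "$dir/leaf.crt" 2>/dev/null
    # a password-protected copy of the server key (password "demo")
    openssl rsa -in "$dir/leaf.key" -aes256 -passout pass:demo \
        -out "$dir/leaf-enc.key" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"

for f in root.crt inter.crt leaf.crt; do
    if is_ca_cert "$DEMO_DIR/$f"; then
        echo "$f: CA certificate, install with ipa-cacert-manage"
    else
        echo "$f: server certificate, install with ipa-server-certinstall"
    fi
done
if chain_verifies "$DEMO_DIR/root.crt" "$DEMO_DIR/leaf.crt"; then
    echo "leaf alone verifies"
else
    echo "leaf alone: chain incomplete, intermediate missing"
fi
chain_verifies "$DEMO_DIR/root.crt" "$DEMO_DIR/leaf.crt" "$DEMO_DIR/inter.crt" \
    && echo "leaf + intermediate: chain complete"
key_is_encrypted "$DEMO_DIR/leaf-enc.key" && echo "leaf-enc.key needs an unlock password"
```

Run against the vendor's files, is_ca_cert separates the bundle (the CA material for "Installing a CA Certificate Manually") from the leaf that belongs to ipa-server-certinstall; in the thread the leaf was fed to ipa-cacert-manage, which is exactly the failure the first command reported. chain_verifies reproduces the second failure: the leaf alone does not chain to a root, so the intermediates have to be trusted by IPA before the server certificate is installed, which is the order Florence describes. key_is_encrypted tells you up front whether the unlock-password prompt will appear, so the person who generated the key can be asked for it before the command is run.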