Also, I once followed the instruction about "Using 3rd part certificates for HTTP/LDAP" at https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP, for my environment: IPA 4.2 on RHEL7

# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
# ipa-server-certinstall -w -d mysite.key mysite.crt
# systemctl restart httpd.service
# systemctl restart [email protected]

It failed at the step to restart httpd.service.

Thanks!

On Thu, Sep 29, 2016 at 5:03 AM, beeth beeth <[email protected]> wrote:
> I am trying to set up IPA servers with Verisign certificate, so that the
> Admin Web console can use public signed certificate to meet company's
> security requirement. But when I try to follow Red Hat's instructions at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,
> 2.3.5. Installing a Server with an External CA as the Root CA,
> at the first step it says to generate CSR by adding the --external-ca
> option to the ipa-server-install utility, which does generate a CSR at
> /root/ipa.csr. However, the ipa-server-install command in fact doesn't ask
> for Distinguished Name (DN) or the organization info (like country, state,
> etc.), which are required in the CSR. Without a valid CSR file, I can't
> request for new Verisign certs. Did I miss something?
>
> Originally I once tried to change the default certificate for Apache (the
> Web Admin console) ONLY to the Verisign one, by adding the certificates to
> the /etc/httpd/alias database with the command:
> # ipa-server-certinstall -w --http_pin=test verisign.pk12
> And updated the nss.conf for httpd, so that the new Nickname is used to
> point to the Verisign certs. That worked well for the website. However, the
> IPA client installation failed after that for the "ipa-client-install":
>
> ERROR Joining realm failed: libcurl failed to execute the HTTP POST
> transaction, explaining: Peer's certificate issuer has been marked as not
> trusted by the user.
>
> Even when I tried to also update the certificate for the Directory
> service (ipa-server-certinstall -d ...), the client installation still
> failed. I believe the new Verisign cert messed up the communication of the
> IPA components. Then I am thinking to install the IPA server from scratch
> with the Verisign cert, but then I hit the CSR problem described above.
>
> Please advise. Thanks!
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
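As an added check (not part of the thread, nor FreeIPA's own tooling): before the `systemctl restart httpd.service` step, a POSIX shell script that reads a `certutil -L` listing of the httpd NSS database and confirms the third-party CA entry carries the C flag (trusted SSL CA) that `-t C,,` requests, and that the server certificate entry carries the u flag (private key present). The listing and the nicknames "External CA", "Server-Cert" and "Untrusted CA" are constructed; on a real server the listing would come from `certutil -L -d /etc/httpd/alias`.

```shell
#!/bin/sh
# Added example: verify trust flags in a certutil -L listing. certutil prints
# the nickname, then a trust column "SSL,S/MIME,JAR/XPI"; in the SSL slot,
# C = trusted CA for SSL (what `-t C,,` sets), u = cert with private key.

# Print the trust column for a nickname, or nothing if it is not listed.
# $1 = listing text, $2 = nickname (may contain spaces).
trust_flags() {
  printf '%s\n' "$1" | awk -v nick="$2" '
    NF >= 2 && $NF ~ /,/ {
      name = $0
      # nickname is the line minus the trailing trust column
      sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", name)
      if (name == nick) { print $NF; exit }
    }'
}

# First comma-separated field of the trust column (the SSL slot).
ssl_slot() { printf '%s\n' "$1" | cut -d, -f1; }

# 0 if the nickname is a trusted SSL CA (C flag), 1 otherwise.
ca_is_trusted() {
  case "$(ssl_slot "$(trust_flags "$1" "$2")")" in
    *C*) return 0 ;;
    *)   return 1 ;;
  esac
}

# 0 if the nickname has its private key in the database (u flag), 1 otherwise.
server_has_key() {
  case "$(ssl_slot "$(trust_flags "$1" "$2")")" in
    *u*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Constructed listing in the shape certutil -L prints (hypothetical nicknames).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

External CA                                                  C,,
Server-Cert                                                  u,u,u
Untrusted CA                                                 ,,
'

# Live use (assumed paths): LISTING=$(certutil -L -d /etc/httpd/alias)
# then: ca_is_trusted "$LISTING" "NICKNAME" && server_has_key "$LISTING" "Server-Cert"
```

If `ca_is_trusted` fails for the nickname given to `ipa-cacert-manage`, the CA was imported without the C flag and httpd (and clients chaining to it) will not treat it as a trusted issuer.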
