Hi Flo,

Sure I can, I will look through the steps closely tomorrow and will create some lineup here.

Cheers,

Matt

2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
> On 02/16/2017 09:55 PM, Matt . wrote:
>> Hi Flo! (if I may call you like that, saves some characters in typing
>> but with this extra line it doesn't anymore :))
>>
>> This works perfectly, thank you very much.
>>
> Hi Matt,
>
> glad I could help. What did you do differently that could explain the
> failure, though? Maybe the cert installation needs some hardening.
>
> Flo.
>
>> No questions further actually :)
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>> On 02/15/2017 05:40 PM, Matt . wrote:
>>>> Hi,
>>>>
>>>> Is there any update on this? I need to install 3 other instances but
>>>> I would like to know upfront if it might be a bug.
>>>>
>>> Hi Matt,
>>>
>>> I was not able to reproduce your issue. Here were my steps:
>>>
>>> Install FreeIPA with self-signed cert:
>>> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>>>
>>> The certificate chain is ca1 -> subca -> server.
>>> Install the root CA:
>>> kinit admin
>>> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
>>> ipa-certupdate
>>>
>>> Install the subca:
>>> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
>>> ipa-certupdate
>>>
>>> Install the server cert:
>>> ipa-server-certinstall -d -w server.pem key.pem
>>>
>>> ipa-certupdate basically retrieves the certificates from LDAP (below
>>> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias but
>>> I don't remember it removing certs.
>>>
>>> Can you check the content of your LDAP server?
>>> kinit admin
>>> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
>>>
>>> It should contain one entry for each CA that you added.
>>>
>>> Flo.
>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-14 17:59 GMT+01:00 Matt . <[email protected]>:
>>>>> Hi Florence,
>>>>>
>>>>> Sure I can, here you go:
>>>>>
>>>>> Fedora 24
>>>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>>>
>>>>> I installed this server as self-signed CA
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>>>>> Hi Florence,
>>>>>>>
>>>>>>> Thanks for your update, good to see some good info about it. For
>>>>>>> Comodo I have installed all these:
>>>>>>>
>>>>>>> AddTrustExternalCARoot.crt
>>>>>>> COMODORSAAddTrustCA.crt
>>>>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>>>>
>>>>>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>>>>> far as I know, but the same issues still exist: the Server-Cert is
>>>>>>> removed again on ipa-certupdate and it fails.
>>>>>>>
>>>>>>> I have tried this with setenforce 0
>>>>>>>
>>>>>> Hi Matt,
>>>>>>
>>>>>> can you provide more info in order to reproduce the issue?
>>>>>> - which OS are you using
>>>>>> - IPA version
>>>>>> - how did you install ipa server (CA-less or with self-signed CA or with
>>>>>> externally-signed CA?)
>>>>>>
>>>>>> Thanks,
>>>>>> Flo.
>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>>>>> Certs are valid, I will check what you mentioned.
>>>>>>>>>
>>>>>>>>> I'm also no fan of bundles, more the separate files, but this doesn't
>>>>>>>>> seem to work always. At least for the CA root a bundle was required.
>>>>>>>>>
>>>>>>>> Hi Matt,
>>>>>>>>
>>>>>>>> if your certificate was provided by an intermediate CA, you need to add each
>>>>>>>> CA before running ipa-server-certinstall (start from the top-level CA with
>>>>>>>> ipa-cacert-manage install, then run ipa-certupdate, then the intermediate CA
>>>>>>>> with ipa-cacert-manage install, then ipa-certupdate etc...)
>>>>>>>>
>>>>>>>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>>>>>>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>>>>>
>>>>>>>> Flo.
>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] <[email protected]>:
>>>>>>>>>> Have you validated the cert (and dumped the contents) from the command
>>>>>>>>>> line using the openssl tools? I've seen the message you are seeing before;
>>>>>>>>>> for some reason I seem to remember that it has to do with either a missing
>>>>>>>>>> or an extra - at either the -----BEGIN CERTIFICATE---- or -----END
>>>>>>>>>> CERTIFICATE---- (an error from copy and pasting and not copying the actual
>>>>>>>>>> file).
>>>>>>>>>>
>>>>>>>>>> I've never used certupdate, so if what is described above doesn't help
>>>>>>>>>> somebody else will have to chime in.
>>>>>>>>>>
>>>>>>>>>> Dan
>>>>>>>>>>
>>>>>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Dan,
>>>>>>>>>>>
>>>>>>>>>>> Yes, I have tried that and I get the message that it misses the full
>>>>>>>>>>> chain for the certificate.
>>>>>>>>>>>
>>>>>>>>>>> My issue is more: why is the Server-Cert being removed on a certupdate?
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>>
>>>>>>>>>>> Matt
>>>>>>>>>>>
>>>>>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] <[email protected]>:
>>>>>>>>>>>> Is the chain in mydomain_com_bundle.crt? Have you tried it with the
>>>>>>>>>>>> cert only (disclaimer: I've never done this).
>>>>>>>>>>>>
>>>>>>>>>>>> Dan
>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Guys,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>>>>>
>>>>>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>>>>>
>>>>>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>>>>>>> Directory Manager password:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Enter private key unlock password:
>>>>>>>>>>>>>
>>>>>>>>>>>>> list index out of range
>>>>>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>>>>>
>>>>>>>>>>>>> What can I do to solve this?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matt

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
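Added example, not code from the thread or from FreeIPA: a POSIX shell check for the PEM framing problem Dan describes (a missing or extra dash at a BEGIN/END CERTIFICATE marker after a copy-and-paste), plus a splitter that turns a CA bundle into one file per certificate so each CA can be fed to ipa-cacert-manage on its own, top-level CA first, the way Flo's steps do. It assumes only grep, awk and mktemp; the certificate bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself: check PEM
# framing (the stray or missing dash Dan mentions) and split a CA bundle into
# one file per certificate so each CA can be installed on its own with
# ipa-cacert-manage, top-level CA first, as in Flo's steps.
# The certificate bodies below are constructed placeholders, not real certs.

# Print the number of well-framed certificates in $1 and return 0, or
# report the framing problem on stderr and return 1.
pem_check() {
    f=$1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    # Marker lines that are almost right: wrong dash count, trailing blanks, CRLF.
    odd=$(grep -E 'BEGIN CERTIFICATE|END CERTIFICATE' "$f" \
          | grep -Evc '^-----(BEGIN|END) CERTIFICATE-----$' || true)
    if [ "$odd" -ne 0 ]; then
        echo "$f: $odd malformed BEGIN/END marker line(s)" >&2; return 1
    fi
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$f: $begins BEGIN but $ends END markers" >&2; return 1
    fi
    echo "$begins"
}

# Split bundle $1 into $2/NN-cert.pem in bundle order and print the count.
pem_split() {
    awk -v out="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; f = sprintf("%s/%02d-cert.pem", out, n); blk = 1 }
        blk { print > f }
        /^-----END CERTIFICATE-----$/ { blk = 0; close(f) }
        END { print n + 0 }' "$1"
}

work=$(mktemp -d)
cat > "$work/ca_bundle.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedROOTCAplaceholder00000000000000000000000000000000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedSUBCAplaceholder000000000000000000000000000000000
-----END CERTIFICATE-----
EOF
# Same root CA pasted from a web page with one dash lost at the END marker.
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIIBconstructedROOTCAplaceholder00000000000000000000000000000000' \
    '-----END CERTIFICATE----' > "$work/pasted.crt"
pem_check "$work/pasted.crt" || echo "pasted.crt rejected, as expected"
n=$(pem_split "$work/ca_bundle.crt" "$work")
echo "$n CA certificate(s) split; install $work/01-cert.pem first, then ipa-certupdate"
```

The split files come out in bundle order, so 01-cert.pem is the first certificate in the bundle; check with openssl x509 -noout -subject -issuer which one is the root before choosing the install order.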
