Hi,

The install seems to be OK this way, but I'm still confused about the duplicated and the RootCA.

Cheers,
Matt

2017-02-18 14:47 GMT+01:00 Matt . <[email protected]>:
> Hi Florence,
>
> I'm actually still investigating this as the following occurs.
>
> I have removed all unneeded certs and installed the 2 intermediates
> for Comodo and did an ipa-certupdate which results in this:
>
> #certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> AddTrustExternalCARoot                                       C,,
> ipaCert                                                      u,u,u
> COMODORSAAddTrustCA                                          C,,
> COMODORSAAddTrustCA                                          C,,
> IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
>
> I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
> both and start over they are duplicated again. Also the
> AddTrustExternalCARoot comes back again even when this was not
> installed anymore as it's not needed.
>
> I'm able to install my cert after the update:
>
> #certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> AddTrustExternalCARoot                                       C,,
> ipaCert                                                      u,u,u
> COMODORSAAddTrustCA                                          C,,
> COMODORSAAddTrustCA                                          C,,
> IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
>
> Now this works great for the WebGui which uses the right Certificate
> for the ssl connection but ldaps on port 636 seems to use:
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
>
> Do you have any clue about this ?
>
> I'm also curious about what IPA syncs between all hosts, it seems to
> be only the Intermediate certs and not the install domains
> certificate, this needs to be installed manually after a local
> #ipa-certupdate on each node ?
>
> I hope you can clarify this out.
>
> Thanks,
>
> Matt
>
> 2017-02-17 0:15 GMT+01:00 Matt . <[email protected]>:
>> Hi Flo,
>>
>> Sure I can, I will look through the steps closely tomorrow and will
>> create some lineup here.
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>> Hi Flo! (if I may call you like that, saves some characters in typing
>>>> but with this extra line it doesn't anymore :))
>>>>
>>>> This works perfectly, thank you very much.
>>>>
>>> Hi Matt,
>>>
>>> glad I could help. What did you do differently that could explain the
>>> failure, though? Maybe the cert installation needs some hardening.
>>>
>>> Flo.
>>>
>>>> No questions further actually :)
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>> On 02/15/2017 05:40 PM, Matt . wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Is there any update on this ? I need to install 3 other instances but
>>>>>> I would like to know upfront if it might be a bug.
>>>>>>
>>>>> Hi Matt,
>>>>>
>>>>> I was not able to reproduce your issue. Here were my steps:
>>>>>
>>>>> Install FreeIPA with self-signed cert:
>>>>> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>>>>>
>>>>> The certificate chain is ca1 -> subca -> server.
>>>>> Install the root CA:
>>>>> kinit admin
>>>>> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
>>>>> ipa-certupdate
>>>>>
>>>>> Install the subca:
>>>>> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
>>>>> ipa-certupdate
>>>>>
>>>>> Install the server cert:
>>>>> ipa-server-certinstall -d -w server.pem key.pem
>>>>>
>>>>> ipa-certupdate basically retrieves the certificates from LDAP (below
>>>>> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias but
>>>>> I don't remember it removing certs.
>>>>>
>>>>> Can you check the content of your LDAP server?
>>>>> kinit admin
>>>>> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
>>>>>
>>>>> It should contain one entry for each CA that you added.
>>>>>
>>>>> Flo.
>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-14 17:59 GMT+01:00 Matt . <[email protected]>:
>>>>>>> Hi Florence,
>>>>>>>
>>>>>>> Sure I can, here you go:
>>>>>>>
>>>>>>> Fedora 24
>>>>>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>>>>>
>>>>>>> I installed this server as self-signed CA
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>>>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>>>>>>> Hi Florence,
>>>>>>>>>
>>>>>>>>> Thanks for your update, good to see some good info about it. For
>>>>>>>>> Comodo I have installed all these:
>>>>>>>>>
>>>>>>>>> AddTrustExternalCARoot.crt
>>>>>>>>> COMODORSAAddTrustCA.crt
>>>>>>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>>>>>>
>>>>>>>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>>>>>>> far as I know but the same issues still exist, the Server-Cert is
>>>>>>>>> removed again on ipa-certupdate and fails.
>>>>>>>>>
>>>>>>>>> I have tried this with setenforce 0
>>>>>>>>>
>>>>>>>> Hi Matt,
>>>>>>>>
>>>>>>>> can you provide more info in order to reproduce the issue?
>>>>>>>> - which OS are you using
>>>>>>>> - IPA version
>>>>>>>> - how did you install ipa server (CA-less or with self-signed CA or with
>>>>>>>> externally-signed CA?)
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Flo.
>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>>>>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>>>>>>> Certs are valid, I will check what you mentioned.
>>>>>>>>>>>
>>>>>>>>>>> I'm also no fan of bundles, more the separate files but this doesn't
>>>>>>>>>>> seem to work always. At least for the CAroot a bundle was required.
>>>>>>>>>>>
>>>>>>>>>> Hi Matt,
>>>>>>>>>>
>>>>>>>>>> if your certificate was provided by an intermediate CA, you need to add each
>>>>>>>>>> CA before running ipa-server-certinstall (start from the top-level CA with
>>>>>>>>>> ipa-cacert-manage install, then run ipa-certupdate, then the intermediate CA
>>>>>>>>>> with ipa-cacert-manage install, then ipa-certupdate etc...)
>>>>>>>>>>
>>>>>>>>>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>>>>>>>>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>>>>>>>
>>>>>>>>>> Flo.
>>>>>>>>>>
>>>>>>>>>>> Matt
>>>>>>>>>>>
>>>>>>>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] <[email protected]>:
>>>>>>>>>>>> Have you validated the cert (and dumped the contents) from the command
>>>>>>>>>>>> line using the openssl tools? I’ve seen the message you are seeing before,
>>>>>>>>>>>> for some reason I seem to remember that it has to do with either a missing
>>>>>>>>>>>> or an extra - at either the -----BEGIN CERTIFICATE---- or -----END
>>>>>>>>>>>> CERTIFICATE---- (an error from copy and pasting and not copying the actual
>>>>>>>>>>>> file).
>>>>>>>>>>>>
>>>>>>>>>>>> I’ve never used certupdate so if what is described above doesn’t help
>>>>>>>>>>>> somebody else will have to chime in.
>>>>>>>>>>>>
>>>>>>>>>>>> Dan
>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Dan,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes I have tried that and I get the message that it misses the full
>>>>>>>>>>>>> chain for the certificate.
>>>>>>>>>>>>>
>>>>>>>>>>>>> My issue is more, why is the Server-Cert being removed on a certupdate ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] <[email protected]>:
>>>>>>>>>>>>>> Is the chain in mydomain_com_bundle.crt? Have you tried it with the
>>>>>>>>>>>>>> cert only (disclaimer: I’ve never done this).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Dan
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Guys,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>>>>>>>>> Directory Manager password:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Enter private key unlock password:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> list index out of range
>>>>>>>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What can I do to solve this ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>>>>>> Go to http://freeipa.org for more info on the project
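Two read-only checks for the symptoms raised in this thread, added here as an example; they are not part of the thread and not FreeIPA tooling. The first catches the copy-and-paste slip Dan describes (a missing or extra `-` on a `BEGIN CERTIFICATE` / `END CERTIFICATE` marker) before the file is handed to `ipa-server-certinstall`. The second parses `certutil -L` output and reports nicknames that appear more than once, which is what Matt's listing shows for `COMODORSAAddTrustCA`. Everything is POSIX sh plus awk, so it runs on any IPA host; the function names and the sample listing and PEM text in `demo()` are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeIPA code. Function names
# and the sample data in demo() are constructed for this example.

# Check 1: PEM marker lines. A copy-and-paste slip that drops or adds a '-'
# in "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" leaves a file
# that looks fine in an editor but no longer parses as a PEM block.
# Reads PEM text on stdin, prints one line per problem, exits 0 when clean.
check_pem_markers() {
    awk '
        BEGIN { begins = 0; ends = 0; bad = 0 }
        { sub(/\r$/, "") }                      # tolerate CRLF files
        /^-+BEGIN CERTIFICATE-+$/ {
            if ($0 != "-----BEGIN CERTIFICATE-----") {
                print "line " NR ": malformed BEGIN marker: " $0; bad = 1
            }
            begins++
        }
        /^-+END CERTIFICATE-+$/ {
            if ($0 != "-----END CERTIFICATE-----") {
                print "line " NR ": malformed END marker: " $0; bad = 1
            }
            ends++
        }
        END {
            if (begins == 0) { print "no BEGIN CERTIFICATE marker found"; bad = 1 }
            if (begins != ends) {
                print "unbalanced markers: " begins " BEGIN, " ends " END"; bad = 1
            }
            exit bad
        }'
}

# Check 2: duplicate nicknames in a `certutil -L` listing. Reads the listing
# on stdin and prints "<count> <nickname>" for each nickname seen more than
# once. The trust column is the last whitespace-separated field (C,, / u,u,u /
# CT,C,C); everything before it is the nickname, which may contain commas
# and spaces, as the Comodo subject-DN nickname in the thread does.
certutil_duplicates() {
    awk '
        NF >= 2 && $NF ~ /^[CTPpcuw]*,[CTPpcuw]*,[CTPpcuw]*$/ {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
            sub(/^[ \t]+/, "", nick)                # drop leading indent
            count[nick]++
        }
        END { for (n in count) if (count[n] > 1) print count[n] " " n }
    ' | sort
}

# Stand-alone demonstration on constructed input modelled on the thread.
demo() {
    echo "== duplicate nicknames =="
    printf '%s\n' \
        'Certificate Nickname                        Trust Attributes' \
        '                                            SSL,S/MIME,JAR/XPI' \
        '' \
        'AddTrustExternalCARoot                      C,,' \
        'ipaCert                                     u,u,u' \
        'COMODORSAAddTrustCA                         C,,' \
        'COMODORSAAddTrustCA                         C,,' \
        'IPA.MYDOMAIN.TLD IPA CA                     CT,C,C' \
        | certutil_duplicates

    echo "== PEM markers =="
    # One dash missing from the END marker, the slip described in the thread.
    if printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' \
                     '-----END CERTIFICATE----' | check_pem_markers; then
        echo "PEM markers OK"
    else
        echo "PEM markers need fixing before ipa-server-certinstall"
    fi
}

demo
```

On a real server the same functions are fed the live data: `check_pem_markers < mydomain_com_bundle.crt` before running the install, and `certutil -L -d /etc/httpd/alias | certutil_duplicates` after `ipa-certupdate`. Both only read their input; neither touches the NSS database or LDAP, so they are safe to run on every replica while comparing against the entries under `cn=certificates,cn=ipa,cn=etc,$BASEDN`.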
