Hi Flo,

Yes it does! Thanks for that.

Is it not possible to remove a certificate fully as it always syncs this way? Or remove it from /etc/httpd/alias, then from LDAP and then sync again?

Cheers,

Matt

2017-02-21 9:03 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
> On 02/20/2017 04:09 PM, Matt . wrote:
>>
>> Hi Rob,
>>
>> Yes it does, I understood that there was some reason the duplicate
>> might exist, but I wonder more why does the RootCA show up when I
>> removed it and comes back after adding the two intermediates?
>>
> Hi Matt,
>
> when ipa-cacert-manage install is run, it adds an LDAP entry for the new CA
> certificate below cn=certificates,cn=ipa,cn=etc,$BASEDN.
> When ipa-certupdate is run, it adds all the certificates found in
> cn=certificates,cn=ipa,cn=etc,$BASEDN to /etc/httpd/alias.
> So even if you remove one certificate from /etc/httpd/alias, the next
> ipa-certupdate command will re-add this CA cert if it is still present in
> LDAP.
>
> Hope this clarifies,
> Flo.
>
>> Thanks
>>
>> Matt
>>
>> 2017-02-20 15:20 GMT+01:00 Rob Crittenden <[email protected]>:
>>> Matt . wrote:
>>>> Hi,
>>>>
>>>> The install seems to be OK this way, but I'm still confused about the
>>>> duplicated and the RootCA.
>>>
>>> What does this show?
>>>
>>> # certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA
>>>
>>> I'm guessing it will show two certs with different serial numbers, which
>>> means this is a-ok.
>>>
>>> rob
>>>
>>>> 2017-02-18 14:47 GMT+01:00 Matt . <[email protected]>:
>>>>> Hi Florence,
>>>>>
>>>>> I'm actually still investigating this as the following occurs.
>>>>>
>>>>> I have removed all unneeded certs and installed the 2 intermediates
>>>>> for Comodo and did an ipa-certupdate which results in this:
>>>>>
>>>>> # certutil -L -d /etc/httpd/alias
>>>>>
>>>>> Certificate Nickname                                         Trust Attributes
>>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>>
>>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>>>> AddTrustExternalCARoot                                       C,,
>>>>> ipaCert                                                      u,u,u
>>>>> COMODORSAAddTrustCA                                          C,,
>>>>> COMODORSAAddTrustCA                                          C,,
>>>>> IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
>>>>>
>>>>> I'm curious why the COMODORSAAddTrustCA is there twice; if I remove
>>>>> both and start over they are duplicated again. Also the
>>>>> AddTrustExternalCARoot comes back again even when this was not
>>>>> installed anymore as it's not needed.
>>>>>
>>>>> I'm able to install my cert after the update:
>>>>>
>>>>> # certutil -L -d /etc/httpd/alias
>>>>>
>>>>> Certificate Nickname                                         Trust Attributes
>>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>>
>>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>>>> AddTrustExternalCARoot                                       C,,
>>>>> ipaCert                                                      u,u,u
>>>>> COMODORSAAddTrustCA                                          C,,
>>>>> COMODORSAAddTrustCA                                          C,,
>>>>> IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
>>>>> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
>>>>>
>>>>> Now this works great for the WebGui which uses the right Certificate
>>>>> for the ssl connection but ldaps on port 636 seems to use:
>>>>>
>>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
>>>>>
>>>>> Do you have any clue about this?
>>>>>
>>>>> I'm also curious about what IPA syncs between all hosts, it seems to
>>>>> be only the Intermediate certs and not the install domains
>>>>> certificate, this needs to be installed manually after a local
>>>>> # ipa-certupdate on each node?
>>>>>
>>>>> I hope you can clarify this.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-17 0:15 GMT+01:00 Matt . <[email protected]>:
>>>>>> Hi Flo,
>>>>>>
>>>>>> Sure I can, I will look through the steps closely tomorrow and will
>>>>>> create some lineup here.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>>>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>>>>>> Hi Flo! (if I may call you like that, saves some characters in
>>>>>>>> typing but with this extra line it doesn't anymore :))
>>>>>>>>
>>>>>>>> This works perfectly, thank you very much.
>>>>>>>>
>>>>>>> Hi Matt,
>>>>>>>
>>>>>>> glad I could help. What did you do differently that could explain the
>>>>>>> failure, though? Maybe the cert installation needs some hardening.
>>>>>>>
>>>>>>> Flo.
>>>>>>>
>>>>>>>> No questions further actually :)
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>>>>>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
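The sync behaviour Flo describes above (ipa-certupdate re-adds to /etc/httpd/alias whatever is still below cn=certificates,cn=ipa,cn=etc,$BASEDN) is easy to check before deleting anything from an NSS database. The script below is an added example, not FreeIPA's own code: it parses the `certutil -L` listing posted in the thread and a constructed LDIF dump of the certificates container, then reports which nicknames are LDAP-managed (and will come back after a local delete), which are duplicated locally, and which exist only locally. The base DN dc=ipa,dc=mydomain,dc=tld, the attribute name ipaCertIssuerSerial with an "issuer;serial" value, and the serial numbers in the LDIF are assumptions for the example; in practice you would feed it the real output of `ldapsearch -b cn=certificates,cn=ipa,cn=etc,$BASEDN`.

```python
"""Report what the next ipa-certupdate would do to an NSS database.

Added example (not FreeIPA code). ipa-certupdate copies every entry below
cn=certificates,cn=ipa,cn=etc,$BASEDN into the local NSS databases, so a CA
that is deleted only from /etc/httpd/alias returns on the next run. This
script parses `certutil -L -d <dir>` output and an LDIF dump of the
certificates container and classifies the NSS nicknames accordingly.
"""
import re
from collections import Counter

# Trailing trust column of a `certutil -L` line: "C,,", "CT,C,C", "u,u,u", ...
_TRUST_RE = re.compile(r"^(?P<nick>.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

# NSS listing reproduced from the thread (constructed copy of the posted output).
NSS_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                       C,,
ipaCert                                                      u,u,u
COMODORSAAddTrustCA                                          C,,
COMODORSAAddTrustCA                                          C,,
IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
"""

# Constructed LDIF for the certificates container. The base DN, the
# ipaCertIssuerSerial attribute ("issuer;serial") and the serials are
# assumptions made for this example, not values taken from a real server.
LDAP_LDIF = """\
dn: cn=AddTrustExternalCARoot,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=tld
cn: AddTrustExternalCARoot
ipaCertIssuerSerial: CN=AddTrust External CA Root;1001

dn: cn=COMODORSAAddTrustCA,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=tld
cn: COMODORSAAddTrustCA
ipaCertIssuerSerial: CN=AddTrust External CA Root;1002

dn: cn=CN=COMODO RSA Domain Validation Secure Server CA\\,O=COMODO CA Limited\\,L=Salford\\,ST=Greater Manchester\\,C=GB,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=tld
cn: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
ipaCertIssuerSerial: CN=COMODO RSA Certification Authority;1003

dn: cn=IPA.MYDOMAIN.TLD IPA CA,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=tld
cn: IPA.MYDOMAIN.TLD IPA CA
ipaCertIssuerSerial: CN=Certificate Authority;1004
"""


def parse_certutil_listing(text):
    """Return [(nickname, trust)] from `certutil -L` output, skipping the header lines."""
    certs = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname") or line.endswith("SSL,S/MIME,JAR/XPI"):
            continue
        m = _TRUST_RE.match(line)
        if m:
            certs.append((m.group("nick"), m.group("trust")))
    return certs


def parse_ldif_entries(text):
    """Return a list of {attr: [values]} dicts from a plain (unfolded, un-encoded) LDIF dump."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def reconcile(nss_listing, ldif_text):
    """Classify NSS nicknames against the LDAP certificates container."""
    nss_counts = Counter(nick for nick, _ in parse_certutil_listing(nss_listing))
    ldap = {e["cn"][0]: e.get("ipaCertIssuerSerial", ["?"])[0]
            for e in parse_ldif_entries(ldif_text) if "cn" in e}
    return {
        # Same nickname twice in NSS: compare serials before assuming a problem (Rob's advice).
        "duplicated_in_nss": sorted(n for n, c in nss_counts.items() if c > 1),
        # Present in LDAP: deleting these from NSS alone is undone by the next ipa-certupdate.
        "ldap_managed": sorted(n for n in nss_counts if n in ldap),
        # Present only in NSS (e.g. the server cert): ipa-certupdate does not put them back.
        "local_only": sorted(n for n in nss_counts if n not in ldap),
        # In LDAP but not in NSS yet: ipa-certupdate would add them.
        "missing_from_nss": sorted(n for n in ldap if n not in nss_counts),
    }


def serial_check_commands(report, nssdir="/etc/httpd/alias"):
    """The certutil invocation from the thread, one per duplicated nickname."""
    return [f"certutil -L -d {nssdir} -n '{nick}'" for nick in report["duplicated_in_nss"]]


if __name__ == "__main__":
    report = reconcile(NSS_LISTING, LDAP_LDIF)
    for key, names in report.items():
        print(f"{key}: {names}")
    for cmd in serial_check_commands(report):
        print("check duplicate:", cmd)
```

On the posted listing this flags COMODORSAAddTrustCA as duplicated (to be checked with the `certutil -L -n` command Rob suggested), lists AddTrustExternalCARoot and the other CAs as LDAP-managed, so they return after a purely local delete, and shows ipaCert as the only local-only entry. The script only reports; removing an entry from the LDAP container is a separate step the thread does not spell out.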
