How would I validate that certs are getting added properly on a
CentOS machine system wide store?
I’m going to test it today to find out if this is a problem unique to Ubuntu/CentOS.
On Fedora the chain is put into
/etc/pki/ca-trust/source/anchors/ipa-ca.crt and update-ca-trust is executed.
There is no Debian/Ubuntu equivalent in the upstream source (it's
possible it is done in packaging). You could try something like:
cp /etc/ipa/ca.crt /usr/local/share/ca-certificates/ipa-ca.crt
update-ca-certificates
rob
-Kevin
> On Oct 9, 2019, at 10:44 PM, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
>
> On Wed, Oct 09, 2019 at 08:58:14PM -0500, Kevin Vasko wrote:
>> Seems to happen on both Ubuntu 16.04 and 18.04.
>>
>> $ lsb_release -a
>> No LSB modules are available.
>> Distributor ID: Ubuntu
>> Description: Ubuntu 16.04.6 LTS
>> Release: 16.04
>> Codename: xenial
>>
>> $ firefox --version
>> Mozilla Firefox 67.0.4
>>
>> freeipa-client/xenial,now 4.3.1-0ubuntu1 amd64 [installed]
>> freeipa-common/xenial,xenial,now 4.3.1-0ubuntu1 all [installed,automatic]
>> firefox/now 67.0.4+build1-0ubuntu0.16.04.1 amd64
>>
>>
>>
>> Ubuntu 18.04 machine:
>>
>> $ lsb_release -a
>> No LSB modules are available.
>> Distributor ID: Ubuntu
>> Description: Ubuntu 18.04.3 LTS
>> Release: 18.04
>> Codename: bionic
>>
>> freeipa-client/bionic,now 4.7.0~pre1+git20180411-2ubuntu2 amd64 [installed]
>> freeipa-common/bionic,bionic,now 4.7.0~pre1+git20180411-2ubuntu2 all
>> [installed,automatic]
>> firefox/bionic-updates,bionic-security,now
>> 69.0.2+build1-0ubuntu0.18.04.1 amd64 [installed]
>>
>> Where is the system trust store located? I was going to validate that
>> the freeipa ca.crt is added to the system trust store. If it's not
>> there how do you add the ca.crt to the system trust store?
>>
>> Should the ipa-install-client command add the system wide trust store?
>>
> Thanks for the details. I do not know about system trust on Ubuntu.
> It could be that ipa-client on Ubuntu does add the IPA CA to system
> trust, but the Firefox/Chrome packages ignore the system trust
> store.
>
> Hopefully someone more familiar with Ubuntu can clarify.
>
> Cheers,
> Fraser
>
>> I'll try this on CentOS tomorrow to see if it's just an Ubuntu issue.
>>
>>> On Wed, Oct 9, 2019 at 8:25 PM Fraser Tweedale <ftweedal(a)redhat.com> wrote:
>>>
>>> On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote:
>>>> Hello,
>>>>
>>>> I’m wanting to make our https servers use a trusted certificate within
>>>> our LAN only. So for example if I have
>>>> websrv1.ny.example.com when a user uses a machine
>>>> that’s enrolled into our realm and they visit
>>>> https://websrv1.ny.example.com they
>>>> shouldn’t be prompted to accept the self signed certificate.
>>>>
>>>> I think I’m pretty close but I’m missing a small part.
>>>>
>>>> The ipa server is all setup and working. Hosts are enrolled to ipa and
>>>> have the /etc/ipa/ca.crt.
>>>>
>>>> I have created a service for the http server in IPA. I have obtained a
>>>> .key file and .crt file for my web server. Those keys for the web server are in the
>>>> appropriate location and the web server is pointing at the certs correctly.
>>>>
>>>> On my clients when I go to the web servers URL I am no longer getting a
>>>> “self signed cert” error message in the browser.
>>>>
>>>> That message has now changed to “unverified certificate authority”. Which
>>>> basically indicates to me that the browser doesn’t know if this certificate authority
>>>> should/can be trusted.
>>>>
>>>> If I go in the browser (firefox or chrome) in the certificate authority
>>>> section and import the /etc/ipa/ca.crt I get no errors in the browser about it being
>>>> unverified.
>>>>
>>>> So my question is, what am I missing to make the /etc/ipa/ca.crt file
>>>> globally available for browsers to pick up the certificate automatically?
>>>>
>>>> when we enroll a host we simply do
>>>>
>>>> freeipa-install-client --domain=example.com --realm=EXAMPLE.COM --mkhomedir
>>>>
>>>> Accept the defaults, put in the password to enroll and that’s it. Is
>>>> there something I’m missing?
>>>>
>>>> -Kevin
>>>>
>>> Looks like the browser is not using the system trust store. Please
>>> provide full details of operating system and package versions for
>>> both freeipa and browser packages.
>>>
>>> Cheers,
>>> Fraser
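The thread asks how to verify that the IPA CA actually landed in the system-wide store after update-ca-trust (Fedora/CentOS) or update-ca-certificates (Debian/Ubuntu). The script below is an added example, not FreeIPA project code and not something posted in this thread. It splits a PEM bundle into its certificates and compares SHA-256 fingerprints of the DER form, so a match means the exact CA certificate from /etc/ipa/ca.crt is in the bundle, not merely one with the same subject name. The consolidated bundle paths (/etc/pki/tls/certs/ca-bundle.crt and /etc/ssl/certs/ca-certificates.crt) and the /etc/os-release mapping are assumptions drawn from those tools' conventions rather than from the thread, and the placeholder PEM blocks built by make_placeholder_pem are constructed test data, not real X.509 certificates.

```python
"""Check that the FreeIPA CA certificate is present in the OS trust bundle.

Added example for the FreeIPA-users thread; not FreeIPA project code.
Fingerprints are SHA-256 over the DER certificate, matching what
`openssl x509 -noout -fingerprint -sha256` prints.
"""
import base64
import hashlib
import re
import sys
from pathlib import Path
from typing import List, Optional

# Assumed per-family layout: the thread gives the anchor dir and refresh
# command for Fedora (and the Debian/Ubuntu guess); the consolidated bundle
# paths are the usual outputs of update-ca-trust / update-ca-certificates.
DISTRO_TRUST = {
    "fedora": {
        "bundle": "/etc/pki/tls/certs/ca-bundle.crt",
        "anchor_dir": "/etc/pki/ca-trust/source/anchors",
        "refresh": "update-ca-trust",
    },
    "debian": {
        "bundle": "/etc/ssl/certs/ca-certificates.crt",
        # update-ca-certificates only picks up files ending in .crt here
        "anchor_dir": "/usr/local/share/ca-certificates",
        "refresh": "update-ca-certificates",
    },
}

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_certs(pem_text: str) -> List[bytes]:
    """Split a PEM file or bundle into the DER bytes of each certificate."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ca_in_bundle(ca_pem: str, bundle_pem: str) -> bool:
    """True when every certificate in ca_pem (the CA chain) is in the bundle."""
    ca_fps = {sha256_fingerprint(d) for d in pem_to_der_certs(ca_pem)}
    if not ca_fps:
        raise ValueError("no certificate found in CA file")
    bundle_fps = {sha256_fingerprint(d) for d in pem_to_der_certs(bundle_pem)}
    return ca_fps <= bundle_fps


def distro_family(os_release_text: str) -> Optional[str]:
    """Map the ID / ID_LIKE fields of /etc/os-release to a DISTRO_TRUST key."""
    fields = {}
    for line in os_release_text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    for ident in [fields.get("ID", "")] + fields.get("ID_LIKE", "").split():
        if ident in ("fedora", "rhel", "centos"):
            return "fedora"
        if ident in ("debian", "ubuntu"):
            return "debian"
    return None


def make_placeholder_pem(payload: bytes) -> str:
    """Constructed placeholder PEM block (NOT a real X.509 cert), for tests."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")


def main(argv: List[str]) -> int:
    """Usage: check_ipa_ca.py [CA_FILE] [BUNDLE_FILE]; exit 0 if trusted."""
    ca_path = Path(argv[1]) if len(argv) > 1 else Path("/etc/ipa/ca.crt")
    family = distro_family(Path("/etc/os-release").read_text())
    if family is None and len(argv) < 3:
        print("unrecognised distro; pass the bundle path explicitly", file=sys.stderr)
        return 2
    info = DISTRO_TRUST.get(family, {})
    bundle_path = Path(argv[2]) if len(argv) > 2 else Path(info["bundle"])
    ca_pem = ca_path.read_text()
    for der in pem_to_der_certs(ca_pem):
        print("CA fingerprint:", sha256_fingerprint(der))
    present = ca_in_bundle(ca_pem, bundle_path.read_text())
    print(f"{ca_path} {'IS' if present else 'is NOT'} in {bundle_path}")
    if not present and info:
        print(f"to add it: copy to {info['anchor_dir']} and run {info['refresh']}")
    return 0 if present else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This confirms only the OS bundle, which is what curl, Python and most system services consult; as Fraser points out above, Firefox and Chrome keep their own NSS databases and need to be checked separately, so a clean result here does not by itself explain a browser warning.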
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org