On 12/01/2017 10:22 AM, Andrew Radygin via FreeIPA-users wrote:
> Wow, Flo!!! You were right, there was such a cert with another key. Done it
> this way:
>
> ldapdelete "cn=Comodo3,cn=certificates,cn=ipa,cn=etc,dc=domain,dc=net"
> /usr/bin/certutil -d /etc/ipa/nssdb -D -n Comodo3
> /usr/bin/certutil -d /etc/httpd/alias/ -D -n Comodo3
> ipa-cacert-manage install comodo_inter2.crt
> ipa-server-certinstall -w comodo_base.crt comodo.key comodo_ca.crt
> systemctl restart httpd
>
> Thank you, really-really thank you! :)

Well, thank you for providing confirmation that you managed to fix the issue.
It's always nice to be able to close a thread on a positive outcome!

Flo

> 2017-12-01 11:40 GMT+03:00 Florence Blanc-Renaud <flo@redhat.com>:
>> On 12/01/2017 09:29 AM, Andrew Radygin via FreeIPA-users wrote:
>>> Does anybody have any clue about what I have to do with it? Florence?
>>> Should I delete the self-signed SSL from ipa-server CA completely? As I
>>> understood, there is some conflict between the new CA and the old one,
>>> am I right?
>>
>> Hi,
>>
>> can you check if there are other certificates with the same subject name
>> "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA
>> Domain Validation Secure Server CA" in the ldap tree (below
>> cn=certificates,cn=ipa,cn=etc,$BASEDN), or in /etc/httpd/alias?
>> The error seems to indicate that there is already a cert with this name
>> but that is using a different key. If it is the case, you can remove it
>> with ldapdelete then certutil -D and retry to run ipa-cacert-manage
>> install.
>>
>> Flo
>>
>>> 2017-11-30 14:33 GMT+03:00 Andrew Radygin via FreeIPA-users
>>> <freeipa-users@lists.fedorahosted.org>:
>>>>> On 11/30/2017 10:30 AM, Andrew Radygin via FreeIPA-users wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> no need to start over with a different nickname if the certificates
>>>>> are already in LDAP. "ipa-cacert-manage install" adds them in the LDAP
>>>>> server below cn=certificates,cn=ipa,cn=etc,$BASEDN, so I would start
>>>>> by checking if they are all present there:
>>>>> ldapsearch -h localhost -p 389 -D cn=directory\ manager -W -b
>>>>> cn=certificates,cn=ipa,cn=etc,$BASEDN
>>>>> (replace BASEDN with your deployment's basedn that can be found in
>>>>> /etc/ipa/default.conf)
>>>>>
>>>>> The entries will also contain an attribute ipakeytrust (either
>>>>> trusted or distrusted). Please check that they are all trusted.
>>>>
>>>> All CAs in the ldap directory have 'ipaKeyTrust: trusted'.
>>>>
>>>>> That is expected as ipa-certupdate retrieves the certs from LDAP and
>>>>> installs them in the /etc/httpd/alias NSS database.
>>>>>
>>>>> You can supply multiple files to ipa-server-certinstall, containing
>>>>> the cert, the key, and the cert chain. For instance
>>>>> ipa-server-certinstall -w server.cert server.key cachain.cert
>>>>> where server.cert contains only the cert, server.key only the key, and
>>>>> cachain.cert contains the root, inter1 and inter2 certs.
>>>>
>>>> Got it! Wow, I found what I missed. One of the certs from the chain
>>>> isn't adding, with the following error:
>>>>
>>>> # ipa-cacert-manage -p 2xHKp17zQpdG -n Comodointer2 -t C,, install comodo_inter2.crt
>>>> Installing CA certificate, please wait
>>>> Failed to install the certificate: subject public key info mismatch
>>>> The ipa-cacert-manage command failed.
>>>>
>>>> Probably this is the root cause of the problem, but it's not clear to
>>>> me how to resolve it. From https://www.freeipa.org/page/Troubleshooting
>>>> I found a description of the error:
>>>>
>>>> Subject public key info mismatch
>>>> The new CA certificate issued by the external CA uses a different
>>>> public / private key pair than the old CA certificate.
>>>>
>>>> But nothing about how to fix it...
>>>>
>>>>> Flo
>>>>
>>>> --
>>>> Best regards, Andrew.
>
> --
> Best regards, Andrew.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
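As an added example, not from the thread or from FreeIPA itself: a pre-flight check for the condition Flo describes, an already-installed certificate with the same subject name as the new one but bound to a different key, which is what "subject public key info mismatch" points at. It assumes the `cryptography` package and PEM input of the kind `certutil -d /etc/httpd/alias -L -a -n NICK` exports (that command usage is my assumption), and it constructs its own self-signed certificates as sample data.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def spki_fingerprint(cert):
    """SHA-256 over the DER SubjectPublicKeyInfo: the key the cert is bound to."""
    der = cert.public_key().public_bytes(serialization.Encoding.DER,
                                         serialization.PublicFormat.SubjectPublicKeyInfo)
    digest = hashes.Hash(hashes.SHA256())
    digest.update(der)
    return digest.finalize().hex()

def find_conflicts(new_pem, installed):
    """Nicknames in `installed` (nickname -> PEM bytes) whose subject equals the
    new cert's subject but whose key differs. Same subject + same key is just a
    reinstall of the same cert and is not reported."""
    new = x509.load_pem_x509_certificate(new_pem)
    new_fp = spki_fingerprint(new)
    conflicts = []
    for nick, pem in installed.items():
        old = x509.load_pem_x509_certificate(pem)
        if old.subject == new.subject and spki_fingerprint(old) != new_fp:
            conflicts.append(nick)
    return conflicts

def make_cert(key, common_name):
    """Constructed self-signed test cert (stand-in for an exported CA cert)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2017, 11, 30)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)

def demo():
    """Constructed scenario mirroring the thread: a stale 'Comodo3' entry bound
    to one key while the intermediate being installed uses another key."""
    old_key = ec.generate_private_key(ec.SECP256R1())
    new_key = ec.generate_private_key(ec.SECP256R1())
    subject = "COMODO RSA Domain Validation Secure Server CA"
    installed = {"Comodo3": make_cert(old_key, subject),
                 "Comodo1": make_cert(old_key, "Constructed Root CA")}
    new_pem = make_cert(new_key, subject)
    return {"stale_entry": find_conflicts(new_pem, installed),
            "same_key_reinstall": find_conflicts(new_pem, {"Comodointer2": new_pem})}
```

Any nickname reported by `find_conflicts` is the entry to remove (ldapdelete plus certutil -D, as in the thread) before retrying `ipa-cacert-manage install`.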