A followup on this:
This isn't "fixed"... But I have worked around the error by disabling CRL
checking in Windows. Here's a link with the workaround I used, and more
specific information on the error I encountered:
On Fri, Mar 18, 2022 at 8:12 PM Tyrell Jentink <tyrell(a)jentink.net> wrote:
Thank you for your assistance!
:/ The suspicion is that my certs are wrong? As opposed to just telling
Windows where to find the CRL? Lame...
OK, let's investigate! I was neither good at obscuring my domain hierarchy,
nor did it end up mattering if I have to share my certs, so let's give up
on that.
At my network edge, my firewall is redirecting all outbound DNS traffic to
a DNS Forwarder at my edge network. I'm also pointing dc.rxrhouse.net to
that edge DNS Forwarder directly. That edge DNS Forwarder is blocking
lookups to rxrhouse.net, that way none of the lookups leak to public
resolvers and never get my public DNS records. I do own the domain. It's
just that IPA whined when it could find my public records without NS
delegations. I have no intention of any of this being on the public
internet...
I have an IPA server at dc.rxrhouse.net, serving rxrhouse.net's DNS
internally, serving DNS at that tier of the hierarchy, delegating
lin.rxrhouse.net and win.rxrhouse.net as NS records and A records to
pdc.win.rxrhouse.net and pdc.lin.rxrhouse.net.
dc.rxrhouse.net is the Root CA; dc.rxrhouse.net's root certificate
(Certificate #1 in IPA's Certificate Manager) is attached as
dc_rxrhouse_net-root.crt.
On dc.rxrhouse.net, I created a SubCA profile. I got its config from here:
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi...
I also added win.rxrhouse.net and lin.rxrhouse.net as Host Principals,
and as noted below, added ADCS' default CN as a Host Alias to
win.rxrhouse.net's Host Principal.
Under that, I have a pdc.lin.rxrhouse.net... I installed that as a
Subordinate CA, and signed its CSR with dc.rxrhouse.net, and installed
that cert back to pdc.lin.rxrhouse.net, and it seems to work fine... I
mean, it's running, it isn't giving any errors... I don't know how it is
relevant, but that cert is attached as pdc_lin_rxrhouse_net-root.crt
pdc.win.rxrhouse is a Windows Server (With GUI Features) 2022 Active
Directory Domain Services server. It has my users and Windows hosts
associated with it; Once certs are working, pdc.win.rxrhouse will be
Interforest Trusted with pdc.lin.rxrhouse.net, so Linux hosts have
Windows users. pdc.win.rxrhouse.net seems to work, doesn't give me any
grief, but it doesn't have a cert, cuz it gets its cert from ADCS...
stb.win.rxrhouse.net is where I'm having my problems... It is simply a
Windows Server Core 2022 Active Directory Certificate Services server, and
I domain joined it, and made the Enterprise Administrator a local
Administrator. I installed ADCS by adding the Role, I did the post
installation wizard selecting Enterprise, Subordinate CA. I've been through
this a bunch of times, and could not get Windows to accept
"win.rxrhouse.net" as the CN as I had used lin.rxrhouse.net on
pdc.lin.rxrhouse.net... By "Not accept," I mean that Windows WOULD accept
it, finish the install, but then when I came back with a signed cert, it
would give nondescript errors about "The specified file could not be
found." SO, ultimately, I accepted its default CN, added that default to
dc.rxrhouse.net as a Host Alias so that it would sign the CSR, installed
the cert back to Windows, Windows prompted for the root certificate, I
provided the one mentioned and attached above, which Windows accepted, but
with the warning that the CRL couldn't be found for verification. The
certificate server process didn't run, and when I tried running it
manually, I got the same warning about not being able to find / verify the
CRL. The Windows errors have really proven to be nondescript :/ Google
hasn't been a ton of help... Anyway, THAT cert is attached as
stb_win_rxrhouse_net-root.crt
Of course, there are more certs in the chain... Should I have given
Windows more of them? Should I not have jumped straight to #1, the root?
Should I have perhaps given the CA Agent cert first? Is there perhaps a
single cert file that has the entire chain in it?
If the error is honest, I just need to tell Windows the location of the
CRL... Windows doesn't have a "CRL Distribution Point (CDP)" configured...
But even I have my own doubts that it's a relevant data point.
On Sun, Mar 13, 2022, 23:44 Fraser Tweedale <ftweedal(a)redhat.com> wrote:
> On Fri, Mar 11, 2022 at 09:59:48PM -0800, Tyrell Jentink via
> FreeIPA-users wrote:
> > I am primarily a Linux admin, and this might be a Windows problem... In
> > fact, this might not even be the right forum for me to be asking this
> > question, but I don't know which Windows forum would give me the time of
> > day, so I'm here... I might also try some Windows Reddit groups... :p The
> > following domain names are obscured to protect the wicked; I know not to
> > use fake domains ;)
> >
> > I have an IPA server called dc.domain.local, an ActiveDirectory Directory
> > Server called pdc.win.domain.local, and an ActiveDirectory Certificate
> > Server called pki.win.domain.local. I am trying to configure the ADDS as a
> > subdomain of the IPA domain. I am using A and NS Records to delegate the
> > subdomain name. I am NOT attempting to create an interforest trust between
> > these two domains at this time (Although, as an aside, there will
> > eventually be another IPA server at pdc.lin.rxrhouse.net for subdomain
> > lin.domain.local, and THAT one will have an interforest trust with
> > win.rxrhouse.net; If IPA-IPA Trusts ever become a "thing", the top domain
> > will get trusts to both subdomains, but for now, pki.win.domain.local only
> > needs to 1) have a signed subordinate certificate from dc.domain.local, and
> > 2) run). As I have been able to get it, ADCS seems to be installed with a
> > signed cert, but it won't run.
> >
> > I installed ADCS as an Enterprise Subordinate CA; Based on
> > https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html, I
> > added win.domain.local as a host principal on IPA. I used that principal to
> > sign the CSR, which worked fine. I installed that certificate back to AD.
> > AD prompted for the Root Certificate, which I provided, and AD warned that
> > it couldn't verify the chain of trust because it couldn't contact a CRL.
> >
> Hi Tyrell,
>
> The blog post you linked is about the opposite thing you said you
> are trying to do. That post is about installing FreeIPA CA as a
> subordinate of an AD-CS CA. But you are talking about the opposite
> thing - AD-CS as a subordinate of IPA.
>
> I'd suggest to share the certificate itself, so we can inspect them
> and try to identify the problem. And sharing the exact steps on the
> IPA side that you used to create the certificate profile, create the
> CSR, and issue the certificate.
>
> Thanks,
> Fraser
>
> > But now ADCS won't start... Every time I try to start it, it complains,
> > again, that it can't reach a CRL.
> >
> > In Windows Server Manager, in Certificate Authority manager (CertSrv),
> > right click on the CA tree, under Properties... I see that all of the CRL
> > Distribution Points (CDPs) and AIAs are their default, non-configured
> > forms... It's my crude guess that I need to be pointing those values to
> > IPA? The example is of the form
> > http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl,
> > if that hint prompts anyone's thinking...
> >
> > Even if you have a suggestion of another forum to ask this on, I'm all
> > ears. Thank you for your assistance!
> >
> > --
> > Tyrell Jentink
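The check that AD CS is failing on its own certificate, reproduced with OpenSSL as an added example (not from this thread, FreeIPA or AD CS): it issues a throwaway subordinate CA certificate that carries a CRL Distribution Point, reads that CDP back out of the certificate, then runs a chain verification once with the root's CRL available and once without it. It assumes `openssl` on PATH; every name, file and the CDP URL are constructed placeholders.

```shell
#!/bin/sh
# Added example: throwaway root CA -> sub CA with a CDP, then verify with and
# without the root's CRL. Names and the CDP URL are constructed placeholders.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Root CA (stands in for the IPA root CA in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Constructed Root CA" -keyout root.key -out root.pem 2>/dev/null

# Subordinate CA request (stands in for the AD CS subordinate CA's CSR).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Constructed Sub CA" -keyout sub.key -out sub.csr 2>/dev/null

# Extensions stamped into the issued cert: CA:TRUE plus the CDP URI that a
# verifier (AD CS at startup, openssl -crl_check here) will try to fetch.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'crlDistributionPoints=URI:http://pki.example.test/root.crl' > sub.ext
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -sha256 -extfile sub.ext -out sub.pem 2>/dev/null

# Minimal 'openssl ca' config so the root can publish an (empty) CRL.
printf '%s\n' '[ca]' 'default_ca=root' '[root]' 'database=index.txt' \
  'new_certs_dir=.' 'serial=serial.txt' 'default_md=sha256' \
  'default_crl_days=1' > ca.cnf
touch index.txt
openssl ca -config ca.cnf -gencrl -keyfile root.key -cert root.pem \
  -crldays 1 -md sha256 -out root.crl 2>/dev/null

# 1. Where the sub CA cert says its CRL lives (first URI in the CDP extension).
cdp_uri() { openssl x509 -in sub.pem -noout -text | grep -o 'URI:[^ ]*' | head -n 1; }

# 2. Chain + revocation check with the CRL on hand: the state a sub CA needs.
verify_with_crl() {
  openssl verify -crl_check -CAfile root.pem -CRLfile root.crl sub.pem >/dev/null 2>&1
}

# 3. Same check with no CRL reachable: fails with "unable to get certificate CRL",
#    which is the condition described in the thread.
verify_without_crl() { openssl verify -crl_check -CAfile root.pem sub.pem >/dev/null 2>&1; }

echo "CDP: $(cdp_uri)"
verify_with_crl && echo "with CRL: OK"
verify_without_crl || echo "without CRL: verification fails"
```

Run against the real issued certificate, the same `openssl x509 -noout -text` call shows whether the cert carries a CDP at all and which URL it names, which is the first thing to compare against what the Windows host can actually resolve and fetch.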