Thank you for your assistance!

:/ The suspicion is that my certs are wrong? As opposed to just telling
Windows where to find the CRL? Lame...

OK, let's investigate! I was neither good at obscuring my domain hierarchy,
nor did it end up mattering if I have to share my certs, so let's give up
on that.

At my network edge, my firewall is redirecting all outbound DNS traffic to
a DNS Forwarder at my edge network. I'm also pointing dc.rxrhouse.net to
that edge DNS Forwarder directly. That edge DNS Forwarder is blocking
lookups to rxrhouse.net, that way none of the lookups leak to public
resolvers and never get my public DNS records. I do own the domain. It's
just that IPA whined when it could find my public records without NS
delegations. I have no intention of any of this being on the public
internet...

I have an IPA server at dc.rxrhouse.net, serving rxrhouse.net's DNS
internally, serving DNS at that tier of the hierarchy, delegating
lin.rxrhouse.net and win.rxrhouse.net as NS records and A records to
pdc.win.rxrhouse.net and pdc.lin.rxrhouse.net.

dc.rxrhouse.net is the Root CA. dc.rxrhouse.net's root certificate
(Certificate #1 in IPA's Certificate Manager) is attached as
dc_rxrhouse_net-root.crt.

On dc.rxrhouse.net, I created a SubCA profile. I got its config from here:
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi...

I also added win.rxrhouse.net and lin.rxrhouse.net as Host Principals, and,
as noted below, added ADCS' default CN as a Host Alias to win.rxrhouse.net's
Host Principal.

Under that, I have a pdc.lin.rxrhouse.net... I installed that as a
Subordinate CA, signed its CSR with dc.rxrhouse.net, and installed that
cert back to pdc.lin.rxrhouse.net, and it seems to work fine... I mean,
it's running, it isn't giving any errors... I don't know how it is
relevant, but that cert is attached as pdc_lin_rxrhouse_net-root.crt

pdc.win.rxrhouse.net is a Windows Server (With GUI Features) 2022 Active
Directory Domain Services server. It has my users and Windows hosts
associated with it; once certs are working, pdc.win.rxrhouse.net will be
Interforest Trusted with pdc.lin.rxrhouse.net, so Linux hosts have Windows
users.

pdc.win.rxrhouse.net seems to work, doesn't give me any grief, but it
doesn't have a cert, because it gets its cert from ADCS...

stb.win.rxrhouse.net is where I'm having my problems... It is simply a
Windows Server Core 2022 Active Directory Certificate Services server. I
domain joined it, and made the Enterprise Administrator a local
Administrator. I installed ADCS by adding the Role, and I did the post
installation wizard selecting Enterprise, Subordinate CA. I've been through
this a bunch of times, and could not get Windows to accept "win.rxrhouse.net"
as the CN as I had used lin.rxrhouse.net on pdc.lin.rxrhouse.net... By "not
accept," I mean that Windows WOULD accept it, finish the install, but then
when I came back with a signed cert, it would give nondescript errors about
"The specified file could not be found." SO, ultimately, I accepted its
default CN, added that default to dc.rxrhouse.net as a Host Alias so that
it would sign the CSR, installed the cert back to Windows, Windows prompted
for the root certificate, I provided the one mentioned and attached above,
which Windows accepted, but with the warning that the CRL couldn't be found
for verification. The certificate server process didn't run, and when I
tried running it manually, I got the same warning about not being able to
find / verify the CRL. The Windows errors have really proven to be
nondescript :/ Google hasn't been a ton of help... Anyway, THAT cert is
attached as stb_win_rxrhouse_net-root.crt

Of course, there are more certs in the chain... Should I have given Windows
more of them? Should I not have jumped straight to #1, the root? Should I
have perhaps given the CA Agent cert first? Is there perhaps a single cert
file that has the entire chain in it?

If the error is honest, I just need to tell Windows the location of the
CRL... Windows doesn't have a "CRL Distribution Point (CDP)" configured...
But even I have my own doubts that it's a relevant data point.
On Sun, Mar 13, 2022, 23:44 Fraser Tweedale <ftweedal(a)redhat.com> wrote:
On Fri, Mar 11, 2022 at 09:59:48PM -0800, Tyrell Jentink via FreeIPA-users
wrote:
> I am primarily a Linux admin, and this might be a Windows problem... In
> fact, this might not even be the right forum for me to be asking this
> question, but I don't know which Windows forum would give me the time of
> day, so I'm here... I might also try some Windows Reddit groups... :p The
> following domain names are obscured to protect the wicked; I know not to
> use fake domains ;)
>
> I have an IPA server called dc.domain.local, an ActiveDirectory Directory
> Server called pdc.win.domain.local, and an ActiveDirectory Certificate
> Server called pki.win.domain.local. I am trying to configure the ADDS as a
> subdomain of the IPA domain. I am using A and NS Records to delegate the
> subdomain name. I am NOT attempting to create an interforest trust between
> these two domains at this time (Although, as an aside, there will
> eventually be another IPA server at pdc.lin.rxrhouse.net for subdomain
> lin.domain.local, and THAT one will have an interforest trust with
> win.rxrhouse.net; if IPA-IPA Trusts ever become a "thing", the top domain
> will get trusts to both subdomains, but for now, pki.win.domain.local only
> needs to 1) have a signed subordinate certificate from dc.domain.local, and
> 2) run). As I have been able to get it, ADCS seems to be installed with a
> signed cert, but it won't run.
>
> I installed ADCS as an Enterprise Subordinate CA; Based on
> https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html, I
> added win.domain.local as a host principal on IPA. I used that principal to
> sign the CSR, which worked fine. I installed that certificate back to AD.
> AD prompted for the Root Certificate, which I provided, and AD warned that
> it couldn't verify the chain of trust because it couldn't contact a CRL.
>
>
Hi Tyrell,
The blog post you linked is about the opposite of what you said you
are trying to do. That post is about installing the FreeIPA CA as a
subordinate of an AD-CS CA. But you are talking about the opposite
thing - AD-CS as a subordinate of IPA.
I'd suggest sharing the certificates themselves, so we can inspect them
and try to identify the problem. And sharing the exact steps on the
IPA side that you used to create the certificate profile, create the
CSR, and issue the certificate.
Thanks,
Fraser
> But now ADCS won't start... Every time I try to start it, it complains,
> again, that it can't reach a CRL.
>
> In Windows Server Manager, in Certificate Authority manager (CertSrv),
> right click on the CA tree, under Properties... I see that all of the CRL
> Distribution Points (CDPs) and AIAs are their default, non-configured
> forms... It's my crude guess that I need to be pointing those values to
> IPA? The example is of the form
> http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl,
> if that hint prompts anyone's thinking...
>
> Even if you have a suggestion of another forum to ask this on, I'm all
> ears. Thank you for your assistance!
>
> --
> Tyrell Jentink
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
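The chain-verification and CRL-handling checks a practitioner would run on the AD CS host for the failure described in this thread, as an added PowerShell example that is not part of the thread and not from any of its participants. It assumes the two attached certificate files have been copied to C:\pki\ on stb.win.rxrhouse.net and that the ADCSAdministration module is present (it ships with the AD CS role); the http:// hostname used in step 4 is a placeholder. Two things are worth keeping apart: the CDP/AIA entries shown in the CA's Properties dialog (the template quoted in the original post) only control what this CA writes into certificates it issues, while the place Windows looks for the CRL of the IPA-issued CA certificate itself is taken from the CRL Distribution Points extension inside that certificate, which is what step 1 displays. Step 3 is the documented CRLFlags workaround for a CA that will not start because the revocation server for its own certificate is unreachable; it does not make the chain verifiable, it only stops CertSvc from refusing to run.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# AD CS host (stb.win.rxrhouse.net). File paths and the http:// hostname in
# step 4 are assumptions.

$subCaCert = 'C:\pki\stb_win_rxrhouse_net-root.crt'   # IPA-signed sub-CA cert
$rootCert  = 'C:\pki\dc_rxrhouse_net-root.crt'        # IPA root CA cert

# 1. Chain and revocation check with URL fetching. The output lists every
#    CDP and AIA URL found in each certificate's extensions and whether it
#    could be retrieved. If the sub-CA certificate carries no CRL
#    Distribution Points extension at all, Windows has nowhere to look for
#    the IPA root's CRL, which matches the warning described in the thread.
certutil -verify -urlfetch $subCaCert

# 2. Confirm the IPA root is in the machine's Trusted Root store (the
#    install wizard offered to add it; this makes sure it is really there).
certutil -addstore -f Root $rootCert
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*rxrhouse*' } |
    Format-List Subject, Thumbprint, NotAfter

# 3. Workaround: let CertSvc start even though the revocation server for
#    its own certificate cannot be reached. This is a policy relaxation on
#    the CA, not a fix for a missing or unreachable CDP. Remove the flag
#    again (-CRLF_REVCHECK_IGNORE_OFFLINE) once the IPA-issued certificate
#    carries a CDP this host can fetch.
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
Restart-Service CertSvc
certutil -getreg ca\CRLFlags
Get-Service CertSvc | Format-List Name, Status

# 4. CDP and AIA this CA writes into the certificates IT issues (the
#    Properties dialog values quoted in the original post). The ldap:///
#    defaults serve AD members; add an http:// URL for non-domain clients
#    such as the Linux hosts. Hostname is a placeholder.
Import-Module ADCSAdministration
Add-CACrlDistributionPoint -Uri 'http://pki.win.rxrhouse.net/CertEnroll/%3%8%9.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri 'http://pki.win.rxrhouse.net/CertEnroll/%1_%3%4.crt' `
    -AddToCertificateAia -Force
Get-CACrlDistributionPoint | Format-Table Uri, AddToCertificateCdp
Restart-Service CertSvc

# 5. Publish the IPA root into AD so every domain member trusts the chain
#    above the new Enterprise CA. Needs Enterprise Admin rights.
certutil -dspublish -f $rootCert RootCA
```

Read the step 1 output before changing anything: a line of the form "Revocation check skipped -- server offline" or an ERROR against the sub-CA certificate with no CDP URL printed above it means the IPA-side SubCA profile issued the certificate without a CRL Distribution Points extension, and the durable fix is on the IPA side (add a CDP pointing at the IPA CRL to the profile and reissue), with step 3 only buying time until that is done.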