Hi Team,
I have generated central.csr and central.key on my IPA server and shared central.csr with a third-party certificate authority. I got certificates back from the certificate authority in two directories: one named Apache, whose certificates are 1f1f7ab616938168.crt, 1f1f7ab616938168.pem and gd_bundle-g2-g1.crt, and another named Tomcat, whose certificates are 1f1f7ab616938168.crt, 1f1f7ab616938168.pem, gd_bundle-g2-g1.crt and gdig2.crt.pem. Now I want to install these certificates on my IPA server; can you please guide me on the same? I tried this, but I am getting the error below. Can you please share the steps to install these SSL certificates?
[root@ Apache]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228

ipa-server-certinstall --http --dirsrv ssl.key ssl.crt

[root@Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt
Directory Manager password:
Enter private key unlock password:
No matching certificate found for private key from central.key
Regards Sai
________________________________
DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.
Polavarapu Manideep Sai via FreeIPA-users wrote:
The process you describe is a little hard to follow. You submitted a single CSR and got two certificates back? What does "tomcat name" mean? Is it using a different key? Do you intend on replacing the server certificate for the CA as well? If so, why?
You didn't include the server certificate file you got, ex. 1f1f7ab616938168.pem
rob
Hi Rob,
Thanks for the reply. Here are the errors upon including the .pem; please let us know if more details are required on this.
[root@ Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt 1f1f7ab616938168.pem
Directory Manager password:
Enter private key unlock password:
Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.

=============================================================================
Tried to run ipa-cacert-manage install

[root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
Installing CA certificate, please wait
Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

====================================================

[root@ Apache]# certutil -L -d /etc/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu

[root@ Apache]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPA.EXAMPLE.COM IPA CA                                       CT,C,C

[root@ Apache]# certutil -L -d /etc/dirsrv/slapd-IPA-ONMOBILE-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPA.EXAMPLE.COM IPA CA                                       CT,C,C
===========================================================
Regards Sai
-----Original Message-----
From: Rob Crittenden rcritten@redhat.com
Sent: 06 July 2023 20:55
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Polavarapu Manideep Sai manideep.sai@onmobile.com
Subject: Re: [Freeipa-users] Help-Installing Third-Party Certificates for HTTP or LDAP
Here are the answers to the questions asked:
1. You submitted a single CSR and got two certificates back? Yes, I shared a single CSR and got two certificates back.
2. What does "tomcat name" mean? Is it using a different key?
Here are the certificate details. I received these two zip files:
1. ipa.example.com_Apache.zip
2. ipa.example.com_TOMCAT.zip

[root@ Certificates]# tree .
.
├── Apache
│   ├── 1f1f7ab616938168.crt
│   ├── 1f1f7ab616938168.pem
│   └── gd_bundle-g2-g1.crt
└── Tomcat
    ├── 1f1f7ab616938168.crt
    ├── 1f1f7ab616938168.pem
    ├── gd_bundle-g2-g1.crt
    └── gdig2.crt.pem

3. Do you intend on replacing the server certificate for the CA as well? If so, why?
NO
Regards Sai
-----Original Message-----
From: Polavarapu Manideep Sai via FreeIPA-users freeipa-users@lists.fedorahosted.org
Sent: 06 July 2023 22:28
To: Rob Crittenden rcritten@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Polavarapu Manideep Sai manideep.sai@onmobile.com
Subject: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
Polavarapu Manideep Sai wrote:
You have to first install the CA chain using ipa-cacert-manage install /path/to/file.
Then run ipa-certupdate ON ALL OF YOUR IPA SERVERS AND CLIENTS.
Apologies for shouting but if you fail to do this step then any non-updated machines may not trust the new IPA Apache cert and that would be bad.
Assuming the chain they provided is complete that should resolve the ipa-server-certinstall issue.
rob
Hi Rob,
As mentioned in my previous response, here is the error upon executing ipa-cacert-manage install. Please let me know if any other details are required on this.
[root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.crt
Installing CA certificate, please wait
Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

[root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
Installing CA certificate, please wait
Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

[root@ Apache]# ipa-cacert-manage install gd_bundle-g2-g1.crt
Installing CA certificate, please wait
(SEC_ERROR_NO_TOKEN) The security card or token does not exist, needs to be initialized, or has been removed.
The ipa-cacert-manage command failed.
Regards ManidepSai
-----Original Message-----
From: Rob Crittenden rcritten@redhat.com
Sent: 07 July 2023 00:16
To: Polavarapu Manideep Sai manideep.sai@onmobile.com; FreeIPA users list freeipa-users@lists.fedorahosted.org
Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
Hi,
On Fri, Jul 7, 2023 at 7:00 AM Polavarapu Manideep Sai via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi Rob,
As mentioned in my previous response, here is the error upon executing ipa-cacert-manage install. Please let me know if any other details are required on this.
[root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.crt
Installing CA certificate, please wait
Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
When you received the certs from the external CA authority, you received multiple files. I'm guessing that 1f1f7ab616938168.crt contains your server certificate and that's the file you will provide to the ipa-server-certinstall command.
There is another file, gd_bundle-g2-g1.crt, which probably contains the external CA chain. This is the file you need to provide to ipa-cacert-manage install tool. Please don't forget to specify the trust flags for this command:
ipa-cacert-manage install -t CT,C,C <CA cert>
Also note, if the crt file contains multiple certificates, you will have to separate them and install them one by one with ipa-cacert-manage.
Hope this helps, flo
[root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
Installing CA certificate, please wait
Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
[root@ Apache]# ipa-cacert-manage install gd_bundle-g2-g1.crt
Installing CA certificate, please wait
(SEC_ERROR_NO_TOKEN) The security card or token does not exist, needs to be initialized, or has been removed.
The ipa-cacert-manage command failed.
Regards ManidepSai
-----Original Message----- From: Rob Crittenden rcritten@redhat.com Sent: 07 July 2023 00:16 To: Polavarapu Manideep Sai manideep.sai@onmobile.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
Polavarapu Manideep Sai wrote:
Here are the answers for the questions asked:
1. You submitted a single CSR and got two certificates back?
Yes, I have shared a single CSR and got two certificates back.
2. What does "tomcat name" mean? Is it using a different key?
Here are the certificate details:
Received these two zip files:
1. ipa.example.com_Apache.zip
2. ipa.example.com_TOMCAT.zip
[root@ Certificates]# tree
.
├── Apache
│   ├── 1f1f7ab616938168.crt
│   ├── 1f1f7ab616938168.pem
│   └── gd_bundle-g2-g1.crt
└── Tomcat
    ├── 1f1f7ab616938168.crt
    ├── 1f1f7ab616938168.pem
    ├── gd_bundle-g2-g1.crt
    └── gdig2.crt.pem
3. Do you intend on replacing the server certificate for the CA as well? If so, why?
You have to first install the CA chain using ipa-cacert-manage install /path/to/file.
Then run ipa-certupdate ON ALL OF YOUR IPA SERVERS AND CLIENTS.
Apologies for shouting but if you fail to do this step then any non-updated machines may not trust the new IPA Apache cert and that would be bad.
Assuming the chain they provided is complete that should resolve the ipa-server-certinstall issue.
rob
NO
Regards Sai
-----Original Message----- From: Polavarapu Manideep Sai via FreeIPA-users freeipa-users@lists.fedorahosted.org Sent: 06 July 2023 22:28 To: Rob Crittenden rcritten@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Polavarapu Manideep Sai manideep.sai@onmobile.com Subject: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
Hi Rob,
Thanks for the reply. Here are the errors upon including the .pem; please let us know if more details are required on this.
[root@ Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt 1f1f7ab616938168.pem
Directory Manager password:
Enter private key unlock password:
Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.
=============================================================================
Tried to run ipa-cacert-manage install
[root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
Installing CA certificate, please wait
Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
[root@ Apache]#
====================================================
[root@ Apache]# certutil -L -d /etc/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[root@ Apache]#

[root@ Apache]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPA.EXAMPLE.COM IPA CA                                       CT,C,C
[root@ Apache]#

[root@ Apache]# certutil -L -d /etc/dirsrv/slapd-IPA-ONMOBILE-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPA.EXAMPLE.COM IPA CA                                       CT,C,C
[root@ Apache]#
===========================================================
Regards Sai
-----Original Message----- From: Rob Crittenden rcritten@redhat.com Sent: 06 July 2023 20:55 To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Polavarapu Manideep Sai manideep.sai@onmobile.com Subject: Re: [Freeipa-users] Help-Installing Third-Party Certificates for HTTP or LDAP
Polavarapu Manideep Sai via FreeIPA-users wrote:
Hi Team,
I have generated central.csr and central.key in my IPA server and shared this central.csr with a third-party certificate authority, and I got certificates from the certificate authority in two directories: one is an Apache directory and its certificates are 1f1f7ab616938168.crt, 1f1f7ab616938168.pem and gd_bundle-g2-g1.crt, and another directory with the Tomcat name and its certificates are 1f1f7ab616938168.crt, 1f1f7ab616938168.pem, gd_bundle-g2-g1.crt and gdig2.crt.pem. Now I want to install these certificates in my IPA server; can you please guide on the same?
The process you describe is a little hard to follow. You submitted a single CSR and got two certificates back? What does "tomcat name" mean? Is it using a different key? Do you intend on replacing the server certificate for the CA as well? If so, why?
I tried this, but I am getting the below error; can you please share the steps to install these SSL certificates?
[root@ Apache]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
[root@Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt
Directory Manager password:
Enter private key unlock password:
No matching certificate found for private key from central.key
You didn't include the server certificate file you got, ex. 1f1f7ab616938168.pem
rob
Hi Florence,
As per your suggestion, I have done the same.
This gd_bundle-g2-g1.crt file has multiple certificates, i.e. 3 certificates [1st.crt, 2nd.crt and 3rd.crt]; installed using the below commands and also executed:
ipa-cacert-manage install -t CT,C,C 1st.crt [it failed]
ipa-cacert-manage install -t CT,C,C 2nd.crt [it was successful]
ipa-cacert-manage install -t CT,C,C 3rd.crt [it was successful]
ipa-cacert-manage -p XXXX Server-Cert -t C,, install /home/omadmin/Certificates/Apache/gd_bundle-g2-g1.crt [it was successful]
I executed this, and the certificates got installed into the /etc/httpd/alias/, /etc/dirsrv/slapd-IPA-DOMAIN-COM and /etc/pki/pki-tomcat/alias/ databases as shown below.
Can you see the error during ipa-certupdate? The /usr/bin/certutil commands returned non-zero codes.
[root@central ~]# ipa-cacert-manage -p XXXX Server-Cert -t C,, install /home/omadmin/Certificates/Apache/gd_bundle-g2-g1.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@central ~]#

[root@central ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US   CT,C,C
Server-Cert                                                  u,u,u
IPA.DOMAIN.COM IPA CA                                        CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,C,C
[root@central ~]#

[root@central ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US   CT,C,C
IPA.DOMAIN.COM IPA CA                                        CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,C,C
[root@central ~]#

[root@central ~]# ipa-certupdate
trying https://central.ipa.DOMAIN.com/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://central.ipa.DOMAIN.com/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://central.ipa.DOMAIN.com/ipa/json'
failed to update Server-Cert in /etc/dirsrv/slapd-IPA-DOMAIN-COM: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-DOMAIN-COM -A -n Server-Cert -t C,, -f /etc/dirsrv/slapd-IPA-DOMAIN-COM/pwdfile.txt' returned non-zero exit status 255
failed to update Server-Cert in /etc/httpd/alias: Command '/usr/bin/certutil -d /etc/httpd/alias -A -n Server-Cert -t C,, -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Regards Sai
From: Florence Blanc-Renaud flo@redhat.com Sent: 07 July 2023 11:19 To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Rob Crittenden rcritten@redhat.com; Polavarapu Manideep Sai manideep.sai@onmobile.com Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
Polavarapu Manideep Sai wrote:
You apparently added the cert/nickname Server-Cert as a CA certificate with ipa-cacert-manage which is conflicting with the real server certificate during ipa-certupdate.
What version of IPA do you have? If it's reasonably up-to-date you can see what you have installed using: ipa-cacert-manage list.
rob
Regards
Sai
*From:*Florence Blanc-Renaud flo@redhat.com *Sent:* 07 July 2023 11:19 *To:* FreeIPA users list freeipa-users@lists.fedorahosted.org *Cc:* Rob Crittenden rcritten@redhat.com; Polavarapu Manideep Sai manideep.sai@onmobile.com *Subject:* Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
*CAUTION.*This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders.
Hi,
On Fri, Jul 7, 2023 at 7:00 AM Polavarapu Manideep Sai via FreeIPA-users <freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org> wrote:
Hi Rob, As mentioned in my previous response, here is the error upon executing ipa-cacert-manage install Please let me know if any other details required on this [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.crt Installing CA certificate, please wait Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide) The ipa-cacert-manage command failed.
When you received the certs from the external CA authority, you received multiple files. I'm guessing that 1f1f7ab616938168.crt contains your server certificate and that's the file you will provide to the ipa-server-certinstall command.
There is another file, gd_bundle-g2-g1.crt, which probably contains the external CA chain. This is the file you need to provide to ipa-cacert-manage install tool. Please don't forget to specify the trust flags for this command:
ipa-cacert-manage install -t CT,C,C <CA cert>
Also note, if the crt file contains multiple certificates, you will have to separate them and install them one by one with ipa-cacert-manage.
Hope this helps,
flo
[root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
Installing CA certificate, please wait
Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
[root@ Apache]#
[root@ Apache]# ipa-cacert-manage install gd_bundle-g2-g1.crt
Installing CA certificate, please wait
(SEC_ERROR_NO_TOKEN) The security card or token does not exist, needs to be initialized, or has been removed.
The ipa-cacert-manage command failed.
Regards
Manideep Sai
-----Original Message-----
From: Rob Crittenden <rcritten@redhat.com>
Sent: 07 July 2023 00:16
To: Polavarapu Manideep Sai <manideep.sai@onmobile.com>; FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders.
Polavarapu Manideep Sai wrote:
> Here are the answers for the questions asked
>
> 1. You submitted a single CSR and got two certificates back?
> Yes, I have shared a single CSR and got two certificates back.
>
> 2. What does "tomcat name" mean? Is it using a different key?
>
> Here are the certificate details:
>
> Received these two zip files
>
> 1. ipa.example.com_Apache.zip
> 2. ipa.example.com_TOMCAT.zip
>
> [root@ Certificates]# tree
> .
> ├── Apache
> │   ├── 1f1f7ab616938168.crt
> │   ├── 1f1f7ab616938168.pem
> │   └── gd_bundle-g2-g1.crt
> └── Tomcat
>     ├── 1f1f7ab616938168.crt
>     ├── 1f1f7ab616938168.pem
>     ├── gd_bundle-g2-g1.crt
>     └── gdig2.crt.pem
>
> 3. Do you intend on replacing the server certificate for the CA as well? If so, why?

You have to first install the CA chain using ipa-cacert-manage install /path/to/file. Then run ipa-certupdate ON ALL OF YOUR IPA SERVERS AND CLIENTS. Apologies for shouting but if you fail to do this step then any non-updated machines may not trust the new IPA Apache cert and that would be bad.

Assuming the chain they provided is complete that should resolve the ipa-server-certinstall issue.

rob

> NO
>
> Regards
> Sai
>
> -----Original Message-----
> From: Polavarapu Manideep Sai via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> Sent: 06 July 2023 22:28
> To: Rob Crittenden <rcritten@redhat.com>; FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: Polavarapu Manideep Sai <manideep.sai@onmobile.com>
> Subject: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
>
> Hi Rob,
>
> Thanks for the reply. Here are the errors upon including the .pem; please let us know if more details are required on this.
>
> [root@ Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt 1f1f7ab616938168.pem
> Directory Manager password:
> Enter private key unlock password:
> Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
> The ipa-server-certinstall command failed.
>
> =============================================================================
> Tried to run ipa-cacert-manage install
>
> [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
> Installing CA certificate, please wait
> Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> The ipa-cacert-manage command failed.
> [root@ Apache]#
>
> ====================================================
>
> [root@ Apache]# certutil -L -d /etc/pki/pki-tomcat/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> [root@ Apache]#
>
> [root@ Apache]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> IPA.EXAMPLE.COM IPA CA                                       CT,C,C
> [root@ Apache]#
>
> [root@ Apache]# certutil -L -d /etc/dirsrv/slapd-IPA-ONMOBILE-COM/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> IPA.EXAMPLE.COM IPA CA                                       CT,C,C
> [root@ Apache]#
>
> ===========================================================
>
> Regards
> Sai
>
> -----Original Message-----
> From: Rob Crittenden <rcritten@redhat.com>
> Sent: 06 July 2023 20:55
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: Polavarapu Manideep Sai <manideep.sai@onmobile.com>
> Subject: Re: [Freeipa-users] Help-Installing Third-Party Certificates for HTTP or LDAP
>
> Polavarapu Manideep Sai via FreeIPA-users wrote:
>> Hi Team,
>>
>> I have generated central.csr and central.key in my ipa server and shared this central.csr to a third-party certificate authority, and I got certificates from the certificate authority with two directories: one as an apache directory, and its certificates are 1f1f7ab616938168.crt, 1f1f7ab616938168.pem and gd_bundle-g2-g1.crt, and another directory with the tomcat name, and its certificates are 1f1f7ab616938168.crt, 1f1f7ab616938168.pem, gd_bundle-g2-g1.crt and gdig2.crt.pem. Now I want to install these certificates in my ipa server; can you please guide on the same?
>
> The process you describe is a little hard to follow. You submitted a single CSR and got two certificates back? What does "tomcat name" mean? Is it using a different key? Do you intend on replacing the server certificate for the CA as well? If so, why?
>
>> I tried this, but getting the below error; can you please share the steps to install these SSL certificates
>>
>> [root@ Apache]# ipa --version
>> VERSION: 4.5.0, API_VERSION: 2.228
>>
>> ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
>> [root@Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt
>> Directory Manager password:
>> Enter private key unlock password:
>> No matching certificate found for private key from central.key
>
> You didn't include the server certificate file you got, ex. 1f1f7ab616938168.pem
>
> rob
Hi Rob,
I am using VERSION: 4.5.0, API_VERSION: 2.228, so it is not possible to use ipa-cacert-manage list.
Please let me know if more details are required on this.
Regards Sai
-----Original Message-----
From: Rob Crittenden <rcritten@redhat.com>
Sent: 07 July 2023 21:26
To: Polavarapu Manideep Sai <manideep.sai@onmobile.com>; Florence Blanc-Renaud <flo@redhat.com>; FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
Polavarapu Manideep Sai wrote:
Hi Florence,
As per your suggestion, I have done the same
This crt gd_bundle-g2-g1.crt has multiple certificates, i.e. 3 certificates [1st.crt, 2nd.crt and 3rd.crt], installed using the below commands, and I also executed:
ipa-cacert-manage install -t CT,C,C 1st.crt [it failed]
ipa-cacert-manage install -t CT,C,C 2nd.crt [it was successful]
ipa-cacert-manage install -t CT,C,C 3rd.crt [it was successful]
ipa-cacert-manage -p XXXX Server-Cert -t C,, install /home/omadmin/Certificates/Apache/gd_bundle-g2-g1.crt [it was successful]
I executed this, and the certificates got installed into the /etc/httpd/alias/, /etc/dirsrv/slapd-IPA-DOMAIN-COM and /etc/pki/pki-tomcat/alias/ databases as shown below.
Can you see the error during ipa-certupdate? The /usr/bin/certutil commands returned non-zero codes.
[root@central ~]# ipa-cacert-manage -p XXXX Server-Cert -t C,, install /home/omadmin/Certificates/Apache/gd_bundle-g2-g1.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@central ~]#
[root@central ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US CT,C,C
Server-Cert                                                  u,u,u
IPA.DOMAIN.COM IPA CA                                        CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
[root@central ~]#
[root@central ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US CT,C,C
IPA.DOMAIN.COM IPA CA                                        CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
[root@central ~]#
[root@central ~]# ipa-certupdate
trying https://central.ipa.DOMAIN.com/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://central.ipa.DOMAIN.com/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://central.ipa.DOMAIN.com/ipa/json'
failed to update Server-Cert in /etc/dirsrv/slapd-IPA-DOMAIN-COM: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-DOMAIN-COM -A -n Server-Cert -t C,, -f /etc/dirsrv/slapd-IPA-DOMAIN-COM/pwdfile.txt' returned non-zero exit status 255
failed to update Server-Cert in /etc/httpd/alias: Command '/usr/bin/certutil -d /etc/httpd/alias -A -n Server-Cert -t C,, -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
You apparently added the cert/nickname Server-Cert as a CA certificate with ipa-cacert-manage which is conflicting with the real server certificate during ipa-certupdate.
What version of IPA do you have? If it's reasonably up-to-date you can see what you have installed using: ipa-cacert-manage list.
rob
Regards
Sai
From: Florence Blanc-Renaud <flo@redhat.com>
Sent: 07 July 2023 11:19
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Rob Crittenden <rcritten@redhat.com>; Polavarapu Manideep Sai <manideep.sai@onmobile.com>
Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
Hi,
On Fri, Jul 7, 2023 at 7:00 AM Polavarapu Manideep Sai via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi Rob,
As mentioned in my previous response, here is the error upon executing ipa-cacert-manage install. Please let me know if any other details are required on this.
[root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.crt
Installing CA certificate, please wait
Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
When you received the certs from the external CA authority, you received multiple files. I'm guessing that 1f1f7ab616938168.crt contains your server certificate and that's the file you will provide to the ipa-server-certinstall command.
There is another file, gd_bundle-g2-g1.crt, which probably contains the external CA chain. This is the file you need to provide to the ipa-cacert-manage install tool. Please don't forget to specify the trust flags for this command:
ipa-cacert-manage install -t CT,C,C <CA cert>
Also note, if the crt file contains multiple certificates, you will have to separate them and install them one by one with ipa-cacert-manage.
Hope this helps,
flo
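The split-and-classify step Florence describes, as an added example that is not code from this thread or from the FreeIPA project: a POSIX shell script that splits a bundle such as gd_bundle-g2-g1.crt into one certificate per file, checks the basicConstraints CA flag that decides whether ipa-cacert-manage accepts a file or rejects it as "not a CA certificate", and verifies that the bundle forms a complete chain for the server certificate (Rob's "assuming the chain they provided is complete"). It generates its own constructed root/intermediate/server certificates, so openssl (1.1.1 or later) and awk on PATH are the only assumptions; the file and host names in it are hypothetical.

```shell
# Added example, not code from this thread or from the FreeIPA project.
# Splits a CA bundle into single certificates, tells CA certificates apart
# from the server certificate, and checks that the chain is complete,
# i.e. the pre-checks before ipa-cacert-manage / ipa-server-certinstall.
# Assumes only openssl (1.1.1 or later) and awk on PATH. Every certificate
# used below is constructed for the demo; no real files or hosts are involved.

# Write each certificate of a PEM bundle to outdir/cert-N.pem and print the
# count. ipa-cacert-manage wants one CA certificate per file, so this is the
# step to run on a multi-certificate bundle such as gd_bundle-g2-g1.crt.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Succeed only if the certificate carries basicConstraints CA:TRUE.
# A certificate without that flag is what ipa-cacert-manage rejects as
# "not a CA certificate"; it belongs to ipa-server-certinstall instead.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Print one line per certificate in the bundle:
# "CA <file> <subject>" or "LEAF <file> <subject>".
classify_bundle() {
    outdir=$2
    count=$(split_pem_bundle "$1" "$outdir")
    i=1
    while [ "$i" -le "$count" ]; do
        f="$outdir/cert-$i.pem"
        if cert_is_ca "$f"; then kind=CA; else kind=LEAF; fi
        printf '%s %s %s\n' "$kind" "$f" "$(openssl x509 -in "$f" -noout -subject)"
        i=$((i + 1))
    done
}

# Succeed only if the bundle lets the server certificate chain up to a
# self-signed root. A bundle that fails here is incomplete, and clients that
# trust only what ipa-certupdate distributes would not accept the new cert.
chain_is_complete() {
    server_cert=$1
    bundle=$2
    openssl verify -CAfile "$bundle" "$server_cert" >/dev/null 2>&1
}

# Build a constructed root -> intermediate -> server chain under $1 for the
# demo (hypothetical names; EC keys so it runs in well under a second).
make_constructed_chain() {
    dir=$1
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' > "$dir/server.ext"
    for name in root intermediate server; do
        case $name in
            root)         cn='Constructed Root CA' ;;
            intermediate) cn='Constructed Intermediate CA' ;;
            server)       cn='ipa.example.test' ;;
        esac
        openssl req -new -config "$dir/req.cnf" -nodes -subj "/CN=$cn" \
            -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    done
    openssl x509 -req -days 1 -set_serial 1 -in "$dir/root.csr" \
        -signkey "$dir/root.key" -extfile "$dir/ca.ext" \
        -out "$dir/root.pem" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 2 -in "$dir/intermediate.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -extfile "$dir/ca.ext" \
        -out "$dir/intermediate.pem" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 3 -in "$dir/server.csr" \
        -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
    # The CA bundle the way a public CA ships it: intermediate first, then root.
    cat "$dir/intermediate.pem" "$dir/root.pem" > "$dir/gd_bundle.pem"
}

# Demo: run as "sh thisfile.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_constructed_chain "$work"
    classify_bundle "$work/gd_bundle.pem" "$work/split"
    cert_is_ca "$work/server.pem" || echo "server.pem is not a CA cert: it goes to ipa-server-certinstall"
    chain_is_complete "$work/server.pem" "$work/gd_bundle.pem" && echo "bundle is a complete chain"
    chain_is_complete "$work/server.pem" "$work/root.pem" || echo "root alone is not enough: the intermediate is missing"
    rm -rf "$work"
fi
```

The split files are what you would hand to ipa-cacert-manage install -t CT,C,C one at a time; the script only classifies and verifies, it installs nothing.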
Polavarapu Manideep Sai wrote:
Hi Rob,
I am using VERSION: 4.5.0, API_VERSION: 2.228, so it is not possible to use ipa-cacert-manage list.
Please let me know if more details are required on this.
You'll need to try removing it manually using ldapdelete. The entries are stored in cn=certificates,cn=ipa,cn=etc,$SUFFIX.
$ ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
...
cn: EXAMPLE.TEST IPA CA
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.TEST
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.TEST;1
...
These attributes should help you identify the right entry to remove.
rob
-----Original Message----- From: Rob Crittenden rcritten@redhat.com Sent: 07 July 2023 21:26 To: Polavarapu Manideep Sai manideep.sai@onmobile.com; Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders.
Polavarapu Manideep Sai wrote:
Hi Florence,
As per your suggestion, I have done the same
This crt gd_bundle-g2-g1.crt having multiple certificates i.e. 3 certificates[ 1^st .crt, 2^nd .crt and 3^rd .crt] , installed using below commands and also executed
ipa-cacert-manage install -t CT,C,C 1st.crt [ It was failed ]
ipa-cacert-manage install -t CT,C,C 2nd.crt [ it was successful]
ipa-cacert-manage install -t CT,C,C 3rd.crt [ it was successful]
ipa-cacert-manage -p XXXX Server-Cert -t C,, install /home/omadmin/Certificates/Apache/gd_bundle-g2-g1.crt [it was successful]
I executed this, and certificates got installed into /etc/httpd/alias/ , /etc/dirsrv/slapd-IPA-DOMAIN-COM and /etc/pki/pki-tomcat/alias/ databases as shown below
Can you see the error during the ipa-certupdate , /usr/bin/certutil commands returned non zero codes
[root@central ~]#
[root@central ~]# ipa-cacert-manage -p XXXX Server-Cert -t C,, install /home/omadmin/Certificates/Apache/gd_bundle-g2-g1.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@central ~]#
[root@central ~]#
[root@central ~]#
[root@central ~]#
[root@central ~]# certutil -L -d /etc/httpd/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US CT,C,C
Server-Cert u,u,u
IPA.DOMAIN.COM IPA CA CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
[root@central ~]#
[root@central ~]#
[root@central ~]#
[root@central ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-COM
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US CT,C,C
IPA.DOMAIN.COM IPA CA CT,C,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US CT,C,C
[root@central ~]#
[root@central ~]#
[root@central ~]# ipa-certupdate
trying https://central.ipa.DOMAIN.com/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://central.ipa.DOMAIN.com/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://central.ipa.DOMAIN.com/ipa/json'
failed to update Server-Cert in /etc/dirsrv/slapd-IPA-DOMAIN-COM: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-DOMAIN-COM -A -n Server-Cert -t C,, -f /etc/dirsrv/slapd-IPA-DOMAIN-COM/pwdfile.txt' returned non-zero exit status 255
failed to update Server-Cert in /etc/httpd/alias: Command '/usr/bin/certutil -d /etc/httpd/alias -A -n Server-Cert -t C,, -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
You apparently added the cert/nickname Server-Cert as a CA certificate with ipa-cacert-manage, which conflicts with the real server certificate during ipa-certupdate.
What version of IPA do you have? If it's reasonably up-to-date you can see what you have installed using: ipa-cacert-manage list.
rob
Regards
Sai
From: Florence Blanc-Renaud <flo@redhat.com>
Sent: 07 July 2023 11:19
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Rob Crittenden <rcritten@redhat.com>; Polavarapu Manideep Sai <manideep.sai@onmobile.com>
Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
Hi,
On Fri, Jul 7, 2023 at 7:00 AM Polavarapu Manideep Sai via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi Rob,
> As mentioned in my previous response, here is the error upon executing ipa-cacert-manage install. Please let me know if any other details are required on this.
>
> [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.crt
> Installing CA certificate, please wait
> Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> The ipa-cacert-manage command failed.
When you received the certs from the external CA authority, you received multiple files. I'm guessing that 1f1f7ab616938168.crt contains your server certificate and that's the file you will provide to the ipa-server-certinstall command.
There is another file, gd_bundle-g2-g1.crt, which probably contains the external CA chain. This is the file you need to provide to the ipa-cacert-manage install tool. Please don't forget to specify the trust flags for this command:
ipa-cacert-manage install -t CT,C,C <CA cert>
Also note, if the crt file contains multiple certificates, you will have to separate them and install them one by one with ipa-cacert-manage.
Hope this helps,
flo
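As an added example (not code from this thread or from the FreeIPA project): a small POSIX shell script that splits a bundle like gd_bundle-g2-g1.crt into single-certificate files and reports which of them carry the basicConstraints CA flag, so the CA certificates can be installed one by one with `ipa-cacert-manage install -t CT,C,C <file>` while the server certificate (which triggers the "not a CA certificate" error above) stays with ipa-server-certinstall. It needs openssl and builds a constructed two-certificate bundle in place of the vendor files; all file names and subjects are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: split a PEM bundle into one file per
# certificate and tell CA certificates (basicConstraints CA:TRUE) apart from
# the server certificate, before feeding anything to ipa-cacert-manage.
# Needs openssl; every file name and subject below is constructed for the demo.
set -eu
WORK=$(mktemp -d)
# Write one file per certificate ($2/cert-NN.pem) from bundle $1.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    n { print > out }
    /-----END CERTIFICATE-----/ { close(out) }' "$1"
}
# Succeed only when the certificate asserts basicConstraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
# Print "CA <file> <subject>" or "SERVER <file> <subject>" for each certificate.
classify_bundle() {
  split_bundle "$1" "$2"
  for f in "$2"/cert-*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject)
    if is_ca_cert "$f"; then echo "CA $f $subj"; else echo "SERVER $f $subj"; fi
  done
}
# Constructed stand-in for the vendor files: a self-signed CA plus a server
# certificate it signed, concatenated the way CAs often ship them.
make_demo_bundle() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$WORK/demo.cnf"
  openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=central.ipa.example.test" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server.crt" 2>/dev/null
  cat "$WORK/ca.crt" "$WORK/server.crt" > "$WORK/bundle.pem"
}
make_demo_bundle
classify_bundle "$WORK/bundle.pem" "$WORK/split"
```

Only the files reported as CA are candidates for ipa-cacert-manage; the one reported as SERVER is the certificate that belongs next to central.key in the ipa-server-certinstall call.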
> [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
> Installing CA certificate, please wait
> Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> The ipa-cacert-manage command failed.
> [root@ Apache]#
> [root@ Apache]# ipa-cacert-manage install gd_bundle-g2-g1.crt
> Installing CA certificate, please wait
> (SEC_ERROR_NO_TOKEN) The security card or token does not exist, needs to be initialized, or has been removed.
> The ipa-cacert-manage command failed.
>
> Regards
> Manideep Sai
>
> -----Original Message-----
> From: Rob Crittenden <rcritten@redhat.com>
> Sent: 07 July 2023 00:16
> To: Polavarapu Manideep Sai <manideep.sai@onmobile.com>; FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
>
> Polavarapu Manideep Sai wrote:
>> Here are the answers for the questions asked
>>
>> 1. You submitted a single CSR and got two certificates back?
>> Yes, I have shared a single CSR and got two certificates back.
>>
>> 2. What does "tomcat name" mean? Is it using a different key?
>>
>> Here are the certificate details:
>>
>> Received these two zip files
>>
>> 1. ipa.example.com_Apache.zip
>> 2. ipa.example.com_TOMCAT.zip
>>
>> [root@ Certificates]# tree
>> .
>> ├── Apache
>> │   ├── 1f1f7ab616938168.crt
>> │   ├── 1f1f7ab616938168.pem
>> │   └── gd_bundle-g2-g1.crt
>> └── Tomcat
>>     ├── 1f1f7ab616938168.crt
>>     ├── 1f1f7ab616938168.pem
>>     ├── gd_bundle-g2-g1.crt
>>     └── gdig2.crt.pem
>>
>> 3. Do you intend on replacing the server certificate for the CA as well? If so, why?
>
> You have to first install the CA chain using ipa-cacert-manage install /path/to/file. Then run ipa-certupdate ON ALL OF YOUR IPA SERVERS AND CLIENTS. Apologies for shouting but if you fail to do this step then any non-updated machines may not trust the new IPA Apache cert and that would be bad.
>
> Assuming the chain they provided is complete that should resolve the ipa-server-certinstall issue.
>
> rob
>
>> NO
>>
>> Regards
>> Sai
>>
>> -----Original Message-----
>> From: Polavarapu Manideep Sai via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
>> Sent: 06 July 2023 22:28
>> To: Rob Crittenden <rcritten@redhat.com>; FreeIPA users list <freeipa-users@lists.fedorahosted.org>
>> Cc: Polavarapu Manideep Sai <manideep.sai@onmobile.com>
>> Subject: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP
>>
>> Hi Rob,
>>
>> Thanks for the reply. Here are the errors upon including the .pem; please let us know if more details are required on this.
>>
>> [root@ Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt 1f1f7ab616938168.pem
>> Directory Manager password:
>> Enter private key unlock password:
>> Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
>> The ipa-server-certinstall command failed.
>>
>> =============================================================================
>> Tried to run ipa-cacert-manage install
>>
>> [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
>> Installing CA certificate, please wait
>> Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
>> The ipa-cacert-manage command failed.
>> [root@ Apache]#
>> ====================================================
>>
>> [root@ Apache]# certutil -L -d /etc/pki/pki-tomcat/alias
>> Certificate Nickname Trust Attributes
>> SSL,S/MIME,JAR/XPI
>> ocspSigningCert cert-pki-ca u,u,u
>> subsystemCert cert-pki-ca u,u,u
>> Server-Cert cert-pki-ca u,u,u
>> auditSigningCert cert-pki-ca u,u,Pu
>> caSigningCert cert-pki-ca CTu,Cu,Cu
>> [root@ Apache]#
>>
>> [root@ Apache]# certutil -L -d /etc/httpd/alias/
>> Certificate Nickname Trust Attributes
>> SSL,S/MIME,JAR/XPI
>> Server-Cert u,u,u
>> IPA.EXAMPLE.COM IPA CA CT,C,C
>> [root@ Apache]#
>>
>> [root@ Apache]# certutil -L -d /etc/dirsrv/slapd-IPA-ONMOBILE-COM/
>> Certificate Nickname Trust Attributes
>> SSL,S/MIME,JAR/XPI
>> Server-Cert u,u,u
>> IPA.EXAMPLE.COM IPA CA CT,C,C
>> [root@ Apache]#
>> ===========================================================
>>
>> Regards
>> Sai
>>
>> -----Original Message-----
>> From: Rob Crittenden <rcritten@redhat.com>
>> Sent: 06 July 2023 20:55
>> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
>> Cc: Polavarapu Manideep Sai <manideep.sai@onmobile.com>
>> Subject: Re: [Freeipa-users] Help-Installing Third-Party Certificates for HTTP or LDAP
>>
>> Polavarapu Manideep Sai via FreeIPA-users wrote:
>>> Hi Team,
>>>
>>> I have generated central.csr and central.key in my ipa server and shared this central.csr to a third-party certificate authority, and I got certificates from the certificate authority with two directories: one is an apache directory and its certificates are 1f1f7ab616938168.crt, 1f1f7ab616938168.pem and gd_bundle-g2-g1.crt, and another directory with the tomcat name and its certificates are 1f1f7ab616938168.crt, 1f1f7ab616938168.pem, gd_bundle-g2-g1.crt and gdig2.crt.pem. Now I want to install these certificates in my ipa server; can you please guide on the same?
>>
>> The process you describe is a little hard to follow. You submitted a single CSR and got two certificates back? What does "tomcat name" mean? Is it using a different key? Do you intend on replacing the server certificate for the CA as well? If so, why?
>>
>>> I tried this, but getting the below error, can you please share the steps to install these SSL certificates
>>>
>>> [root@ Apache]# ipa --version
>>> VERSION: 4.5.0, API_VERSION: 2.228
>>>
>>> ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
>>> [root@Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt
>>> Directory Manager password:
>>> Enter private key unlock password:
>>> No matching certificate found for private key from central.key
>>
>> You didn't include the server certificate file you got, ex. 1f1f7ab616938168.pem
>>
>> rob