Hello,
I have configured and installed freeipa, but I have some issues trying to add the certificates to freeipa configuration to get https correctly setup.
I have my own .key and .crt files plus an additional .crt certificate, as is the case with wildcard certificates. Following this guide didn't help, as in my case I use 3 files for the certificate configuration.
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
ipa-server-certinstall -w -d mysite.key mysite.crt (but I use 3 files; also, running the command asks for a passphrase, but my certs don't have any passphrase associated). How I did it in the past was to add the path of those files in the VirtualHost section of the web service's config file, but in this case I am not 100% sure which procedures we have apart from the command above, which may not work for my case.
I would really appreciate your thoughts on this. Thank you so much,
Note: The operating system in this case is CentOS 7.
Thank you,
G Col via FreeIPA-users wrote:
Hello,
I have configured and installed freeipa, but I have some issues trying to add the certificates to freeipa configuration to get https correctly setup.
I have my own .key and .crt files plus an additional .crt certificate, as is the case with wildcard certificates. Following this guide didn't help, as in my case I use 3 files for the certificate configuration.
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
ipa-server-certinstall -w -d mysite.key mysite.crt (but I use 3 files; also, running the command asks for a passphrase, but my certs don't have any passphrase associated). How I did it in the past was to add the path of those files in the VirtualHost section of the web service's config file, but in this case I am not 100% sure which procedures we have apart from the command above, which may not work for my case.
I would really appreciate your thoughts on this.
Using the IPA tools is the preferred method as it will ensure things are setup properly.
You don't need to provide a passphrase if there isn't one. Pass --pin=''.
Otherwise we need to see whatever output is being generated and the exact command-line you're using.
rob
Hello rob,
Thank you for your help. The command I try to run is ipa-server-certinstall -w -d mysite.key mysite.crt
but as it is a wildcard certificate, it also has a third .crt file associated with it.
So when I run that command, it asks for a passphrase, but the certs and key don't have any passphrase associated. What could I do? What does this line mean: " Pass --pin=''. "
Thx u ;) guille
Hi Guille,
"Pass --pin=''" means: pass along the argument --pin and set it to an empty value (because --pin= does exactly that; it says "pin equals nothing"). In your case this might look like:
ipa-server-certinstall -w -d --pin= mysite.key mysite.crt
Or, if the command allows it, you could position it elsewhere, i.e. at the beginning:
ipa-server-certinstall --pin= -w -d mysite.key mysite.crt
If you want to know for sure what the command supports, you can generally use the help commands to find out, or use the manual, accessible via the man command:
man ipa-server-certinstall
If you have multiple files you can generally combine them. Wildcard certificates are the same as normal certificates, so they don't come with 'extra files' just because they are wildcards. It is possible that you have three files:
1. The private key
2. The actual certificate
3. An intermediate certificate chain
If that is the case you can often simply combine the certificate and the intermediate certificate(s) into a single file. This is not specific to FreeIPA, and resources on PKI and intermediate certificates are readily available online. There are cases where the intermediate certificates are not required, if they are already available in major operating systems by default.
John
On 24 Apr 2021, at 14:21, G Col via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello rob,
Thank you for your help. The command I try to run is ipa-server-certinstall -w -d mysite.key mysite.crt
but as it is a wildcard certificate, it also has a third .crt file associated with it.
So when I run that command, it asks for a passphrase, but the certs and key don't have any passphrase associated. What could I do? What does this line mean: " Pass --pin=''. "
Thx u ;) guille
Hello John,
Thank you for your comments. They are really helpful.
[root@freeipa certs]# ipa-server-certinstall -w -d --pin= name.key name.crt
Directory Manager Password: (I enter it)
I tried those, but I get the following message:
The full certificate chain is not present in name.key, name.crt
The ipa-server-certinstall command failed.
Is it because this has to be run first?
# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
NICKNAME: not sure what it is.
I am not sure why it still fails. I have combined the main cert with the intermediate certificate in just one file too.
Thank you for your comments Guille
On Sat, 24 Apr 2021 at 14:14, John Keates (john@keates.nl) wrote:
Hi Guille,
"Pass --pin=''" means: pass along the argument --pin and set it to an empty value (because --pin= does exactly that; it says "pin equals nothing"). In your case this might look like:
ipa-server-certinstall -w -d --pin= mysite.key mysite.crt
Or, if the command allows it, you could position it elsewhere, i.e. at the beginning:
ipa-server-certinstall --pin= -w -d mysite.key mysite.crt
If you want to know for sure what the command supports, you can generally use the help commands to find out, or use the manual, accessible via the man command:
man ipa-server-certinstall
If you have multiple files you can generally combine them. Wildcard certificates are the same as normal certificates, so they don't come with 'extra files' just because they are wildcards. It is possible that you have three files:
- The private key
- The actual certificate
- An intermediate certificate chain
If that is the case you can often simply combine the certificate and the intermediate certificate(s) into a single file. This is not specific to FreeIPA, and resources on PKI and intermediate certificates are readily available online. There are cases where the intermediate certificates are not required, if they are already available in major operating systems by default.
John
On 24 Apr 2021, at 14:21, G Col via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
Hello rob,
Thank you for your help. The command I try to run is
ipa-server-certinstall -w -d mysite.key mysite.crt
but as it is a wildcard certificate, it also has a third .crt file associated with it.
So when I run that command, it asks for a passphrase, but the certs and key don't have any passphrase associated. What could I do?
What does this line mean: " Pass --pin=''. "
Thx u ;) guille
I think another issue I get is the following one: possibly some Kerberos configuration is needed before configuring the certificates?
[root@freeipa certs]# ipa-certupdate
trying https://****domain****.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://****domain*****.com/ipa/json'
did not receive Kerberos credentials
The ipa-certupdate command failed.
Thank you, Guille
I was able to solve that issue using kinit admin, but now I get this:
ipa-server-certinstall -w -d --pin= name.key name.crt
Directory Manager password:
Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -D -n Server-Cert -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
The ipa-server-certinstall command failed.
It just asks for the Directory Manager password and then fails after waiting for about 1 minute.
Any possible idea?
Thank you for your help :)
G Col via FreeIPA-users wrote:
I was able to solve that issue using kinit admin, but now I get this:
ipa-server-certinstall -w -d --pin= name.key name.crt
Directory Manager password:
Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -D -n Server-Cert -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
The ipa-server-certinstall command failed.
It just asks for the Directory Manager password and then fails after waiting for about 1 minute.
Any possible idea?
If you pass -v to the command you'll get a lot more output and be able to tell more what it's doing. You probably need to redirect to a file as it'll be much more than a screenful.
It looks like it is trying to remove a reference to the default IPA certificate nickname in the Apache httpd database and that certificate is not there.
It determines the name of the certificate to remove by using the NSSNickname directive from nss.conf. To see what that is run:
# grep NSSNick /etc/httpd/conf.d/nss.conf
To see if a cert with that name exists run:
# certutil -L -d /etc/httpd/alias -n <whatever that nickname is>
I'm guessing it doesn't exist. It doesn't look like this condition is handled in the code.
rob
Hello Rob,
Thank you for your comment; the -v option is very useful! Here are some more clues about what is happening during the execution:
I got the following messages after running:
ipa-server-certinstall -w -d --pin= name.key name.crt
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/tmp/tmpRcYnFD -V -n CN=*.name.com,O=name Ltd,L=city,C=country -u V -f /tmp/tmpRcYnFD/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=certutil: certificate is valid
ipapython.ipautil: DEBUG: stderr=
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.237')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.237')
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -D -n Server-Cert -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: could not find certificate named "Server-Cert": SEC_ERROR_BAD_DATABASE: security library: bad database.
ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_certinstall.py", line 121, in run
    self.install_http_cert()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_certinstall.py", line 163, in install_http_cert
    'restart_httpd')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_certinstall.py", line 284, in import_cert
    cdb.delete_cert(old_cert)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 470, in delete_cert
    self.nssdb.delete_cert(nickname)
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 794, in delete_cert
    self.run_certutil(["-D", "-n", nick])
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 281, in run_certutil
    return ipautil.run(new_args, stdin, **kwargs)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -D -n Server-Cert -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
ipapython.admintool: ERROR: Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -D -n Server-Cert -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
What is best as a next step?
Thank you for your help
Hello,
I have run that command and I get the following message. The file doesn't exist.
certutil -L -d /etc/httpd/alias -n Server-Cert
certutil: Could not find cert: Server-Cert : PR_FILE_NOT_FOUND_ERROR: File not found
Not sure what to do next.
Also, is this where I can find the passphrase?
cat /etc/ipa/nssdb/pwdfile.txt
Thank you for your help,
gcol
G Col via FreeIPA-users wrote:
Hello,
I have run that command and I get the following message. The file doesn't exist.
certutil -L -d /etc/httpd/alias -n Server-Cert
certutil: Could not find cert: Server-Cert : PR_FILE_NOT_FOUND_ERROR: File not found
Not sure what to do next.
Can you show us what certs are in there now?
# certutil -L -d /etc/httpd/alias
Also, is this where I can find the passphrase?
cat /etc/ipa/nssdb/pwdfile.txt
/etc/httpd/alias/pwdfile.txt
rob
Hi Rob,
Here is more information on the case:
[root@freeipa openldap]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMPANY.COM IPA CA                                           CT,C,C
company                                                      u,u,u
CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US C,,
DigiCert SHA2 Secure Server CA - DigiCert Inc                C,,
Does this help?
If our wildcard doesn't work, can I use Let's Encrypt as an alternative for the https access?
Thank you for your help,
G Col via FreeIPA-users wrote:
Hi Rob,
Here is more information on the case:
[root@freeipa openldap]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMPANY.COM IPA CA                                           CT,C,C
company                                                      u,u,u
CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US C,,
DigiCert SHA2 Secure Server CA - DigiCert Inc                C,,
Does this help?
If our wildcard doesn't work, can I use Let's Encrypt as an alternative for the https access?
So in a different thread you got this working. The reason it was failing is because the certificate configured in mod_nss wasn't in the NSS database. So Apache wouldn't have started either.
rob
Hi Rob,
I made it work by importing the PEM cert file into my browser from the FreeIPA UI, but this is just a workaround and it will only help for my browser. How would I make it work with a certificate by modifying the NSS database?
Thank you for your help
G Col via FreeIPA-users wrote:
Hi Rob,
I made it work by importing the PEM cert file into my browser from the FreeIPA UI, but this is just a workaround and it will only help for my browser. How would I make it work with a certificate by modifying the NSS database?
So your mod_nss configuration has the certificate as Server-Cert.
ipa-server-certinstall uses this value to remove the existing certificate from the NSS database before installing the replacement.
Since a certificate named Server-Cert is not present it gives up.
So you can either install some random certificate with the nickname Server-Cert so it can be removed by ipa-server-certinstall or correct the value of NSSNickname in /etc/httpd/conf.d/nss.conf (preferred).
rob
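A pre-flight check for exactly this failure mode, added here as an example and not FreeIPA's own code: it reads the active NSSNickname from an nss.conf file and confirms the nickname exists in a saved `certutil -L -d /etc/httpd/alias` listing, since ipa-server-certinstall deletes that nickname first and aborts with certutil exit status 255 when it is missing. The sample nss.conf and listing below are constructed from the thread's output.

```shell
#!/bin/sh
# Print the active (uncommented) NSSNickname value from an nss.conf file,
# or nothing when the directive is commented out, as in this thread.
nss_nickname() {
    sed -n 's/^[[:space:]]*NSSNickname[[:space:]][[:space:]]*//p' "$1" | head -n 1
}

# Print the nicknames from a saved `certutil -L -d <dir>` listing, one per
# line. Entries end in a trust-attribute column such as "u,u,u" or "C,,";
# header and blank lines have no such column and are skipped. Only the
# last field is removed, so nicknames containing spaces survive intact.
listed_nicknames() {
    awk 'NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
             sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, ""); print }' "$1"
}

# Exit 0 when the nickname mod_nss is configured with exists in the listing,
# 1 otherwise (ipa-server-certinstall would fail in that case).
nickname_present() {
    nick=$(nss_nickname "$1")
    [ -n "$nick" ] || return 1
    listed_nicknames "$2" | grep -Fxq -- "$nick"
}

# Constructed sample data mirroring the thread: nss.conf as posted (directive
# commented out), the same file after Rob's fix, and the certutil listing.
# Prints the directory holding the three files.
make_samples() {
    dir=$(mktemp -d)
    printf '#NSSNickname Server-Cert\nNSSCertificateDatabase /etc/httpd/alias\n' \
        > "$dir/nss.conf.broken"
    printf 'NSSNickname company\nNSSCertificateDatabase /etc/httpd/alias\n' \
        > "$dir/nss.conf.fixed"
    cat > "$dir/certutil.txt" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMPANY.COM IPA CA                                           CT,C,C
company                                                      u,u,u
CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US C,,
DigiCert SHA2 Secure Server CA - DigiCert Inc                C,,
EOF
    echo "$dir"
}

# On a live host: save `certutil -L -d /etc/httpd/alias` to a file and run
#   nickname_present /etc/httpd/conf.d/nss.conf <saved-listing>
# before invoking ipa-server-certinstall.
```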
Hi Rob,
Thank you for your answer.
About replacing the nickname in nss.conf, what would my value be?
[root@freeipa openldap]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMPANY.COM IPA CA                                           CT,C,C
company                                                      u,u,u
CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US C,,
DigiCert SHA2 Secure Server CA - DigiCert Inc                C,,
- Would Server-Cert be the value? I think this is the one it cannot find, but what is the one that appears in my certutil command?
- I cannot see a nickname here.
This is my current nss.conf at the moment, commented:
#NSSNickname Server-Cert
# SSL Certificate Nickname:
# The nickname of the ECC server certificate you are going to use, if you
# have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
# Provide the directory that these files exist.
NSSCertificateDatabase /etc/httpd/alias
Thank you for your help,
G Col via FreeIPA-users wrote:
Hi Rob,
Thank you for your answer.
About replacing the nickname in nss.conf, what would my value be?
[root@freeipa openldap]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMPANY.COM IPA CA                                           CT,C,C
company                                                      u,u,u
CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US C,,
DigiCert SHA2 Secure Server CA - DigiCert Inc                C,,
Would Server-Cert be the value? I think this is the one it cannot find, but what is the one that appears in my certutil command?
I cannot see a nickname here.
This is my current nss.conf at the moment, commented:
#NSSNickname Server-Cert
# SSL Certificate Nickname:
# The nickname of the ECC server certificate you are going to use, if you
# have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
# Provide the directory that these files exist.
NSSCertificateDatabase /etc/httpd/alias
You'd set it to company. This certificate will be removed so if you want to keep a copy of it do so before re-running ipa-server-certinstall.
rob
Thank you Rob for your guidance! I confirm I was able to sort it out following these instructions.