I can install FreeIPA with ipa-server-install and no parameters fine. However, I 
want to be able to use IPA as a sub-CA. I have created root and intermediate 
CAs using openssl and attempt to install ipa server with:

/usr/sbin/ipa-server-install \
        --external-cert-file=/root/thisserver.domain.dev.cert.pem \
        --external-cert-file=/root/intermediate.cert.pem \
        --external-cert-file=/root/root-ca.cert.pem \
        --external-ca -n domain.dev -r DOMAIN.DEV \
        --hostname="thisserver.domain.dev" \
        --subject="O=Acme Inc, L=Springfield, ST=Ohio, C=US" \
        --ds-password=topsecret --admin-password=opensesame

It stops at step 24 with the following message:

  [20/28]: Configure HTTP to proxy connections
  [21/28]: restarting certificate server
  [22/28]: updating IPA configuration
  [23/28]: enabling CA instance
  [24/28]: migrating certificate profiles to LDAP
  [error] NetworkError: cannot connect to 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR    cannot connect to 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

If I visit the address on port 8443, I do get an error, I believe due to an empty 
certificate. My browser shows:

Certificate path length constraint is invalid. Error code: SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID

So I have a few questions if anyone can guide me:
1. Can I resume the install to complete the last 4 installation steps?
2. How can I get the install to use a self-signed cert for the http/ldap 
service OR can I supply a signed cert for that purpose?

Thanks in advance. 

IPA version: 4.6.4-10.el7.centos.2.x86_64
OS: CentOS 7.6
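
Added example, not part of the original post and not FreeIPA code: the browser error quoted above is what a validator reports when the RFC 5280 path-length check fails, and this sketch runs that check on a constructed chain shaped like the one in the post (root, intermediate, IPA sub-CA, server certificate). The pathlen values and certificate labels are assumptions, not read from the poster's certificates.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    path_len: Optional[int] = None  # pathLenConstraint; None means absent


def check_path_length(path: List[Cert]) -> Optional[str]:
    """RFC 5280 section 6.1.4 steps (k)-(m).

    `path` runs from the certificate issued by the trust anchor down to the
    end-entity certificate; the trust anchor itself is not in the list.
    Returns None when the path passes, otherwise the reason it fails.
    """
    max_path_length = len(path)
    for cert in path[:-1]:  # every certificate except the end entity
        if not cert.is_ca:
            return f"{cert.subject}: issues certificates but is not a CA"
        if cert.subject != cert.issuer:  # self-issued certs do not count
            if max_path_length <= 0:
                return f"{cert.subject}: path length constraint exceeded"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return None


def build_chain(intermediate_path_len: Optional[int]) -> List[Cert]:
    # Constructed chain; names are labels, not the poster's real subjects.
    return [
        Cert("intermediate", "root-ca", True, intermediate_path_len),
        Cert("IPA CA", "intermediate", True),
        Cert("thisserver.domain.dev", "IPA CA", False),
    ]


if __name__ == "__main__":
    for pathlen in (0, 1, None):
        result = check_path_length(build_chain(pathlen))
        print(f"intermediate pathlen={pathlen}: {result or 'OK'}")
```

The values actually present in a certificate appear under "X509v3 Basic Constraints" in the output of `openssl x509 -noout -text -in <file>`.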