Hi Jonny, responses inline.

On Fri, Mar 08, 2019 at 06:16:14PM -0000, Jonny McCullagh via FreeIPA-users wrote:
> I can install freeipa with ipa-server-install and no parameters fine. However
> I want to be able to use IPA as a sub-CA. I have created root and
> intermediate CAs using openssl and attempt to install ipa server with:
>
> /usr/sbin/ipa-server-install \
>   --external-cert-file=/root/thisserver.domain.dev.cert.pem \
>   --external-cert-file=/root/intermediate.cert.pem \
>   --external-cert-file=/root/root-ca.cert.pem \
>   --external-ca -n domain.dev -r DOMAIN.DEV \
>   --hostname="thisserver.domain.dev" \
>   --subject="O=Acme Inc, L=Springfield, ST=Ohio, C=US" \
>   --ds-password=topsecret --admin-password=opensesame
>
> It stops at step 24 with the following message:
>
>   [20/28]: Configure HTTP to proxy connections
>   [21/28]: restarting certificate server
>   [22/28]: updating IPA configuration
>   [23/28]: enabling CA instance
>   [24/28]: migrating certificate profiles to LDAP
>   [error] NetworkError: cannot connect to
> 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
> ipapython.admintool: ERROR cannot connect to
> 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
> ipapython.admintool: ERROR The ipa-server-install command failed. See
> /var/log/ipaserver-install.log for more information
>
> If I visit the address on port 8443 I do get an error, I believe due to an
> empty certificate. My browser shows:
>
>   Certificate path length constraint is invalid. Error code:
>   SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID
>
> So I have a few questions if anyone can guide me:
> 1. Can I resume the install to complete the last 4 installation steps?

The path length constraint in one of the superior CA certificates is being
exceeded. There is nothing we can do about that; you'll have to choose a
different external CA to sign it. You may need to work with your CA admins to
work out a solution. If you are able, please share the certificate chain and
we can help analyse exactly where the problem lies.

We should add a sanity check for this to prevent installation from starting,
and give a nice error explaining what the problem is. I filed a ticket:
https://pagure.io/freeipa/issue/7877

> 2. How can I get the install to use a self-signed cert for the
> http/ldap service OR can I supply a signed cert for that purpose?

Self-signed, no. Third-party-signed, yes! See ipa-server-install(1), in
particular the following options:

  --http-cert-file
  --http-cert-name
  --http-pin
  --dirsrv-cert-file
  --dirsrv-cert-name
  --dirsrv-pin

But note, the HTTP certificate is used for port 443 (Apache), NOT for 8443
(Tomcat; Dogtag PKI's HTTP API). There is no way to supply a third-party cert
for Dogtag/port 8443.

In any case, even if you could work around the pathLenConstraint to get
installation to complete, operationally it is a major problem (i.e. nothing
issued by your IPA CA will be trusted). It needs to be resolved.

Cheers,
Fraser

> Thanks in advance.
>
> IPA version: 4.6.4-10.el7.centos.2.x86_64
> OS: CentOS 7.6
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
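The pre-install sanity check Fraser describes, as an added example that is not FreeIPA's code: it walks a chain ordered leaf first and reports every CA whose pathLenConstraint the chain exceeds (RFC 5280 counting rule). The sample chain and its pathlen values are constructed; the thread does not show the real certificates. `chain_from_pem` assumes the `cryptography` package is installed.

```python
"""Sanity-check pathLenConstraint along a CA chain (leaf first, root last).

RFC 5280 4.2.1.9: pathLenConstraint is the maximum number of non-self-issued
intermediate CA certs that may follow the cert in a path; the leaf does not count.
"""
from typing import List, NamedTuple, Optional


class CaInfo(NamedTuple):
    name: str
    is_ca: bool
    path_len: Optional[int]  # None when the constraint is absent (unlimited)


def path_len_violations(chain: List[CaInfo]) -> List[str]:
    """Return one message per issuer whose pathLenConstraint the chain exceeds."""
    problems = []
    for depth, cert in enumerate(chain):
        if depth == 0:
            continue  # the leaf issues nothing; its own constraint is irrelevant
        if not cert.is_ca:
            problems.append(f"{cert.name}: not a CA (basicConstraints cA=false)")
            continue
        below = depth - 1  # subordinate CAs between this cert and the leaf
        if cert.path_len is not None and below > cert.path_len:
            problems.append(f"{cert.name}: pathLenConstraint={cert.path_len} "
                            f"but {below} subordinate CA(s) sit below it")
    return problems


def chain_from_pem(pem: bytes) -> List[CaInfo]:
    """Parse a PEM bundle into CaInfo records (needs 'cryptography' >= 39)."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID
    out = []
    for cert in x509.load_pem_x509_certificates(pem):
        try:
            bc = cert.extensions.get_extension_for_oid(
                ExtensionOID.BASIC_CONSTRAINTS).value
            is_ca, path_len = bc.ca, bc.path_length
        except x509.ExtensionNotFound:
            is_ca, path_len = False, None
        out.append(CaInfo(cert.subject.rfc4514_string(), is_ca, path_len))
    return out


# Constructed sample with the thread's layout (root -> intermediate -> IPA CA ->
# Dogtag cert); the pathlen values are assumed, the thread does not show them.
SAMPLE_CHAIN = [
    CaInfo("CN=thisserver.domain.dev", False, None),
    CaInfo("O=Acme Inc,CN=Certificate Authority", True, None),  # IPA sub-CA
    CaInfo("CN=Intermediate CA", True, 0),  # allows no CA below it
    CaInfo("CN=Root CA", True, 1),          # allows only one CA below it
]
```

Running `path_len_violations(chain_from_pem(open("chain.pem", "rb").read()))` before `ipa-server-install` shows which superior CA needs re-issuing with a larger (or absent) pathLenConstraint.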