Kevin Vasko via FreeIPA-users wrote: > How would I validate that certs are getting added properly on a CentOS > machine system wide store? > > I’m going to test it today to find out if this is a problem unique to > Ubuntu/CentOS.
On Fedora the chain is put into /etc/pki/ca-trust/source/anchors/ipa-ca.crt and update-ca-trust is executed. There is no Debian/Ubuntu equivalent in the upstream source (it's possible it is done in packaging). You could try something like: cp /etc/ipa/ca.crt /usr/local/share/ca-certificates/ipa-ca.crt update-ca-certificates rob > > -Kevin > >> On Oct 9, 2019, at 10:44 PM, Fraser Tweedale <ftwee...@redhat.com> wrote: >> >> On Wed, Oct 09, 2019 at 08:58:14PM -0500, Kevin Vasko wrote: >>> Seems to happen on both Ubuntu 16.04 and 18.04. >>> >>> $ lsb_release -a >>> No LSB modules are available. >>> Distributor ID: Ubuntu >>> Description: Ubuntu 16.04.6 LTS >>> Release: 16.04 >>> Codename: xenial >>> >>> $ firefox --version >>> Mozilla Firefox 67.0.4 >>> >>> freeipa-client/xenial,now 4.3.1-0ubuntu1 amd64 [installed] >>> freeipa-common/xenial,xenial,now 4.3.1-0ubuntu1 all [installed,automatic] >>> firefox/now 67.0.4+build1-0ubuntu0.16.04.1 amd64 >>> >>> >>> >>> Ubuntu 18.04 machine: >>> >>> $ lsb_release -a >>> No LSB modules are available. >>> Distributor ID: Ubuntu >>> Description: Ubuntu 18.04.3 LTS >>> Release: 18.04 >>> Codename: bionic >>> >>> freeipa-client/bionic,now 4.7.0~pre1+git20180411-2ubuntu2 amd64 [installed] >>> freeipa-common/bionic,bionic,now 4.7.0~pre1+git20180411-2ubuntu2 all >>> [installed,automatic] >>> firefox/bionic-updates,bionic-security,now >>> 69.0.2+build1-0ubuntu0.18.04.1 amd64 [installed] >>> >>> Where is the system trust store located? I was going to validate that >>> the freeipa ca.crt is added to the system trust store. If its not >>> there how do you add the ca.crt to the system trust store? >>> >>> Should the ipa-install-client command add the system wide trust store? >>> >> Thanks for the details. I do not know about system trust on Ubuntu. >> It could be that ipa-client on Ubuntu does add the IPA CA to system >> trust, but the Firefox/Chrome packages ignore the system trust >> store. >> >> Hopefully someone more familiar with Ubuntu can clarify. >> >> Cheers, >> Fraser >> >>> I'll try this on CentOS tomorrow to see if its just an Ubuntu issue. >>> >>>> On Wed, Oct 9, 2019 at 8:25 PM Fraser Tweedale <ftwee...@redhat.com> wrote: >>>> >>>> On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users >>>> wrote: >>>>> Hello, >>>>> >>>>> I’m wanting to make our https servers use a trusted certificate within >>>>> our LAN only. So for example if I have websrv1.ny.example.com when a user >>>>> uses a machine that’s enrolled into our realm and they visit >>>>> https://websrv1.ny.example.com they shouldn’t be prompted to accept the >>>>> self signed certificate. >>>>> >>>>> I think I’m pretty close but I’m missing a small part. >>>>> >>>>> The ipa server is all setup and working. Hosts are enrolled to ipa and >>>>> have the /etc/ipa/ca.crt. >>>>> >>>>> I have created a service for the http server in IPA. I have obtained a >>>>> .key file and .crt file for my web server. Those keys for the web server >>>>> are in the appropriate location and the web server is pointing at the >>>>> certs correctly. >>>>> >>>>> On my clients when I go to the web servers URl I am no longer getting a >>>>> “self signed cert” error message in the browser. >>>>> >>>>> That message has now changed to “unverified certificate authority”. Which >>>>> basically indicates to me that the browser doesn’t know if this >>>>> certificate authority should/can be trusted. >>>>> >>>>> If i go in the browser (firefox or chrome) in the certificate authority >>>>> section and import the /etc/ipa/ca.crt i get no errors in the browser >>>>> about it being unverified. >>>>> >>>>> So my question is, what am I missing to make the /etc/ipa/ca.crt file >>>>> globally available for browsers to pick up the certificate automatically? >>>>> >>>>> when we enroll a host we simply do >>>>> >>>>> freeipa-install-client —domain=example.com —realm=EXAMPLE.COM —mkhomedir >>>>> >>>>> Accept the defaults, put in the password to enroll and that’s it. Is >>>>> there something I’m missing? >>>>> >>>>> -Kevin >>>>> >>>> Looks like the browser is not using the system trust store. Please >>>> provide full details of operating system and package versions for >>>> both freeipa and browser packages. >>>> >>>> Cheers, >>>> Fraser > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
