On 2/21/20 5:56 PM, dmitriys via FreeIPA-users wrote:
Hi!
I use freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 on Ubuntu 18.04.4 LTS

I installed freeipa-server in default mode (ipa-server-install).
Now I am trying to change the certificate to a Comodo one, as written in this article:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
My steps:
1 ipa-cacert-manage -p 'password' -n COMODO -t C,, install addtrustexternalcaroot2.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful


Hi,
Looks like you forgot the ipa-certupdate step.

HTH,
flo

2 ipa-server-certinstall -w -d /home/xattab/ldap_comodo.key ldap_comodo.pem -vvv
I get an error:
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 
'dbm:/tmp/tmpPsRUhs', '-V', '-n', 'CN=ldap.soft2bet.com', '-u', 'V', '-f', 
'/tmp/tmpPsRUhs/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=certutil: certificate is invalid: Peer's 
Certificate issuer is not recognized.

ipapython.ipautil: DEBUG: stderr=
ipapython.admintool: DEBUG:   File 
"/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
     return_value = self.run()
   File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
line 113, in run
     self.install_dirsrv_cert()
   File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
line 139, in install_dirsrv_cert
     'restart_dirsrv %s' % serverid)
   File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
line 291, in import_cert
     self.check_chain(pkcs12_file.name, pin, cdb)
   File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
line 277, in check_chain
     "to install the CA certificate." % str(e))

ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, 
exception: ScriptError: Peer's certificate issuer is not trusted (certutil: 
certificate is invalid: Peer's Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA 
certificate.
ipapython.admintool: ERROR: Peer's certificate issuer is not trusted (certutil: 
certificate is invalid: Peer's Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA 
certificate.
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.

How do I fix it?
Can anybody help me? )))
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
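
A pre-flight check for the failure in this thread, as an added example that is not part of the original messages or of FreeIPA: it uses `openssl verify` to approximate the chain check that `ipa-server-certinstall` performs with certutil. It assumes the CA bundle file holds the CA certificates given to `ipa-cacert-manage install`; the function names, file names and the demo chain are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check before ipa-server-certinstall.

# issuer_trusted LEAF CA_BUNDLE
# Succeeds only if LEAF chains to a certificate in CA_BUNDLE. -no-CApath keeps
# the default CA directory out of the decision, so a publicly trusted issuer
# does not mask a CA that was never added to IPA.
issuer_trusted() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# preflight LEAF CA_BUNDLE
# Prints the next step; returns non-zero when the chain does not validate.
preflight() {
    if issuer_trusted "$1" "$2"; then
        echo "chain ok: run ipa-certupdate, then ipa-server-certinstall"
        return 0
    fi
    echo "untrusted issuer: $(openssl x509 -in "$1" -noout -issuer)"
    echo "run ipa-cacert-manage install for that CA, then ipa-certupdate"
    return 1
}

# make_demo_chain DIR
# Constructed test data: ca.pem signs leaf.pem; other.pem is an unrelated CA.
make_demo_chain() {
    for ca in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo $ca CA" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Usage: sh preflight.sh server-cert.pem ca-bundle.pem  (placeholder file names)
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A leaf signed by an intermediate CA validates only when the bundle contains the intermediate and its root.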
