This actually died after restart so I ended up starting over... So here is the process I did that looks like it works and also survives restart.

Step 1 - Before install, go to
http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
-- start at "Convert crt file in PEM format" and do that whole section completely.

Step 2 - Install the IPA server using the p12 file from before and also the intermediate.crt from your provider (I'm not sure why this isn't documented anywhere but I found it in my searches):

    ipa-server-install --http_pkcs12 DOMAIN.COM.p12 --dirsrv_pkcs12 collectivebias.com.p12 --root-ca-file intermediate.crt

Step 3 - Re-add the certs (for some reason I don't know, but it's needed) (from http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP):

    ipa-server-certinstall -w --http_pin=PKPASSWORD DOMAIN.COM.p12
    ipa-server-certinstall -d --dirsrv_pin=PKPASSWORD DOMAIN.COM.p12

Step 4 - Reboot.

Step 5 - You can dance if you wanna...

On Mon, Aug 25, 2014 at 2:02 PM, Chris Whittle <cwhi...@gmail.com> wrote:
> I spoke a little too soon... It's working fine (browser is using new cert
> and also ldaps is using the new cert) except when you go to the certs page
> on the ui.
> https://DOMAIN/ipa/ui/#/e/cert/search
>
> An error has occurred (IPA Error 4301: CertificateOperationError)
>
> Certificate operation cannot be completed: Unable to communicate with CMS
> (Internal Server Error)
>
>
> On Mon, Aug 25, 2014 at 1:34 PM, Chris Whittle <cwhi...@gmail.com> wrote:
>
>> ok I think I got it again... If anyone is looking for this, here is the
>> answer that worked for me....
>>
>> 1. Here are the steps
>>    1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
>>       -- start at "Convert crt file in PEM format" and do that whole
>>       section completely
>>    2. Then with the p12 from above you do this (skip the line about
>>       generating a new one):
>>       http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>       1. If you run across the error "/etc/ipa/ca.crt contains more
>>          than one certificate", you will need to go into /etc/ipa/ca.crt,
>>          back it up and then try removing one of the certs and try
>>          ipa-server-certinstall from above again (if it doesn't work,
>>          revert ca.crt to the original and then remove the other).
>>    3. Then restart both instances (bottom of the freeipa link) and you
>>       should be good to go.
>>
>>
>> On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle <cwhi...@gmail.com> wrote:
>>
>>> I found this but I think it's just IPA certs?
>>> http://www.freeipa.org/page/V4/CA_certificate_renewal
>>>
>>> Basically I want to use my existing wildcard cert for https and ldaps...
>>> I did this on my 3.3 install on CentOS but now I'm on a 4 install on
>>> Fedora Core.
>>>
>>> Any help would be more than appreciated!
>>> Thanks!
>>>
>>>
>>> On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle <cwhi...@gmail.com> wrote:
>>>
>>>> I have 4 installed and I get it when I try to generate the pk12
>>>> On Aug 25, 2014 3:50 AM, "Jan Cholasta" <jchol...@redhat.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On 25.8.2014 at 03:04, Chris Whittle wrote:
>>>>>
>>>>>> Trying to do this
>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>>>>>
>>>>>> And I keep getting "Error unable to get local issuer certificate
>>>>>> getting chain."
>>>>>>
>>>>>
>>>>> Where are you getting this error? ipa-server-certinstall, or httpd, or
>>>>> somewhere else?
>>>>>
>>>>> What version of ipa do you have installed?
>>>>>
>>>>>
>>>>>> I'm wondering if it's because of this from the doc
>>>>>> "The certificate in mysite.crt must be signed by the CA used when
>>>>>> installing FreeIPA."
>>>>>> but it might not either...
>>>>>>
>>>>>
>>>>> In this case you should get a "file.p12 is not signed by
>>>>> /etc/ipa/ca.crt, or the full certificate chain is not present in the
>>>>> PKCS#12 file" error in ipa-server-certinstall.
>>>>>
>>>>>
>>>>>> Any ideas?
>>>>>
>>>>> Honza
>>>>>
>>>>> --
>>>>> Jan Cholasta
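An added example, not from anyone in this thread, for the "/etc/ipa/ca.crt contains more than one certificate" case and the "not signed by /etc/ipa/ca.crt, or the full certificate chain is not present" check that ipa-server-certinstall performs: it splits the bundle, shows what each certificate is, and tests which one the PKCS#12 actually chains to, instead of deleting one cert and retrying. It assumes openssl is in PATH; DOMAIN.COM.p12, PKPASSWORD and the split paths are placeholders, and the sample bundle at the bottom is constructed dummy data.

```shell
#!/bin/sh
# Example code, not from the thread. Inspect a CA bundle before running
# ipa-server-certinstall. Assumes openssl is installed; file names are
# placeholders. The sample bundle below is constructed, not a real cert.

# Number of PEM certificate blocks in a file (0 if none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a PEM bundle into <outdir>/cert-1.pem, cert-2.pem, ...; prints the count.
# Only lines between BEGIN and END go to a file, so blank lines or text
# between blocks never truncate an already written cert.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { close(out); inside = 0 }
        END                            { print n + 0 }
    ' "$1"
}

# Print subject and issuer of each split cert so the operator can tell the
# provider's intermediate from a leftover (e.g. an IPA CA from an earlier install).
describe_certs() {
    for f in "$1"/cert-*.pem; do
        printf '%s\n' "$f"
        openssl x509 -in "$f" -noout -subject -issuer
    done
}

# Does the HTTP/LDAP cert inside the PKCS#12 chain to this CA file? Exit 0 if so.
# -partial_chain (OpenSSL 1.0.2 or newer) lets an intermediate be the trust anchor.
verify_p12_against_ca() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$3" \
        | openssl verify -partial_chain -CAfile "$2" >/dev/null 2>&1
}

# Constructed two-cert bundle with dummy bodies to demonstrate the split. With a
# real ca.crt you would then run describe_certs "$work/split" and, per cert,
# verify_p12_against_ca DOMAIN.COM.p12 "$work/split/cert-N.pem" PKPASSWORD.
work=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
               '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' > "$work/ca.crt"
echo "ca.crt holds $(count_certs "$work/ca.crt") certificate(s)"
echo "split into $(split_bundle "$work/ca.crt" "$work/split") file(s) under $work/split"
```

Whichever split file verify_p12_against_ca accepts is the one to keep as ca.crt; if none does, the PKCS#12 is missing its intermediate and needs to be rebuilt with the full chain.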
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project