On 19/10/15 21:06, Rob Crittenden wrote:
James Masson wrote:
Hi list,
I successfully have IPA working with CA certs signed by an upstream Dogtag.
Now I'm trying to use a CA cert signed by a different type of CA - Vault.
Setup fails, using the same two-step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.
Likely, IPA doesn't like the certificate - however, I can't pinpoint why.
I'm guessing you don't include the entire CA certchain of Vault. Dogtag
is failing to startup because it can't verify its own cert chain:
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
rob
Hi Rob,
Thanks for the reply.
I do present the IPA installer with both the CA and the IPA cert - IPA's
Python-based install code is happy with the cert chain, but the
Java-based Dogtag code chokes on it.
OpenSSL is happy with it too.
#####
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate
[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###
Any hints on how to reproduce this with more debug output? I'd like to
know exactly what Dogtag doesn't like about the certificate.
thanks
James M
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
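The full-chain check Rob describes, as an added Go example (not code from FreeIPA, Dogtag or Vault): it builds a constructed root -> intermediate -> "Certificate Authority" chain with the standard library and verifies the IPA CA cert once with only the root trusted and once with the intermediate also presented, which is the difference between `openssl verify -CAfile` succeeding and a verifier that never saw the intermediate failing. The CA names, serials and the use of ed25519 keys are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCA creates a CA cert for cn signed by parent (nil parent = self-signed root); names are constructed.
func issueCA(cn string, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{Organization: []string{"LOCAL"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey) // fixed template: cannot fail here
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildDemoChain returns a constructed root -> intermediate -> IPA CA chain standing in for a Vault-issued one.
func BuildDemoChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issueCA("Vault Root CA", 1, nil, nil)
	inter, interKey := issueCA("Vault Intermediate CA", 2, root, rootKey)
	leaf, _ := issueCA("Certificate Authority", 3, inter, interKey)
	return root, inter, leaf
}

// VerifyWithChain reports whether leaf chains to root using only the presented intermediates; nil = complete chain.
func VerifyWithChain(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
func main() {
	root, inter, leaf := BuildDemoChain()
	// First line reports "certificate signed by unknown authority", second reports <nil>.
	fmt.Printf("root only: %v\nroot + intermediate: %v\n", VerifyWithChain(leaf, root), VerifyWithChain(leaf, root, inter))
}
```

Feeding a verifier only the root plus the IPA cert reproduces the failure mode from the Dogtag self-test; presenting the intermediate as well is what makes the chain verifiable.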