Hi Peter,
On 21.12.2015 17:43, Peter Pakos wrote:
Hi,
I tried to install a wildcard SSL certificate for HTTP/LDAP in our
FreeIPA 4.1 (Centos 7.1) installation by following instructions from
wiki page at
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP:
Unfortunately ipa-server-certinstall is currently broken. We plan to fix
it some day, see <https://fedorahosted.org/freeipa/ticket/4785> and
<https://fedorahosted.org/freeipa/ticket/4786>.
# ipa-server-certinstall -w -d shdc01.ipa.wandisco.com.pem
Directory Manager password:
Enter private key unlock password:
Command /usr/bin/certutil' '-d' '/etc/httpd/alias' '-D' '-n'
'Server-Cert returned non-zero exit status 255
After this I was unable to start httpd service, error_log revealed the
following error messages:
[Wed Nov 25 18:15:44.262751 2015] [:error] [pid 22124] Certificate not
found: 'Server-Cert'
In order to resurrect the service I had to change NSSNickname in
/etc/httpd/conf.d/nss.conf to match the new certificate's nickname.
Although the httpd service started, I couldn't get into Authentication
tab in FreeIPA UI - I kept getting the following error message: "Unable
to communicate with CMS (Service Unavailable)".
[root@shdc01 ~]# yum list installed | grep ipa-server
ipa-server.x86_64 4.1.0-18.el7.centos.4 @updates
[root@shdc01 ~]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
At this point I was forced to restore our FreeIPA installation from a
snapshot as I wasn't able to fix it (I got some useful hints from
#freeipa Freenode channel however we still didn't manage to fully
resurrect the server).
My question is, what is the correct way of installing a 3rd party
certificate for HTTP/LDAP that will actually work?
1. Install the CA certificate chain of the issuer of the 3rd party
certificate to IPA using "ipa-cacert-manage install"
2. Run "ipa-certupdate" to update CA certificate related IPA configuration.
3. Manually import the server certificate into the
/etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
LDAP in the nsSSLPersonalitySSL attribute of
cn=RSA,cn=encryption,cn=config and restart DS.
4. Manually import the server certificate into the /etc/httpd/alias NSS
database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
using the NSSNickname directive and restart httpd.
Many thanks in advance.
BTW, I also added a comment describing this problem to the ticket at
https://fedorahosted.org/freeipa/ticket/5496.
Honza
--
Jan Cholasta
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
