Thanks, Florence

It works now. My /etc/sssd/sssd.conf was missing the sudo service; adding the line below fixed the issue:

    services = nss, sudo, pam, ssh

Many Thanks Again!

Best Regards,
Deepak

________________________________
From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Florence Blanc-Renaud <f...@redhat.com>
Sent: Thursday, September 29, 2016 6:03 AM
To: beeth beeth
Cc: Freeipa-users
Subject: Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

On 09/29/2016 11:43 AM, beeth beeth wrote:
> Thanks for the quick response Florence!
>
> My goal is to use a 3rd party certificate (such as a Verisign cert) for
> the Web UI (company security requirement); in fact we are not required to use
> a 3rd party certificate for the LDAP server, but as I mentioned earlier, I
> couldn't make the new Verisign cert work with the Web UI without
> messing up the IPA function (after I updated the nss.conf to use the new
> cert in the /etc/httpd/alias db, ipa-client-install failed). So I
> tried to follow the Red Hat instructions, to see if I could get the Verisign
> cert installed at the very beginning, without using FreeIPA's
> own/default certificate, but I got the CSR question.
>
> I did install IPA without a CA, by following the instructions at
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
> but failed to restart HTTPD. When and how can I provide the 3rd-party
> certificate? Could you please point me to a document about the details?

Hi,

you need first to clarify if you want FreeIPA to act as a CA or not. The setup will depend on this choice.

- option a) FreeIPA with an embedded CA: you can install FreeIPA with a self-signed CA, then follow the instructions at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
in order to replace the WebUI certificate. Please note that there were some bugs in ipa-server-certinstall, preventing httpd from starting (Ticket #4786 [1]). The workaround is to manually update nss.conf (as you did) and manually import the CA certificate into /etc/pki/pki-tomcat/alias, for instance with
$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,

- option b) FreeIPA without CA: the installation instructions are in Installing without a CA [2]. You will provide the certificate that will be used by both the LDAP server and the WebUI in the command options.

HTH,
Flo.

[1] https://fedorahosted.org/freeipa/ticket/4786
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca

> Thanks again!
>
>
> On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud <f...@redhat.com
> <mailto:f...@redhat.com>> wrote:
>
> > Hi,
> >
> > The instructions that you followed are used when you want to install
> > FreeIPA with an embedded Certificate Authority (ie FreeIPA is able
> > to issue certificates), and FreeIPA CA is signed by a 3rd party CA.
> >
> > Maybe your goal is just to use a 3rd party certificate for IPA's
> > LDAP server and Web UI. In this case, you do not need to install
> > FreeIPA with an embedded CA. You can follow the instructions for
> > Installing without a CA [1], where you will need to provide a
> > 3rd-party certificate.
> >
> > Hope this clarifies,
> > Flo.
> >
> > [1]
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
> >
> > On 09/29/2016 11:03 AM, beeth beeth wrote:
> >
> > > I am trying to set up IPA servers with a Verisign certificate, so
> > > that the Admin Web console can use a publicly signed certificate to
> > > meet the company's security requirement. But when I try to follow
> > > Red Hat's instructions at
> > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,
> > > 2.3.5. Installing a Server with an External CA as the Root CA,
> > > at the first step it says to generate a CSR by adding the
> > > --external-ca option to the ipa-server-install utility, which does
> > > generate a CSR at /root/ipa.csr. However, the ipa-server-install
> > > command in fact doesn't ask for the Distinguished Name (DN) or the
> > > organization info (like country, state, etc.), which are required
> > > in the CSR. Without a valid CSR file, I can't request new Verisign
> > > certs. Did I miss something?
> > >
> > > Originally I once tried to change the default certificate for
> > > Apache (the Web Admin console) ONLY to the Verisign one, by adding
> > > the certificates to the /etc/httpd/alias database with the command:
> > > # ipa-server-certinstall -w --http_pin=test verisign.pk12
> > > And updated the nss.conf for httpd, so that the new Nickname is
> > > used to point to the Verisign certs. That worked well for the
> > > website. However, the IPA client installation failed after that
> > > for "ipa-client-install":
> > >
> > > ERROR Joining realm failed: libcurl failed to execute the HTTP POST
> > > transaction, explaining: Peer's certificate issuer has been marked
> > > as not trusted by the user.
> > >
> > > Even when I tried to also update the certificate for the Directory
> > > service (ipa-server-certinstall -d ... ), the client installation
> > > still failed. I believe the new Verisign cert messed up the
> > > communication of the IPA components. Then I am thinking to install
> > > the IPA server from scratch with the Verisign cert, but then I hit
> > > the CSR problem described above.
> > >
> > > Please advise. Thanks!
> > >

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
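The fix Deepak reports at the top of the thread (adding "sudo" to the services list in /etc/sssd/sssd.conf) is usually done by hand once; when it has to be rolled out to many clients it is worth scripting so that a second run never duplicates the entry or the line. The script below is an added example, not code from this thread or from the FreeIPA/SSSD projects. It assumes the usual INI layout of sssd.conf with a [sssd] section and a "services = a, b, c" key; the file path and service name are passed in as arguments, and the sample config it edits is constructed inline for the demo.

```sh
#!/bin/sh
# Added example (not from the thread or from FreeIPA/SSSD): idempotently add a
# responder to the "services =" list in the [sssd] section of an sssd.conf.
# Assumptions: standard INI layout with a [sssd] section; FILE and SERVICE are
# arguments, nothing is hard-wired to /etc/sssd/sssd.conf.

# sssd_services FILE
# Print the value of "services =" from the [sssd] section (empty if absent).
sssd_services() {
    awk '
        /^\[/ { hdr = $0; sub(/[ \t]+$/, "", hdr); insect = (hdr == "[sssd]") }
        insect && /^[ \t]*services[ \t]*=/ {
            sub(/^[ \t]*services[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# ensure_sssd_service FILE SERVICE
# Add SERVICE to the [sssd] services list unless it is already present.
# Returns 2 and changes nothing if FILE has no [sssd] section: guessing where
# to create one is how config files get silently broken.
ensure_sssd_service() {
    file=$1; svc=$2
    grep -q '^\[sssd\][[:space:]]*$' "$file" || return 2
    tmp=$(mktemp) || return 1
    awk -v svc="$svc" '
        /^\[/ {
            # Leaving [sssd] without having seen a services line: create one.
            if (insect && !seen) print "services = " svc
            hdr = $0; sub(/[ \t]+$/, "", hdr); insect = (hdr == "[sssd]")
        }
        insect && /^[ \t]*services[ \t]*=/ {
            line = $0
            sub(/^[ \t]*services[ \t]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            n = split(line, parts, /[ \t]*,[ \t]*/)
            found = 0
            for (i = 1; i <= n; i++) if (parts[i] == svc) found = 1
            if (!found) { if (n == 0) line = svc; else line = line ", " svc }
            print "services = " line
            seen = 1
            next
        }
        { print }
        END { if (insect && !seen) print "services = " svc }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing inode so the 0600 root:root mode and
    # ownership that sssd insists on survive (mv of a mktemp file would not).
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Constructed sample config (not a real server's file) showing before/after.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '[sssd]' 'services = nss, pam, ssh' 'domains = ipa.example.test' '' \
        '[nss]' 'filter_groups = root' > "$dir/sssd.conf"
    echo "before: $(sssd_services "$dir/sssd.conf")"
    ensure_sssd_service "$dir/sssd.conf" sudo
    ensure_sssd_service "$dir/sssd.conf" sudo   # second run is a no-op
    echo "after:  $(sssd_services "$dir/sssd.conf")"
    rm -rf "$dir"
}
demo
```

On a real client this would be run as root, after backing up the file, as `ensure_sssd_service /etc/sssd/sssd.conf sudo && systemctl restart sssd`; the restart is needed because sssd only reads the services list at startup. On newer SSSD releases the responders can also be socket-activated by systemd (for example via sssd-sudo.socket), in which case the services line is not the only way to get the sudo responder running, but on the RHEL 7 era setup discussed in this thread the list is what starts it.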