Hi,

Is there any update on this? I need to install 3 other instances but I would like to know upfront if it might be a bug.

Thanks,

Matt

2017-02-14 17:59 GMT+01:00 Matt . <yamakasi....@gmail.com>:
> Hi Florence,
>
> Sure I can, here you go:
>
> Fedora 24
> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>
> I installed this server as self-signed CA
>
> Cheers,
>
> Matt
>
> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>
>>> Hi Florence,
>>>
>>> Thanks for your update, good to see some good info about it. For
>>> Comodo I have installed all these:
>>>
>>> AddTrustExternalCARoot.crt
>>> COMODORSAAddTrustCA.crt
>>> COMODORSADomainValidationSecureServerCA.crt
>>>
>>> Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>> far as I know but the same issues still exist, the Server-Cert is
>>> removed again on ipa-certupdate and fails.
>>>
>>> I have tried this with setenforce 0
>>>
>> Hi Matt,
>>
>> can you provide more info in order to reproduce the issue?
>> - which OS are you using
>> - IPA version
>> - how did you install ipa server (CA-less or with self-signed CA or with
>> externally-signed CA?)
>>
>> Thanks,
>> Flo.
>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>>>
>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>
>>>>> Certs are valid, I will check what you mentioned.
>>>>>
>>>>> I'm also no fan of bundles, more the separate files but this doesn't
>>>>> seem to work always. At least for the CAroot a bundle was required.
>>>>>
>>>> Hi Matt,
>>>>
>>>> if your certificate was provided by an intermediate CA, you need to add
>>>> each CA before running ipa-server-certinstall (start from the top-level
>>>> CA with ipa-cacert-manage install, then run ipa-certupdate, then the
>>>> intermediate CA with ipa-cacert-manage install, then ipa-certupdate
>>>> etc...)
>>>>
>>>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>
>>>> Flo.
>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>>>> <dsulliv...@bsd.uchicago.edu>:
>>>>>>
>>>>>> Have you validated the cert (and dumped the contents) from the command
>>>>>> line using the openssl tools? I’ve seen the message you are seeing
>>>>>> before, for some reason I seem to remember that it has to do with
>>>>>> either a missing or an extra - at either the -----BEGIN CERTIFICATE----
>>>>>> or -----END CERTIFICATE---- (an error from copy and pasting and not
>>>>>> copying the actual file).
>>>>>>
>>>>>> I’ve never used certupdate so if what is described above doesn’t help
>>>>>> somebody else will have to chime in.
>>>>>>
>>>>>> Dan
>>>>>>
>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi....@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Dan,
>>>>>>>
>>>>>>> Yes I have tried that and I get the message that it misses the full
>>>>>>> chain for the certificate.
>>>>>>>
>>>>>>> My issue is more, why is the Server-Cert being removed on a
>>>>>>> certupdate?
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>> <dsulliv...@bsd.uchicago.edu>:
>>>>>>>>
>>>>>>>> Is the chain in mydomain_com_bundle.crt? Have you tried it with the
>>>>>>>> cert only (disclaimer: I’ve never done this).
>>>>>>>>
>>>>>>>> Dan
>>>>>>>>
>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi....@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Guys,
>>>>>>>>>
>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>
>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>
>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>
>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>>>>>>> Directory Manager password:
>>>>>>>>>
>>>>>>>>> Enter private key unlock password:
>>>>>>>>>
>>>>>>>>> list index out of range
>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>
>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>
>>>>>>>>> What can I do to solve this?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
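
Added example, not part of the original thread and not FreeIPA code: a Python check for the copy-and-paste damage Dan describes above (a missing or extra dash on a certificate's BEGIN/END line), meant to be run on a bundle such as mydomain_com_bundle.crt before it is passed to ipa-server-certinstall. The name lint_bundle and the sample data are assumptions made for illustration; the sample bodies are constructed placeholder bytes, not real certificates.

```python
import base64
import binascii
import re

# Exact PEM armor lines for a certificate: five dashes on each side.
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Any attempt at an armor line, whatever its dash count.
ARMOR_LIKE = re.compile(r"^-*\s*(BEGIN|END) CERTIFICATE\s*-*$")


def lint_bundle(text):
    """Return (well_formed_block_count, problems) for a PEM bundle."""
    problems, count, body, start = [], 0, None, 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = ARMOR_LIKE.match(line)
        if m and line not in (BEGIN, END):
            problems.append(f"line {num}: malformed {m.group(1)} armor: {line!r}")
            # Treat it as the intended marker so later checks still run.
            line = BEGIN if m.group(1) == "BEGIN" else END
        if line == BEGIN:
            if body is not None:
                problems.append(f"line {num}: BEGIN inside block from line {start}")
            body, start = [], num
        elif line == END:
            if body is None:
                problems.append(f"line {num}: END without BEGIN")
                continue
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                der = b""
            if not der.startswith(b"\x30"):  # DER certificates start with SEQUENCE
                problems.append(f"line {start}: body is not base64 DER")
            else:
                count += 1
            body = None
        elif body is not None and line:
            body.append(line)  # base64 line inside a block; other text is ignored
    if body is not None:
        problems.append(f"line {start}: BEGIN without END")
    return count, problems


# Constructed sample: placeholder bytes, not real certificates.
SAMPLE_BODY = base64.b64encode(b"\x30\x82constructed placeholder").decode()
# Second block has a BEGIN line that lost its last dash (BEGIN[:-1]).
SAMPLE_BUNDLE = "\n".join([BEGIN, SAMPLE_BODY, END, BEGIN[:-1], SAMPLE_BODY, END])
```

An empty problem list only means the armor and base64 are intact; whether the chain is complete still has to be checked with the openssl tools mentioned in the thread.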