Hi Jonny, responses inline.
On Fri, Mar 08, 2019 at 06:16:14PM -, Jonny McCullagh via FreeIPA-users
wrote:
> I can install freeipa with ipa-server-install and no parameters fine. However
> I want to be able to use IPA as a sub-CA. I have created root and
> intermediate CAs using openssl and attempt to install ipa server with:
>
> /usr/sbin/ipa-server-install
> --external-cert-file=/root/thisserver.domain.dev.cert.pem \
> --external-cert-file=/root/intermediate.cert.pem \
> --external-cert-file=/root/root-ca.cert.pem \
> --external-ca -n domain.dev -r DOMAIN.DEV \
> --hostname="thisserver.domain.dev" \
> --subject="O=Acme Inc, L=Springfield, ST=Ohio, C=US" \
> --ds-password=topsecret --admin-password=opensesame
>
> It stops at step 24 with the following message:
>
> [20/28]: Configure HTTP to proxy connections
> [21/28]: restarting certificate server
> [22/28]: updating IPA configuration
> [23/28]: enabling CA instance
> [24/28]: migrating certificate profiles to LDAP
> [error] NetworkError: cannot connect to
> 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
> ipapython.admintool: ERRORcannot connect to
> 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
> ipapython.admintool: ERRORThe ipa-server-install command failed. See
> /var/log/ipaserver-install.log for more information
>
> If I visit the address on port 8443 I do get an error I believe due to an
> empty certificate. My browser shows:
>
> Certificate path length constraint is invalid. Error code:
> SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID
>
> So I have a few questions if anyone can guide me:
> 1. Can I resume the install to complete the last 4 installation steps?
>
The path length constraint in one of the superior CA certificates is
being exceeded. There is nothing we can do about that; you'll have
to choose a different external CA to sign it. You may need to work
with your CA admins to work out a solution. If you are able, please
share the certificate chain and we can help analyse exactly where
the problem lies.
We should add a sanity check for this to prevent installation from
starting, and give a nice error explaining what the problem is. I
filed a ticket: https://pagure.io/freeipa/issue/7877
> 2. How can I get the install to use a self-signed cert for the
> http/ldap service OR can I supply a signed cert for that purpose?
>
Self-signed, no. Third party-signed, yes! See
ipa-server-install(1), in particular the following options:
--http-cert-file
--http-cert-name
--http-pin
--dirsrv-cert-file
--dirsrv-cert-name
--dirsrv-pin
But note, the HTTP certificate is used for port 443 (Apache), NOT
for 8443 (Tomcat; Dogtag PKI's HTTP API). There is no way to supply
a 3rd party cert for Dogtag/port 8443.
In any case, the pathLenConstraint, even if you could work around it
to get installation to complete, operationally it is a major problem
(i.e. nothing issued by your IPA CA will be trusted). It needs to
be resolved.
Cheers,
Fraser
> Thanks in advance.
>
> IPA version: 4.6.4-10.el7.centos.2.x86_64
> OS: CentOS 7.6
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org