Re: [Freeipa-users] External CA: Peer's certificate issuer has been marked as not trusted by the user

2016-10-02 Thread Matt .
Hi,

No one has any idea here? My Root Cert is installed OK.

# certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                  u,u,u
subsystemCert cert-pki-ca                    u,u,u
COMODOExternalCARoot                         C,C,C
COMODORSADomainValidationSecureServerCA      C,C,C
Server-Cert cert-pki-ca                      u,u,u
auditSigningCert cert-pki-ca                 u,u,Pu
caSigningCert cert-pki-ca                    CTu,Cu,Cu
COMODORSAAddTrustCA                          C,C,C

I hope this helps.

Cheers,

Matt

2016-10-01 17:04 GMT+02:00 Matt . :
> Hi guys,
>
> I have successfully installed an external CA certificate for
> https/LDAP, but now I get this from my ipa commands:
>
> ipa domainlevel-get
>
> ipa: ERROR: cert validation failed for
> "CN=*.mysubdomain.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain
> Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
> issuer has been marked as not trusted by the user.)
>
> What can cause this?
>
> I'm on FreeIPA, version: 4.4.1
>
> I hope we can sort this out.
>
> Thanks,
>
> Matt

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
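An added example for the listing above; it is not code from Matt's post or from the FreeIPA project. It decodes the certutil trust columns and walks a server cert's issuers to find the first one NSS would not accept as an SSL CA. The sample listing is copied from the post; the chain order of the COMODO nicknames is assumed from their names, and the listing you feed it should come from whichever NSS database the failing client actually consults.

```python
import re

# NSS trust-flag letters as documented for certutil; the same letters apply in
# each of the three columns (SSL, S/MIME, JAR/XPI).
FLAG_MEANING = {
    "p": "prohibited (explicitly distrusted)",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA to issue client certs (implies c)",
    "C": "trusted CA to issue server certs (implies c)",
    "u": "user cert (private key present)",
    "w": "send warning",
}

# Sample input, copied from the certutil listing Matt posted above.
SAMPLE_LISTING = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                  u,u,u
subsystemCert cert-pki-ca                    u,u,u
COMODOExternalCARoot                         C,C,C
COMODORSADomainValidationSecureServerCA      C,C,C
Server-Cert cert-pki-ca                      u,u,u
auditSigningCert cert-pki-ca                 u,u,Pu
caSigningCert cert-pki-ca                    CTu,Cu,Cu
COMODORSAAddTrustCA                          C,C,C
"""

# Assumed chain order for Matt's wildcard cert, nearest issuer first, inferred
# from the nicknames (the post does not state it).
COMODO_CHAIN = [
    "COMODORSADomainValidationSecureServerCA",
    "COMODORSAAddTrustCA",
    "COMODOExternalCARoot",
]

FLAGS = "pPcTCuw"
LINE_RE = re.compile(rf"^(?P<nick>\S.*?)\s+(?P<trust>[{FLAGS}]*,[{FLAGS}]*,[{FLAGS}]*)\s*$")


def parse_certutil_listing(text):
    """Map nickname -> (ssl, smime, jar) flag strings. Header lines do not match
    because their last column is not three comma-separated flag groups."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[m.group("nick")] = tuple(m.group("trust").split(","))
    return entries


def describe(flags):
    """Spell out one column's flags, e.g. 'CTu' -> three human-readable meanings."""
    return [FLAG_MEANING[f] for f in flags if f in FLAG_MEANING]


def check_ssl_chain(entries, issuer_nicks):
    """Walk a server cert's issuers (nearest first) and stop at the first one NSS
    would not accept as an SSL CA. Returns (ok, report_lines).

    An issuer that is absent from the database is the 'unknown issuer' case; one
    that is present but lacks C in the SSL column (or carries p) is the
    'issuer has been marked as not trusted' case seen in the thread."""
    report = []
    for nick in issuer_nicks:
        if nick not in entries:
            report.append(f"{nick}: not in this database (unknown issuer)")
            return False, report
        ssl = entries[nick][0]
        if "p" in ssl:
            report.append(f"{nick}: explicitly distrusted for SSL ({ssl})")
            return False, report
        if "C" not in ssl:
            report.append(f"{nick}: present but not trusted as an SSL CA ({ssl or 'no flags'})")
            return False, report
        report.append(f"{nick}: trusted SSL CA ({ssl})")
    return True, report


if __name__ == "__main__":
    db = parse_certutil_listing(SAMPLE_LISTING)
    ok, lines = check_ssl_chain(db, COMODO_CHAIN)
    print("\n".join(lines))
    print("chain trusted:", ok)
```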


[Freeipa-users] External CA: Peer's certificate issuer has been marked as not trusted by the user

2016-10-01 Thread Matt .
Hi guys,

I have successfully installed an external CA certificate for
https/LDAP, but now I get this from my ipa commands:

ipa domainlevel-get

ipa: ERROR: cert validation failed for
"CN=*.mysubdomain.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain
Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
issuer has been marked as not trusted by the user.)

What can cause this?

I'm on FreeIPA, version: 4.4.1

I hope we can sort this out.

Thanks,

Matt



Re: [Freeipa-users] External CA

2013-11-08 Thread Martin Kosek
Thanks for heads up. You mean by the difference between O=MW and
O=MELTWATER.COM?

Petr, is this possible? Can it be validated in the installer if this is the
root cause?

Martin

On 11/08/2013 01:55 AM, William Leese wrote:
 I was able to solve this by recreating my test CA. I believe the problem
 was with non-matching Organisation between the CSR and CA - but I don't have
 the knowledge to know if this is really required.
 
 Anyhow, things work, despite not having removed the -BEGIN
 CERTIFICATE- lines this time around.
 
 Thanks for the help and sorry for wasting your time!
 
 
 --
 William Leese
 Production Engineer,
 Operations, Asia Pacific
 Meltwater Group
 m: +81 80 4946 0329
 skype: william.leese1
 w: meltwater.com
 
 This email and any attachment(s) is intended for and confidential to the
 addressee. If you are neither the addressee nor an authorized recipient for
 the addressee, please notify us of receipt, delete this message from your
 system and do not use, copy or disseminate the information in, or attached
 to it, in any way. Our messages are checked for viruses but please note
 that we do not accept liability for any viruses which may be transmitted in
 or with this message.
 
 
 
 On Thu, Nov 7, 2013 at 8:36 PM, Petr Viktorin pvikt...@redhat.com wrote:
 
 On 11/07/2013 08:34 AM, William Leese wrote:


 [root@vagrant-centos-6 CA]# cat /root/server.pem
 Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number: 2 (0x2)
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
 CN=vagrant.localdomain/emailAddress=t...@t.com
   Validity
   Not Before: Nov  6 05:12:09 2013 GMT
   Not After : Nov  6 05:12:09 2014 GMT
   Subject: O=MELTWATER.COM, CN=Certificate Authority
 [snip]
 -BEGIN CERTIFICATE-
 MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
 MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
 A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
 [snip]

 Try removing everything before the -BEGIN CERTIFICATE- line
 from the PEM.

 Well that was unexpected: removing the BEGIN Certificate / End lines now
 makes the install proceed up until:

 The log file for this installation can be found in
 /var/log/ipaserver-install.log
 The PKCS#10 certificate is not signed by the external CA (unknown issuer
 E=x...@x.com,CN=vagrant-centos-6,OU=JP,O=JP,L=JP,ST=JP,C=JP).


 Can you please post more (all) of /var/log/ipaserver-install.log? We need
 to know where exactly the issue is occurring and what the traceback is.


  Do I need to do anything to make my freshly created internal CA trusted
 for the installation? I've tried the usual magic in /etc/pki/tls/certs,
 but to no avail.


 No, --external_ca_file should have been enough.

 --
 Petr³

 
 
 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] External CA

2013-11-08 Thread William Leese
 You mean by the difference between O=MW and O=MELTWATER.COM?

Yes, but again I don't know for sure. I wasn't very diligent setting up my
test CA.

Re: [Freeipa-users] External CA

2013-11-08 Thread Petr Viktorin

On 11/08/2013 09:01 AM, Martin Kosek wrote:

Thanks for heads up. You mean by the difference between O=MW and
O=MELTWATER.COM?

Petr, is this possible? Can it be validated in the installer if this is the
root cause?


It is possible. It's hard to tell without the logs; looks like the 
failure was inside Dogtag. There may be more issues; for instance I 
don't think we considered PEM files with extra data before the BEGIN 
CERTIFICATE.
I filed a ticket to investigate: 
https://fedorahosted.org/freeipa/ticket/4019



On 11/08/2013 01:55 AM, William Leese wrote:

I was able to solve this by recreating my test CA. I believe the problem
was with non-matching Organisation between the CSR and CA - but I don't have
the knowledge to know if this is really required.

Anyhow, things work, despite not having removed the -BEGIN
CERTIFICATE- lines this time around.

Thanks for the help and sorry for wasting your time!




--
Petr³


Re: [Freeipa-users] External CA

2013-11-08 Thread John Dennis
On 11/08/2013 04:56 AM, Petr Viktorin wrote:
 On 11/08/2013 09:01 AM, Martin Kosek wrote:
 Thanks for heads up. You mean by the difference between O=MW and
 O=MELTWATER.COM?

 Petr, is this possible? Can it be validated in the installer if this is
 the root cause?

That's a good question. Typically with cert validation only the CN
component in the subject is cross-checked. More aggressive validators
are free to examine all RDNs in the subject (not sure what the PKIX
behavior is with respect to other RDNs). Of course this isn't cert
validation, but validating a CSR is closely related. The first place I
would look is the Dogtag policy.

 It is possible. It's hard to tell without the logs; looks like the 
 failure was inside Dogtag. There may be more issues; for instance I 
 don't think we considered PEM files with extra data before the BEGIN 
 CERTIFICATE.
 I filed a ticket to investigate: 
 https://fedorahosted.org/freeipa/ticket/4019

FWIW I've authored a set of Python utilities to work with PEM files for
OpenStack. They work just fine with PEM blocks embedded in non-PEM
text. I was thinking the utilities would also be useful in FreeIPA (in
fact my experience in IPA is what guided the development of these
utilities). I'll try to get them up in a git repo shortly and send a pointer.

-- 
John

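An added example for the point John and Martin discuss above (whether only the CN or every RDN is compared); it is not FreeIPA, Dogtag or John's OpenStack code. It parses the two DN spellings that appear in this thread (OpenSSL's "C=JP, ST=TK, .../emailAddress=..." and the "E=...,CN=...,OU=..." form in the IPA error) and shows how a CN-only check can pass while the full issuer-to-subject match a chain builder needs fails. The DN values are constructed to mirror William's case, with a placeholder e-mail address.

```python
import re

# OpenSSL's text form prints the e-mail attribute as emailAddress; the Dogtag/NSS
# error text in the thread prints it as E. Normalise both to one name.
ALIASES = {"e": "emailaddress", "email": "emailaddress"}

# Constructed DNs shaped like the ones in the thread: the Issuer of the IPA CA
# cert as OpenSSL printed it, and the Subject the test CA actually carried
# (William's hypothesis: the O component differed). The e-mail is a placeholder.
ISSUER_DN = "C=JP, ST=TK, L=TKK, O=MW, OU=ops, CN=vagrant.localdomain/emailAddress=ca@example.invalid"
CA_SUBJECT_DN = "E=ca@example.invalid,CN=vagrant.localdomain,OU=ops,O=MELTWATER.COM,L=TKK,ST=TK,C=JP"


def parse_dn(dn):
    """Turn an OpenSSL-style or RFC 4514-style DN string into a frozenset of
    (attribute, value) pairs, so RDN order and attribute spelling don't matter."""
    rdns = set()
    for part in re.split(r"(?<!\\)[,/]", dn):   # split on unescaped ',' or '/'
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        attr = attr.strip().lower()
        rdns.add((ALIASES.get(attr, attr), value.strip()))
    return frozenset(rdns)


def compare_issuer_to_ca(issuer_dn, ca_subject_dn):
    """Return (full_match, cn_only_match, missing_from_ca, extra_in_ca).

    A chain builder needs full_match. A CN-only cross-check, the usual case John
    describes, can still pass while the full match fails, which is what a CA whose
    subject differs only in O from the cert's issuer looks like."""
    issuer = parse_dn(issuer_dn)
    ca = parse_dn(ca_subject_dn)
    cn_issuer = {v for a, v in issuer if a == "cn"}
    cn_ca = {v for a, v in ca if a == "cn"}
    return issuer == ca, cn_issuer == cn_ca, sorted(issuer - ca), sorted(ca - issuer)


if __name__ == "__main__":
    full, cn_only, missing, extra = compare_issuer_to_ca(ISSUER_DN, CA_SUBJECT_DN)
    print("full DN match:", full, "| CN-only match:", cn_only)
    for attr, value in missing:
        print(f"  issuer has {attr}={value}, CA subject does not")
    for attr, value in extra:
        print(f"  CA subject has {attr}={value}, issuer does not")
```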


Re: [Freeipa-users] External CA

2013-11-07 Thread Petr Viktorin

On 11/07/2013 08:34 AM, William Leese wrote:


[root@vagrant-centos-6 CA]# cat /root/server.pem
Certificate:
  Data:
  Version: 3 (0x2)
  Serial Number: 2 (0x2)
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
CN=vagrant.localdomain/emailAddress=t...@t.com
  Validity
  Not Before: Nov  6 05:12:09 2013 GMT
  Not After : Nov  6 05:12:09 2014 GMT
  Subject: O=MELTWATER.COM, CN=Certificate Authority
[snip]
-BEGIN CERTIFICATE-
MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
[snip]


Try removing everything before the -BEGIN CERTIFICATE- line
from the PEM.

Well that was unexpected: removing the BEGIN Certificate / End lines now
makes the install proceed up until:

The log file for this installation can be found in
/var/log/ipaserver-install.log
The PKCS#10 certificate is not signed by the external CA (unknown issuer
E=x...@x.com,CN=vagrant-centos-6,OU=JP,O=JP,L=JP,ST=JP,C=JP).


Can you please post more (all) of /var/log/ipaserver-install.log? We 
need to know where exactly the issue is occurring and what the traceback is.



Do I need to do anything to make my freshly created internal CA trusted
for the installation? I've tried the usual magic in /etc/pki/tls/certs,
but to no avail.


No, --external_ca_file should have been enough.

--
Petr³



Re: [Freeipa-users] External CA

2013-11-07 Thread William Leese
I was able to solve this by recreating my test CA. I believe the problem
was with non-matching Organisation between the CSR and CA - but I don't have
the knowledge to know if this is really required.

Anyhow, things work, despite not having removed the -BEGIN
CERTIFICATE- lines this time around.

Thanks for the help and sorry for wasting your time!


--
William Leese
Production Engineer,
Operations, Asia Pacific
Meltwater Group
m: +81 80 4946 0329
skype: william.leese1
w: meltwater.com




On Thu, Nov 7, 2013 at 8:36 PM, Petr Viktorin pvikt...@redhat.com wrote:

 On 11/07/2013 08:34 AM, William Leese wrote:


 [root@vagrant-centos-6 CA]# cat /root/server.pem
 Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number: 2 (0x2)
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
 CN=vagrant.localdomain/emailAddress=t...@t.com
   Validity
   Not Before: Nov  6 05:12:09 2013 GMT
   Not After : Nov  6 05:12:09 2014 GMT
   Subject: O=MELTWATER.COM, CN=Certificate Authority
 [snip]
 -BEGIN CERTIFICATE-
 MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
 MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
 A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
 [snip]


 Try removing everything before the -BEGIN CERTIFICATE- line
 from the PEM.

 Well that was unexpected: removing the BEGIN Certificate / End lines now
 makes the install proceed up until:

 The log file for this installation can be found in
 /var/log/ipaserver-install.log
 The PKCS#10 certificate is not signed by the external CA (unknown issuer
 E=x...@x.com,CN=vagrant-centos-6,OU=JP,O=JP,L=JP,ST=JP,C=JP).


 Can you please post more (all) of /var/log/ipaserver-install.log? We need
 to know where exactly the issue is occurring and what the traceback is.


  Do I need to do anything to make my freshly created internal CA trusted
 for the installation? I've tried the usual magic in /etc/pki/tls/certs,
 but to no avail.


 No, --external_ca_file should have been enough.

 --
 Petr³


Re: [Freeipa-users] External CA

2013-11-06 Thread Petr Viktorin

On 11/06/2013 06:32 AM, William Leese wrote:

Hi,

Trying to install freeIPA and have it a sub-ca of an existing one. Sadly
I'm not getting anywhere.

The version I have installed:
ipa-server-3.0.0-26.el6_4.4.x86_64

This is what I run:

ipa-server-install -U -a testtest -p testtest
  --external_cert_file=/root/server.pem
  --external_ca_file=/root/cacert.pem -p testtest  -P testtest   -r
MELTWATER.COM

Which runs this as part of the process:

/usr/bin/pkisilent ConfigureCA -cs_hostname vagrant-centos-6.meltwater.com
-cs_port 9445 -client_certdb_dir /tmp/tmp-bOrwSu -client_certdb_pwd
testtest -preop_pin 4hdia3IvPvf27Qo7kBbO -domain_name IPA -admin_user
admin -admin_email root@localhost -admin_password testtest -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=MELTWATER.COM
-ldap_host vagrant-centos-6.meltwater.com -ldap_port 7389 -bind_dn
cn=Directory Manager -bind_password testtest -base_dn o=ipaca -db_name
ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd testtest -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MELTWATER.COM
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MELTWATER.COM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MELTWATER.COM
-ca_server_cert_subject_name CN=vagrant-centos-6.meltwater.com,O=MELTWATER.COM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=MELTWATER.COM
-ca_sign_cert_subject_name CN=Certificate Authority,O=MELTWATER.COM
-external true -ext_ca_cert_file /root/server.pem
-ext_ca_cert_chain_file /root/cacert.pem

All this results in this in the log:
   <errorString>Failed to create pkcs12 file.</errorString>
[snip]
Error in BackupPanel(): updateStatus value is null
ERROR: ConfigureCA: BackupPanel() failure
ERROR: unable to create CA


Can you attach the full error from the log?


Interestingly adding the option -save_p12 false to the pkisilent command
above results in:

importCert string: importing with nickname: ipa-ca-agent
Already logged into to DB
ERROR:exception importing cert Security library failed to decode
certificate package: (-8183) security library: improperly formatted
DER-encoded message.
ERROR: AdminCertImportPanel() during cert import
ERROR: ConfigureCA: AdminCertImportPanel() failure
ERROR: unable to create CA

While the option change seemed innocent, I honestly don't know if its
crucial to the install or not. Anyhow, things don't really progress anyway.

I followed the documentation by signing the /root/ipa.csr with a test,
internal CA but somehow I can't get the install to proceed.

[root@vagrant-centos-6 CA]# cat /root/server.pem
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 2 (0x2)
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
CN=vagrant.localdomain/emailAddress=t...@t.com
 Validity
 Not Before: Nov  6 05:12:09 2013 GMT
 Not After : Nov  6 05:12:09 2014 GMT
 Subject: O=MELTWATER.COM, CN=Certificate Authority
[snip]
-BEGIN CERTIFICATE-
MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
[snip]


Try removing everything before the -BEGIN CERTIFICATE- line from 
the PEM.



[root@vagrant-centos-6 CA]# cat /root/cacert.pem
-BEGIN CERTIFICATE-
MIIDxTCCAq2gAwIBAgIJALIzKeNrwx2lMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
BAYTAkpQMQswCQYDVQQIDAJUSzEMMAoGA1UEBwwDVEtLMQswCQYDVQQKDAJNVzEM
MAoGA1UECwwDb3BzMRwwGgYD
[snip]

Any help would be welcome.


--
Petr³

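An added example for Petr's suggestion above to strip everything before the BEGIN CERTIFICATE line; it is not FreeIPA, Dogtag or John's OpenStack code. It pulls the certificate blocks out of a file that, like William's /root/server.pem, has an `openssl x509 -text` dump in front of the block, re-emits only the blocks, and checks that the decoded bytes form exactly one DER SEQUENCE, the cheap sanity check to run before handing the file to the installer. The certificate body is a constructed DER placeholder, not a real certificate, and the delimiters use the five dashes real PEM has (the archive has collapsed them to one).

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def der_sequence_length(der):
    """Total length the DER SEQUENCE at der[0] claims, or None if the header is malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:             # short-form length
        return 2 + first
    n = first & 0x7F             # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def is_single_der_sequence(der):
    """True when the bytes are exactly one DER SEQUENCE, the outer shape of any certificate.
    Leading text, a stray marker line or trailing bytes all make this False."""
    return der_sequence_length(der) == len(der)


def extract_pem(text, label="CERTIFICATE"):
    """DER bytes of every PEM block with the given label. Text outside the BEGIN/END
    markers is ignored; a block whose base64 body does not decode is skipped."""
    blobs = []
    for m in PEM_RE.finditer(text):
        if m.group("label") != label:
            continue
        body = "".join(m.group("body").split())
        try:
            blobs.append(base64.b64decode(body, validate=True))
        except ValueError:        # binascii.Error is a ValueError
            continue
    return blobs


def clean_pem(text, label="CERTIFICATE"):
    """Re-emit only the PEM blocks, 64 columns wide, so a strict consumer sees nothing else."""
    out = []
    for der in extract_pem(text, label):
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append(f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n")
    return "".join(out)


# Constructed stand-in for a certificate: SEQUENCE { INTEGER 2, UTF8String "constructed" }
FAKE_DER = bytes([0x30, 0x10, 0x02, 0x01, 0x02, 0x0C, 0x0B]) + b"constructed"

# Constructed file in the shape of William's /root/server.pem: text dump, then the block.
SERVER_PEM = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "        Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops, CN=vagrant.localdomain\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    raw = SERVER_PEM.encode()
    print("whole file parses as DER:", is_single_der_sequence(raw))      # False
    for der in extract_pem(SERVER_PEM):
        print("extracted block parses as DER:", is_single_der_sequence(der))
    print(clean_pem(SERVER_PEM), end="")
```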


[Freeipa-users] External CA

2013-11-05 Thread William Leese
Hi,

Trying to install freeIPA and have it a sub-ca of an existing one. Sadly
I'm not getting anywhere.

The version I have installed:
ipa-server-3.0.0-26.el6_4.4.x86_64

This is what I run:

ipa-server-install -U -a testtest -p testtest
 --external_cert_file=/root/server.pem  --external_ca_file=/root/cacert.pem
-p testtest  -P testtest   -r MELTWATER.COM

Which runs this as part of the process:

/usr/bin/pkisilent ConfigureCA -cs_hostname
vagrant-centos-6.meltwater.com -cs_port 9445 -client_certdb_dir
/tmp/tmp-bOrwSu -client_certdb_pwd
testtest -preop_pin 4hdia3IvPvf27Qo7kBbO -domain_name IPA -admin_user admin
-admin_email root@localhost -admin_password testtest -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=MELTWATER.COM -ldap_host
vagrant-centos-6.meltwater.com -ldap_port 7389 -bind_dn cn=Directory
Manager -bind_password testtest
-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm
SHA256withRSA -save_p12 true -backup_pwd testtest -subsystem_name pki-cad
-token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=
MELTWATER.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=
MELTWATER.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MELTWATER.COM
-ca_server_cert_subject_name CN=vagrant-centos-6.meltwater.com,O=
MELTWATER.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=
MELTWATER.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=
MELTWATER.COM -external true -ext_ca_cert_file /root/server.pem
-ext_ca_cert_chain_file /root/cacert.pem

All this results in this in the log:
  <errorString>Failed to create pkcs12 file.</errorString>
[snip]
Error in BackupPanel(): updateStatus value is null
ERROR: ConfigureCA: BackupPanel() failure
ERROR: unable to create CA

Interestingly adding the option -save_p12 false to the pkisilent command
above results in:

importCert string: importing with nickname: ipa-ca-agent
Already logged into to DB
ERROR:exception importing cert Security library failed to decode
certificate package: (-8183) security library: improperly formatted
DER-encoded message.
ERROR: AdminCertImportPanel() during cert import
ERROR: ConfigureCA: AdminCertImportPanel() failure
ERROR: unable to create CA

While the option change seemed innocent, I honestly don't know if its
crucial to the install or not. Anyhow, things don't really progress anyway.

I followed the documentation by signing the /root/ipa.csr with a test,
internal CA but somehow I can't get the install to proceed.

[root@vagrant-centos-6 CA]# cat /root/server.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
CN=vagrant.localdomain/emailAddress=t...@t.com
Validity
Not Before: Nov  6 05:12:09 2013 GMT
Not After : Nov  6 05:12:09 2014 GMT
Subject: O=MELTWATER.COM, CN=Certificate Authority
[snip]
-BEGIN CERTIFICATE-
MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
[snip]

[root@vagrant-centos-6 CA]# cat /root/cacert.pem
-BEGIN CERTIFICATE-
MIIDxTCCAq2gAwIBAgIJALIzKeNrwx2lMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
BAYTAkpQMQswCQYDVQQIDAJUSzEMMAoGA1UEBwwDVEtLMQswCQYDVQQKDAJNVzEM
MAoGA1UECwwDb3BzMRwwGgYD
[snip]

Any help would be welcome.



--
William Leese
Production Engineer,
Operations, Asia Pacific
Meltwater Group
m: +81 80 4946 0329
skype: william.leese1
w: meltwater.com


Re: [Freeipa-users] external CA install problem

2013-07-25 Thread Martin Kosek
On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
 On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
 On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
 I'm trying to install an IPA server using an external CA.
 
 I ran the ipa-server-install --external-ca command, and got my cert signed by
 our on-site CA.
 
 So then I go back to install using my certs:
 
 ipa-server-install --external_cert_file=/root/ipa.cer
 --external_ca_file=/root/CACert.cer
 
 I get this for output:
 
 Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
   [1/20]: creating certificate server user
   [2/20]: configuring certificate server instance
 ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
 /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu
 -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd 
 -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin
 -admin_email root@localhost -admin_password  -agent_name ipa-ca-agent
 -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
 CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host
 lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager
 -bind_password  -base_dn o=ipaca -db_name ipaca -key_size 2048
 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
  -subsystem_name pki-cad -token_name internal
 -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU
 -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU
 -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU
 -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU
 -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU
 -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU
 -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file
 /root/CACert.cer -clone false' returned non-zero exit status 255
 Configuration of CA failed
 
 [root@lnxrealmtest01 ~]# tail /var/log/ipaserver-install.log
   File /usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py,
 line 617, in configure_instance
 self.start_creation(runtime=210)
 
   File /usr/lib/python2.6/site-packages/ipaserver/install/service.py, line
 358, in start_creation
 method()
 
   File /usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py,
 line 879, in __configure_instance
 raise RuntimeError('Configuration of CA failed')
 
 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception:
 RuntimeError: Configuration of CA failed
 
 Any thoughts on 

Re: [Freeipa-users] external CA install problem

2013-07-25 Thread Rob Crittenden

Armstrong, Kenneth Lawrence wrote:

On Thu, 2013-07-25 at 16:22 +0200, Martin Kosek wrote:

On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
 On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
 On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
 I'm trying to install an IPA server using an external CA.
 
 I ran the ipa-server-install --external-ca command, and got my cert signed by
 our on-site CA.
 
 So then I go back to install using my certs:
 
 ipa-server-install --external_cert_file=/root/ipa.cer
 --external_ca_file=/root/CACert.cer
 
 I get this for output:
 
 Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
   [1/20]: creating certificate server user
   [2/20]: configuring certificate server instance
 ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
 /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port
 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd  -preop_pin
 nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email
 root@localhost -admin_password  -agent_name ipa-ca-agent -agent_key_size
 2048 -agent_key_type rsa -agent_cert_subject
 CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu
 -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password  -base_dn
 o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
 -save_p12 true -backup_pwd  -subsystem_name pki-cad -token_name internal
 -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU
 -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU
 -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU
 -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU
 -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU
 -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU
 -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file
 /root/CACert.cer -clone false' returned non-zero exit status 255
 Configuration of CA failed
 
 [root@lnxrealmtest01 ~]# tail /var/log/ipaserver-install.log
   File /usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py,
 line 617, in configure_instance
 self.start_creation(runtime=210)
 
   File /usr/lib/python2.6/site-packages/ipaserver/install/service.py, line
 358, in start_creation
 method()
 
   File /usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py,
 line 879, in __configure_instance
 raise RuntimeError('Configuration of CA failed')
 
 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception:
 RuntimeError: Configuration of CA failed

Re: [Freeipa-users] external CA install problem

2013-07-25 Thread Armstrong, Kenneth Lawrence
On Thu, 2013-07-25 at 11:51 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
 On Thu, 2013-07-25 at 16:22 +0200, Martin Kosek wrote:
 On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
  On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
  On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
  I'm trying to install an IPA server using an external CA.
 
  I ran the ipa-server-install --external-ca command, and got my cert signed 
  by our on-site CA.
 
  So then I go back to install using my certs:
 
  ipa-server-install --external_cert_file=/root/ipa.cer 
  --external_ca_file=/root/CACert.cer
 
 
  I get this for output:
 
  Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
    [1/20]: creating certificate server user
    [2/20]: configuring certificate server instance
  ipa : CRITICAL failed to configure ca instance Command
  '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu
  -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd  -preop_pin
  nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root@localhost
  -admin_password  -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
  -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU
  -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager
  -bind_password  -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
  -key_algorithm SHA256withRSA -save_p12 true -backup_pwd  -subsystem_name pki-cad
  -token_name internal
  -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU
  -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU
  -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU
  -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU
  -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU
  -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU
  -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer
  -clone false' returned non-zero exit status 255
  Configuration of CA failed
 
 
  [root@lnxrealmtest01 ~]# tail /var/log/ipaserver-install.log
    File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
      self.start_creation(runtime=210)
    File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
      method()
    File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
      raise RuntimeError('Configuration of CA failed')
  2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed

Re: [Freeipa-users] external CA install problem

2013-07-25 Thread Martin Kosek

On 07/25/2013 06:53 PM, Armstrong, Kenneth Lawrence wrote:

Re: [Freeipa-users] --external-ca is a bit confusing.

2013-02-21 Thread Dmitri Pal
On 02/20/2013 10:20 PM, Kendrick . wrote:
 I am trying to get cacert to sign the CSR.  I have tried searching
 about it and can't figure out what is what.  Some information I have
 found suggests it won't be possible.

 When I go to get the CSR signed I get:

 The following hostnames were rejected because the system couldn't
 link them to your account, if they are valid please verify the domains
 against your account.
 Rejected: Certificate Authority
 https://www.cacert.org/account.php?id=7&newdomain=Certificate%20Authority


 I would prefer my certificates to be valid on the internet as some of
 the user certs would be used to sign emails and such.  Any advice
 would be appreciated.


 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users

Can you please be more specific about what you are doing?
The linking to the external CA is a one-time operation during the initial
installation.
If you want to use IPA as a subordinate CA you need to specify a
flag during installation (it seems that you are doing that based on the
comments above). The installation will stop, indicating that you need to
take the CSR and have it signed by the external CA. So you should take the
CSR and sign it. Then you present the result back to IPA and continue the
installation.

Based on the description above it is not clear which step is failing.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] --external-ca is a bit confusing.

2013-02-21 Thread Kendrick .
It is part of my initial setup.  I copied the ipa.csr into cacert's
signing system so that the certificates would be valid outside of my local
domain.  And it errors because the host information said "Certificate
Authority" instead of the host name, if I understand that error message
properly.

I am trying to get the CSR to provide all the information needed by cacert's
free signing service.  I was expecting to be able to use the user
certificates that FreeIPA makes to sign emails and such that would go
externally.


Re: [Freeipa-users] --external-ca is a bit confusing.

2013-02-21 Thread John Dennis

On 02/21/2013 07:23 PM, Kendrick . wrote:

It is part of my initial setup.  I copied the ipa.csr into cacert's
signing system so that the certificates would be valid outside of my
local domain.  And it errors because the host information said
"Certificate Authority" instead of the host name, if I understand that
error message properly.

I am trying to get the CSR to provide all the information needed by
cacert's free signing service.  I was expecting to be able to use the
user certificates that FreeIPA makes to sign emails and such that would
go externally.



The CA will only sign a cert for a domain registered to you. To see what 
domain the CSR is for, dump its contents using openssl, for example:


openssl req -in ipa.csr -noout -text

Does the CN in the subject match the domain you registered with 
cacert.org? If not, it's not going to sign it.


But wait, there's more: you're not just asking cacert to sign a plain 
cert, you're asking it to sign a CA cert, effectively creating a sub-CA of 
cacert. That means with that cert you can issue new certs and cacert 
will vouch for them, but of course they can't control who you're 
issuing certs to, which is a significant security issue. This FAQ entry 
from cacert will help clarify:


http://wiki.cacert.org/SubRoot

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

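The two checks John describes above (does the subject CN match a domain registered to you, and is the request actually for a CA certificate) can be done programmatically rather than by reading the `openssl req -text` dump by eye. The block below is an added example written for this thread; it is not John's, CAcert's or FreeIPA's code. It parses a DER-encoded PKCS#10 request with a minimal pure-Python DER reader so it runs without openssl, and reports the subject CN and whether the request asks for basicConstraints CA:TRUE. Because it needs input to run offline, `build_sample_csr` constructs a CSR in code with placeholder key and signature bit strings (so it is not a signed request); the subject `CN=Certificate Authority` mirrors what IPA's external-CA CSR carried in this thread. The function names and the `registered_domains` parameter are assumptions of the example.

```python
# Added example (not from the thread): inspect a PKCS#10 CSR before sending it
# to a public CA. Pure-Python DER handling so it runs without openssl; the
# sample CSR is constructed in code with placeholder key and signature bytes.
OID_CN, OID_O = "2.5.4.3", "2.5.4.10"
OID_RSA, OID_SHA256_RSA = "1.2.840.113549.1.1.1", "1.2.840.113549.1.1.11"
OID_EXT_REQ = "1.2.840.113549.1.9.14"      # pkcs-9-at-extensionRequest
OID_BASIC_CONSTRAINTS = "2.5.29.19"

# --- minimal DER encoder, used only to build the constructed sample CSR ---
def tlv(tag, content):
    """One DER tag-length-value (short and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def seq(*parts): return tlv(0x30, b"".join(parts))
def set_of(*parts): return tlv(0x31, b"".join(parts))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))

def build_sample_csr(cn, org, request_ca):
    """Constructed sample CSR: CN/O subject plus an extensionRequest attribute
    carrying basicConstraints; key and signature bit strings are placeholders."""
    subject = seq(set_of(seq(oid(OID_CN), tlv(0x0C, cn.encode()))),
                  set_of(seq(oid(OID_O), tlv(0x0C, org.encode()))))
    spki = seq(seq(oid(OID_RSA), tlv(0x05, b"")), tlv(0x03, b"\x00" * 17))
    bc = seq(tlv(0x01, b"\xff")) if request_ca else seq()   # cA TRUE / default
    ext = seq(oid(OID_BASIC_CONSTRAINTS), tlv(0x01, b"\xff"), tlv(0x04, bc))
    attrs = tlv(0xA0, seq(oid(OID_EXT_REQ), set_of(seq(ext))))  # [0] IMPLICIT
    cri = seq(tlv(0x02, b"\x00"), subject, spki, attrs)           # version 0
    sig_alg = seq(oid(OID_SHA256_RSA), tlv(0x05, b""))
    return seq(cri, sig_alg, tlv(0x03, b"\x00" * 17))

# --- minimal DER decoder ---
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's body into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def inspect_csr(csr):
    """Return {'cn', 'o', 'ca'} for a DER-encoded PKCS#10 request."""
    _, body, _ = read_tlv(csr)
    fields = children(children(body)[0][1])   # version, subject, spki, [0] attrs
    subject = {}
    for _, rdn in children(fields[1][1]):
        for _, atv in children(rdn):
            o, v = children(atv)
            subject[decode_oid(o[1])] = v[1].decode("utf-8")
    ca = False
    if len(fields) > 3 and fields[3][0] == 0xA0:
        for _, attr in children(fields[3][1]):
            a_oid, a_vals = children(attr)
            if decode_oid(a_oid[1]) != OID_EXT_REQ:
                continue
            for _, exts in children(a_vals[1]):
                for _, ext in children(exts):
                    parts = children(ext)
                    if decode_oid(parts[0][1]) == OID_BASIC_CONSTRAINTS:
                        inner = children(children(parts[-1][1])[0][1])
                        ca = bool(inner) and inner[0] == (0x01, b"\xff")
    return {"cn": subject.get(OID_CN), "o": subject.get(OID_O), "ca": ca}

def review_csr(csr, registered_domains):
    """What a public CA (or you, before submitting) should flag."""
    info = inspect_csr(csr)
    problems = []
    if info["ca"]:
        problems.append("requests basicConstraints CA:TRUE; signing creates a sub-CA")
    if info["cn"] not in registered_domains:
        problems.append("CN %r is not a domain registered to this account" % info["cn"])
    return info, problems
```

Running `review_csr(build_sample_csr("Certificate Authority", "EXAMPLE.TEST", True), {"ipa.example.test"})` flags both problems CAcert hit in this thread, while a leaf-style request with the registered host as CN and no CA flag passes clean. To inspect a real `ipa.csr`, strip the PEM armour and base64-decode it before calling `inspect_csr`; the signature is not verified here, which is fine for a pre-submission sanity check but not for anything that grants trust.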

[Freeipa-users] --external-ca is a bit confusing.

2013-02-20 Thread Kendrick .
I am trying to get cacert to sign the CSR.  I have tried searching about it
and can't figure out what is what.  Some information I have found suggests
it won't be possible.

When I go to get the CSR signed I get:

The following hostnames were rejected because the system couldn't link
them to your account, if they are valid please verify the domains against
your account.
Rejected: Certificate Authority
https://www.cacert.org/account.php?id=7&newdomain=Certificate%20Authority


I would prefer my certificates to be valid on the internet as some of the
user certs would be used to sign emails and such.  Any advice would be
appreciated.