Hi,
We operate our own certificate authority for our internal infrastructure and I'd like to replace the certificate that comes with the FreeIPA installation with one we've generated for this host. This is FreeIPA, version: 4.6.6, running on CentOS Linux release 7.8.2003 (Core).
I looked around in the docs and couldn't see anything for this particular task. I did add a certificate to the FreeIPA host (under Identity->Host), but that doesn't seem to be the correct (or only) thing to do. In the certificates area, it appears, but has incomplete information and isn't marked VALID. What is the procedure for doing this?
Thanks,
Chuck
Chuck Musser via FreeIPA-users wrote:
> Hi,
> We operate our own certificate authority for our internal infrastructure and I'd like to replace the certificate that comes with the FreeIPA installation with one we've generated for this host. This is FreeIPA, version: 4.6.6, running on CentOS Linux release 7.8.2003 (Core).
> I looked around in the docs and couldn't see anything for this particular task. I did add a certificate to the FreeIPA host (under Identity->Host), but that doesn't seem to be the correct (or only) thing to do. In the certificates area, it appears, but has incomplete information and isn't marked VALID. What is the procedure for doing this?
It isn't something you can do in the UI. See ipa-server-certinstall.
rob
Thanks for pointing me in the right direction. I created a PKCS#12 file with the certificate, private key and the full certificate chain and tried to install it, but it needed to have my CA's cert installed, which it said to do with "ipa-cacert-manage" and "ipa-certupdate". The install step succeeded but the certupdate one failed with:
    sudo ipa-certupdate --verbose
    ipapython.admintool: DEBUG: Not logging to a file
    ipalib.rpc: INFO: trying https://aaa.mgmt.lax4.internal/ipa/json
    ipalib.backend: DEBUG: Created connection context.rpcclient_140007360051600
    ipalib.rpc: INFO: [try 1]: Forwarding 'schema' to json server 'https://aaa.mgmt.lax4.internal/ipa/json'
    ipalib.rpc: DEBUG: New HTTP connection (aaa.mgmt.lax4.internal)
    ipalib.rpc: DEBUG: HTTP connection destroyed (aaa.mgmt.lax4.internal)
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 699, in single_request
        self.get_auth_info()
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 651, in get_auth_info
        self._handle_exception(e, service=service)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 608, in _handle_exception
        raise errors.CCacheError()
    CCacheError: did not receive Kerberos credentials
    ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140007360051600
    ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
        return_value = self.run()
      File "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_certupdate.py", line 59, in run
        api.finalize()
      File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 739, in finalize
        self.__do_if_not_done('load_plugins')
      File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 431, in __do_if_not_done
        getattr(self, name)()
      File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 619, in load_plugins
        for package in self.packages:
      File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 949, in packages
        ipaclient.remote_plugins.get_package(self),
      File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 134, in get_package
        plugins = schema.get_package(server_info, client)
      File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 553, in get_package
        schema = Schema(client)
      File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 401, in __init__
        fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
      File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
        schema = client.forward(u'schema', **kwargs)['result']
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1151, in forward
        return self._call_command(command, params)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1127, in _call_command
        return command(*params)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1281, in _call
        return self.__request(name, args)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1248, in __request
        verbose=self.__verbose >= 3,
      File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
        return self.single_request(host, handler, request_body, verbose)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 699, in single_request
        self.get_auth_info()
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 651, in get_auth_info
        self._handle_exception(e, service=service)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 608, in _handle_exception
        raise errors.CCacheError()
    ipapython.admintool: DEBUG: The ipa-certupdate command failed, exception: CCacheError: did not receive Kerberos credentials
    ipapython.admintool: ERROR: did not receive Kerberos credentials
    ipapython.admintool: ERROR: The ipa-certupdate command failed.
Not sure what Kerberos has to do with it.
On Tue, Oct 06, 2020 at 09:07:17PM -0000, Chuck Musser via FreeIPA-users wrote:
> Thanks for pointing me in the right direction. I created a PKCS#12 file with the certificate, private key and the full certificate chain and tried to install it, but it needed to have my CA's cert installed, which it said to do with "ipa-cacert-manage" and "ipa-certupdate". The install step succeeded but the certupdate one failed with:
> sudo ipa-certupdate --verbose
> [...]
> CCacheError: did not receive Kerberos credentials
> [...]
> ipapython.admintool: ERROR: did not receive Kerberos credentials
> ipapython.admintool: ERROR: The ipa-certupdate command failed.
> Not sure what Kerberos has to do with it.
Do a `sudo kinit` before you `sudo ipa-certupdate`. ipa-certupdate needs a Kerberos ticket to retrieve trusted certs from the directory.
Cheers, Fraser
ok got it. I did the kinit to do the update and was able to import the cert and update the certs collection.
It took several attempts and the above advice to get the right procedure, but to recap, the steps (near as I can tell) are:
1. Create a PKCS#12 certificate from the server certificate, private key and the chain containing the CA's cert. I used openssl's pkcs12 command for this.
2. Import the CA's cert with "ipa-cacert-manage".
3. Use ipa-server-certinstall to install the certificate bundle thing from step 1. This depends on step 2, because the CA must be trusted.
4. Use "kinit" to get a Kerberos ticket. The argument to this is "admin" in our case, because that's our administrative
5. Use "ipa-certupdate" to update the list of certificates and restart the services that need restarting.
Thanks for the help!
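The recap above carried through end to end, as an added example (not code from the thread, and not FreeIPA's own tooling). The throwaway CA built by make_test_pki stands in for the poster's internal CA so that the bundle-building and checking steps run offline; the hostname, file paths, pin and the "admin" principal are assumptions. build_p12 performs the checks a practitioner wants before handing the bundle to ipa-server-certinstall: the chain verifies against the CA, the key matches the certificate, and the SAN covers the host. install_on_ipa orders the FreeIPA commands by the dependency Chuck's error message described (the CA must be trusted via ipa-cacert-manage and ipa-certupdate before the bundle is installed); the trailing ipactl restart, kdestroy and removal of the PKCS#12 file (which holds the private key) are assumed clean-up steps, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project. Builds and checks
# the PKCS#12 bundle for ipa-server-certinstall, then lists the FreeIPA steps.
# All names (hosts, paths, pin, principal) are assumptions for illustration.
set -u

# Throwaway CA + server cert (constructed test data standing in for the
# internal CA). In real use ca.crt, server.crt and server.key already exist.
make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Internal CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 30 >/dev/null 2>&1 || return 1
    # Server key and CSR (-config only supplies the DN section; -subj overrides it).
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    # Sign with the extensions a TLS server certificate needs.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# Check cert/key/chain consistency, then export server.p12 with the CA chain.
# Fails (non-zero) if the chain does not verify, the key does not match, or
# the SAN does not cover the host: each of these makes certinstall reject it.
build_p12() {
    dir=$1; host=$2; pin=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "chain does not verify against CA" >&2; return 1; }
    [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = "$(openssl pkey -in "$dir/server.key" -pubout)" ] \
        || { echo "private key does not match certificate" >&2; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" \
        || { echo "subjectAltName does not cover $host" >&2; return 1; }
    # The bundle contains the private key: create it with owner-only permissions.
    ( umask 077; openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -certfile "$dir/ca.crt" -name "Server-Cert" -passout "pass:$pin" -out "$dir/server.p12" )
}

# Number of certificates in the bundle; 2 here (server + issuing CA).
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# The FreeIPA side. Not exercised by the checks above: it needs a FreeIPA
# server, root, and an admin principal (assumed to be "admin").
install_on_ipa() {
    p12=$1; pin=$2; cacert=$3; principal=${4:-admin}
    # 1. Make the internal CA trusted ...
    ipa-cacert-manage install "$cacert" || return 1
    # 2. ... and push that trust into the local cert stores. ipa-certupdate
    #    needs a Kerberos ticket to read trusted certs from the directory.
    kinit "$principal" || return 1
    ipa-certupdate || return 1
    # 3. Install the bundle for Directory Server (-d) and Apache (-w).
    ipa-server-certinstall -d -w --pin="$pin" "$p12" || return 1
    # 4. Assumed clean-up: restart so services load the new cert, drop the
    #    admin ticket, and remove the bundle since it carries the private key.
    ipactl restart
    kdestroy
    shred -u "$p12" 2>/dev/null || rm -f "$p12"
}
```

Typical use is `make_test_pki /tmp/pki ipa.example.test` (or point the same functions at your real CA and server files), `build_p12 /tmp/pki ipa.example.test 'somepin'`, confirm `count_p12_certs /tmp/pki/server.p12 somepin` prints 2, and only then run install_on_ipa as root on the FreeIPA server.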
On Wed, Oct 07, 2020 at 03:58:19AM -0000, Chuck Musser via FreeIPA-users wrote:
> ok got it. I did the kinit to do the update and was able to import the cert and update the certs collection.
> It took several attempts and the above advice to get the right procedure, but to recap, the steps (near as I can tell) are:
> - Create a PKCS#12 certificate from the server certificate, private key and the chain containing the CA's cert. I used openssl's pkcs12 command for this.
> - Import the CA's cert with "ipa-cacert-manage"
> - Use ipa-server-certinstall to install the certificate bundle thing from step 1. This depends on step 2, because the CA must be trusted.
> - Use "kinit" to get a Kerberos ticket. The argument to this is "admin" in our case, because that's our administrative
> - Use "ipa-certupdate" to update the list of certificates and restart the services that need restarting.
> Thanks for the help!
You are welcome, Chuck.
Hey Rob and Flo, a quick thought: ipa-certupdate needs root always, so host keytab is available. Indeed, in ipa_certupdate.run_with_args() it (re-)kinit's with host keytab. Only API initialisation fails when running from CLI without latent, non-expired credentials (in ipa_certupdate.CertUpdate.run()).
Can we bootstrap the API using the host keytab instead, and avoid this error?
Cheers, Fraser
Fraser Tweedale wrote:
> On Wed, Oct 07, 2020 at 03:58:19AM -0000, Chuck Musser via FreeIPA-users wrote:
> > ok got it. I did the kinit to do the update and was able to import the cert and update the certs collection.
> > It took several attempts and the above advice to get the right procedure, but to recap, the steps (near as I can tell) are:
> > - Create a PKCS#12 certificate from the server certificate, private key and the chain containing the CA's cert. I used openssl's pkcs12 command for this.
> > - Import the CA's cert with "ipa-cacert-manage"
> > - Use ipa-server-certinstall to install the certificate bundle thing from step 1. This depends on step 2, because the CA must be trusted.
> > - Use "kinit" to get a Kerberos ticket. The argument to this is "admin" in our case, because that's our administrative
> > - Use "ipa-certupdate" to update the list of certificates and restart the services that need restarting.
> > Thanks for the help!
> You are welcome, Chuck.
> Hey Rob and Flo, a quick thought: ipa-certupdate needs root always, so host keytab is available. Indeed, in ipa_certupdate.run_with_args() it (re-)kinit's with host keytab. Only API initialisation fails when running from CLI without latent, non-expired credentials (in ipa_certupdate.CertUpdate.run()).
> Can we bootstrap the API using the host keytab instead, and avoid this error?
I filed an issue upstream, https://pagure.io/freeipa/issue/8531
rob
freeipa-users@lists.fedorahosted.org