On 08/30/2017 08:26 PM, Rob Morin wrote:
I ran this command firstly:
The G2 root CA from the Geotrust website...
[root@auth-1 certs]# ipa-cacert-manage -p 7t7FR.08 -n httpcrt -t C,, install root_ca.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
Then, I ran....
[root@auth-1 certs]# ipa-certupdate
trying https://auth-1.domain.com/ipa/session/json
Forwarding 'ca_is_enabled' to json server 'https://auth-1.domain.com/ipa/session/json'
Forwarding 'ca_find/1' to json server 'https://auth-1.domain.com/ipa/session/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Then I ran this command with the intermediate cert...
[root@auth-1 certs]# ipa-cacert-manage -p 7t7FR.08 -n httpcrt_bundle -t C,, install star_domain_com_bundle.crt
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.
  (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
The intermediate cert only has one cert in it....
So I have 4 files:
Intermediate cert: star_domain_bundle.crt
Real cert: star_domain.crt
Key: star_domain.key
I did try various combinations:
cat star_domain_bundle.crt star_domain.crt > star_domain_combined.crt
cat star_domain.crt star_domain_bundle.crt > star_domain_combined.crt
cat root_ca.crt star_domain.crt star_domain_bundle.crt > star_domain_combined.crt
cat star_domain.crt star_domain_bundle.crt root_ca.crt star > star_domain_combined.crt
and so on...
Then I tried adding each one of those with the same command mentioned above, no go.
What do i do now? Thanks!
Hi
(putting the mailing list back in the recipients list) Can you run ipa-cacert-manage install with the -v option and post the output? We will be able to see which certificates are already trusted and can be downloaded from LDAP.
Also, which IPA version are you using? Is your machine in SELinux enforcing mode?
Flo
On Mon, Aug 28, 2017 at 10:30 AM, Florence Blanc-Renaud <flo@redhat.com> wrote:

On 08/28/2017 04:00 PM, Rob Morin via FreeIPA-users wrote:
Hello all...
So I have a wildcard cert from geotrust. I am running freeipa V4.4 fresh install, no users yet.
I downloaded and installed their GeoTrust Primary Certification Authority root cert from here --> https://www.geotrust.com/resources/root-certificates/
I ran this command to import it...
ipa-cacert-manage -p password -n httpcrt -t C,, install root_ca.crt
I get back this:
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
Then I go to install just the http cert for freeipa as dictated by company policy.
Then I run this...
ipa-certupdate
Then I go to add the cert like this...
ipa-server-certinstall -w star_domain_com.key star_domain_com.crt
Directory Manager password:
Enter private key unlock password:
I get this back....
The full certificate chain is not present in star_domain_com.key, star_domain_com.crt
The ipa-server-certinstall command failed.
So I combined the bundle and cert into one file, still a no go. I tried both ways, cert first then bundle, and bundle first then cert, still a no go.
Any ideas?
Thanks..
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

Hi,
is your http cert directly signed by the CA root_ca.crt, or does the cert chain contain additional certificates? In the latter case, you need to add each intermediate certificate with ipa-cacert-manage + ipa-certupdate before running ipa-server-certinstall.
HTH,
Flo
--
Rob Morin Montreal, Canada
The Lounge Sound - Music to drink by - Vegas Style!
"You're not drunk until you can't lie on the floor without holding on" Dean Martin
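The NSS error in the thread (SEC_ERROR_UNKNOWN_ISSUER while installing the intermediate) means the trust store did not contain the certificate that issued it, so it is worth checking offline, before re-running ipa-cacert-manage, whether the intermediate really is issued by the root that was installed and in which order a multi-cert bundle has to go in. The helper below is an added example, not part of FreeIPA and not code from anyone in this thread; it assumes only a POSIX shell, awk and the openssl CLI, and the file names in its usage comments (root_ca.crt, star_domain_bundle.crt, star_domain.crt) are simply the ones the thread uses.

```shell
#!/bin/sh
# chaincheck.sh: check a PEM bundle before feeding it to ipa-cacert-manage.
# Added example, not part of FreeIPA or of the thread's own commands. It needs
# only a POSIX shell, awk and the openssl CLI. The file names in the usage
# comments (root_ca.crt, star_domain_bundle.crt, star_domain.crt) are the ones
# from the thread; any PEM files will do.

# split_pem BUNDLE PREFIX: write each certificate of BUNDLE to PREFIX-01.pem,
# PREFIX-02.pem, ... and print how many certificates were found.
split_pem() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s-%02d.pem", prefix, n) }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# show_names FILE...: print subject and issuer of each certificate; every
# issuer must already be in the trust store before that certificate is
# accepted, so this is what decides the order of the install runs.
show_names() {
    for f in "$@"; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer
    done
}

# verify_chain ROOT CERT [INTERMEDIATE...]: succeed only if CERT chains up to
# ROOT through the given intermediates. openssl reports a missing link as
# "unable to get local issuer certificate", the counterpart of the
# SEC_ERROR_UNKNOWN_ISSUER that NSS printed in the thread.
verify_chain() {
    root=$1; cert=$2; shift 2
    if [ $# -eq 0 ]; then
        openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1
        return
    fi
    untrusted=$(mktemp)
    cat "$@" > "$untrusted"
    openssl verify -CAfile "$root" -untrusted "$untrusted" "$cert" >/dev/null 2>&1
    rc=$?
    rm -f "$untrusted"
    return $rc
}

# chain_order ROOT BUNDLE: print the subjects of BUNDLE's certificates in the
# order they must be installed (the one issued by ROOT first, then the one
# issued by that one, ...). Fails if some certificate's issuer is neither ROOT
# nor another certificate in the bundle.
chain_order() {
    root=$1; bundle=$2
    dir=$(mktemp -d)
    if [ "$(split_pem "$bundle" "$dir/cert")" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$dir"
        return 1
    fi
    cur=$(openssl x509 -in "$root" -noout -subject | sed 's/^subject=//')
    remaining=$(ls "$dir"/cert-*.pem)
    while [ -n "$remaining" ]; do
        next=
        for f in $remaining; do
            iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
            if [ "$iss" = "$cur" ]; then next=$f; break; fi
        done
        if [ -z "$next" ]; then
            echo "no certificate in $bundle is issued by: $cur" >&2
            rm -rf "$dir"
            return 1
        fi
        openssl x509 -in "$next" -noout -subject
        cur=$(openssl x509 -in "$next" -noout -subject | sed 's/^subject=//')
        remaining=$(printf '%s\n' $remaining | grep -v -x -F "$next" || true)
    done
    rm -rf "$dir"
}

# Typical use with the thread's files:
#   show_names root_ca.crt star_domain_bundle.crt star_domain.crt
#   verify_chain root_ca.crt star_domain_bundle.crt                  # intermediate issued by this root?
#   verify_chain root_ca.crt star_domain.crt star_domain_bundle.crt  # leaf chains through it?
#   chain_order root_ca.crt star_domain_bundle.crt                   # install order for a bundle
```

If `verify_chain root_ca.crt star_domain_bundle.crt` fails, the intermediate was not issued by the root that ipa-cacert-manage already holds, and `show_names` prints the issuer it actually expects; that is the certificate to install (and follow with ipa-certupdate) before retrying the intermediate.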