Hi All,
We are using our own (self-signed) root CA for our installations. We just started to use ipa and after exploring the possibilities we want to switch to the root CA we normally use. According to [1] it should be done using these instructions [2]. When we try to renew the certificate we get this error:
[root@ipa ~]# ipa-cacert-manage renew --external-cert-file=/root/Certificate_Authority.pem --external-cert-file=root.cert
Importing the renewed CA certificate, please wait
CA certificate chain in /root/Certificate_Authority.pem, root.cert is incomplete: missing certificate with subject 'CN=Example SCRL'
The ipa-cacert-manage command failed.
When we check the subject of the file, it seems to be correct to me:
[root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
subject= /CN=Example SCRL
Is there anyone who can help me with this?
Kind regards,
wim vinckier.
[1] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users wrote:
Dear Wim,
Did you first run `ipa-cacert-manage renew --external-ca` to generate the CSR for submission to the new CA? Then you invoke `ipa-cacert-manage renew` a second time, supplying the new IPA CA certificate and superior CA certificate(s) via the `--external-cert-file` option.
If you did these steps, then please convey your certificates so we can inspect them and determine what the problem is.
Cheers, Fraser
Hi Fraser,
We did use the command twice. Once to generate the CSR and a second time to supply the new certificates.
I'll check with our security agent if I may supply the certificates. I'm afraid I may not supply them because of the firm security policies.
Kind regards,
wim vinckier.
On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale ftweedal@redhat.com wrote:
Hi,
You can find the files at https://drive.google.com/drive/folders/1KsMv4NZ07LU0tSFyy-FgA88uYalthCXz?usp...
Kind regards,
Wim Vinckier.
On Mon, 3 Sep 2018 at 07:42, Wim Vinckier wimpunk@gmail.com wrote:
Can you check the format of the certificate? I have similar issues and in my case the certificate (and the chain) have the subject in printable format. FreeIPA issues the CSR with UTF and thus there is a mismatch. You can check the certificate like this:
openssl x509 -in ca-certificate.pem -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash
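Added example, not part of the original thread and not FreeIPA's code: a Python sketch of the mismatch described in the reply above, where two names both display as CN=Example SCRL but one is encoded as PrintableString and the other as UTF8String. The DER names are constructed sample data, and the byte-for-byte comparison is an assumption about how a chain check may match an issuer to a subject.

```python
# Added illustration: constructed sample names, not the poster's certificates.
PRINTABLE, UTF8 = 0x13, 0x0C             # ASN.1 universal string tags
TYPE_NAMES = {PRINTABLE: "PRINTABLESTRING", UTF8: "UTF8STRING"}
CN_OID = bytes([0x55, 0x04, 0x03])       # 2.5.4.3 commonName

def tlv(tag, body):
    """Encode one DER TLV (short-form length, enough for small names)."""
    if len(body) > 127:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([tag, len(body)]) + body

def encode_cn_name(cn, string_tag):
    """Build a DER Name with a single commonName RDN of the given string type."""
    atv = tlv(0x30, tlv(0x06, CN_OID) + tlv(string_tag, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))     # SEQUENCE OF SET OF AttributeTypeAndValue

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this sketch")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_name(der):
    """Decode a DER Name into [(oid_hex, string_type, text)], single-valued RDNs only."""
    tag, rdns, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)
        _, atv, _ = read_tlv(rdn_set, 0)
        _, oid, value_pos = read_tlv(atv, 0)
        stype, value, _ = read_tlv(atv, value_pos)
        out.append((oid.hex(), TYPE_NAMES.get(stype, hex(stype)), value.decode("utf-8")))
    return out

def compare_names(issuer_der, subject_der):
    """Say whether two names match as displayed text and byte for byte."""
    def text(der):
        return [(oid, val) for oid, _, val in parse_name(der)]
    return {"same_text": text(issuer_der) == text(subject_der), "same_der": issuer_der == subject_der}

root_subject = encode_cn_name("Example SCRL", PRINTABLE)   # hypothetical root CA subject
ipa_ca_issuer = encode_cn_name("Example SCRL", UTF8)       # hypothetical issuer field

if __name__ == "__main__":
    print(parse_name(root_subject), parse_name(ipa_ca_issuer))
    print(compare_names(ipa_ca_issuer, root_subject))
```

A plain `openssl x509 -subject` prints both names identically; the `show_type` name option in the command above is what exposes the string type.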
Hi,
We decided to follow this guide and just replace the certificate of the webserver and ldap: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP It did what we wanted to do, for now. Maybe we will switch the CA later on.
Kind regards,
Wim Vinckier.
On Wed, 5 Sep 2018 at 17:30, Wim Vinckier wimpunk@gmail.com wrote:
Hi Wim,
Sorry for delayed reply. I was on leave for a few weeks. Glad you reached a happy outcome.
It seems irrelevant now but FWIW I was not able to access the files on Google Drive.
Cheers, Fraser
On Wed, Sep 12, 2018 at 11:50:44AM +0200, Wim Vinckier via FreeIPA-users wrote: