Hi all,
I'm trying to set up FreeIPA at home and sign it with an external CA. The setup was fairly simple:
CA Chain:
depth=2 description=The mind of man can imagine nothing which has not really existed. - Edgar Allan Poe, CN = Finis Chaldea PKI Root G2, O = Finis Chaldea
depth=1 description=The mind of man can imagine nothing which has not really existed. - Edgar Allan Poe, CN = Unseen University PKI Root, O = Unseen University Archchancelor's Office
depth=0 CN = Unseen University PKI Octinity ,O =Unseen University, OU =Unseen University Archchancellor's Office
CA 2 and CA 1 are on another system, generated on an HSM, if that matters. Both have OCSP and CRL URIs.
CA 0 is the IPA's own CA.
I have overridden some of the PKI configuration as follows:
```ini
# CA OVERRIDES
# /etc/ipa/override.ini
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
[CA]
pki_ca_signing_key_size=nistp384
```
/etc/hosts:
192.168.88.99 ipa.lug.sh ipa
And the hostname had already been set to `ipa.lug.sh`.
The installation was done with the following commands:
```bash
export IPA_DOMAIN=lug.sh
export IPA_COMMON_NAME="CN=Unseen University PKI Octinity,O=Unseen University,OU=Unseen University Archchancellor's Office"
```
```bash
# Step ONE
ipa-server-install -U \
-n $( awk 'BEGIN {print tolower(ENVIRON["IPA_DOMAIN"])}' ) \
-r $( awk 'BEGIN {print toupper(ENVIRON["IPA_DOMAIN"])}' ) \
-a `pass ipa/admin` \
-p `pass ipa/dm` \
--ca-subject="${IPA_COMMON_NAME}" \
--setup-dns \
--no-forwarders --auto-reverse --allow-zone-overlap \
--pki-config-override=/etc/ipa/override.ini \
--external-ca
```
```bash
# Step TWO
ipa-server-install -U \
-n $( awk 'BEGIN {print tolower(ENVIRON["IPA_DOMAIN"])}' ) \
-r $( awk 'BEGIN {print toupper(ENVIRON["IPA_DOMAIN"])}' ) \
-a `pass ipa/admin` \
-p `pass ipa/dm` \
--ca-subject="${IPA_COMMON_NAME}" \
--setup-dns \
--no-forwarders --auto-reverse --allow-zone-overlap \
--pki-config-override=/etc/ipa/override.ini \
--external-cert-file=/root/ipa.pem
```
The installer choked at:
```text
[29/30]: adding 'ipa' CA entry
...
The ipa-server-install command failed, exception: InvalidSyntax: ipaCaIssuerDN: value #0 invalid per syntax: Invalid syntax.
...
```
The log file says:
(See the attached complete log. Please don't mind my previous attempts, as they are also included.)
```text
...
ldap.NO_SUCH_OBJECT: {'desc': 'No such object', 'matched': 'cn=cas,cn=ca,dc=lug,dc=sh'}
...
ipalib.errors.NotFound: no such entry
...
ldap.INVALID_SYNTAX: {'desc': 'Invalid syntax', 'info': 'ipaCaIssuerDN: value #0 invalid per syntax\n'}
```
I also tried once without O= in the IPA CA DN, but it ends up the same.
Best Regards,
- lug
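A check worth running on the signed certificate before the second `ipa-server-install` pass, added here as an example and not part of the original post or of FreeIPA's own code: a small pure-Python RFC 4514 DN validator in the spirit of the DN-syntax validation a directory applies to an attribute like ipaCaIssuerDN. Feed it the issuer and subject strings as printed by `openssl x509 -noout -issuer -subject -nameopt RFC2253 -in /root/ipa.pem`. It flags RDNs without `=` (which is what an unescaped `,` or `+` inside a value produces), unescaped special characters, leading or trailing spaces that are not escaped (note that the depth=0 line in the post shows a space before the comma after "Octinity"; if that space is really part of the value it must be written `Octinity\ `), and attribute descriptors outside an assumed list. The KNOWN_TYPES set is an assumption for the example, not 389-ds's real schema, and the sample DNs below are constructed.

```python
import re

# Attribute descriptors assumed known to the directory for this example;
# check the real 389-ds schema before relying on this list. Anything else
# should be written as a dotted OID (e.g. 2.5.4.13 for description).
KNOWN_TYPES = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID", "SN",
               "DESCRIPTION", "GIVENNAME", "TITLE", "INITIALS", "SERIALNUMBER",
               "EMAILADDRESS"}

# RFC 4514: the type is a descriptor or a numeric OID, with no spaces around '='.
TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
# Characters that must be escaped anywhere inside a value (backslash included).
SPECIAL = set(',+"\\;<>')
# The escape forms RFC 4514 allows: backslash + special/space/#/= or two hex digits.
ESCAPE_RE = re.compile(r'\\(?:[ #,+"\\;<>=]|[0-9A-Fa-f]{2})')


def split_unescaped(s, sep):
    """Split s at every sep that is not part of a backslash escape."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def tokenize(value):
    """Split a value into valid escape sequences and single characters."""
    tokens, i = [], 0
    while i < len(value):
        m = ESCAPE_RE.match(value, i)
        if m:
            tokens.append(m.group(0))
            i = m.end()
        else:
            tokens.append(value[i])
            i += 1
    return tokens


def check_value(attr, value):
    """Problems with one attribute value given in RFC 4514 string form."""
    tokens = tokenize(value)
    if not tokens:
        return [f"{attr}: empty value"]
    if value.startswith("#"):
        # '#' introduces a hex-encoded BER value; accept it only if it is all hex.
        if not re.fullmatch(r"#(?:[0-9A-Fa-f]{2})+", value):
            return [f"{attr}: value starts with '#' but is not a hex string"]
        return []
    problems = []
    bare = sorted({t for t in tokens if len(t) == 1 and t in SPECIAL})
    if bare:
        problems.append(f"{attr}: unescaped special character(s) {bare}")
    if tokens[0] == " ":
        problems.append(f"{attr}: value starts with an unescaped space")
    if tokens[-1] == " ":
        problems.append(f"{attr}: value ends with an unescaped space")
    return problems


def check_dn(dn):
    """Return a list of RFC 4514 syntax problems; [] means the DN is well formed."""
    problems = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava:
                problems.append(
                    f"RDN {ava!r} has no '=' (unescaped ',' or '+' inside a value?)")
                continue
            attr, value = ava.split("=", 1)
            if not TYPE_RE.match(attr):
                problems.append(f"{attr!r} is not a valid attribute descriptor or OID")
            elif attr[0].isalpha() and attr.upper() not in KNOWN_TYPES:
                problems.append(f"{attr}: descriptor not in the assumed schema; use its OID")
            problems.extend(check_value(attr, value))
    return problems


def escape_value(value):
    """Escape a raw attribute value per RFC 4514 section 2.4 so check_dn accepts it."""
    last = len(value) - 1
    out = []
    for i, c in enumerate(value):
        if c in SPECIAL or (i == 0 and c in " #") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def build_dn(avas):
    """Build an RFC 4514 string from (attribute, raw value) pairs, most specific first."""
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in avas)


if __name__ == "__main__":
    # Constructed sample DNs, in the form `openssl -nameopt RFC2253` prints.
    samples = [
        "CN=Unseen University PKI Root,O=Unseen University Archchancelor's Office",
        "CN=Unseen University PKI Octinity ,O=Unseen University",
        "2.5.4.13=Quote with a, comma,CN=Some CA",
    ]
    for dn in samples:
        print(dn, "->", check_dn(dn) or "OK")
    print(build_dn([("CN", "Unseen University PKI Octinity "), ("O", "Unseen University")]))
```

If check_dn reports a problem for the issuer or subject of the certificate you are about to pass with --external-cert-file, regenerate the CSR (or the intermediate's subject) with the value escaped as build_dn shows, rather than editing the DN string by hand.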