rob
On 08.05.2020 at 23:42, Rob Crittenden <rcritten@redhat.com> wrote:
Leusmann, Philipp wrote:
ghj,
On 08.05.2020 at 22:21, Rob Crittenden <rcritten@redhat.com> wrote:
Leusmann, Philipp via FreeIPA-users wrote:
Rob,
What command? The command should be a script or simple command. No pipes
or redirects.
I issue ipa-getcert request -I artifactory2 -f server.crt -k
fullchain.key -C 'cat server.crt /etc/ipa/ca.crt > fullchain.crt'
I also tried calling a bash-script instead of the -C argument.
Doesn’t help
I created /usr/local/catcerts.sh with:
#!/bin/bash
#
# concatenate a server cert and the chain into a single file
cert=$1
chain=$2
target=$3
cat "$cert" "$chain" > "$target"
Then got a cert:
# getcert request -f /etc/pki/tls/certs/test.pem [other options] -C
"/usr/local/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt
/etc/pki/tls/certs/whole.pem"
And /etc/pki/tls/certs/whole.pem contains server cert + IPA chain.
Thanks for testing, here the same thing doesn’t work.
I am using certmonger-0.78.4-12.el7.x86_64 on CentOS 7
post-save command is shown in the list of monitored certificates.
Invoking manually works properly.
Any further idea on how to debug this?
As I said before, stop certmonger, find the IPA CA, add -v to the helper.
You'll get something like:
May 08 17:41:03 ipa.example.test certmonger[31599]: 2020-05-08 17:41:03
[31599] Adding hook "/usr/local/bin/catcerts.sh
/etc/pki/tls/certs/test.pem /etc/ipa/ca.crt
/etc/pki/tls/certs/whole.pem" (0).
I tested this on RHEL 7.7 and it worked for me.
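
A more defensive variant of the concatenation script discussed above, as an added example that is not from the thread or from certmonger. The function name `catcerts`, the PEM marker check and the 0644 mode are assumptions; it reports failures on stderr and replaces the target atomically so a service never reads a half-written bundle.

```shell
#!/bin/bash
# Added example: hardened variant of the catcerts.sh idea from the thread.
# As a post-save command (paths are the ones used in the thread):
#   catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem

# Concatenate CERT and CHAIN into TARGET; non-zero exit plus a message on failure.
catcerts() {
    if [ "$#" -ne 3 ]; then
        echo "usage: catcerts CERT CHAIN TARGET" >&2
        return 2
    fi
    cert=$1 chain=$2 target=$3

    # Refuse to build a bundle from missing, empty or non-PEM inputs.
    for f in "$cert" "$chain"; do
        if [ ! -s "$f" ]; then
            echo "catcerts: $f is missing or empty" >&2
            return 1
        fi
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "catcerts: $f has no PEM certificate" >&2
            return 1
        fi
    done

    # Write to a temp file next to TARGET, then rename over it.
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    # Assumption: the bundle holds only public certificates, so 0644 is fine.
    if cat "$cert" "$chain" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$target"; then
        return 0
    fi
    rm -f "$tmp"
    echo "catcerts: could not write $target" >&2
    return 1
}

# Run only when arguments are given (i.e. when invoked as the post-save command).
if [ "$#" -gt 0 ]; then
    catcerts "$@"
fi
```
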