I installed it yesterday with --dirsrv-cert-file, --http-cert-file and --no-pkinit, then added certificate authority (ipa-ca-install) and enabled pkinit (ipa-pkinit-manage enable)


On Fri, Mar 13, 2020 at 5:47 PM Peter Tselios via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,
I have a small project to install a FreeIPA cluster on CentOS 7.7.

We have our own CA and they provided me already with a private key and a certificate file for the servers.
My problem is that I cannot make ipa-server to install

The command I use is:

==================================
    ipa-server-install --realm "EXAMPLE.COM" -p 'mypassword' -a 'mypassword' \
    --hostname="freeipam.example.com" -n example.com --ip-address="10.1.8.24" \
    --dirsrv-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
    --dirsrv-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
    --dirsrv-pin='' \
    --http-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
    --http-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
    --http-pin='' \
    --pkinit-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
    --pkinit-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
    --pkinit-pin='' \
    --ca-cert-file=/etc/pki/ca-trust/source/anchors/Subordinate-CA.pem \
    --ca-cert-file=/etc/pki/ca-trust/source/anchors/External-CA.pem \
    --mkhomedir -N --no-host-dns --unattended

==================================

The problem is that I get this error:

-----------
The KDC certificate in /etc/pki/tls/certs/freeipam.example.com.crt, /etc/pki/tls/private/freeipam.example.com.pem is not valid: invalid for a KDC
-----------

Then I read this: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html and it was clear that I cannot use my certificates for the KDC in FreeIPA.
So, now the question is a bit different.
When I tried the above command without the pkinit certs lines, I got this error:

-----------
ipa-server-install: error: --dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file or --no-pkinit are required if any key file options are used.
-----------

This is in contrast with tthis document:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server#install-server-external-ca

where it's clear that I **CAN** specify just the LDAP and HTTP certificates!!!!

How can I use my certificates for HTTP and LDAP but ask IPA to use it's self-signed certificates for KDC?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org