)
you mentioned that
subsystemCert cert-pki-ca would map to pkidbuser.
So the process is that dog-tag uses cert-pki-ca to establish a connection
to 389 DS , and 389 DS would use pkidbuser to bind and do LDAP queries
and other thing. ?
Thanks for your help.
On Thu, Jun 18, 2020 at 4:26 PM luckydog xf <luckydogxf(a)gmail.com> wrote:
Got it, thanks!
I add CA certs of Sectigo one by one to /etc/pki/pki-tomcat/alias/, now it
works.
Another thing, please confirm my statement below correct or not
-------
I changed Server-Cert to Sectigo's signed one (NOT Self-signed), so when
dog-tag tries to connect to 389 DS, it would check 389 DS certificate
(Server-Cert), meanwhile it also needs a CA to verify server-Cert.
My problem is that when dog-tat check its NSSDB(
/etc/pki/pki-tomcat/alias/ ), there is no CA of Sectigo available to
verify. So it complains:
*Peer's certificate issuer has been marked as not trusted by the user.*
------
Does my understanding correct or not ?
Appreciate your help.
On Thu, Jun 18, 2020 at 3:37 PM Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
> On 6/18/20 6:06 AM, luckydog xf via FreeIPA-users wrote:
> > [root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias
> >
> > [root@wocfreeipa ~]#
> >
> > [root@wocfreeipa ~]# export LDAPTLS_CERT='subsystemCert cert-pki-ca'
> >
> > [root@wocfreeipa ~]# grep internal /etc/pki/pki-tomcat/password.conf
> > internal=3Tm~ofzwXXXXXXXXXXXX
> >
> > [root@wocfreeipa ~]# ldapsearch -H ldaps://`hostname`:636 -b "" -s
> base
> > -Y EXTERNAL
> > Please enter pin, password, or pass phrase for security token
'ldap(0)':
> >
> > SASL/EXTERNAL authentication started
> > SASL username: cn=CA Subsystem,o=SAP.WINGON.HK <
http://SAP.WINGON.HK>
> > SASL SSF: 0
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <> with scope baseObject
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> >
> > #
> > dn:
> > objectClass: top
> > namingContexts: cn=changelog
> > namingContexts: dc=sap,dc=wingon,dc=hk
> > namingContexts: o=ipaca
> > supportedExtension: 1.3.6.1.4.1.4203.1.11.3
> > 。。。。。。
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > It seems the connection established by Dogtag to 389 DS is correct.
> > But why dogtag complained "
> >
> > */Peer's certificate issuer has been marked as not trusted by the
> user./*
> > ?
> > Weird.
> Hi,
> Dogtag has its own NSSDB and each of the sectigo CA certs need to be
> present there, too:
> $ certutil -A -d /etc/pki/pki-tomcat/alias -n <nick> -t CT,C,C -a -i
> cert.pem
>
> HTH,
> flo
> >
> > On Thu, Jun 18, 2020 at 9:31 AM luckydog xf <luckydogxf(a)gmail.com
> > <mailto:luckydogxf@gmail.com>> wrote:
> >
> > The sad thing is that CA is expired on May 30, 2020. My IPA cannot
> > login in.
> >
> > So I used certutil to remove old CAs. Here are steps I used.
> > Unfortunately, I didn't try the step you mentioned.
> >
> > 1. certutil -d /etc/http/alias -D -n Server-Cert
> > certutil -d /etc/http/alias -D -n < Other CAs of Comodo>
> >
> > 2. Do the same thing against /etc/dirsrv/slapd-xxx
> >
> > 3. Add new certs and CAs by:
> >
> > cat server.key server.crt > server.all
> >
> > openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all
> > -out Server-Cert.p12 -name "Server-Cert"
> >
> > pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert
> >
> > 4. iptacl restart -f -d shows pki-tomcatd cannot start.
> > ---------
> > Internal Database Error encountered:_Could not connect to LDAP
> > server host wocfreeipa.sap.wingon.hk
> > <
http://wocfreeipa.sap.wingon.hk> port 636 _Error
> > netscape.ldap.LDAPException: Unable to create socket:
> > org.mozilla.jss.ssl.SSLSocketException:
> > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
> > (-8172) */Peer's certificate issuer has been marked as not trusted
> > by the user./* (-1)
> >
> > So what's wrong ?
> >
> >
> > -------------
> >
> >
> >
> > On Wed, Jun 17, 2020 at 10:34 PM Florence Blanc-Renaud
> > <flo(a)redhat.com <mailto:flo@redhat.com>> wrote:
> >
> > On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote:
> > > Hi, As state in
> >
>
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-...
> > >
> > > I cannot login in FreeIPA web page.
> > >
> > > So I update CA by :
> > >
> > > # delete everything except IPA CA of httpd and dirsrv
> > >
> > > certutil -d /etc/http/alias -D -n 'xxx'
> > >
> > > # ca-bundle.crt is 3 files named USERTrust, .etc.
> > >
> > > # server.all is an combination of my certificate signed by
> > Sectigo( fomerly named Comodo).
> > >
> > > openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in
> > server.all -out Server-Cert.p12 -name "Server-Cert"
> > >
> > > # add to httpd and dirsrv.
> > >
> > > pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n
> Server-Cert
> > >
> > > I restart all services by ipactl restart. But it seems
> > pki-tomcat fails to startup.
> > >
> > > #### log of ipactcl start ####
> > >
> > > Starting pki-tomcatd Service
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target
> > > ipa: DEBUG: Process finished, return code=0
> > > ipa: DEBUG: request POST
> >
http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus
> > > ipa: DEBUG: request body ''
> > > ipa: DEBUG: response status 500
> > > ipa: DEBUG: response headers Server: Apache-Coyote/1.1
> > > Content-Type: text/html;charset=utf-8
> > > Content-Language: en
> > > Content-Length: 2208
> > > Date: Wed, 17 Jun 2020 09:13:19 GMT
> > > Connection: close
> > >
> > > ipa: DEBUG: response body
'<html><head><title>Apache
> > Tomcat/7.0.76 - Error report</title><style><!--H1
> > {font-family:Tahoma,Arial,sans-s
> > > ......
> > >
> > > ipa: DEBUG: Failed to check CA status: Retrieving CA status
> > failed with status 500
> > > ipa: DEBUG: Waiting until the CA is running
> > >
> > > #### END of log #####
> > >
> > >
> > > Here is log of pki-tomcat
> > >
> > > ###
> > > Internal Database Error encountered: Could not connect to
> > LDAP server host wocfreeipa.sap.wingon.hk
> > <
http://wocfreeipa.sap.wingon.hk> port 636 Error
> > netscape.ldap.LDAPException: Unable to create socket:
> > org.mozilla.jss.ssl.SSLSocketException:
> > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake
> > failed: (-8172) Peer's certificate issuer has been marked as not
> > trusted by the user. (-1)
> > >
> > > ###
> > >
> > > The point is ' Peer's certificate issuer has been marked
as
> > not trusted by the user.' As far as I know pki-tomcat needs a
> > certificate to bind to 389 DS and store information.
> > >
> > > But I didn't touch CA named 'IPA CA', so basically
> > pki-tomcatd could use its own certificate named 'substemCert
> > cert-pki-ca' to bind to 389 DS.
> > >
> > > Please help.
> > Hi,
> >
> > the new CA certs from Sectigo need to be installed with
> > ipa-cacert-manage install (the command uploads the certs in the
> > LDAP
> > database). For more information, please refer to "Installing a
> CA
> > Certificate Manually" [1].
> > As the chain contains multiple certs, you need to start from the
> > root
> > cert then go down the chain. When all the certs have been added,
> > don't
> > forget to run ipa-certupdate on all the IPA hosts (the command
> > downloads
> > the certs from LDAP and puts them in all the NSSDBs that need
> them).
> >
> > HTH,
> > flo
> >
> > [1]
> >
>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> >
> > >
> > > Thanks a lot.
> > >
> > >
> > > _______________________________________________
> > > FreeIPA-users mailing list --
> > freeipa-users(a)lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > To unsubscribe send an email to
> > freeipa-users-leave(a)lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > Fedora Code of Conduct:
> >
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
> >
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> >
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > >
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >
>
>