Hi all,

I'm trying to set up a FreeIPA at home and sign it with an external CA. The setup was fairly simple:

CA Chain:

depth=2 description=The mind of man can imagine nothing which has not really existed. - Edgar Allan Poe, CN = Finis Chaldea PKI Root G2, O = Finis Chaldea

depth=1 description=The mind of man can imagine nothing which has not really existed. - Edgar Allan Poe, CN = Unseen University PKI Root, O = Unseen University Archchancelor's Office

depth=0 CN = Unseen University PKI Octinity ,O =Unseen University, OU =Unseen University Archchancellor's Office

CA 2 and CA 1 were generated on another HSM, if that matters. Both have OCSP and CRL URIs.

CA 0 is the IPA's own CA.

I have overridden some of the PKI configurations as follows:

```ini
# CA OVERRIDES
# /etc/ipa/override.ini
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC

[CA]
pki_ca_signing_key_size=nistp384
```

/etc/hosts:

```
192.168.88.99 ipa.lug.sh ipa
```

And the hostname had already been set to `ipa.lug.sh`.

The installation was done with the following commands:

```bash
$ export IPA_DOMAIN=lug.sh
# Variable names cannot contain a hyphen; the install commands below expand ${IPA_COMMON_NAME}.
$ export IPA_COMMON_NAME="CN=Unseen University PKI Octinity,O=Unseen University,OU=Unseen University Archchancellor's Office"
```

```bash
# Step ONE
ipa-server-install -U \
        -n $( awk 'BEGIN {print tolower(ENVIRON["IPA_DOMAIN"])}' ) \
        -r $( awk 'BEGIN {print toupper(ENVIRON["IPA_DOMAIN"])}' ) \
        -a `pass ipa/admin` \
        -p `pass ipa/dm` \
        --ca-subject="${IPA_COMMON_NAME}" \
        --setup-dns \
        --no-forwarders --auto-reverse --allow-zone-overlap \
        --pki-config-override=/etc/ipa/override.ini \
        --external-ca
```

```bash
# Step TWO
ipa-server-install -U \
        -n $( awk 'BEGIN {print tolower(ENVIRON["IPA_DOMAIN"])}' ) \
        -r $( awk 'BEGIN {print toupper(ENVIRON["IPA_DOMAIN"])}' ) \
        -a `pass ipa/admin` \
        -p `pass ipa/dm` \
        --ca-subject="${IPA_COMMON_NAME}" \
        --setup-dns \
        --no-forwarders --auto-reverse --allow-zone-overlap \
        --pki-config-override=/etc/ipa/override.ini \
        --external-cert-file=/root/ipa.pem
```

The installer choked at:

```
  [29/30]: adding 'ipa' CA entry
The ipa-server-install command failed, exception: InvalidSyntax: ipaCaIssuerDN: value #0 invalid per syntax: Invalid syntax.
```

Log file says:

(See attached for the complete log. Please don't mind my previous attempts, as they are also included.)

```
ldap.NO_SUCH_OBJECT: {'desc': 'No such object', 'matched': 'cn=cas,cn=ca,dc=lug,dc=sh'}
ipalib.errors.NotFound: no such entry
ldap.INVALID_SYNTAX: {'desc': 'Invalid syntax', 'info': 'ipaCaIssuerDN: value #0 invalid per syntax\n'}
```

I also tried once without O= in the IPA CA DN, but it ended up the same.

Best Regards,

- lug
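An added check, not part of the post above: the installer rejected `ipaCaIssuerDN` on LDAP DN syntax, so one thing worth verifying is whether any RDN value in the CA chain contains characters that RFC 4514 requires to be escaped in a DN string. The sample names below are constructed from the subjects quoted in the post, and `escape_rdn_value`, `build_dn` and `needs_escaping` are helper names chosen here, not FreeIPA or 389-ds APIs.

```python
# Added check (not from the post): escape X.500 name values the way RFC 4514
# requires for an LDAP DN string, and report which values needed it.
from typing import List, Tuple

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514 s2.4).
SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Return the RFC 4514 string form of one attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:           # leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):   # leading/trailing space is lost unless escaped
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Serialise [(type, value), ...], leaf RDN first, as an RFC 4514 DN string."""
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in rdns)


def needs_escaping(rdns: List[Tuple[str, str]]) -> List[str]:
    """Attribute types whose raw value is not valid unescaped in a DN string."""
    return [t for t, v in rdns if escape_rdn_value(v) != v]


# Constructed sample modelled on the intermediate CA name quoted in the post,
# written in RFC 4514 (leaf-first) order.
INTERMEDIATE_SUBJECT = [
    ("O", "Unseen University Archchancelor's Office"),
    ("CN", "Unseen University PKI Root"),
    ("description", "The mind of man can imagine nothing which has not really "
                    "existed. - Edgar Allan Poe"),
]

# Constructed counter-example: a comma inside O= must be escaped.
COMMA_SUBJECT = [("CN", "Example CA"), ("O", "Example, Inc.")]

if __name__ == "__main__":
    for name in (INTERMEDIATE_SUBJECT, COMMA_SUBJECT):
        print(build_dn(name), "->", needs_escaping(name) or "no escaping needed")
```

If the check reports nothing for every name in the chain, the DN values themselves are clean and the syntax error has to be looked for in how the installer serialises the issuer name rather than in the certificate contents.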