On 08/30/2017 08:26 PM, Rob Morin wrote:
I ran this command firstly:
The G2 root CA from Geotrust website..........
[root@auth-1 certs]# ipa-cacert-manage -p 7t7FR.08 -n httpcrt -t C,, install root_ca.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
Then, I ran....
[root@auth-1 certs]# ipa-certupdate
trying https://auth-1.domain.com/ipa/session/json
Forwarding 'ca_is_enabled' to json server 'https://auth-1.domain.com/ipa/session/json'
Forwarding 'ca_find/1' to json server 'https://auth-1.domain.com/ipa/session/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Then I ran this command with intermediate cert..........
[root@auth-1 certs]# ipa-cacert-manage -p 7t7FR.08 -n httpcrt_bundle -t C,, install star_domain_com_bundle.crt
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
The intermediate cert only has one cert in it....
So I have 4 files;
Intermediate cert: star_domain_bundle.crt
Real cert : star_domain.crt
Key : star_domain.key
I did try various combinations
cat star_domain_bundle.crt star_domain.crt >star_domain_combined.crt
cat star_domain.crt star_domain_bundle.crt > star_domain_combined.crt
cat root_ca.crt star_domain.crt star_domain_bundle.crt > star_domain_combined.crt
cat star_domain.crt star_domain_bundle.crt root_ca.crt star > star_domain_combined.crt
and so on...
Then I tried adding each one of those with the same command mentioned
above, no go
What do I do now?
Thanks!
Hi
(putting the mailing back in the recipients list)
Can you run ipa-cacert-manage install with the -v option and post the
output? We will be able to see which certificates are already trusted
and can be downloaded from LDAP.
Also, which IPA version are you using? Is your machine in SELinux
enforcing mode?
Flo
On Mon, Aug 28, 2017 at 10:30 AM, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
On 08/28/2017 04:00 PM, Rob Morin via FreeIPA-users wrote:
Hello all...
So I have a wildcard cert from geotrust.
I am running freeipa V4.4 fresh install no users yet
I downloaded and installed their GeoTrust Primary Certification
Authority root cert from here -->
https://www.geotrust.com/resources/root-certificates/
I ran this command to import it...
ipa-cacert-manage -p password -n httpcrt -t C,, install root_ca.crt
I get back this ;
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
Then I go to install just the http cert for freeipa as dictated
by company policy
Then I run this...
ipa-certupdate
Then I go to add the cert like this...
ipa-server-certinstall -w star_domain_com.key star_domain_com.crt
Directory Manager password:
Enter private key unlock password:
I get this back....
The full certificate chain is not present in star_domain_com.key, star_domain_com.crt
The ipa-server-certinstall command failed.
So I combined the bundle and cert into one file, still a no go,
I tried both ways, cert first then bundle, and bundle first then
cert, still a no go.
Any ideas?
Thanks..
Hi,
Is your http cert directly signed by the CA root_ca.crt, or does the
cert chain contain additional certificates? In the latter case, you
need to add each intermediate certificate with ipa-cacert-manage +
ipa-certupdate before running ipa-server-certinstall.
HTH,
Flo
--
Rob Morin
Montreal, Canada
The Lounge Sound - Music to drink by - Vegas Style!
http://www.theloungesound.ca
"You're not drunk until you can't lie on the floor without holding on"
Dean Martin
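
Added example, not part of the thread and not FreeIPA code: the advice above is to install every CA in the chain with ipa-cacert-manage + ipa-certupdate, root first, before ipa-server-certinstall. This sketch reads the issuer and subject names out of DER certificates and returns that order, plus any file whose issuer is not among the files supplied (the condition SEC_ERROR_UNKNOWN_ISSUER reports). The functions `tlv`, `names`, `install_order`, `enc` and `sample_cert` are hypothetical helpers, and the certificates are constructed, unsigned skeletons.

```python
def tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as the raw DER Name bytes of one certificate."""
    _, p, _ = tlv(der, 0)                    # Certificate SEQUENCE
    _, p, _ = tlv(der, p)                    # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, p)                # [0] version, or serialNumber in a v1 cert
    if tag == 0xA0:
        _, _, end = tlv(der, end)            # serialNumber
    _, _, iss = tlv(der, end)                # signature algorithm; issuer starts at iss
    _, _, val = tlv(der, iss)                # issuer ends and validity starts at val
    _, _, sub = tlv(der, val)                # subject starts at sub
    _, _, stop = tlv(der, sub)
    return der[iss:val], der[sub:stop]

def install_order(files):
    """files: {label: DER bytes}. Returns (CA labels root-first, leaf labels,
    labels whose issuer is absent). Compares names only; signatures are not verified."""
    info = {k: names(d) for k, d in files.items()}
    owner = {sub: k for k, (_, sub) in info.items()}       # subject -> label
    def depth(k):
        for hops in range(len(info) + 1):                  # bounded: a name loop cannot hang
            iss, sub = info[k]
            if iss == sub: return hops                     # reached a self-signed root
            if iss not in owner: return None               # chain leaves the supplied set
            k = owner[iss]
    parents = {iss for iss, _ in info.values()}
    cas = [k for k in info if info[k][1] in parents and depth(k) is not None]
    leaves = [k for k in info if info[k][1] not in parents]
    missing = [k for k in info if info[k][0] not in owner]
    return sorted(cas, key=depth), leaves, missing

def enc(tag, body):                          # short-form DER only (body under 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_cert(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton for the demo; not a real certificate."""
    def name(cn):
        attr = enc(0x06, b"\x55\x04\x03") + enc(0x0C, cn.encode())   # OID 2.5.4.3 (CN)
        return enc(0x30, enc(0x31, enc(0x30, attr)))
    tbs = (enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"")
           + name(issuer_cn) + enc(0x30, b"") + name(subject_cn))
    return enc(0x30, enc(0x30, tbs))
```

For real files, `ssl.PEM_cert_to_DER_cert()` from the Python standard library converts one PEM certificate string to the DER bytes these functions expect.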