Hi Jonny, responses inline.
On Fri, Mar 08, 2019 at 06:16:14PM -0000, Jonny McCullagh via FreeIPA-users wrote:
I can install freeipa with ipa-server-install and no parameters fine.
However I want to be able to use IPA as a sub-CA. I have created root and intermediate CAs
using openssl and attempt to install ipa server with:
/usr/sbin/ipa-server-install --external-cert-file=/root/thisserver.domain.dev.cert.pem \
--external-cert-file=/root/intermediate.cert.pem \
--external-cert-file=/root/root-ca.cert.pem \
--external-ca -n domain.dev -r DOMAIN.DEV \
--hostname="thisserver.domain.dev" \
--subject="O=Acme Inc, L=Springfield, ST=Ohio, C=US" \
--ds-password=topsecret --admin-password=opensesame
It stops at step 24 with the following message:
[20/28]: Configure HTTP to proxy connections
[21/28]: restarting certificate server
[22/28]: updating IPA configuration
[23/28]: enabling CA instance
[24/28]: migrating certificate profiles to LDAP
[error] NetworkError: cannot connect to
'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR cannot connect to
'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR The ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
If I visit the address on port 8443 I do get an error I believe due to an empty
certificate. My browser shows:
Certificate path length constraint is invalid. Error code:
SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID
So I have a few questions if anyone can guide me:
1. Can I resume the install to complete the last 4 installation steps?
The path length constraint in one of the superior CA certificates is
being exceeded. There is nothing we can do about that; you'll have
to choose a different external CA to sign it. You may need to work
with your CA admins to work out a solution. If you are able, please
share the certificate chain and we can help analyse exactly where
the problem lies.
We should add a sanity check for this to prevent installation from
starting, and give a nice error explaining what the problem is. I
filed a ticket:
https://pagure.io/freeipa/issue/7877
2. How can I get the install to use a self-signed cert for the
http/ldap service OR can I supply a signed cert for that purpose?
Self-signed, no. Third party-signed, yes! See
ipa-server-install(1), in particular the following options:
--http-cert-file
--http-cert-name
--http-pin
--dirsrv-cert-file
--dirsrv-cert-name
--dirsrv-pin
But note, the HTTP certificate is used for port 443 (Apache), NOT
for 8443 (Tomcat; Dogtag PKI's HTTP API). There is no way to supply
a 3rd party cert for Dogtag/port 8443.
In any case, the pathLenConstraint, even if you could work around it
to get installation to complete, operationally it is a major problem
(i.e. nothing issued by your IPA CA will be trusted). It needs to
be resolved.
Cheers,
Fraser
> Thanks in advance.
>
> IPA version: 4.6.4-10.el7.centos.2.x86_64
> OS: CentOS 7.6
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...