10:26 a.m.
Hi All,
We are using our own (selfsigned) root CA for our installations. We just
started to use ipa and after exploring the possibilities we want to switch
to the root CA we normally use. According to [1] it should be done using
these instruction [2]. When we tray to renew the certificate we get this
error:
[root@ipa ~]# ipa-cacert-manage renew
--external-cert-file=/root/Certificate_Authority.pem
--external-cert-file=root.cer
t
Importing the renewed CA certificate, please wait
CA certificate chain in /root/Certificate_Authority.pem, root.cert is
incomplete: missing certificate with subject 'CN=Example SCRL'
The ipa-cacert-manage command failed.
When we check the subject of the file, it seems to be correct to me:
[root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
subject= /CN=Example SCRL
Is there anyone who can help me with this?
Kind regards,
wim vinckier.
[1]
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
--
I would love to change the world, but they wont give me the source code.
8:17 p.m.
On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users wrote:
Hi All,
We are using our own (selfsigned) root CA for our installations. We just
started to use ipa and after exploring the possibilities we want to switch
to the root CA we normally use. According to [1] it should be done using
these instruction [2]. When we tray to renew the certificate we get this
error:
[root@ipa ~]# ipa-cacert-manage renew
--external-cert-file=/root/Certificate_Authority.pem
--external-cert-file=root.cer
t
Importing the renewed CA certificate, please wait
CA certificate chain in /root/Certificate_Authority.pem, root.cert is
incomplete: missing certificate with subject 'CN=Example SCRL'
The ipa-cacert-manage command failed.
When we check the subject of the file, it seems to be correct to me:
[root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
subject= /CN=Example SCRL
Is there anyone who can help me with this?
Kind regards,
wim vinckier.
Dear Wim,
Did you first run `ipa-cacert-manage renew --external-ca` to
generate the CSR for submission to the new CA. Then you invoke
`ipa-cacert-manage renew` a second time, supplying the new IPA CA
certificate and superior CA certificate(s) via the
`--external-cert-file` option.
If you did these steps, then please convey your certificates so we
can inspect them and determine what the problem is.
Cheers,
Fraser
12:42 a.m.
Hi Fraser,
We did use the command twice. Once to generate the CSR and a second time to
to supply the new certificates.
I'll check with our security agent if I may supply the certificates. I'm
afraid I may not supply them because of the firm security policies.
Kind regards,
wim vinckier.
On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via
FreeIPA-users
wrote:
> Hi All,
>
> We are using our own (selfsigned) root CA for our installations. We just
> started to use ipa and after exploring the possibilities we want to
switch
> to the root CA we normally use. According to [1] it should be done
using
> these instruction [2]. When we tray to renew the certificate we get this
> error:
>
> [root@ipa ~]# ipa-cacert-manage renew
> --external-cert-file=/root/Certificate_Authority.pem
> --external-cert-file=root.cer
> t
> Importing the renewed CA certificate, please wait
> CA certificate chain in /root/Certificate_Authority.pem, root.cert is
> incomplete: missing certificate with subject 'CN=Example SCRL'
> The ipa-cacert-manage command failed.
>
> When we check the subject of the file, it seems to be correct to me:
>
> [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
> subject= /CN=Example SCRL
>
> Is there anyone who can help me with this?
>
> Kind regards,
>
> wim vinckier.
>
Dear Wim,
Did you first run `ipa-cacert-manage renew --external-ca` to
generate the CSR for submission to the new CA. Then you invoke
`ipa-cacert-manage renew` a second time, supplying the new IPA CA
certificate and superior CA certificate(s) via the
`--external-cert-file` option.
If you did these steps, then please convey your certificates so we
can inspect them and determine what the problem is.
Cheers,
Fraser
--
I would love to change the world, but they wont give me the source code.
10:30 a.m.
Hi,
You can find the files at
https://drive.google.com/drive/folders/1KsMv4NZ07LU0tSFyy-FgA88uYalthCXz?...
Kind regards,
Wim Vinckier.
On Mon, 3 Sep 2018 at 07:42, Wim Vinckier <wimpunk(a)gmail.com> wrote:
Hi Fraser,
We did use the command twice. Once to generate the CSR and a second time
to to supply the new certificates.
I'll check with our security agent if I may supply the certificates. I'm
afraid I may not supply them because of the firm security policies.
Kind regards,
wim vinckier.
On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
> On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users
> wrote:
> > Hi All,
> >
> > We are using our own (selfsigned) root CA for our installations. We
> just
> > started to use ipa and after exploring the possibilities we want to
> switch
> > to the root CA we normally use. According to [1] it should be done
> using
> > these instruction [2]. When we tray to renew the certificate we get
> this
> > error:
> >
> > [root@ipa ~]# ipa-cacert-manage renew
> > --external-cert-file=/root/Certificate_Authority.pem
> > --external-cert-file=root.cer
> > t
> > Importing the renewed CA certificate, please wait
> > CA certificate chain in /root/Certificate_Authority.pem, root.cert is
> > incomplete: missing certificate with subject 'CN=Example SCRL'
> > The ipa-cacert-manage command failed.
> >
> > When we check the subject of the file, it seems to be correct to me:
> >
> > [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
> > subject= /CN=Example SCRL
> >
> > Is there anyone who can help me with this?
> >
> > Kind regards,
> >
> > wim vinckier.
> >
> Dear Wim,
>
> Did you first run `ipa-cacert-manage renew --external-ca` to
> generate the CSR for submission to the new CA. Then you invoke
> `ipa-cacert-manage renew` a second time, supplying the new IPA CA
> certificate and superior CA certificate(s) via the
> `--external-cert-file` option.
>
> If you did these steps, then please convey your certificates so we
> can inspect them and determine what the problem is.
>
> Cheers,
> Fraser
>
--
I would love to change the world, but they wont give me the source code.
--
I would love to change the world, but they wont give me the source code.
5:13 a.m.
Can you check the format of the certificate?
I have similar issues and in my case the certificate (and the chain) have the subject in
printable format. FreeIPA issues the CSR with UTF and thus there is a mismatch.
You can check the certificate like this:
openssl x509 -in ca-certificate.pem -subject -issuer -nameopt multiline,show_type -noout
-subject_hash -issuer_hash
4:50 a.m.
Hi,
We decided to follow this guide and just replace the certificate of the
webserver and ldap:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP It
did what wanted to do, for now. Maybe we will switch the CA later on.
Kind regards,
Wim Vinckier.
On Wed, 5 Sep 2018 at 17:30, Wim Vinckier <wimpunk(a)gmail.com> wrote:
Hi,
You can find the files at
https://drive.google.com/drive/folders/1KsMv4NZ07LU0tSFyy-FgA88uYalthCXz?...
Kind regards,
Wim Vinckier.
On Mon, 3 Sep 2018 at 07:42, Wim Vinckier <wimpunk(a)gmail.com> wrote:
> Hi Fraser,
>
> We did use the command twice. Once to generate the CSR and a second time
> to to supply the new certificates.
>
> I'll check with our security agent if I may supply the certificates. I'm
> afraid I may not supply them because of the firm security policies.
>
> Kind regards,
>
> wim vinckier.
>
> On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
>
>> On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users
>> wrote:
>> > Hi All,
>> >
>> > We are using our own (selfsigned) root CA for our installations. We
>> just
>> > started to use ipa and after exploring the possibilities we want to
>> switch
>> > to the root CA we normally use. According to [1] it should be done
>> using
>> > these instruction [2]. When we tray to renew the certificate we get
>> this
>> > error:
>> >
>> > [root@ipa ~]# ipa-cacert-manage renew
>> > --external-cert-file=/root/Certificate_Authority.pem
>> > --external-cert-file=root.cer
>> > t
>> > Importing the renewed CA certificate, please wait
>> > CA certificate chain in /root/Certificate_Authority.pem, root.cert is
>> > incomplete: missing certificate with subject 'CN=Example SCRL'
>> > The ipa-cacert-manage command failed.
>> >
>> > When we check the subject of the file, it seems to be correct to me:
>> >
>> > [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
>> > subject= /CN=Example SCRL
>> >
>> > Is there anyone who can help me with this?
>> >
>> > Kind regards,
>> >
>> > wim vinckier.
>> >
>> Dear Wim,
>>
>> Did you first run `ipa-cacert-manage renew --external-ca` to
>> generate the CSR for submission to the new CA. Then you invoke
>> `ipa-cacert-manage renew` a second time, supplying the new IPA CA
>> certificate and superior CA certificate(s) via the
>> `--external-cert-file` option.
>>
>> If you did these steps, then please convey your certificates so we
>> can inspect them and determine what the problem is.
>>
>> Cheers,
>> Fraser
>>
>
>
> --
> I would love to change the world, but they wont give me the source code.
>
--
I would love to change the world, but they wont give me the source code.
--
I would love to change the world, but they wont give me the source code.
11:06 p.m.
Hi Wim,
Sorry for delayed reply. I was on leave for a few weeks.
Glad you reached a happy outcome.
It seems irrelevant now but FWIW I was not able to access the files
on Google Drive.
Cheers,
Fraser
On Wed, Sep 12, 2018 at 11:50:44AM +0200, Wim Vinckier via FreeIPA-users wrote:
Hi,
We decided to follow this guide and just replace the certificate of the
webserver and ldap:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP It
did what wanted to do, for now. Maybe we will switch the CA later on.
Kind regards,
Wim Vinckier.
On Wed, 5 Sep 2018 at 17:30, Wim Vinckier <wimpunk(a)gmail.com> wrote:
> Hi,
>
> You can find the files at
>
https://drive.google.com/drive/folders/1KsMv4NZ07LU0tSFyy-FgA88uYalthCXz?...
>
> Kind regards,
>
> Wim Vinckier.
>
> On Mon, 3 Sep 2018 at 07:42, Wim Vinckier <wimpunk(a)gmail.com> wrote:
>
>> Hi Fraser,
>>
>> We did use the command twice. Once to generate the CSR and a second time
>> to to supply the new certificates.
>>
>> I'll check with our security agent if I may supply the certificates.
I'm
>> afraid I may not supply them because of the firm security policies.
>>
>> Kind regards,
>>
>> wim vinckier.
>>
>> On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
>>
>>> On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users
>>> wrote:
>>> > Hi All,
>>> >
>>> > We are using our own (selfsigned) root CA for our installations. We
>>> just
>>> > started to use ipa and after exploring the possibilities we want to
>>> switch
>>> > to the root CA we normally use. According to [1] it should be done
>>> using
>>> > these instruction [2]. When we tray to renew the certificate we get
>>> this
>>> > error:
>>> >
>>> > [root@ipa ~]# ipa-cacert-manage renew
>>> > --external-cert-file=/root/Certificate_Authority.pem
>>> > --external-cert-file=root.cer
>>> > t
>>> > Importing the renewed CA certificate, please wait
>>> > CA certificate chain in /root/Certificate_Authority.pem, root.cert is
>>> > incomplete: missing certificate with subject 'CN=Example SCRL'
>>> > The ipa-cacert-manage command failed.
>>> >
>>> > When we check the subject of the file, it seems to be correct to me:
>>> >
>>> > [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
>>> > subject= /CN=Example SCRL
>>> >
>>> > Is there anyone who can help me with this?
>>> >
>>> > Kind regards,
>>> >
>>> > wim vinckier.
>>> >
>>> Dear Wim,
>>>
>>> Did you first run `ipa-cacert-manage renew --external-ca` to
>>> generate the CSR for submission to the new CA. Then you invoke
>>> `ipa-cacert-manage renew` a second time, supplying the new IPA CA
>>> certificate and superior CA certificate(s) via the
>>> `--external-cert-file` option.
>>>
>>> If you did these steps, then please convey your certificates so we
>>> can inspect them and determine what the problem is.
>>>
>>> Cheers,
>>> Fraser
>>>
>>
>>
>> --
>> I would love to change the world, but they wont give me the source code.
>>
>
>
> --
> I would love to change the world, but they wont give me the source code.
>
--
I would love to change the world, but they wont give me the source code.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
2037
days inactive
2062
days old
freeipa-users@lists.fedorahosted.org
6 comments
3 participants
participants (3)
-
Fraser Tweedale -
Peter Tselios -
Wim Vinckier