Use "Self-signed CA certificate → externally-signed CA certificate" method for both types (a and b) of CA cert. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
Run ipa-certupdate
It fails in step "[3/5]: Importing RA Key" with:
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 97, in fetch_key
    params={'type': 'kem', 'value': request})
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)

2017-01-26T16:49:04Z DEBUG The ipa-replica-install command failed, exception: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
2017-01-26T16:49:04Z ERROR [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
Workflow where first IPA server is installed with --external-ca right away works for CA cert issued by DogTag CA. We need to retest and fix issuing with AD CA - bug 1322963 or upstream #5799
Metadata Update from @pvoborni: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.5
master:
* 16dac02 added ssl verification using IPA trust anchor
ipa-4-4:
* f784e33 added ssl verification using IPA trust anchor
Metadata Update from @pvoborni: - Custom field affects_doc reset - Custom field tester adjusted to wanted - Issue close_status updated to: None
Metadata Update from @pvoborni: - Custom field affects_doc reset
Metadata Update from @jcholast: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)