Hi All!
I'm trying to create a setup, ipa1(master) and ipa2(replica). I just added a self-signed certificate on master using the instructions from URL: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
Distro: CentOS Version: 7.4.1708 (Core)
# rpm -qa | grep ipa
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
ipa-common-4.5.0-21.el7.centos.1.2.noarch
python-ipaddress-1.0.16-2.el7.noarch
python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
sssd-ipa-1.15.2-50.el7_4.2.x86_64
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
ipa-client-4.5.0-21.el7.centos.1.2.x86_64
ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
libipa_hbac-1.15.2-50.el7_4.2.x86_64
python-iniparse-0.4-9.el7.noarch
python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
# rpm -qa | grep ipa
libipa_hbac-1.15.2-50.el7_4.2.x86_64
python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
ipa-client-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
python-iniparse-0.4-9.el7.noarch
python-ipaddress-1.0.16-2.el7.noarch
python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
ipa-common-4.5.0-21.el7.centos.1.2.noarch
sssd-ipa-1.15.2-50.el7_4.2.x86_64
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
I just installed ipa-server on ipa1 without DNS (I already have an external DNS). As the FreeIPA version is 4.5.x and the domain level is 1, I can't use the prepare anymore, so I installed the client on ipa2 (replica) and used ipa-replica-install --setup-ca.
2017-09-18T12:50:29Z DEBUG stderr=
2017-09-18T12:50:29Z DEBUG Starting external process
2017-09-18T12:50:29Z DEBUG args=/usr/bin/certutil -d /tmp/tmpYPFuns -A -n <DOMAIN-EDITED> IPA CA -t CT,C,C -f /tmp/tmpYPFuns/pwdfile.txt
2017-09-18T12:50:29Z DEBUG Process finished, return code=0
2017-09-18T12:50:29Z DEBUG stdout=
2017-09-18T12:50:29Z DEBUG stderr=
2017-09-18T12:50:29Z DEBUG Starting external process
2017-09-18T12:50:29Z DEBUG args=/usr/bin/certutil -d /tmp/tmpYPFuns -A -n <NICKNAME> -t C,, -f /tmp/tmpYPFuns/pwdfile.txt
2017-09-18T12:50:29Z DEBUG Process finished, return code=0
2017-09-18T12:50:29Z DEBUG stdout=
2017-09-18T12:50:29Z DEBUG stderr=
2017-09-18T12:50:29Z DEBUG Starting external process
2017-09-18T12:50:29Z DEBUG args=/usr/bin/PKCS12Export -d /tmp/tmpYPFuns -p /tmp/tmpYPFuns/pwdfile.txt -w /tmp/tmpYPFuns/crtpwfile -o /tmp/tmp6aSoiJipa/cacert.p12
2017-09-18T12:50:29Z DEBUG Process finished, return code=1
2017-09-18T12:50:29Z DEBUG stdout=
2017-09-18T12:50:29Z DEBUG stderr=SCHWERWIEGEND: Unable to export PKCS #12 file: java.io.IOException: IssuerAlternativeNameExtension: netscape.security.x509.GeneralNamesException: No data available in passed DER encoded value.
2017-09-18T12:50:29Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1461, in install
    ca.install(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 205, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 246, in install_step_0
    replica_config.dirman_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 208, in get_ca_keys
    self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 196, in __get_keys
    '-o', cacerts_file])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
2017-09-18T12:50:29Z DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/bin/PKCS12Export -d /tmp/tmpYPFuns -p /tmp/tmpYPFuns/pwdfile.txt -w /tmp/tmpYPFuns/crtpwfile -o /tmp/tmp6aSoiJipa/cacert.p12' returned non-zero exit status 1
2017-09-18T12:50:29Z ERROR Command '/usr/bin/PKCS12Export -d /tmp/tmpYPFuns -p /tmp/tmpYPFuns/pwdfile.txt -w /tmp/tmpYPFuns/crtpwfile -o /tmp/tmp6aSoiJipa/cacert.p12' returned non-zero exit status 1
2017-09-18T12:50:29Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
When I check the files in /tmp, there is nothing there.
TIA.
Gab
Hi Gabriel,
Thanks for the detailed report. Did you deploy FreeIPA with the --external-ca option? Would you be able to provide a copy of the CA certificate for inspection? (Feel free to email me directly if you prefer not to attach it to the ticket).
No, I installed the certificates after the installation.
# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
# ipa-server-certinstall -w -d mysite.key mysite.crt
# systemctl restart httpd.service
# systemctl restart dirsrv@MY-REALM.service
Yes, I would do that; where can I send it?
@gabrielstein my email address is ftweedal@redhat.com.
@gabrielstein the problem is that your CA certificate has an empty Issuer Alternative Name extension. The Issuer Alt Name value is defined by RFC 5280 as:
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
But yours is an empty sequence, therefore the certificate is malformed. The FreeIPA master handles this OK, but the /usr/bin/PKCS12Export program, which is used during replica installation, does not.
You should re-issue the CA certificate either without this extension, or with at least one issuer alt name. Use the same key, subject key identifier and Subject DN so that it will be regarded as the same CA and you will not need to re-issue any other certificates. Then you can import it using ipa-cacert-manage install and execute ipa-certupdate.
After that, hopefully the replica installation will work!
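A way to check a CA certificate for exactly this defect, as an added example that is not FreeIPA, Dogtag or the reporter's code: a small pure-Python DER walker that locates the IssuerAltName extension (OID 2.5.29.18) and reports whether its GeneralNames SEQUENCE is empty. The sample extension bytes are constructed; extensions_from_cert takes the DER of a real certificate (for instance the output of openssl x509 -in ca.crt -outform DER).

```python
"""Check an X.509 certificate's Issuer Alternative Name for the defect discussed
above (RFC 5280: GeneralNames ::= SEQUENCE SIZE (1..MAX), so an empty SEQUENCE
is malformed). Added illustration on raw DER, not FreeIPA or Dogtag code."""

ISSUER_ALT_NAME_OID = bytes.fromhex("551d12")      # 2.5.29.18 as DER content octets

def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def extensions_from_cert(cert_der):
    """Return the Extensions SEQUENCE of a DER certificate, or None if absent."""
    _, tbs, _ = read_tlv(read_tlv(cert_der)[1])      # Certificate -> TBSCertificate
    pos = 0
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        if tag == 0xA3:                             # [3] EXPLICIT Extensions
            return value
    return None

def check_issuer_alt_name(extensions_der):
    """Classify IssuerAltName: "absent", "ok" (one or more GeneralNames) or
    "empty" (the malformed zero-length SEQUENCE that PKCS12Export rejects)."""
    tag, exts, _ = read_tlv(extensions_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)           # one Extension SEQUENCE
        oid_tag, oid, p = read_tlv(ext)
        if oid_tag != 0x06 or oid != ISSUER_ALT_NAME_OID:
            continue
        val_tag, val, p = read_tlv(ext, p)
        if val_tag == 0x01:                         # optional critical BOOLEAN
            val_tag, val, p = read_tlv(ext, p)
        gn_tag, general_names, _ = read_tlv(val)    # extnValue wraps GeneralNames
        if gn_tag != 0x30:
            raise ValueError("IssuerAltName value is not a SEQUENCE")
        return "ok" if general_names else "empty"
    return "absent"
# Constructed samples: a malformed empty IssuerAltName, and a valid one with a single dNSName ([2]).
EMPTY_IAN = bytes.fromhex("300b 3009 0603551d12 0402 3000")
GOOD_IAN = bytes.fromhex("3017 3015 0603551d12 040e 300c 820a") + b"ca.example"
```

Running check_issuer_alt_name(extensions_from_cert(der)) on the CA certificate before ipa-cacert-manage install would have surfaced the malformed extension before the replica installer ever reached PKCS12Export.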
Hi!
Thanks a lot!
I'm going on vacation now and I will test it at the beginning of October. I will use this time to think about whether it is better to change the CA or even create a new one with SHA256/SHA512 and do it right from the beginning.
All the best to down under!
Gabriel
@gabrielstein you can re-issue the CA cert with a new signature digest algorithm and it is still "the same CA". Only if you change the Subject DN, Subject Public Key Info or Subject Key Identifier will things get complicated.
Enjoy your vacation and try not to spend too much time thinking about work :)
@ftweedal Hello!
Well, I'm back. It's hard not to think about problems being a sysadmin. :)
I looked at my CA and after an analysis, I decided to make a new one, because there are other problems behind it, like the maintenance (create/renew/revoke).
I will leave the old servers using the old CA and migrate it along the way.
My solution:
I installed a Datadog instance to create the external certificates for FreeIPA, and I would use FreeIPA as a CA too (yes, I know, FreeIPA includes Datadog).
The installation of both FreeIPA servers worked perfectly, replication too.
I have some questions:
Should I use FreeIPA as a CA too? Or should I use only the main Datadog server to do that?
Can I use Datadog/Freeipa to manage E-Mail(MIME) Certificates too?
All the best!
@gabrielstein hi.
Should you use the FreeIPA CA or Dogtag? It is better to think about it this way: what does Dogtag offer that FreeIPA does not? Right now, the answer mostly boils down to: HSM, token processing, and more control over issuance workflow (e.g. request queues, agent roles, ability to issue certs to arbitrary subjects rather than only known principals in the FreeIPA DB, etc).
If you only want to issue certs to services/hosts/users recorded in FreeIPA, and you do not need HSM, then the FreeIPA CA will meet your needs.
Yes, you can issue S/MIME certificates with FreeIPA - you just need to create a custom profile to set the appropriate Extended Key Usage values, etc.
Based on our earlier discussion are you happy for me to close out this issue? You can direct any further questions to the freeipa-users@lists.fedorahosted.org mailing list.
Hi @ftweedal
Yes, you can close the issue. I will subscribe to the mailing list and ask there.
Metadata Update from @ftweedal:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)