[Freeipa-users] Re: Installing Third-Party Certificates-Help

[Polavarapu Manideep Sai via FreeIPA-users]

Hi Florence

As per your suggestion I have followed "Installing a CA Certificate Manually"  
guide

We are getting below error uoon executing

[root@central ~]# ipa-cacert-manage  install /tmp/Apache/1f1f7ab616938168.pem  
-v



ipa: DEBUG: importing plugin module ipaserver.plugins.whoami
ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection 
context.ldap2_49475728
Installing CA certificate, please wait
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-IPA-ONMOBILE-COM.socket 
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4cdb170>
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -N -f 
/tmp/tmpW6jE9j/pwdfile.txt -f /tmp/tmpW6jE9j/pwdfile.txt
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -A -n CN=*.ipa.example.com 
-t C,, -f /tmp/tmpW6jE9j/pwdfile.txt
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -A -n IPA.EXAMPLE.COM IPA 
CA -t CT,C,C -f /tmp/tmpW6jE9j/pwdfile.txt
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection 
context.ldap2_49475728
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG:   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 
119, in run
    rc = self.install()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 
365, in install
    "troubleshooting guide)" % e)

ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The 
ipa-cacert-manage command failed, exception: ScriptError: Not a valid CA 
certificate: not a CA certificate (visit 
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Not a valid CA 
certificate: not a CA certificate (visit 
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The 
ipa-cacert-manage command failed.
[root@central~]#


Please guide us to proceed further


Regards
Sai
From: Florence Blanc-Renaud <f...@redhat.com>
Sent: 31 October 2022 19:12
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Polavarapu Manideep Sai <manideep....@onmobile.com>
Subject: Re: [Freeipa-users] Installing Third-Party Certificates-Help



CAUTION. This email originated from outside the organization. Please exercise 
caution before clicking on links or attachments in case of suspicion or unknown 
senders.


Hi,

On Sat, Oct 29, 2022 at 3:53 PM Polavarapu Manideep Sai via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>>
 wrote:
Hi Team,

We need your help or support

I have a master IPA server and 2 Replica IPA Servers, i want to install third 
party certificates in my setup

a. master.ipa.example.com<http://master.ipa.example.com>
b. replica1.ipa.example.com<http://replica1.ipa.example.com>
c. replica2.ipa.example.com<http://replica2.ipa.example.com>


1. Generated new CSR/wildcard certificate on master IPA server for the domain 
"*.ipa.example.com<http://ipa.example.com>" and shared to third party vendor 
and they have shared two zip files one for apache and other for tomcat as shown 
below, i see crt and pem files in zip files as shown below after unzip

a. _.ipa.onmobile.com_Apache.zip
b. _.ipa.onmobile.com_TOMCAT.zip

unzipped:

[root@dir01 tmp]# tree Apache/
Apache/
├── 1f1f7ab616938168.crt
├── 1f1f7ab616938168.pem
├── gd_bundle-g2-g1.crt
└── _.ipa.onmobile.com_Apache.zip

0 directories, 4 files


[root@dir01 tmp]# tree Tomcat/
Tomcat/
├── 1f1f7ab616938168.crt
├── 1f1f7ab616938168.pem
├── gd_bundle-g2-g1.crt
├── gdig2.crt.pem
└── _.ipa.onmobile.com_TOMCAT.zip

0 directories, 5 files


2. Followed the Redhat documentation but not understood which of the following 
one is applicable in my case for the received certificates

Installing Third-Party Certificates for HTTP or LDAP

Installing a CA Certificate Manually

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/third-party-certs-http-ldap


Can you please let us know the step by step procedure that how to install the 
certificates

The certificate that you received has been signed by the vendor's CA 
(Certificate Authority). This CA needs to be trusted by IPA, this is achieved 
by following the steps from "Installing a CA Certificate Manually".
Note that the vendor may provide you with a CA chain, in which case the 
top-level CA and all the intermediate CAs need to be trusted by IPA.

When the CA chain is trusted, you can then install the new certificate for 
apache, following "Installing Third-Party Certificates for HTTP or LDAP".

can you please also comment on below query

3. If i install the certificate will it get replaced in 
"/etc/pki/pki-tomcat/alias/" database as well? along with httpd and dirsrv 
databases ?
/etc/pki/pki-tomcat/alias/
/etc/httpd/alias/
/etc/dirsrv/slapd-IPA-EXAMPLE-COM

It depends on which certificate you want to replace:
- If ipa-server-install is run with --http, the provided certificate will 
replace the Server-Cert in /etc/httpd/alias. This is the server certificate for 
Apache/httpd.
- If ipa-server-install is run with --dirsrv, the provided certificate will 
replace the Server-Cert in /etc/dirsrv/slapd-IPA-EXAMPLE-COM. This is the 
server certificate for the LDAP server.

The command does not replace the certificate in /etc/pki/pki-tomcat/alias/. 
This NSS database contains the certificates related to PKI (the Certificate 
Server for IPA).

The instructions from "Installing a CA Certificate Manually" add the CA chain 
in the 3 NSS databases you mentioned (they do not replace IPA CA but rather add 
new CA).

Hope this clarifies,
flo


Please let us know if any more details required


Sai

________________________________

DISCLAIMER: The information in this message is confidential and may be legally 
privileged. It is intended solely for the addressee. Access to this message by 
anyone else is unauthorized. If you are not the intended recipient, any 
disclosure, copying, or distribution of the message, or any action or omission 
taken by you in reliance on it, is prohibited and may be unlawful. Please 
immediately contact the sender if you have received this message in error. 
Further, this e-mail may contain viruses and all reasonable precaution to 
minimize the risk arising there from is taken by OnMobile. OnMobile is not 
liable for any damage sustained by you as a result of any virus in this e-mail. 
All applicable virus checks should be carried out by you before opening this 
e-mail or any attachment thereto.
Thank you - OnMobile Global Limited.
_______________________________________________
FreeIPA-users mailing list -- 
freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to 
freeipa-users-le...@lists.fedorahosted.org<mailto:freeipa-users-le...@lists.fedorahosted.org>
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

________________________________

DISCLAIMER: The information in this message is confidential and may be legally 
privileged. It is intended solely for the addressee. Access to this message by 
anyone else is unauthorized. If you are not the intended recipient, any 
disclosure, copying, or distribution of the message, or any action or omission 
taken by you in reliance on it, is prohibited and may be unlawful. Please 
immediately contact the sender if you have received this message in error. 
Further, this e-mail may contain viruses and all reasonable precaution to 
minimize the risk arising there from is taken by OnMobile. OnMobile is not 
liable for any damage sustained by you as a result of any virus in this e-mail. 
All applicable virus checks should be carried out by you before opening this 
e-mail or any attachment thereto.
Thank you - OnMobile Global Limited.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue