On 01/03/2014 04:13 PM, James Scollard wrote:
> Thanks for the reply,
>
> Version:
>
> Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and
> latest version...
>
> I'm not sure I understand the answer.
>
> I created the CSR and they signed it using their automation, and
> returned the new ones to me for installation, which failed.
> SUN.WEATHER.COM is a valid Kerberos domain name, but not a valid O=.
> The node itself is xxxxx.sun.weather.com, we have a wildcard
> certificate for sun.weather.com, and this domain controller needs the
> certificate for the domain for setup to complete.

I think what Rob was trying to say is that a wildcard certificate does not
make sense for IPA as a server. AFAIU you are trying to chain to an external
CA to become a sub CA. I would leave it to the European team to reply on
Monday morning in more detail. In 3.3 a new feature was added to allow
installing IPA using a cert provided by an external CA; maybe this is what
you are looking for instead of a sub CA? But again I would leave it till
Monday for the European team to provide more tech details on what is going
wrong here.

Thanks
Dmitri

> What am I doing wrong here?
>
> On 1/3/14 3:58 PM, Rob Crittenden wrote:
>> James Scollard wrote:
>>> When attempting to run the second part of the installation with an
>>> external CA (Globalsign) using my signed certificate and CA certificate
>>> chain I get the following;
>>>
>>> [root@ldapm6x00 ~]# ipa-server-install
>>> --external_cert_file=/root/ldapm6x00.sun.weather.com.crt
>>> --external_ca_file=/root/sun.weather.com.crt
>>>
>>> The log file for this installation can be found in
>>> /var/log/ipaserver-install.log
>>> Directory Manager password:
>>>
>>> Subject of the external certificate is not correct (got
>>> CN=*.sun.weather.com,O=The Weather Channel Interactive\, Inc,L=Atlanta,ST=Georgia,C=US,
>>> expected CN=Certificate Authority,O=SUN.WEATHER.COM).
>>>
>>> CN= and O= are correct, so why is IPA refusing to use the certificate?
>>> It appears to be expecting bogus data instead of using the provided
>>> identity. This doesn't appear to be an issue with the certificate,
>>> although I have never installed FreeIPA with a Globalsign certificate. I
>>> did not see this problem with Network Solutions wildcard certificates
>>> though. Any suggestions would be appreciated.
>>
>> This isn't related to the external CA, it just can't modify the
>> subject of the IPA CA, which it did in this case. I'm not even
>> entirely sure what it would mean to have the CA certificate itself be
>> a wildcard cert. Doesn't seem to be a valid use-case though.
>>
>> Looks like this validation was added in v3.
>>
>> rob
>>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
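The mismatch above is easy to catch before a CSR ever goes to the external CA. The following pre-flight check is an added example, not FreeIPA's own code: it parses a DN string (honouring the escaped comma in "Interactive\, Inc") and compares it with the CN=Certificate Authority,O=<REALM> form that the error message says ipa-server-install expects; the function names and the mismatch reasons are assumptions.

```python
import re
from typing import List, Tuple

# Split an RFC 4514-style DN on commas that are not backslash-escaped, so
# "O=The Weather Channel Interactive\, Inc" stays one RDN. Assumption: the only
# escape in play is "\,"; other escapes are passed through unchanged.
_UNESCAPED_COMMA = re.compile(r'(?<!\\),')

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the RDNs of a DN string, in written order, as (ATTR, value)."""
    rdns = []
    for part in _UNESCAPED_COMMA.split(dn):
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError('malformed RDN: %r' % part)
        rdns.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return rdns

def expected_ipa_ca_subject(realm: str) -> List[Tuple[str, str]]:
    """Subject the installer reported as expected: CN=Certificate Authority,O=<REALM>."""
    return [('CN', 'Certificate Authority'), ('O', realm.upper())]

def check_ca_subject(got_dn: str, realm: str) -> Tuple[bool, List[str]]:
    """Compare a certificate subject with the expected IPA CA subject.
    Returns (ok, reasons); reasons describe the mismatch (hypothetical wording)."""
    got = parse_dn(got_dn)
    want = expected_ipa_ca_subject(realm)
    if got == want:
        return True, []
    reasons = []
    attrs = dict(got)
    cn = attrs.get('CN', '')
    if cn.startswith('*.'):
        reasons.append('CN %r is a wildcard server name, not a CA name' % cn)
    elif cn != 'Certificate Authority':
        reasons.append('CN is %r, expected %r' % (cn, 'Certificate Authority'))
    if attrs.get('O') != realm.upper():
        reasons.append('O is %r, expected the realm %r' % (attrs.get('O'), realm.upper()))
    extra = [a for a, _ in got if a not in ('CN', 'O')]
    if extra:
        reasons.append('extra RDNs not in the expected subject: ' + ', '.join(extra))
    if not reasons:
        reasons.append('RDN order differs from %s' % want)
    return False, reasons

# The subject the installer rejected in the thread, and the realm it expected.
REJECTED_SUBJECT = ('CN=*.sun.weather.com,O=The Weather Channel Interactive\\, Inc,'
                    'L=Atlanta,ST=Georgia,C=US')
REALM = 'SUN.WEATHER.COM'

if __name__ == '__main__':
    ok, why = check_ca_subject(REJECTED_SUBJECT, REALM)
    print('accepted' if ok else 'rejected: ' + '; '.join(why))
```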
