-----Original Message-----
From: Tomas Krizek [mailto:[email protected]]
Sent: Monday, March 27, 2017 12:20 PM
To: System Administration Team <[email protected]>; Fraser Tweedale
<[email protected]>
Cc: [email protected]
Subject: Re: [Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house
rootCA : ERROR IPA CA certificate not found in
On 03/27/2017 06:19 PM, System Administration Team wrote:
> [root@ipa certs]# openssl req -in /root/ipa.csr -noout -text
> Certificate Request:
> Data:
> Version: 0 (0x0)
> Subject: mail=<REMOVED>, C=US, ST=Mississippi, L=Starkville,
> O=Camgian Microsystems, OU=IT, CN=Certificate Authority
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> <REMOVED FOR BREVITY>
> Exponent: 65537 (0x10001)
> Attributes:
> Requested Extensions:
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Key Usage: critical
> Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
> Signature Algorithm: sha256WithRSAEncryption
> <REMOVED FOR BREVITY>
> [root@ipa certs]#
>
> Sign ipa.csr
>
> root@rootCA:~/ca# openssl ca -config openssl.cnf -policy policy_loose
> -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in
> /home/camgian/ipa.csr -out intermediate/certs/ipa.cert.pem
> Using configuration from openssl.cnf
> Enter pass phrase for /root/ca/private/ca.key.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
> Serial Number: 4099 (0x1003)
> Validity
> Not Before: Mar 27 15:49:18 2017 GMT
> Not After : Mar 25 15:49:18 2027 GMT
> Subject:
> countryName = US
> stateOrProvinceName = Mississippi
> localityName = Starkville
> organizationName = Camgian Microsystems
> organizationalUnitName = IT
> commonName = Certificate Authority
The signed certificate's Subject field seems to be missing the mail=<REMOVED>.
Perhaps the signing rules do not permit this field?
I removed this field so it would not be archived in this list since I now get
Porn Spam from Kim when I post to it.
> [root@ipa certs]# ipa-server-install --domain=camgian.com
> --hostname=ipa.camgian.com --realm=CAMGIAN.COM --subject
> 'OU=IT,O=Camgian
> Microsystems,L=Starkville,ST=Mississippi,C=US,mail=<REMOVED>'
> --external-cert-file=/etc/pki/tls/certs/ipa.cert.pem
> --external-cert-file=/etc/pki/tls/certs/ca.cert.pem
I believe you can't force IPA to use a different subject at the second step of
setting up external CA. I think it's only used to generate the CSR in the first
step.
I have tried both ways....
From the logfile below it looks like it is picking up the CN from my ROOT CA
rather than the CN from IPA-SERVER-Install it looks like...
[root@ipa certs]# ipa-server-install
--external-cert-file=/etc/pki/tls/certs/ipa.cert.pem
--external-cert-file=/etc/pki/tls/certs/ca.cert.pem
The log file for this installation can be found in
/var/log/ipaserver-install.log
Directory Manager password:
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate not
found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install
command failed. See /var/log/ipaserver-install.log for more information
[root@ipa certs]#
FROM Log File:
2017-03-27T19:34:45Z DEBUG stderr=
2017-03-27T19:34:45Z DEBUG Starting external process
2017-03-27T19:34:45Z DEBUG args=/usr/bin/certutil -d /tmp/tmpHEVPYc -M -n
E=<I_REMOVED_THIS>,CN=Camgian Microsystems Root CA,OU=IT,O=Camgian
Microsystems,L=Starkville,ST=Mississippi,C=US -t C,,
2017-03-27T19:34:45Z DEBUG Process finished, return code=0
2017-03-27T19:34:45Z DEBUG stdout=
2017-03-27T19:34:45Z DEBUG stderr=
2017-03-27T19:34:45Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318,
in run
cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 308,
in run
self.validate()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 317,
in validate
for nothing in self._validator():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372,
in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362,
in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 564,
in _configure
next(validator)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372,
in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449,
in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446,
in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362,
in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63,
in _install
for nothing in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 1355, in main
install_check(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 267, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 600, in install_check
ca.install_check(False, None, options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 73, in
install_check
options.external_cert_files, options.subject)
File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 1039, in load_external_cert
"IPA CA certificate not found in %s" % (", ".join(files)))
2017-03-27T19:34:45Z DEBUG The ipa-server-install command failed, exception:
ScriptError: IPA CA certificate not found in /etc/pki/tls/certs/ipa.cert.pem,
/etc/pki/tls/certs/ca.cert.pem
2017-03-27T19:34:45Z ERROR IPA CA certificate not found in
/etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
2017-03-27T19:34:45Z ERROR The ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
[root@ipa certs]#
> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate
> not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
> ipa.ipapython.install.cli.install_tool(Server): ERROR The
> ipa-server-install command failed. See /var/log/ipaserver-install.log for
> more information
The installation most likely fails because mail=<REMOVED> is expected to be a
part of the signed certificate's subject field.
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
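To make the subject mismatch Tomas points at visible before re-running the installer, here is an added example (not FreeIPA's code and not from anyone in the thread). It normalises subject strings the way the tools in the thread print them (openssl req/x509 use "mail=" and most-significant-first order with ", " separators; NSS certutil, as seen in the installer log, uses "E=" and the reversed RFC 4514 order with plain commas), then reports which attributes of the CSR subject are absent from the signed certificate and which supplied certificate, if any, carries the expected subject. The subject-equality rule is the one Tomas describes, not the installer's own implementation; the sample subjects are constructed from the thread, and the mail value is a placeholder.

```python
"""Compare X.509 subject DNs as printed by openssl and by NSS certutil.

Added example (not FreeIPA's code, not from the thread's authors). It
normalises the attribute-name aliases (mail / E / emailAddress), the
separator styles (", " vs ",") and the attribute order that different
tools print, then reports which attributes of the CSR subject are absent
from the signed certificate's subject. Sample subjects are constructed
from the thread; the mail value is a placeholder.
"""

# Canonical name for each short name a tool may print for the same type.
ALIASES = {
    "emailaddress": "emailAddress", "mail": "emailAddress", "e": "emailAddress",
    "cn": "CN", "commonname": "CN",
    "ou": "OU", "organizationalunitname": "OU",
    "o": "O", "organizationname": "O",
    "l": "L", "localityname": "L",
    "st": "ST", "stateorprovincename": "ST",
    "c": "C", "countryname": "C",
}

# Constructed from the thread (the removed mail value is a placeholder).
CSR_SUBJECT = ("mail=ca-admin@example.invalid, C=US, ST=Mississippi, L=Starkville, "
               "O=Camgian Microsystems, OU=IT, CN=Certificate Authority")
SIGNED_SUBJECT = ("C=US, ST=Mississippi, L=Starkville, O=Camgian Microsystems, "
                  "OU=IT, CN=Certificate Authority")
ROOT_SUBJECT = ("E=ca-admin@example.invalid,CN=Camgian Microsystems Root CA,OU=IT,"
                "O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US")


def split_rdns(subject):
    """Split a DN string on commas that are neither backslash-escaped nor quoted."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):   # keep the escaped char literally
            buf.append(subject[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_subject(subject):
    """Return the DN as a set of (attribute, value) pairs with canonical names.

    Order is ignored on purpose: openssl prints the most significant
    component first, NSS/LDAP tools print the RFC 4514 reversed form.
    """
    pairs = set()
    for rdn in split_rdns(subject):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        name, value = rdn.split("=", 1)
        pairs.add((ALIASES.get(name.strip().lower(), name.strip()), value.strip()))
    return pairs


def diff_subjects(expected, actual):
    """Return (missing, extra): pairs present only in expected / only in actual."""
    exp, act = parse_subject(expected), parse_subject(actual)
    return sorted(exp - act), sorted(act - exp)


def find_matching_cert(expected, candidate_subjects):
    """Subject-equality lookup as described in the thread (assumed rule, not
    the installer's code): which supplied subjects equal the expected one?"""
    exp = parse_subject(expected)
    return [s for s in candidate_subjects if parse_subject(s) == exp]


if __name__ == "__main__":
    missing, extra = diff_subjects(CSR_SUBJECT, SIGNED_SUBJECT)
    print("attributes the signing CA dropped:", missing)
    print("attributes it added:", extra)
    print("certs matching the CSR subject:",
          find_matching_cert(CSR_SUBJECT, [SIGNED_SUBJECT, ROOT_SUBJECT]))
```

Run it against the subject lines from `openssl req -noout -subject` on the CSR and `openssl x509 -noout -subject` on each file passed to `--external-cert-file`; a non-empty "missing" list is the condition that produces the "IPA CA certificate not found" error. One caveat worth knowing when the diff shows a dropped attribute: `openssl ca` silently deletes any subject attribute that the policy section in use does not mention, so the `-policy` section on the root CA is the first place to look.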