[Freeipa-users] IPA with external CA signed certs
James Masson
james.masson at jmips.co.uk
Mon Oct 26 15:05:18 UTC 2015
On 19/10/15 21:06, Rob Crittenden wrote:
> James Masson wrote:
>>
>> Hi list,
>>
>> I successfully have IPA working with CA certs signed by an upstream Dogtag.
>>
>> Now I'm trying to use a CA cert signed by a different type of CA - Vault.
>>
>> Setup fails, using the same 2 step IPA setup process as used with
>> upstream Dogtag. I've also tried the external-ca-type option.
>>
>> Likely, IPA doesn't like the certificate - however, I can't pinpoint why.
>
> I'm guessing you don't include the entire CA certchain of Vault. Dogtag
> is failing to startup because it can't verify its own cert chain:
>
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
> CAPresence: CA is present
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
> SystemCertsVerification: system certs verification failure
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
> SelfTestSubsystem: The CRITICAL self test plugin called
> selftests.container.instance.SystemCertsVerification running at startup
> FAILED!
>
> rob
>
Hi Rob,
Thanks for the reply.
I do present the IPA installer with both the CA and the IPA cert - the
IPA's python-based install code is happy with the cert chain, but the
Java based Dogtag code chokes on it.
OpenSSL is happy with it too.
#####
[root at foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate
[root at foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###
Any hints on how to reproduce this with more debug output? I'd like to
know exactly what Dogtag doesn't like about the certificate.
thanks
James M
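As an added check (not from the thread, and not part of FreeIPA or Dogtag), the following script tests the point Rob raises: whether the bundle handed to the IPA installer is a complete chain, i.e. whether every certificate's issuer is itself present in the bundle, ending at a self-signed root. File names such as chain.pem are assumptions.

```sh
#!/bin/sh
# Added example: check that a PEM CA bundle is a complete chain before giving
# it to ipa-server-install. Every certificate's issuer must itself be in the
# bundle (a self-signed root is its own issuer); a missing intermediate is the
# kind of gap that leaves Dogtag unable to verify its own CA cert at startup.
# Assumed file names: chain.pem (bundle), cert-NN.pem (split output).
set -u

# Split a PEM bundle ($1) into one file per certificate in directory $2;
# prints the number of certificates found.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# Print "complete" and return 0 when every issuer in bundle $1 is present as a
# subject; otherwise name the first certificate whose issuer is missing and
# return 1. Subject/issuer are compared by OpenSSL's name hash.
chain_complete() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    n=$(split_bundle "$bundle" "$tmp")
    if [ "$n" -eq 0 ]; then rm -rf "$tmp"; printf 'no certificates in %s\n' "$bundle"; return 1; fi
    # Subject hashes of everything in the bundle, one per line.
    subjects=$(for c in "$tmp"/cert-*.pem; do openssl x509 -in "$c" -noout -subject_hash; done)
    rc=0
    status=complete
    for c in "$tmp"/cert-*.pem; do
        issuer_hash=$(openssl x509 -in "$c" -noout -issuer_hash)
        if ! printf '%s\n' "$subjects" | grep -qx "$issuer_hash"; then
            status="missing issuer: $(openssl x509 -in "$c" -noout -issuer)"
            rc=1
            break
        fi
    done
    rm -rf "$tmp"
    printf '%s\n' "$status"
    return $rc
}

# Usage: chain_complete chain.pem && openssl verify -CAfile chain.pem ipa.crt
```

The second half of the usage line is the verification already shown above; the first half is what it does not cover, that the bundle itself has no missing link.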