[Freeipa-users] IPA with external CA signed certs

James Masson james.masson@jmips.co.uk
Wed Oct 28 16:36:45 UTC 2015



On 26/10/15 16:11, Martin Kosek wrote:
> On 10/26/2015 04:05 PM, James Masson wrote:
>>
>>
>> On 19/10/15 21:06, Rob Crittenden wrote:
>>> James Masson wrote:
>>>>
>>>> Hi list,
>>>>
>>>> I successfully have IPA working with CA certs signed by an upstream Dogtag.
>>>>
>>>> Now I'm trying to use a CA cert signed by a different type of CA - Vault.
>>>>
>>>> Setup fails, using the same 2-step IPA setup process as used with
>>>> upstream Dogtag. I've also tried the external-ca-type option.
>>>>
>>>> Likely, IPA doesn't like the certificate - however, I can't pinpoint why.
>>>
>>> I'm guessing you don't include the entire CA certchain of Vault. Dogtag
>>> is failing to startup because it can't verify its own cert chain:
>>>
>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence:  CA is present
>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>>>
>>> rob
>>>
>>
>>
>> Hi Rob,
>>
>> Thanks for the reply.
>>
>> I do present the IPA installer with both the CA and the IPA cert - IPA's
>> python-based install code is happy with the cert chain, but the Java-based
>> Dogtag code chokes on it.
>>
>> OpenSSL is happy with it too.
>>
>> #####
>> [root@foo ~]# openssl verify ipa.crt
>> ipa.crt: O = LOCAL, CN = Certificate Authority
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>
>> [root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
>> ipa.crt: OK
>> ###
>>
>> Any hints on how to reproduce this with more debug output? I'd like to know
>> exactly what Dogtag doesn't like about the certificate.
>>
>> thanks
>>
>> James M
>
> Let me CC at least Jan Ch. and David; they may be able to help and should also
> make sure FreeIPA gets better in validating the certs, as appropriate.
>

Any thoughts, guys?

James M
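Added example, not part of the thread and not FreeIPA or Dogtag code: Rob's guess above is that the external CA file handed to the IPA installer does not contain the whole Vault chain, so Dogtag cannot verify its own certificate at startup. The POSIX shell function below walks a PEM bundle and reports, per certificate, whether its issuer is present in the same bundle and whether the bundle ends in a self-signed root. It requires openssl(1) and compares names only (OpenSSL subject/issuer name hashes), not signatures, so it is a quick completeness check to run before the installer, not a replacement for `openssl verify`. The function name `check_ca_chain` and the certificate names used in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a PEM bundle holds a
# complete CA chain, i.e. every non-self-signed cert's issuer is also in the
# bundle and at least one cert is a self-signed root. Names are compared by
# OpenSSL's subject/issuer name hashes, so this checks chain *shape*, not
# signatures. Requires openssl(1).
#
# usage: check_ca_chain vaultca.crt   (exit 0 = complete, 1 = incomplete)

check_ca_chain() {
    bundle=$1
    work=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate (cert1.pem, cert2.pem, ...).
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/cert" n ".pem") }' "$bundle"

    # Collect the subject name hash of every certificate in the bundle.
    subjects=""
    for f in "$work"/cert*.pem; do
        [ -f "$f" ] || continue
        s=$(openssl x509 -in "$f" -noout -subject_hash)
        subjects="$subjects $s"
    done

    status=0
    roots=0
    for f in "$work"/cert*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        s=$(openssl x509 -in "$f" -noout -subject_hash)
        i=$(openssl x509 -in "$f" -noout -issuer_hash)
        if [ "$s" = "$i" ]; then
            # subject == issuer: a self-signed root (the chain terminator)
            echo "root (self-signed): $subj"
            roots=$((roots + 1))
        else
            case " $subjects " in
                *" $i "*) echo "chained:            $subj" ;;
                *)        echo "MISSING ISSUER for: $subj"; status=1 ;;
            esac
        fi
    done
    rm -rf "$work"

    # A bundle without a self-signed root is, by definition, not a full chain.
    if [ "$roots" -lt 1 ]; then
        echo "no self-signed root in bundle"
        status=1
    fi
    return $status
}

# Run directly as a script: check the bundle given as the single argument.
case $# in
    1) check_ca_chain "$1" ;;
esac
```

If the Vault intermediate alone was dropped into the file, the output shows a `MISSING ISSUER` line and no root; appending the Vault root certificate to the same file makes every line `chained:` or `root (self-signed):`, which is the shape Dogtag's startup self-test needs to verify its own certificate.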
