@johnseekins
Last active March 5, 2018 17:25
[root@ops-freeipa-devops-1 ec2-user]# ipa-server-install --mkhomedir -NU --ca-cert-file=/mnt/certs/rootCA.pem --dirsrv-cert-file=/mnt/certs/ops-freeipa-devops-1.dm.lan.pem --http-cert-file=/mnt/certs/ops-freeipa-devops-1.dm.lan.pem --no-pkinit --dirsrv-pin='' --http-pin='' -p <DS password> -a <admin password> -n DM.LAN -r DM.LAN
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
Excluded by options:
* Configure the Network Time Daemon (ntpd)
...
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
3. Kerberos requires time synchronization between clients
and servers for correct operation. You should consider enabling ntpd.
In order for Firefox autoconfiguration to work you will need to
use a SSL signing certificate. See the IPA documentation for more details.
[root@ops-freeipa-devops-1 ec2-user]# ipa-ca-install -P admin -p <DS password> -w <admin password>
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/29]: configuring certificate server instance
[2/29]: exporting Dogtag certificate store pin
[3/29]: stopping certificate server instance to update CS.cfg
[4/29]: backing up CS.cfg
[5/29]: disabling nonces
[6/29]: set up CRL publishing
[7/29]: enable PKIX certificate path discovery and validation
[8/29]: starting certificate server instance
[9/29]: configure certmonger for renewals
[10/29]: requesting RA certificate from CA
[11/29]: setting up signing cert profile
[12/29]: setting audit signing renewal to 2 years
[13/29]: restarting certificate server
[14/29]: publishing the CA certificate
[15/29]: adding RA agent as a trusted user
[16/29]: authorizing RA to modify profiles
[17/29]: authorizing RA to manage lightweight CAs
[18/29]: Ensure lightweight CAs container exists
[19/29]: configure certificate renewals
[20/29]: configure Server-Cert certificate renewal
[21/29]: Configure HTTP to proxy connections
[22/29]: restarting certificate server
[23/29]: updating IPA configuration
[24/29]: enabling CA instance
[25/29]: migrating certificate profiles to LDAP
[26/29]: importing IPA certificate profiles
[27/29]: adding default CA ACL
[28/29]: adding 'ipa' CA entry
[29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
[Thu Mar 01 20:35:43.037230 2018] [:error] [pid 27289] Bad remote server certificate: -8172
[Thu Mar 01 20:35:43.037240 2018] [:error] [pid 27289] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
[Thu Mar 01 20:35:43.037249 2018] [:error] [pid 27289] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
[Thu Mar 01 20:35:43.037945 2018] [:error] [pid 27289] Bad remote server certificate: -8172
[Thu Mar 01 20:35:43.037954 2018] [:error] [pid 27289] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
[Thu Mar 01 20:35:46.404513 2018] [:warn] [pid 27286] [client 172.29.26.66:54878] failed to set perms (3140) on file (/var/run/ipa/ccaches/jseekins@DM.LAN)!, referer: https://ops-freeipa-devops-1.dm.lan/ipa/ui/
[Thu Mar 01 20:35:46.483586 2018] [:error] [pid 27685] Bad remote server certificate: -8172
[Thu Mar 01 20:35:46.483604 2018] [:error] [pid 27685] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
[Thu Mar 01 20:35:46.483650 2018] [:error] [pid 27685] Re-negotiation handshake failed: Not accepted by client!?
[root@ops-freeipa-devops-1 ec2-user]# certutil -L -d /etc/httpd/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CN=Master,L=Bozeman,ST=Montana,C=US C,,
CN=ops-freeipa-devops-1.dm.lan,L=Bozeman,ST=Montana,C=US u,u,u
[root@ops-freeipa-devops-1 ec2-user]# certutil -L -d /etc/dirsrv/slapd-DM-LAN/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CN=Master,L=Bozeman,ST=Montana,C=US C,,
CN=ops-freeipa-devops-1.dm.lan,L=Bozeman,ST=Montana,C=US u,u,u
DM.LAN IPA CA CT,C,C
[root@ops-freeipa-devops-1 ec2-user]# certutil -d /etc/httpd/alias/ -A -t "CT,C,C" -n DM.LAN -i /etc/ipa/ca.crt
[root@ops-freeipa-devops-1 ec2-user]# certutil -L -d /etc/httpd/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CN=ops-freeipa-devops-1.dm.lan,L=Bozeman,ST=Montana,C=US u,u,u
CN=Master,L=Bozeman,ST=Montana,C=US C,,
DM.LAN CT,C,C
[root@ops-freeipa-devops-1 ec2-user]# systemctl restart ipa
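The mod_nss errors in the session above (-8172, "Certificate is signed by an untrusted issuer") are the symptom of the httpd NSS database at /etc/httpd/alias lacking the IPA CA after ipa-ca-install; the fix is the certutil -A import with "CT,C,C" trust followed by the restart. The following shell script is an added example, not part of the gist, that parses a certutil -L listing and checks whether a given nickname is present with the upper-case C (trusted CA) flag in the SSL column, so the condition can be verified before restarting or caught in monitoring. The two listings it embeds are constructed from the gist's before/after output; the nickname DM.LAN is the one the gist used for the httpd import (note the dirsrv database on the same host carries the CA under "DM.LAN IPA CA", so the nickname is taken as a parameter).

```shell
#!/bin/sh
# Added example, not part of the gist: inspect a `certutil -L` listing and
# confirm that a given nickname is present with NSS "trusted CA" flags for SSL.
#
# Trust column format is SSL,S/MIME,JAR/XPI. Only an upper-case C in the SSL
# field means "trusted CA for server certificates"; u means the private key
# is in the database (a server cert, not a trust anchor).
#
# Live use:  certutil -L -d /etc/httpd/alias/ | has_trusted_ca DM.LAN
#
# The two listings below are constructed from the gist output, before and
# after `certutil -A ... -t "CT,C,C" -n DM.LAN`, so the script runs offline.

HTTPD_BEFORE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=Master,L=Bozeman,ST=Montana,C=US                          C,,
CN=ops-freeipa-devops-1.dm.lan,L=Bozeman,ST=Montana,C=US     u,u,u'

HTTPD_AFTER='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=ops-freeipa-devops-1.dm.lan,L=Bozeman,ST=Montana,C=US     u,u,u
CN=Master,L=Bozeman,ST=Montana,C=US                          C,,
DM.LAN                                                       CT,C,C'

# Reads a certutil -L listing on stdin and prints "<nickname>TAB<ssl flags>"
# per certificate. The trust column is the last whitespace-separated field
# (three comma-separated groups of flag letters); everything before it is the
# nickname, which may itself contain spaces (e.g. "DM.LAN IPA CA"). Header
# lines and blank lines never match the trust-column pattern and are skipped.
list_ssl_trust() {
  awk '$NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
         split($NF, f, ",")
         nick = $0
         sub(/[[:space:]]+[^[:space:]]+$/, "", nick)
         print nick "\t" f[1]
       }'
}

# Prints the nicknames NSS will accept as SSL CAs (C in the SSL field).
trusted_cas() {
  list_ssl_trust | awk -F'\t' 'index($2, "C") > 0 { print $1 }'
}

# Exit 0 if nickname $1 is present with the C flag in the SSL field, else 1.
has_trusted_ca() {
  list_ssl_trust | awk -F'\t' -v n="$1" '
    BEGIN { rc = 1 }
    $1 == n && index($2, "C") > 0 { rc = 0 }
    END { exit rc }'
}

# Stand-alone demonstration on the constructed listings.
if printf '%s\n' "$HTTPD_BEFORE" | has_trusted_ca DM.LAN; then
  echo "before: DM.LAN is a trusted CA in the httpd NSS db"
else
  echo "before: DM.LAN missing or untrusted in the httpd NSS db (expect -8172 from mod_nss)"
fi
if printf '%s\n' "$HTTPD_AFTER" | has_trusted_ca DM.LAN; then
  echo "after:  DM.LAN is a trusted CA in the httpd NSS db"
fi
```

Run the live form against both /etc/httpd/alias and /etc/dirsrv/slapd-DM-LAN with the nickname each database actually uses; a server certificate listed as u,u,u is deliberately not reported as a CA, and a CA imported with lower-case c (valid but not trusted) is not reported either, since NSS will not build a chain to it.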