[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
West, Jani
jwest at iki.fi
Tue Feb 24 15:44:17 UTC 2015
Thank you for the tip,
Just created a new /root/cacerts.p12. Should I import it into the CA somehow
or just restart the IPA server?
Will reset the new replica VM to a clean CentOS 7 installation without
any leftovers from ipa-replica-install.
--
-- Jani West
On 24.2.2015 17:06, Rob Crittenden wrote:
> West, Jani wrote:
>> Hi,
>>
>> Validity, status and serials seem to be fine. One interesting pick:
>> while the installation is not too old, it might have been installed initially
>> with FreeIPA 2.x. That's why I have to use LDAP port 7389 instead of
>> 398.
>>
>> # getcert list |grep expires
>> expires: 2016-11-21 13:40:41 UTC
>> expires: 2016-11-21 13:40:44 UTC
>> expires: 2016-11-21 13:40:41 UTC
>> expires: 2016-10-30 09:08:12 UTC
>> expires: 2016-10-30 09:07:12 UTC
>> expires: 2016-10-30 09:07:12 UTC
>> expires: 2016-10-30 09:07:12 UTC
>> expires: 2016-10-30 09:07:12 UTC
>> # getcert list -d /etc/httpd/alias -n ipaCert | egrep -i '(status|expires)'
>> status: MONITORING
>> expires: 2016-10-30 09:07:12 UTC
>> # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
>> Serial Number: 31 (0x1f)
>> # ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca description
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=ipara,ou=People,o=ipaca> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: description
>> #
>>
>> # ipara, people, ipaca
>> dn: uid=ipara,ou=people,o=ipaca
>> description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>
>
> I suspect you are bootstrapping the replica with expired certs. After
> the failed install the certs probably still exist on the replica in
> /var/lib/pki-ca/alias. Check the dates.
>
> I think you need to refresh /root/cacerts.p12 on the master you are
> preparing the replica on. In newer IPA we regenerate this on-the-fly, but
> it isn't in 3.0. Use PKCS12Export to do this.
>
> rob
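Rob's advice above is to check the certificate dates before preparing the replica. The following is an added example, not code from this thread or from FreeIPA/certmonger: it parses `getcert list` output (the sample below is constructed in that format; request IDs, nicknames and dates are made up) and flags entries that are already expired or are not in certmonger's MONITORING state.

```python
import re
from datetime import datetime, timezone

# Constructed sample shaped like `getcert list` output (made-up IDs/dates).
SAMPLE = """Request ID '20141121134041':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\texpires: 2016-10-30 09:07:12 UTC
Request ID '20141121134044':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2015-02-01 00:00:00 UTC
"""

def parse_getcert_list(text):
    # One dict per "Request ID" block; only the fields the check needs.
    certs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"request_id": m.group(1)}
            certs.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, value = [s.strip() for s in line.partition(":")]
        if key == "certificate":
            # location + nickname identify the entry in the NSS database
            for field in ("location", "nickname"):
                m = re.search(field + r"='([^']*)'", value)
                cur[field] = m.group(1) if m else None
        elif key == "expires":
            dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z")
            cur["expires"] = dt.replace(tzinfo=timezone.utc)
        elif key == "status":
            cur["status"] = value
    return certs

def find_problem_certs(certs, now):
    # Flag anything expired or not in certmonger's healthy MONITORING state.
    problems = []
    for c in certs:
        reasons = []
        if c.get("expires") is not None and c["expires"] <= now:
            reasons.append("expired")
        if c.get("status") != "MONITORING":
            reasons.append("status=%s" % c.get("status"))
        if reasons:
            problems.append((c.get("location"), c.get("nickname"), reasons))
    return problems
```

To use it on a real host, pass the captured output of `getcert list` to `parse_getcert_list` instead of `SAMPLE` and `datetime.now(timezone.utc)` as `now`. Certificates in /var/lib/pki-ca/alias that certmonger does not track will not appear here and still need `certutil -L -d /var/lib/pki-ca/alias` by hand.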