[Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

Florence Blanc-Renaud flo at redhat.com
Tue Apr 25 07:52:27 UTC 2017


Hi,

As your email refers to self-signed and signed CA certificate, can you 
please clarify the exact steps that you followed? It looks like
- you first installed FreeIPA with a self-signed CA
- you added an external CA (did you use ipa-cacert-manage install on 1 
server then ipa-certupdate on all replicas?)
- you replaced the httpd/LDAP certificates with a cert signed by the 
external CA (you probably ran ipa-server-certinstall on one server).

In this case it is normal that the httpd/LDAP certificates on the 
replica were not updated, as they are different (each IPA server has its 
own httpd/LDAP cert, which contains the hostname in its subject). You can 
check this by running the following on each server:
ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep 
Subject:
         Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
                      ^^^^^^^^^

If the goal is to replace the httpd/LDAP certificates on the replica, 
the command ipa-server-certinstall must also be run on the replica with 
the appropriate certificate.

HTH,
Flo.
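An added check, not part of the thread, that applies the advice above on every server: it parses the Issuer and Subject lines of `certutil -d /etc/httpd/alias/ -L -n Server-Cert` output, confirms the CN is the server's own FQDN, and flags a replica whose Server-Cert is still issued by the default self-signed IPA CA ("CN=Certificate Authority,O=REALM") instead of the expected external CA. The sample certutil output, hostnames and issuer names are constructed; the NSS DB path and nickname are the ones from the thread.

```shell
# Constructed samples in the shape of `certutil -L -n Server-Cert` output.
# Only the Issuer/Subject lines matter for the check.
SAMPLE_IPASERVER='Certificate:
    Data:
        Issuer: "CN=External CA,O=EXAMPLE"
        Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"'
SAMPLE_REPLICA='Certificate:
    Data:
        Issuer: "CN=Certificate Authority,O=DOMAIN.COM"
        Subject: "CN=replica1.domain.com,O=DOMAIN.COM"'

# cert_status HOSTNAME EXPECTED_ISSUER_CN CERTUTIL_OUTPUT
# Prints: ok | wrong-host | issuer-mismatch | unknown
cert_status() {
    host=$1; want_issuer=$2; out=$3
    # Pull the CN out of the quoted DN on the Subject: and Issuer: lines.
    subj_cn=$(printf '%s\n' "$out" | sed -n 's/^ *Subject: *"CN=\([^,"]*\).*/\1/p' | head -n 1)
    iss_cn=$(printf '%s\n' "$out" | sed -n 's/^ *Issuer: *"CN=\([^,"]*\).*/\1/p' | head -n 1)
    if [ -z "$subj_cn" ]; then
        echo unknown            # no cert under that nickname, or unreadable DB
    elif [ "$subj_cn" != "$host" ]; then
        echo wrong-host         # cert was minted for a different IPA server
    elif [ "$iss_cn" != "$want_issuer" ]; then
        echo issuer-mismatch    # still the self-signed IPA CA: run ipa-server-certinstall here
    else
        echo ok
    fi
}

# Live check on this host (needs certutil and read access to the NSS DB).
# Usage: check_local_server_cert 'External CA'
check_local_server_cert() {
    out=$(certutil -d /etc/httpd/alias/ -L -n Server-Cert 2>/dev/null) || out=''
    cert_status "$(hostname -f)" "$1" "$out"
}

# Offline demonstration on the constructed samples.
printf 'ipaserver: %s\n' "$(cert_status ipaserver.domain.com 'External CA' "$SAMPLE_IPASERVER")"
printf 'replica1:  %s\n' "$(cert_status replica1.domain.com 'External CA' "$SAMPLE_REPLICA")"
```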

On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> Just an update: manually adding the external CA(s) and the signed certificate was
> successful, but why didn't it automatically transfer to the
> replica(s) from the master?
>
> On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I've successfully created a replica, everything works fine, but why did my
>> signed CA certificate not automatically transfer to the other
>> replica(s)? Is it normal?
>>
>> Trying to add it manually, but the certificate on the replica(s) is still
>> the self-signed one. Here's the output from `ipa-certupdate -v`:
>> https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=
>>
>> The interesting lines were:
>>
>> ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa:
>> DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
>> ipa: DEBUG: Process finished, return code=255 ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA :
>> PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> ipa: DEBUG: Starting external process ipa: DEBUG:
>> args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
>> ipa: DEBUG: Process finished, return code=255 ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> FYI: The replica server was previously a client and was promoted to
>> a replica by running this command: `ipa-replica-install
>> --principal admin --admin-password admin_password`
>>
>> Any hints?
>>