[Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Tue Apr 25 08:56:39 UTC 2017



Hello!

Master IPA Server:
- I installed one server as master (self-signed) and then added/modified
  it using an external CA.
- I used `ipa-cacert-manage install`, then `ipa-certupdate`, on the master.

Replica IPA Server:
- I installed one server as a client and promoted it to a replica:
  - I ran `ipa-client-install` with autodiscovery
  - Then `ipa-replica-install --principal admin --admin-password <password>`

I ran `ipa-certupdate -v` to get verbose logs (attached to the first
email). The replica server isn't using the external CA(s) like the master does.

So I did the same as on the master, using `ipa-cacert-manage` on the replica,
and it works fine. If that is normal, then thanks for clarifying this.

On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
> Hi,
> 
> As your email refers to self-signed and signed CA certificates, can
> you please clarify the exact steps that you followed? It looks like:
> - you first installed FreeIPA with a self-signed CA
> - you added an external CA (did you use ipa-cacert-manage install on 1
>   server then ipa-certupdate on all replicas?)
> - you replaced the httpd/LDAP certificates with a cert signed from the
>   external CA (you probably ran ipa-server-certinstall on one server).
> 
> In this case it is normal that the httpd/LDAP certificates on the
> replica were not updated as they are different (each IPA server has
> its own httpd/LDAP cert which contains the hostname in its
> subject). You can check this by performing on each server:
> 
> ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
> Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
>              ^^^^^^^^^
> 
> If the goal is to replace the httpd/LDAP certificates on the
> replica, the command ipa-server-certinstall must also be run on the
> replica with the appropriate certificate.
> 
> HTH, Flo.
> 
> On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:
> 
> Hello!
> 
> Just an update: manually adding the external CA(s) and signed
> certificate was successful, but why wasn't it automatically transferred
> to the replica(s) from the master?
> 
> On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>> 
>>>> I've successfully create replica, everything works fine but
>>>> why my signed CA certificate didn't automatically transfer to
>>>> another replica(s)? Is it normal?
>>>> 
>>>> Trying to add manually, but the certificate in replica(s)
>>>> still using self-signed. Here's the output from
>>>> `ipa-certupdate -v` 
>>>> https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=
>>>> 
>>>> Interesting line was :
>>>> 
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
>>>> ipa: DEBUG: Process finished, return code=255
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>> 
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
>>>> ipa: DEBUG: Process finished, return code=255
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>> 
>>>> FYI: The replica server previously was a client and promoted
>>>> to be a replica by hitting this command:
>>>> `ipa-replica-install --principal admin --admin-password admin_password`
>>>> 
>>>> Any hints?
>>>> 
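The two checks Florence describes (is the external CA present in the server's NSS database, and is the Server-Cert subject this host's own name) are easy to script and run on every master and replica after `ipa-cacert-manage install` / `ipa-certupdate`. The script below is an added example written for this page, not code from the thread or from the FreeIPA project; the database paths and the nickname style (`IPA CA`, `External CA cert`) follow the thread's commands and debug log, while the sample `certutil -L` listing embedded in it is constructed for an offline demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): sanity-check an IPA server
# after "ipa-cacert-manage install" + "ipa-certupdate".
#   1. every expected CA nickname exists in /etc/ipa/nssdb
#   2. the httpd Server-Cert CN is this host's FQDN (each server has its own)
# Paths come from the thread; nicknames and the sample listing are assumptions.

# cn_from_subject SUBJECT_LINE: pull the CN out of a certutil "Subject:" line,
#   Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"  ->  ipaserver.domain.com
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*"CN=\([^,"]*\).*/\1/p'
}

# check_server_cert_cn SUBJECT_LINE FQDN: succeed only when the Server-Cert CN
# equals FQDN. A replica that was handed the master's cert fails this check.
check_server_cert_cn() {
    [ "$(cn_from_subject "$1")" = "$2" ]
}

# missing_nicknames LISTING NICK...: print each nickname that is NOT present,
# as an exact first-column match, in a "certutil -d <db> -L" listing.
# Prints nothing when all nicknames are present.
missing_nicknames() {
    listing=$1; shift
    # certutil separates nickname and trust flags with a run of spaces;
    # keep only the nickname column (everything before the first double space)
    names=$(printf '%s\n' "$listing" | sed 's/  .*$//')
    for nick in "$@"; do
        printf '%s\n' "$names" | grep -Fxq -- "$nick" || printf '%s\n' "$nick"
    done
}

# ipa_cert_check NICK...: run both checks against the live NSS databases.
# Needs certutil and (for /etc/httpd/alias) root. Non-zero exit on any finding.
ipa_cert_check() {
    rc=0
    fqdn=$(hostname -f)
    subject=$(certutil -d /etc/httpd/alias -L -n Server-Cert | grep 'Subject:')
    if check_server_cert_cn "$subject" "$fqdn"; then
        echo "OK: Server-Cert CN matches $fqdn"
    else
        echo "FAIL: Server-Cert CN is not $fqdn: $subject"
        echo "      run ipa-server-certinstall on this host with its own cert"
        rc=1
    fi
    missing=$(missing_nicknames "$(certutil -d /etc/ipa/nssdb -L)" "$@")
    if [ -n "$missing" ]; then
        echo "FAIL: missing from /etc/ipa/nssdb (run ipa-certupdate here):"
        printf '      %s\n' $missing
        rc=1
    fi
    return $rc
}

# Constructed sample of "certutil -d /etc/ipa/nssdb -L" output on a server that
# already holds both CA certs; used only for the offline demonstration.
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

IPA CA                                        CT,C,C
External CA cert                              CT,C,C'

if [ "${1:-}" = "--live" ]; then
    ipa_cert_check "IPA CA" "External CA cert"
else
    # Offline demonstration: "Other CA" is reported missing, the two real
    # nicknames are not.
    missing_nicknames "$SAMPLE_LISTING" "IPA CA" "External CA cert" "Other CA"
fi
```

Run it with `--live` on each server as root; without arguments it only exercises the parsing on the embedded sample. Matching the nickname column exactly (rather than grepping for a substring) matters because `certutil` nicknames commonly share prefixes, and a substring match would report a CA as present when only a similarly named one is.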
