[Freeipa-users] I think I lost my CA...

Bret Wortman bret.wortman at damascusgrp.com
Wed Apr 26 12:35:36 UTC 2017


Good news. One of my servers _does_ have CA installed. So why does 
"Action -> New Certificate" not do anything on this or any other server?


Bret


On 04/25/2017 02:52 PM, Bret Wortman wrote:
>
> I recently had to upgrade all my Fedora IPA servers to C7. It went 
> well, and we've been up and running nicely on 4.4.0 on C7 for the past 
> month or so.
>
> Today, someone came and asked me to generate a new certificate for 
> their web server. All was good until I went to the IPA UI and tried to 
> perform Actions->New Certificate, which did nothing. I tried each of 
> our 3 servers in turn. All came back with no popup window and no 
> error, either.
>
> I suspect the problem might be that we no longer have a CA server due 
> to the method I used to upgrade the servers. I likely missed a 
> "--setup-ca" in there somewhere, so my rolling update rolled over the CA.
>
> What's my best hope of recovery? I never ran this before, so I'm not 
> sure if this shows that I'm missing a CA or not:
>
>     # ipa ca-find
>     ------------
>     1 CA matched
>     ------------
>       Name: ipa
>       Description IPA CA
>       Authority ID: 3ce3346[...]
>       Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>       Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>     ----------------------------
>     Number of entries returned 1
>     ----------------------------
>     # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA, O=DAMASCUSGRP.COM"
>     ipa: ERROR: Failed to authenticate to CA REST API
>     # klist
>     Ticket cache: KEYRING:persistent:0:0
>     Default principal: admin@DAMASCUSGRP.COM
>
>     Valid starting      Expires              Service principal
>     04/25/2017 18:48:26 04/26/2017 18:48:21  krbtgt/DAMASCUSGRP.COM@DAMASCUSGRP.COM
>     #
>
>
> What's my best path of recovery?
>
> -- 
> *Bret Wortman*
> The Damascus Group
>
