[Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

Florence Blanc-Renaud flo at redhat.com
Wed Apr 26 13:08:55 UTC 2017


On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> Master IPA Server:
> - I installed 1 (one) server as master (self-signed) and added/modified
> it using an external CA.
> - I used ipa-cacert-manage install, then ipa-certupdate on the master.
>
Hi,

I think I got you wrong...
Do you mean that you installed IPA with an integrated IdM CA which was 
self-signed, then your intent was to move to integrated IdM CA 
externally signed? In this case, the right command would be 
ipa-cacert-manage renew --external-ca, and the procedure is described in 
"Changing the certificate chain" [1].

The command ipa-cacert-manage install does not replace the integrated 
IdM CA but adds the certificate as a known CA.

Hope this clarifies,
Flo

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html

> Replica IPA Server:
> - I installed 1 (one) server as a client and promoted it to an ipa-replica:
>   - I ran `ipa-client-install` with autodiscovery
>   - Then `ipa-replica-install --principal admin --admin-password <password>`
>
> I ran `ipa-certupdate -v` to get verbose logs (attached to the first
> email). The replica server isn't using the external CA(s) like the master does.
>
> So, I did the same as on the master, using `ipa-cacert-manage` on the replica,
> and it works fine. If this is normal, then thanks for clarifying.
>
> On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> As your email refers to self-signed and signed CA certificates, can
>> you please clarify the exact steps that you followed? It looks
>> like:
>> - you first installed FreeIPA with a self-signed CA
>> - you added an external CA (did you use ipa-cacert-manage install on 1
>>   server then ipa-certupdate on all replicas?)
>> - you replaced the httpd/LDAP certificates with a cert signed from the
>>   external CA (you probably ran ipa-server-certinstall on one server).
>>
>> In this case it is normal that the httpd/LDAP certificates on the
>> replica were not updated as they are different (each IPA server has
>> its own httpd/LDAP cert which contains the hostname in its
>> subject). You can check this by performing on each server:
>> ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
>> Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
>>              ^^^^^^^^^
>>
>> If the goal is to replace the httpd/LDAP certificates on the
>> replica, the command ipa-server-certinstall must also be run on the
>> replica with the appropriate certificate.
>>
>> HTH, Flo.
>>
>> On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:
>>
>> Hello!
>>
>> Just an update: manually adding the external CA(s) and signed certificate
>> was successful, but why didn't it automatically transfer to the
>> replica(s) from the master?
>>
>> On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
>>>>> Hello!
>>>>>
>>>>> I've successfully created a replica, everything works fine, but
>>>>> why didn't my signed CA certificate automatically transfer to
>>>>> the other replica(s)? Is it normal?
>>>>>
>>>>> Trying to add it manually, but the certificate on the replica(s)
>>>>> is still the self-signed one. Here's the output from
>>>>> `ipa-certupdate -v`:
>>>>> https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=
>>>>>
>>>>> The interesting lines were:
>>>>>
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
>>>>> ipa: DEBUG: Process finished, return code=255
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
>>>>> ipa: DEBUG: Process finished, return code=255
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>
>>>>> FYI: The replica server previously was a client and promoted
>>>>> to be a replica by hitting this command:
>>>>> `ipa-replica-install --principal admin --admin-password
>>>>> admin_password`
>>>>>
>>>>> Any hints?
>>>>>
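As an added example (not from the thread or the FreeIPA project): a small Python triage of the `ipa-certupdate -v` debug output quoted in the thread, listing which certificate nicknames certutil could not find in which NSS database. A PR_FILE_NOT_FOUND_ERROR for "IPA CA" in /etc/ipa/nssdb is exactly the symptom of a replica whose NSS database never received the master's CA chain. The sample log is constructed to mirror the quoted lines, re-joined to one record per line; the regexes assume that unquoted `args=` format.

```python
import re

# Constructed sample mirroring the wrapped ipa-certupdate -v output quoted
# in the thread (re-joined onto one line per log record).
SAMPLE_LOG = """\
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/httpd/alias -L -n Server-Cert -a
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=-----BEGIN CERTIFICATE-----
"""

# A certutil lookup as logged (assumed unquoted format, as in the thread);
# nicknames may contain spaces, so capture everything up to the trailing "-a".
ARGS_RE = re.compile(r"args=/usr/bin/certutil -d (\S+) -L -n (.+?) -a$")
RC_RE = re.compile(r"Process finished, return code=(\d+)")
STDERR_RE = re.compile(r"stderr=(.*)$")


def missing_ca_nicknames(log_text: str) -> list:
    """Return each failed certutil lookup as {nssdb, nickname, rc, error}."""
    failures = []
    current = None
    for line in log_text.splitlines():
        m = ARGS_RE.search(line)
        if m:  # a new lookup starts; remember which db and nickname
            current = {"nssdb": m.group(1), "nickname": m.group(2), "rc": None, "error": ""}
            continue
        if current is None:
            continue
        m = RC_RE.search(line)
        if m:
            current["rc"] = int(m.group(1))
            continue
        m = STDERR_RE.search(line)
        if m:  # stderr closes the record; keep it only if the lookup failed
            if current["rc"] not in (None, 0):
                current["error"] = m.group(1)
                failures.append(current)
            current = None
    return failures


if __name__ == "__main__":
    for f in missing_ca_nicknames(SAMPLE_LOG):
        print(f"{f['nssdb']}: nickname '{f['nickname']}' missing (rc={f['rc']}): {f['error']}")
```

Run against the real `ipa-certupdate -v` output on each server; a replica that lists "IPA CA" here while the master does not has not picked up the CA change.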