[Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Fri Apr 28 01:50:27 UTC 2017



Hello!

On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote:
> On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote: Hello!
> 
> Master IPA Server:
> - I install 1 (one) server as master (self-signed) and add/modify using external CA.
> - I am using ipa-cacert-manage install then ipa-certupdate on master
> 
>> Hi,
> 
>> I think I got you wrong... Do you mean that you installed IPA
>> with an integrated IdM CA which was self-signed, then your intent
>> was to move to integrated IdM CA externally signed? In this case,
>> the right command would be ipa-cacert-manage renew --external-ca,
>> and the procedure is described in "Changing the certificate
>> chain" [1].

Ah, thanks for your corrections and information. Then what should I do?
Should I run ipa-cacert-manage renew --external-ca ?

> 
>> The command ipa-cacert-manage install does not replace the
>> integrated IdM CA but adds the certificate as a known CA.
> 
>> Hope this clarifies, Flo
> 
>> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
> 
> Replica IPA Server:
> - I install 1 (one) server as client and promoted to ipa-replica:
> - I run `ipa-client-install` and autodiscovery
> - Then `ipa-replica-install --principal admin --admin-password <password>`
> 
> I ran ipa-certupdate -v to get verbose logs (attached to the first
> email). The replica server isn't using the external CA(s) like the
> master does.
> 
> So I did the same as on the master, using `ipa-cacert-manage` on the
> replica, and it works fine. If that's normal, then thanks for
> clarifying this.
> 
> On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
>>>> Hi,
>>>> 
>>>> As your email refers to self-signed and signed CA
>>>> certificate, can you please clarify the exact steps that you
>>>> followed? It looks like
>>>> - you first installed FreeIPA with a self-signed CA
>>>> - you added an external CA (did you use ipa-cacert-manage install
>>>>   on 1 server then ipa-certupdate on all replicas?)
>>>> - you replaced the httpd/LDAP certificates with a cert signed from
>>>>   the external CA (you probably ran ipa-server-certinstall on one
>>>>   server).
>>>> 
>>>> In this case it is normal that the httpd/LDAP certificates on
>>>> the replica were not updated as they are different (each IPA
>>>> server has its own httpd/LDAP cert which contains the
>>>> hostname in its subject). You can check this by performing on
>>>> each server:
>>>> 
>>>> ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
>>>>         Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
>>>>                      ^^^^^^^^^
>>>> 
>>>> If the goal is to replace the httpd/LDAP certificates on the 
>>>> replica, the command ipa-server-certinstall must also be run
>>>> on the replica with the appropriate certificate.
>>>> 
>>>> HTH, Flo.
>>>> 
>>>> On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote: Hello!
>>>> 
>>>> Just an update: manually adding the external CA(s) and the signed
>>>> certificate was successful, but why didn't it automatically
>>>> transfer from the master to the replica(s)?
>>>> 
>>>> On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
>>>>>>> Hello!
>>>>>>> 
>>>>>>> I've successfully created a replica; everything works fine,
>>>>>>> but why didn't my signed CA certificate automatically
>>>>>>> transfer to the other replica(s)? Is that normal?
>>>>>>> 
>>>>>>> I tried adding it manually, but the certificate on the
>>>>>>> replica(s) is still self-signed. Here's the output
>>>>>>> from `ipa-certupdate -v`:
>>>>>>> https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=
>>>>>>> 
>>>>>>> Interesting line was :
>>>>>>> 
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
>>>>>>> ipa: DEBUG: Process finished, return code=255
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>>> 
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
>>>>>>> ipa: DEBUG: Process finished, return code=255
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>>> 
>>>>>>> FYI: The replica server previously was a client and
>>>>>>> promoted to be a replica by hitting this command: 
>>>>>>> `ipa-replica-install --principal admin
>>>>>>> --admin-password admin_password`
>>>>>>> 
>>>>>>> Any hints?
>>>>>>> 
>>>>> 
>>>> 
>> 
> 
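The `ipa-certupdate -v` output quoted in the thread shows the diagnostic signal directly: a `certutil -d <nssdb> -L -n <nickname> -a` call that exits 255 with "Could not find cert" means that nickname was never written into that NSS database on this host. The script below is an added example, not FreeIPA code and not posted by anyone in the thread. It parses debug lines of that shape and reports, per NSS database, which CA nicknames are missing, so the same check can be run over the verbose log of every server in the topology. The sample log is constructed to match the lines quoted above; the only assumption about the format is that the `args=` line joins the certutil arguments with single spaces (the nickname `IPA CA` appears unquoted, as in the thread), so the nickname is taken as everything between `-n` and the trailing `-a`.

```python
"""Find certificate nicknames that `ipa-certupdate -v` could not locate.

Added example (not FreeIPA code). Feed it the debug output of
`ipa-certupdate -v` from a given server; it returns which nicknames
certutil failed to find in which NSS database.
"""
import re
from collections import defaultdict

# Constructed sample, shaped like the `ipa: DEBUG:` lines quoted in the thread.
SAMPLE_LOG = """\
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/httpd/alias -L -n Server-Cert -a
ipa: DEBUG: Process finished, return code=0
"""

# Assumption: args are space-joined and unquoted, so the nickname is
# everything between "-n" and the final "-a".
ARGS_RE = re.compile(
    r"args=\S*certutil\s+-d\s+(?P<db>\S+)\s+-L\s+-n\s+(?P<nick>.+?)\s+-a\s*$"
)
RC_RE = re.compile(r"Process finished, return code=(?P<rc>\d+)")
NOTFOUND_RE = re.compile(r"Could not find cert: (?P<nick>.+?) : PR_FILE_NOT_FOUND_ERROR")


def certutil_lookups(log_text):
    """Return one dict per `certutil -L -n` call: db, nick, rc, not_found.

    Lines are processed in order; the return-code and stderr lines that
    follow an args= line are attributed to that call.
    """
    lookups = []
    for line in log_text.splitlines():
        m = ARGS_RE.search(line)
        if m:
            lookups.append({"db": m.group("db"), "nick": m.group("nick"),
                            "rc": None, "not_found": False})
            continue
        if not lookups:
            continue  # output before the first certutil call is irrelevant
        m = RC_RE.search(line)
        if m:
            lookups[-1]["rc"] = int(m.group("rc"))
        elif NOTFOUND_RE.search(line):
            lookups[-1]["not_found"] = True
    return lookups


def missing_by_db(log_text):
    """Map NSS database path -> nicknames certutil could not find there.

    A lookup counts as missing when certutil reported "Could not find
    cert" or exited non-zero; a call with no return-code line is left
    out rather than guessed.
    """
    missing = defaultdict(list)
    for lk in certutil_lookups(log_text):
        failed = lk["not_found"] or (lk["rc"] is not None and lk["rc"] != 0)
        if failed:
            missing[lk["db"]].append(lk["nick"])
    return dict(missing)


if __name__ == "__main__":
    # On a real server: ipa-certupdate -v 2>&1 | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for db, nicks in missing_by_db(text).items():
        print(f"{db}: missing {', '.join(nicks)}")
```

Run against the thread's log this prints `/etc/ipa/nssdb: missing IPA CA, External CA cert`, which matches the symptom reported: the replica's `/etc/ipa/nssdb` never received the CA certificate, while the per-host `Server-Cert` lookup in `/etc/httpd/alias` succeeds because, as Flo notes, each server has its own httpd/LDAP certificate.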
