[Freeipa-users] CA Certificate didn't automatically transfer to replica(s)
Dewangga Bachrul Alam
dewanggaba at xtremenitro.org
Fri Apr 28 01:50:27 UTC 2017
Hello!
On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote:
> On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> Master IPA Server:
> - I installed one server as the master (self-signed) and added/modified
>   it using an external CA.
> - I used ipa-cacert-manage install, then ipa-certupdate on the master.
>
>> Hi,
>
>> I think I got you wrong... Do you mean that you installed IPA
>> with an integrated IdM CA which was self-signed, then your intent
>> was to move to integrated IdM CA externally signed? In this case,
>> the right command would be ipa-cacert-manage renew --external-ca,
>> and the procedure is described in "Changing the certificate
>> chain" [1].
Ah thanks for your corrections and information, then what should I do?
Should I run ipa-cacert-manage renew --external-ca ?
>
>> The command ipa-cacert-manage install does not replace the
>> integrated IdM CA but adds the certificate as a known CA.
>
>> Hope this clarifies, Flo
>
>> [1]
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
>
>>
>
> Replica IPA Server:
> - I installed one server as a client and promoted it to an IPA replica:
> - I ran `ipa-client-install` with autodiscovery
> - Then `ipa-replica-install --principal admin --admin-password <password>`
>
> I've run ipa-certupdate -v to get verbose logs (attached to the first
> email). Then the replica server isn't using the external CA(s) like
> the master does.
>
> So, I did the same as on the master, using `ipa-cacert-manage` on the
> replica, and it works fine. If that's normal, then thanks for
> clarifying this.
>
> On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
>>>> Hi,
>>>>
>>>> As your email refers to self-signed and signed CA
>>>> certificates, can you please clarify the exact steps that you
>>>> followed? It looks like:
>>>> - you first installed FreeIPA with a self-signed CA
>>>> - you added an external CA (did you use ipa-cacert-manage install
>>>>   on 1 server then ipa-certupdate on all replicas?)
>>>> - you replaced the httpd/LDAP certificates with a cert signed from
>>>>   the external CA (you probably ran ipa-server-certinstall on one
>>>>   server).
>>>>
>>>> In this case it is normal that the httpd/LDAP certificates on
>>>> the replica were not updated as they are different (each IPA
>>>> server has its own httpd/LDAP cert which contains the
>>>> hostname in its subject). You can check this by running on
>>>> each server:
>>>>
>>>>   ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
>>>>   Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
>>>>                ^^^^^^^^^
>>>>
>>>> If the goal is to replace the httpd/LDAP certificates on the
>>>> replica, the command ipa-server-certinstall must also be run
>>>> on the replica with the appropriate certificate.
>>>>
>>>> HTH, Flo.
>>>>
>>>> On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> Just an update: manually adding the external CA(s) and the signed
>>>> certificate was successful, but why didn't it automatically
>>>> transfer from the master to the replica(s)?
>>>>
>>>> On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
>>>>>>> Hello!
>>>>>>>
>>>>>>> I've successfully created a replica; everything works fine,
>>>>>>> but why didn't my signed CA certificate automatically
>>>>>>> transfer to the other replica(s)? Is that normal?
>>>>>>>
>>>>>>> I tried adding it manually, but the certificate on the
>>>>>>> replica(s) is still self-signed. Here's the output
>>>>>>> from `ipa-certupdate -v`:
>>>>>>> https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=
>>>>>>>
>>>>>>> Interesting lines were:
>>>>>>>
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
>>>>>>> ipa: DEBUG: Process finished, return code=255
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>>>
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
>>>>>>> ipa: DEBUG: Process finished, return code=255
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>>>
>>>>>>> FYI: The replica server previously was a client and
>>>>>>> promoted to be a replica by hitting this command:
>>>>>>> `ipa-replica-install --principal admin
>>>>>>> --admin-password admin_password`
>>>>>>>
>>>>>>> Any hints?
>>>>>>>
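The thread turns on reading the `ipa: DEBUG:` lines that `ipa-certupdate -v` prints around each certutil call: a `return code=255` followed by `certutil: Could not find cert: <nickname>` means that nickname is absent from the NSS database named by `-d`. The script below is an added example, not code from FreeIPA or from anyone in this thread. It pairs each certutil invocation in such a log with its exit code and stderr and reports, per NSS database, which nicknames were missing. The sample log at the bottom is constructed to mirror the lines quoted above (with one successful `Server-Cert` lookup added for contrast); the database paths and nicknames are the ones the thread mentions, not values read from a real server.

```python
"""Report which certificate nicknames `ipa-certupdate -v` failed to find.

Added example, not FreeIPA code.  Feed it the verbose output of
ipa-certupdate (for example `ipa-certupdate -v 2>&1 | python3 this.py`)
and it lists, per NSS database, the nicknames certutil could not find.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

PREFIX = "ipa: DEBUG: "
DB_RE = re.compile(r"-d\s+(\S+)")
# The nickname is not quoted in the debug line and may contain spaces
# ("IPA CA", "External CA cert"), so it runs up to the next option or EOL.
NICK_RE = re.compile(r"-n\s+(.+?)(?=\s+-\w|$)")
RC_RE = re.compile(r"Process finished, return code=(-?\d+)")


def parse_certutil_args(args: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract (nss_db, nickname) from a certutil command line."""
    db = DB_RE.search(args)
    nick = NICK_RE.search(args)
    return (db.group(1) if db else None, nick.group(1) if nick else None)


def certutil_runs(log_text: str) -> List[dict]:
    """Walk the log and collect one record per certutil invocation."""
    runs: List[dict] = []
    current: Optional[dict] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            # certutil wraps its error over two lines; the second one carries
            # no "ipa: DEBUG:" prefix, so glue it onto the open stderr.
            if line and current is not None and current["stderr"] is not None:
                current["stderr"] += " " + line
            continue
        msg = line[len(PREFIX):]
        if msg.startswith("args="):
            args = msg[len("args="):]
            if "certutil" in args:
                db, nick = parse_certutil_args(args)
                current = {"db": db, "nickname": nick, "rc": None, "stderr": None}
                runs.append(current)
            else:
                current = None  # some other helper; ignore its rc/stderr
        elif current is not None:
            m = RC_RE.match(msg)
            if m:
                current["rc"] = int(m.group(1))
            elif msg.startswith("stderr=") and current["rc"] is not None:
                current["stderr"] = msg[len("stderr="):]
    return runs


def missing_by_db(log_text: str) -> Dict[str, List[str]]:
    """Map each NSS database to the nicknames certutil could not find in it."""
    missing: Dict[str, List[str]] = {}
    for run in certutil_runs(log_text):
        if run["rc"] not in (None, 0) and "Could not find cert" in (run["stderr"] or ""):
            missing.setdefault(run["db"], []).append(run["nickname"])
    return missing


# Constructed sample log modelled on the lines quoted in the thread; the
# successful Server-Cert lookup is added to show that it is filtered out.
SAMPLE_LOG = """\
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/httpd/alias -L -n Server-Cert -a
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=<PEM omitted>
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for db, nicks in missing_by_db(text).items():
        print(f"{db}: missing {', '.join(nicks)}")
```

Run against the sample it prints `/etc/ipa/nssdb: missing IPA CA, External CA cert`, which is exactly the state the replica was in: `ipa-certupdate` could not find either CA nickname in the client NSS database, so the external chain had not been carried over by the replica install and the master-side procedure had to be repeated on the replica.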