Harald Dunkel via FreeIPA-devel wrote:
> repost on freeipa-devel:
>
> Hi folks,
>
> it's always worth reading the code.
>
> ipa-client-install of freeipa 3.0.2 uses
>
> wget http://ipa1.example.de/ipa/config/ca.crt
>
> to grab the CA certificate. It seems that ipa-cacert-manage
> (CentOS 7.3) did not upgrade /usr/share/ipa/html/ca.crt on
> the servers when I migrated to the new root CA. Would anybody
> mind fixing this?

I opened https://pagure.io/freeipa/issue/7286 to track this.

rob

> Thanx very much
> Harri
>
> On 11/16/17 9:28 AM, Harald Dunkel via FreeIPA-users wrote:
>> Hi folks,
>>
>> a few months ago I had replaced the externally signed root certificate
>> on my servers (CentOS 7.3) using ipa-cacert-manage. Problem:
>> ipa-client-install on a freshly bootstrapped Debian 7 (Wheezy,
>> freeipa 3.0.2) fails. Apparently it stumbles over the old root
>> certificate:
>>
>> # ipa-client-install --domain=example.de --realm=EXAMPLE.DE --no-ssh --no-sshd --no-ntp
>> Discovery was successful!
>> Hostname: pobde7i001.vs.example.de
>> Realm: EXAMPLE.DE
>> DNS Domain: example.de
>> IPA Server: ipa1.example.de
>> BaseDN: dc=example,dc=de
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Please check that 123 UDP port is opened.
>> Password for ad...@example.de: Enrolled in IPA realm EXAMPLE.DE
>> Created /etc/ipa/default.conf
>> Domain example.de is already configured in existing SSSD config,
>> creating a new one.
>> The old /etc/sssd/sssd.conf is backed up and will be restored during
>> uninstall.
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm EXAMPLE.DE
>> trying https://ipa1.example.de/ipa/xml
>> cert validation failed for "CN=ipa1.example.de,O=example AG,C=DE"
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>> marked as not trusted by the user.)
>> trying https://ipa2.example.de/ipa/xml
>> cert validation failed for "CN=ipa2.example.de,O=example AG,C=DE"
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>> marked as not trusted by the user.)
>> Cannot connect to the server due to generic error: cannot connect to
>> Gettext('any of the configured servers', domain='ipa',
>> localedir=None): https://ipa1.example.de/ipa/xml,
>> https://ipa2.example.de/ipa/xml
>> Installation failed. Rolling back changes.
>>
>>
>> /etc/ipa/ca.crt on the client shows it somehow picked up the old
>> certificate. On the servers /etc/ipa/ca.crt is the new root cert.
>> "getcert list" on the servers shows only certificates based upon the
>> new root ca, too. I wonder where ipa-client-install picked up the
>> unwanted certificate?
>>
>> Of course I tried putting the new ca.crt into place before running
>> ipa-client-install, but it was overwritten.
>>
>> Of course there is no such problem for ipa 4.4.4 on Stretch.
>>
>>
>> Every helpful hint is highly appreciated
>> Harri
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-us...@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
> _______________________________________________
> FreeIPA-devel mailing list -- email@example.com
> To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
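A post-rotation check for the staleness the thread describes, added here as an example and not code from the thread or from FreeIPA: it fingerprints the CA bundle the server trusts (/etc/ipa/ca.crt, which the thread reports is already the new root), the copy it publishes for enrollment (/usr/share/ipa/html/ca.crt), and optionally the bytes a 3.x client would download from /ipa/config/ca.crt, and flags any source that differs. The placeholder PEM blocks are constructed and are not real certificates; the mapping of the URL to the html file is the thread's inference.

```python
"""Check that the CA certificate a FreeIPA server publishes for enrollment
matches the CA it actually trusts (added example, not FreeIPA code).
ipa-client-install 3.x fetches http://<server>/ipa/config/ca.crt, served from
/usr/share/ipa/html/ca.crt; if that file is stale after an ipa-cacert-manage
rotation, new clients enroll with the old root and HTTPS validation fails."""
import base64
import hashlib
import re
import sys
import urllib.request

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _fake_pem(body):
    # Constructed placeholder bundle (not a real certificate): the check only
    # hashes the base64 payload, so any DER-looking body exercises it.
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(body).decode()
            + "\n-----END CERTIFICATE-----\n")

OLD_CA_PEM = _fake_pem(b"constructed old root CA")
NEW_CA_PEM = _fake_pem(b"constructed new root CA")

def pem_fingerprints(pem_text):
    """SHA-256 hex fingerprints of every certificate in a PEM bundle."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(pem_text)]

def compare_sources(sources):
    """sources: {label: pem_text}; the first entry is authoritative.
    Returns per-source fingerprint sets and the labels that differ from it."""
    fps = {label: set(pem_fingerprints(t)) for label, t in sources.items()}
    authoritative = next(iter(fps.values()))
    return fps, [lab for lab, s in fps.items() if s != authoritative]

def main(argv):
    """Usage: verify_published_ca.py [http://ipa1.example.de/ipa/config/ca.crt]"""
    sources = {}
    for path in ("/etc/ipa/ca.crt", "/usr/share/ipa/html/ca.crt"):
        with open(path) as f:
            sources[path] = f.read()
    for url in argv[1:]:  # what a 3.x client would actually download
        sources[url] = urllib.request.urlopen(url, timeout=10).read().decode()
    fps, mismatched = compare_sources(sources)
    print("MISMATCH in: " + ", ".join(mismatched) if mismatched else "OK")
    return 1 if mismatched else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on each IPA server after ipa-cacert-manage; a non-zero exit means the published copy (or the URL) still carries a different CA set than /etc/ipa/ca.crt.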