Harald Dunkel via FreeIPA-devel wrote:
> repost on freeipa-devel:
> 
> Hi folks,
> 
> it's always worth reading the code.
> 
> ipa-client-install of freeipa 3.0.2 uses
> 
>     wget http://ipa1.example.de/ipa/config/ca.crt
> 
> to grab the CA certificate. It seems that ipa-cacert-manage
> (CentOS 7.3) did not upgrade /usr/share/ipa/html/ca.crt on
> the servers when I migrated to the new root CA. Would anybody
> mind fixing this?

I opened https://pagure.io/freeipa/issue/7286 to track this.

rob

> 
> Thanx very much
> Harri
> 
> On 11/16/17 9:28 AM, Harald Dunkel via FreeIPA-users wrote:
>> Hi folks,
>>
>> a few months ago I had replaced the externally signed root certificate
>> on my servers (CentOS 7.3) using ipa-cacert-manage. Problem:
>> ipa-client-install on a freshly bootstrapped Debian 7 (Wheezy,
>> freeipa 3.0.2) fails. Apparently it stumbles over the old root
>> certificate:
>>
>> # ipa-client-install --domain=example.de --realm=EXAMPLE.DE --no-ssh --no-sshd --no-ntp
>> Discovery was successful!
>> Hostname: pobde7i001.vs.example.de
>> Realm: EXAMPLE.DE
>> DNS Domain: example.de
>> IPA Server: ipa1.example.de
>> BaseDN: dc=example,dc=de
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Please check that 123 UDP port is opened.
>> Password for ad...@example.de: Enrolled in IPA realm EXAMPLE.DE
>> Created /etc/ipa/default.conf
>> Domain example.de is already configured in existing SSSD config,
>> creating a new one.
>> The old /etc/sssd/sssd.conf is backed up and will be restored during
>> uninstall.
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm EXAMPLE.DE
>> trying https://ipa1.example.de/ipa/xml
>> cert validation failed for "CN=ipa1.example.de,O=example AG,C=DE"
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>> marked as not trusted by the user.)
>> trying https://ipa2.example.de/ipa/xml
>> cert validation failed for "CN=ipa2.example.de,O=example AG,C=DE"
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>> marked as not trusted by the user.)
>> Cannot connect to the server due to generic error: cannot connect to
>> Gettext('any of the configured servers', domain='ipa',
>> localedir=None): https://ipa1.example.de/ipa/xml,
>> https://ipa2.example.de/ipa/xml
>> Installation failed. Rolling back changes.
>>
>>
>> /etc/ipa/ca.crt on the client shows it somehow picked up the old
>> certificate. On the servers /etc/ipa/ca.crt is the new root cert.
>> "getcert list" on the servers shows only certificates based upon the
>> new root ca, too. I wonder where ipa-client-install picked up the
>> unwanted certificate?
>>
>> Of course I tried putting the new ca.crt into place before running
>> ipa-client-install, but it was overwritten.
>>
>> Of course there is no such problem for ipa 4.4.4 on Stretch.
>>
>>
>> Every helpful hint is highly appreciated
>> Harri
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-us...@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>>
> _______________________________________________
> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org