Rob Crittenden via FreeIPA-devel wrote:
> Harald Dunkel via FreeIPA-devel wrote:
>> repost on freeipa-devel:
>>
>> Hi folks,
>>
>> it's always worth reading the code.
>>
>> ipa-client-install of freeipa 3.0.2 uses
>>
>> wget http://ipa1.example.de/ipa/config/ca.crt
>>
>> to grab the CA certificate. It seems that ipa-cacert-manage
>> (CentOS 7.3) did not upgrade /usr/share/ipa/html/ca.crt on
>> the servers when I migrated to the new root CA. Would anybody
>> mind fixing this?
>
> I opened https://pagure.io/freeipa/issue/7286 to track this.

Did you run ipa-certupdate after ipa-cacert-manage per the man page?

rob

>
> rob
>
>>
>> Thanx very much
>> Harri
>>
>> On 11/16/17 9:28 AM, Harald Dunkel via FreeIPA-users wrote:
>>> Hi folks,
>>>
>>> a few months ago I had replaced the externally signed root certificate
>>> on my servers (CentOS 7.3) using ipa-cacert-manage. Problem:
>>> ipa-client-install on a freshly bootstrapped Debian 7 (Wheezy,
>>> freeipa 3.0.2) fails. Apparently it stumbles over the old root
>>> certificate:
>>>
>>> # ipa-client-install --domain=example.de --realm=EXAMPLE.DE --no-ssh
>>> --no-sshd --no-ntp
>>> Discovery was successful!
>>> Hostname: pobde7i001.vs.example.de
>>> Realm: EXAMPLE.DE
>>> DNS Domain: example.de
>>> IPA Server: ipa1.example.de
>>> BaseDN: dc=example,dc=de
>>>
>>> Continue to configure the system with these values? [no]: yes
>>> User authorized to enroll computers: admin
>>> Synchronizing time with KDC...
>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>> Please check that 123 UDP port is opened.
>>> Password for ad...@example.de:
>>> Enrolled in IPA realm EXAMPLE.DE
>>> Created /etc/ipa/default.conf
>>> Domain example.de is already configured in existing SSSD config,
>>> creating a new one.
>>> The old /etc/sssd/sssd.conf is backed up and will be restored during
>>> uninstall.
>>> Configured /etc/sssd/sssd.conf
>>> Configured /etc/krb5.conf for IPA realm EXAMPLE.DE
>>> trying https://ipa1.example.de/ipa/xml
>>> cert validation failed for "CN=ipa1.example.de,O=example AG,C=DE"
>>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>>> marked as not trusted by the user.)
>>> trying https://ipa2.example.de/ipa/xml
>>> cert validation failed for "CN=ipa2.example.de,O=example AG,C=DE"
>>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>>> marked as not trusted by the user.)
>>> Cannot connect to the server due to generic error: cannot connect to
>>> Gettext('any of the configured servers', domain='ipa',
>>> localedir=None): https://ipa1.example.de/ipa/xml,
>>> https://ipa2.example.de/ipa/xml
>>> Installation failed. Rolling back changes.
>>>
>>>
>>> /etc/ipa/ca.crt on the client shows it somehow picked up the old
>>> certificate. On the servers /etc/ipa/ca.crt is the new root cert.
>>> "getcert list" on the servers shows only certificates based upon the
>>> new root CA, too. I wonder where ipa-client-install picked up the
>>> unwanted certificate?
>>>
>>> Of course I tried putting the new ca.crt into place before running
>>> ipa-client-install, but it was overwritten.
>>>
>>> Of course there is no such problem for ipa 4.4.4 on Stretch.
>>>
>>>
>>> Every helpful hint is highly appreciated
>>> Harri
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-us...@lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-le...@lists.fedorahosted.org
>>>
>> _______________________________________________
>> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
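The check this thread circles around, whether the ca.crt a server publishes over HTTP still matches the CA bundle the server itself trusts after ipa-cacert-manage, is easy to script so it can be run before the next client enrollment. The following is an added example written for this page; it is not FreeIPA code and not from any message above. It assumes only what the thread states: the 3.x client fetches http://<server>/ipa/config/ca.crt, and /etc/ipa/ca.crt on a server holds the current root. The PEM bodies embedded for the offline demo are constructed placeholder bytes, not real X.509 certificates; the fingerprint comparison is the same for real ones.

```python
#!/usr/bin/env python3
"""Verify that the CA bundle each IPA server publishes at
http://<server>/ipa/config/ca.crt (the URL the 3.x ipa-client-install
fetches with wget) matches a trusted reference bundle such as
/etc/ipa/ca.crt on the server.

Added example for this thread, not FreeIPA code."""
import base64
import hashlib
import re
import sys
import urllib.request

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (upper-case hex, colon separated) of every
    certificate in a PEM bundle, in file order.

    Hashing the decoded DER rather than the text makes the comparison
    insensitive to line wrapping, comments and trailing whitespace."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.sha256(der).hexdigest().upper()
        fps.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return fps


def fetch_published_ca(server, timeout=10):
    """Download the bundle the way the 3.x client does: over plain HTTP.
    Nothing in this download is authenticated, so the result is only
    meaningful when compared against a reference obtained another way."""
    url = "http://%s/ipa/config/ca.crt" % server
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii")


def check_servers(servers, reference_pem, fetch=fetch_published_ca):
    """Return {server: "ok" | "stale" | "error: <reason>"}.

    A server is "ok" only when the set of certificates it publishes equals
    the reference set: a missing new root or a lingering old root both
    count as stale, since either leaves an enrolling client unable to
    validate the servers' HTTPS certificates."""
    expected = set(pem_fingerprints(reference_pem))
    if not expected:
        raise ValueError("reference bundle contains no certificates")
    results = {}
    for server in servers:
        try:
            published = set(pem_fingerprints(fetch(server)))
        except Exception as exc:  # DNS/HTTP failure or malformed PEM
            results[server] = "error: %s" % exc
            continue
        results[server] = "ok" if published == expected else "stale"
    return results


# --- Offline demo with constructed data ------------------------------------
# The base64 bodies below are arbitrary placeholder bytes, NOT real X.509
# certificates; only the fingerprint comparison is exercised.
def _fake_pem(payload):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(payload).decode("ascii")
            + "\n-----END CERTIFICATE-----\n")


NEW_ROOT_PEM = _fake_pem(b"placeholder: new externally signed root CA")
OLD_ROOT_PEM = _fake_pem(b"placeholder: old root CA before ipa-cacert-manage")

# Constructed scenario (hypothetical hosts): ipa1 still serves the old root
# from its html directory, ipa2 has been refreshed.
FAKE_PUBLISHED = {
    "ipa1.example.de": OLD_ROOT_PEM,
    "ipa2.example.de": NEW_ROOT_PEM,
}


def demo():
    """Run the check against the constructed scenario without any network."""
    return check_servers(sorted(FAKE_PUBLISHED), NEW_ROOT_PEM,
                         fetch=lambda server: FAKE_PUBLISHED[server])


if __name__ == "__main__":
    if len(sys.argv) < 2:
        for server, status in demo().items():
            print("%s: %s" % (server, status))
        sys.exit(0)
    # Real run on an IPA server: python3 check_ca.py ipa1.example.de ipa2.example.de
    with open("/etc/ipa/ca.crt") as fh:
        reference = fh.read()
    outcome = check_servers(sys.argv[1:], reference)
    for server, status in outcome.items():
        print("%s: %s" % (server, status))
    sys.exit(0 if all(s == "ok" for s in outcome.values()) else 1)
```

Run it on a server (where /etc/ipa/ca.crt is the trusted reference) against every server the client might discover; a "stale" result is the condition Harald hit, and the thread points at ipa-certupdate as the step to run after ipa-cacert-manage before re-checking. Because the 3.x client downloads the bundle over unauthenticated HTTP, a matching fingerprint here only tells you the server is publishing the right file; it does not protect a client against a tampered download, so the reference fingerprint should be distributed out of band rather than taken from the same HTTP endpoint.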