On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote:

you can connect to IPA web UI on the server to revoke the cert: https://server.ipadomain.com/ipa/ui, then navigate to Authentication > Certificates, click on the certificate corresponding to the replica which failed installation (CN=<replica>,o=DOM...) and then Actions > Revoke Certificate (superseded).


Okay, this is just bloody stupid. It should NOT be that hard to build a bloody replica of an existing LDAP server. It's beyond insane. I revoked the certs of ipa1 off ipa0, built a new ipa-replica file on ipa0, copied to ipa1 and ran ipa-replica-install replica-info-ipa1.neonova.net.gpg --setup-ca and it FAILED AGAIN.

It seems the issue is that ipa1 can't find the GoDaddy supplied certs we are using for the web UI /only/. I expected that ALL certs would be replicated over, but apparently that would be FAR too convenient. It's silly crap like this that keeps LDAP from being anything more than a giant PITA and pushes people to not-centralize linux accounts outside of maybe AD (which in itself is sad).

The failure is exactly the same as the previous 4 times I've tried this. Why are the GoDaddy-signed certs 1) not being found despite being on the server and 2) not carried over in the ipa-replica-prepare package?

This really should be a straightforward process. The fact that it isn't, and that calling the documentation sparse would be an insult to that word, has me at my wit's end.

Does anyone have ANY ideas on why the GoDaddy signed certs aren't behaving?

Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org