On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote:
> Mark Haney via FreeIPA-users wrote:
> > On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote:
> >>
> >> you can connect to IPA web UI on the server to revoke the cert:
> >> https://server.ipadomain.com/ipa/ui, then navigate to Authentication >
> >> Certificates, click on the certificate corresponding to the replica
> >> which failed installation (CN=<replica>,o=DOM...) and then Actions >
> >> Revoke Certificate (superseded).
> >>
> >> Flo
> > 
> > Okay, this is just bloody stupid. It should NOT be that hard to build a
> > bloody replica of an existing LDAP server.  It's beyond insane.  I
> > revoked the certs of ipa1 off ipa0, built a new ipa-replica file on
> > ipa0, copied to ipa1 and ran ipa-replica-install
> > replica-info-ipa1.neonova.net.gpg --setup-ca and it FAILED AGAIN.
> The cert revocation it not necessary but is a nice cleanup (you don't
> want copies of the cert floating around). Every time ipa-replica-prepare
> is run a new set of certs is issued.
> > It seems the issue is that ipa1 can't find the GoDaddy supplied certs we
> > are using for the web UI /only/.  I expected that ALL certs would be
> > replicated over, but apparently that would be FAR too convenient.  It's
> > silly crap like this that keeps LDAP from being anything more than a
> > giant PITA and pushes people to not-centralize linux accounts outside of
> > maybe AD (which in itself is sad).
> 1. IPA proxies the CA behind its web server so the server cert and CA
> chain are VERY important.
> 2. Blame freeIPA if anything, not LDAP.
> 3. This isn't a replication issue. From what I can tell from the replica
> log the CA chain is shipped over but for some reason the dogtag (CA)
> installer can't find them after a certain point.
> > The failure is exactly that as the previous 4 times I've tried this. 
> > Why isn't the GoDaddy signed certs 1) not being found despite being on
> > the server and 2) not carried over in the ipa-replica-prepare package?
> > 
> > This really should be a straightforward process.  The fact it isn't, and
> > the documentation being called sparse would be an insult to that word,
> > I'm at my wits end.
> > 
> > Does anyone have ANY ideas on why the GoDaddy signed certs aren't behaving?
> > 
> Providing the dogtag debug log might be helpful. The replica install log
> shows that the GoDaddy CA chain was imported and trusted reasonably
> (C,,) but the installer later claims it can't find them by nickname. I
> think we need Fraser to take a closer look as he's a dogtag developer.
> rob
Hi Mark,

Thank you for reporting your issue, for the information you have
provided and for bearing with us as we investigate it.  The CA is a
complex part of the FreeIPA system with many moving parts so it can
take a while to get to the bottom of things.

I am travelling this week though I hope to find some time to start
looking into this tomorrow.  Realistically I will not have a lot of
time to focus on this issue until next week.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to