On 08/08/2017 02:31 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,

On Wed, 2 Aug 2017 16:24:00 +0200
Florence Blanc-Renaud <f...@redhat.com> wrote:

Hi,

You can follow the steps described here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext

ipa-cacert-manage renew --external-ca will create a CSR file that can be
sent to the new certificate authority. You will then receive a new cert
for IPA + a new CA chain that will be used in ipa-cacert-manage renew
--external-cert-file.

HTH,
Flo

This appears to be a very precise documentation, but if you look
closely then you get


# ssh root@ipaclient1
# ipa-certupdate
trying https://ipa2.example.com/ipa/json
Forwarding 'schema' to json server 'https://ipa2.example.com/ipa/json'
trying https://ipa2.example.com/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://ipa2.example.com/ipa/json'
Forwarding 'ca_find/1' to json server 'https://ipa2.example.com/ipa/json'
Systemwide CA database updated.
The ipa-certupdate command was successful

# certutil -L -d /etc/pki/pki-tomcat/alias/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key 
database is in an old, unsupported format.


This is *before* I installed the new certificate. I get this with
freeipa 4.4.0 on CentOS 7.3 and 4.4.4 on Debian.

Doesn't look very reliable, does it? That's my concern. Not to
mention that /etc/pki/pki-tomcat/alias doesn't even exist, so
I wonder what ipa-certupdate did?

???
Hi,

- on an IPA client, ipa-certupdate updates the /etc/ipa/nssdb NSS database and /etc/ipa/ca.crt
- on an IPA server, ipa-certupdate additionally updates /etc/httpd/alias (used by HTTP server for the webUI), /etc/dirsrc/slapdxxx (used by the LDAP server) and /etc/pki/pki-tomcat/alias if the CA component is installed.

It looks like the certutil command was executed on a client, and /etc/pki/pki-tomcat/alias is present only on masters with the CA component.

Maybe the doc is misleading and should be more precise (for instance, specify that the "certutil -L -d /etc/pki/pki-tomcat/alias" cmd should be run on an IPA master with CA)? Feel free to open a documentation issue in this case, we are always welcoming suggestions to improve our product/documentation quality.

Hope this clarifies,
Flo


Every helpful comment is highly appreciated.
Harri
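As an added example (not part of this thread, and not FreeIPA's own tooling): a small POSIX shell helper that applies Flo's description of which NSS databases ipa-certupdate touches. It derives the host's role (client, server, server with CA) from which of those directories exist, and only runs certutil against directories that are actually present, so a missing /etc/pki/pki-tomcat/alias on a client is reported as such rather than handed to certutil. The role classification by directory presence and the optional prefix argument (used to exercise the functions against a fake root) are assumptions of this example, not documented FreeIPA behaviour.

```shell
#!/bin/sh
# Added example, not part of the thread or of FreeIPA: inspect the NSS
# databases ipa-certupdate maintains, according to the host's role.
# PREFIX ($1) is an assumption for testing against a fake root; leave it
# empty to inspect the live system.

# Print each candidate NSS database directory that exists under the prefix.
ipa_nss_dbs() {
    prefix="${1:-}"
    for d in /etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias; do
        [ -d "$prefix$d" ] && printf '%s\n' "$d"
    done
    # One 389-ds instance directory per realm, named slapd-<REALM>.
    for d in "$prefix"/etc/dirsrv/slapd-*; do
        [ -d "$d" ] && printf '%s\n' "${d#$prefix}"
    done
    return 0
}

# Classify the host from the directories present (assumed mapping):
# pki-tomcat alias -> master with CA, httpd alias -> master without CA,
# /etc/ipa/nssdb only -> client, nothing -> not enrolled.
ipa_role() {
    prefix="${1:-}"
    if [ -d "$prefix/etc/pki/pki-tomcat/alias" ]; then
        echo "server-with-ca"
    elif [ -d "$prefix/etc/httpd/alias" ]; then
        echo "server"
    elif [ -d "$prefix/etc/ipa/nssdb" ]; then
        echo "client"
    else
        echo "not-enrolled"
    fi
}

# List the certificates in every database that exists; never call certutil
# on a directory that is absent for this role.
ipa_list_certs() {
    prefix="${1:-}"
    echo "host role: $(ipa_role "$prefix")"
    ipa_nss_dbs "$prefix" | while IFS= read -r db; do
        echo "== $db"
        if command -v certutil >/dev/null 2>&1; then
            certutil -L -d "$prefix$db" || echo "(certutil failed for $db)"
        else
            echo "(certutil not installed; skipping)"
        fi
    done
}

# Run directly: inspect the live system (or the root given as $1).
ipa_list_certs "${1:-}"
```

On the client from the thread this prints "host role: client" and lists only /etc/ipa/nssdb; the pki-tomcat database is only visited on a master where the CA component is installed.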
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
