Hi folks,

it's always worth reading the code.
ipa-client-install of freeipa 3.0.2 uses wget http://ipa1.example.de/ipa/config/ca.crt to grab the CA certificate. It seems that ipa-cacert-manage (CentOS 7.3) did not upgrade /usr/share/ipa/html/ca.crt on the servers when I migrated to the new root CA.

Would anybody mind fixing this?

Thanx very much
Harri

On 11/16/17 9:28 AM, Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
>
> a few months ago I had replaced the externally signed root
> certificate on my servers (CentOS 7.3) using ipa-cacert-manage.
> Problem:
>
> ipa-client-install on a freshly bootstrapped Debian 7 (Wheezy,
> freeipa 3.0.2) fails. Apparently it stumbles over the old root
> certificate:
>
> # ipa-client-install --domain=example.de --realm=EXAMPLE.DE --no-ssh
> --no-sshd --no-ntp
> Discovery was successful!
> Hostname: pobde7i001.vs.example.de
> Realm: EXAMPLE.DE
> DNS Domain: example.de
> IPA Server: ipa1.example.de
> BaseDN: dc=example,dc=de
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync. Please
> check that 123 UDP port is opened.
> Password for ad...@example.de:
> Enrolled in IPA realm EXAMPLE.DE
> Created /etc/ipa/default.conf
> Domain example.de is already configured in existing SSSD config, creating a
> new one.
> The old /etc/sssd/sssd.conf is backed up and will be restored during
> uninstall.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.DE
> trying https://ipa1.example.de/ipa/xml
> cert validation failed for "CN=ipa1.example.de,O=example AG,C=DE"
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
> not trusted by the user.)
> trying https://ipa2.example.de/ipa/xml
> cert validation failed for "CN=ipa2.example.de,O=example AG,C=DE"
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
> not trusted by the user.)
> Cannot connect to the server due to generic error: cannot connect to
> Gettext('any of the configured servers', domain='ipa', localedir=None):
> https://ipa1.example.de/ipa/xml, https://ipa2.example.de/ipa/xml
> Installation failed. Rolling back changes.
>
>
> /etc/ipa/ca.crt on the client shows it somehow picked up the old
> certificate. On the servers /etc/ipa/ca.crt is the new root cert.
> "getcert list" on the servers shows only certificates based upon
> the new root ca, too. I wonder where ipa-client-install picked up
> the unwanted certificate?
>
> Of course I tried putting the new ca.crt into place before running
> ipa-client-install, but it was overwritten.
>
> Of course there is no such problem for ipa 4.4.4 on Stretch.
>
>
> Every helpful hint is highly appreciated
> Harri
> _______________________________________________
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
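An added check, not part of the thread and not FreeIPA's own code: a stdlib-only Python script a server admin can run to confirm that the CA bundle published over plain HTTP for 3.x clients (/usr/share/ipa/html/ca.crt, served as /ipa/config/ca.crt) carries the same certificates as the bundle the server itself trusts (/etc/ipa/ca.crt). It compares the two files by SHA-256 fingerprint of each certificate, so a stale published copy is caught on the server before a client fails enrollment with SEC_ERROR_UNTRUSTED_ISSUER. The two paths are the ones named above; the function names and the sample PEM blobs are constructed for illustration.

```python
"""Check that the CA bundle FreeIPA publishes over plain HTTP for old clients
matches the bundle the server itself trusts.

Added example for this thread; not FreeIPA's own code.  The two paths are
the ones named in the thread; the function names and the sample PEM blobs
below are constructed for illustration.  Stdlib only: the fingerprint is
SHA-256 over the DER bytes, the same value `openssl x509 -sha256 -fingerprint`
prints.
"""
import base64
import hashlib
import re
import sys

INTERNAL_BUNDLE = "/etc/ipa/ca.crt"              # what the server trusts
PUBLISHED_BUNDLE = "/usr/share/ipa/html/ca.crt"  # served as /ipa/config/ca.crt

# Constructed sample blobs (valid base64, not real certificates) so the
# functions can be exercised without touching the filesystem.
SAMPLE_OLD_CA = ("-----BEGIN CERTIFICATE-----\n"
                 "MIIBb2xkLXJvb3Q=\n"
                 "-----END CERTIFICATE-----\n")
SAMPLE_NEW_CA = ("-----BEGIN CERTIFICATE-----\n"
                 "MIIBbmV3LXJvb3Q=\n"
                 "-----END CERTIFICATE-----\n")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (colon-separated upper-case hex) of every
    CERTIFICATE block in a PEM bundle, in file order.  Other PEM block
    types (keys, CRLs) are ignored."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        fps.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return fps


def compare_bundles(internal_pem, published_pem):
    """Return which CA certs appear in only one of the two bundles.
    Both lists empty means the published copy is in sync."""
    internal = set(pem_fingerprints(internal_pem))
    published = set(pem_fingerprints(published_pem))
    return {
        "missing_from_published": sorted(internal - published),
        "stale_in_published": sorted(published - internal),
    }


def main(internal_path=INTERNAL_BUNDLE, published_path=PUBLISHED_BUNDLE):
    """Read both bundles from disk and report; exit status 1 on any drift."""
    with open(internal_path) as fh:
        internal_pem = fh.read()
    with open(published_path) as fh:
        published_pem = fh.read()
    result = compare_bundles(internal_pem, published_pem)
    for label, fps in result.items():
        for fp in fps:
            print("%s: %s" % (label, fp))
    if any(result.values()):
        print("Published CA bundle differs from %s" % internal_path)
        return 1
    print("Published CA bundle matches %s" % internal_path)
    return 0


if __name__ == "__main__":
    # Optional: pass the two bundle paths to check copies elsewhere.
    sys.exit(main(*sys.argv[1:3]))
```

Run it on each IPA server after ipa-cacert-manage has installed a new root; a non-zero exit means the HTTP copy that ipa-client-install 3.x fetches with wget no longer matches what the server trusts, which is exactly the divergence behind the client-side SEC_ERROR_UNTRUSTED_ISSUER failure above. During a rollover the published bundle may legitimately list the old root alongside the new one; the "stale_in_published" entries tell you which fingerprints those are.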