Hi Flo,

On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
>
> I would try to remove the new root CA from LDAP and re-import it using 
> ipa-cacert-manage install -t C,,
> This should create the entry with the appropriate attributes.
>
> Flo
Result: The new root CA certificate shows much better attributes in ldap:

dn: cn=CN\3Droot-CA\2COU\3Dexample Certificate Authority\2CO\3Dexample AG\2CC\3DDE,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
ipaPublicKey:: MIICIjAN...
cACertificate;binary:: MIIGDTCC...
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE;1


A lot of ipaKeyExtUsage attributes appear to be missing, though, compared to the
old root CA certificate. Is this expected?

ipa-certupdate failed:

# ipa-certupdate -v
ipa.ipaclient.install.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying https://ipa1.example.de/ipa/json
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection context.rpcclient_54790992
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipa1.example.de/ipa/json'
ipa: DEBUG: New HTTP connection (ipa1.example.de)
ipa: DEBUG: HTTP connection destroyed (ipa1.example.de)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 677, in single_request
    self.get_auth_info()
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 629, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 578, in _handle_exception
    raise errors.TicketExpired()
TicketExpired: Ticket expired
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection context.rpcclient_54790992
ipa.ipaclient.install.ipa_certupdate.CertUpdate: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_certupdate.py", line 57, in run
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 948, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 534, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 385, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 409, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1116, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1092, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1246, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1213, in __request
    verbose=self.__verbose >= 3,
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 677, in single_request
    self.get_auth_info()
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 629, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 578, in _handle_exception
    raise errors.TicketExpired()

ipa.ipaclient.install.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command failed, exception: TicketExpired: Ticket expired
ipa.ipaclient.install.ipa_certupdate.CertUpdate: ERROR: Ticket expired
ipa.ipaclient.install.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command failed.


Restarting ipa did not help. ???

Regards
Harri

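As an added example (not from this thread and not FreeIPA's own code): a small parser for ipaCertificate entries of the shape shown above, used to list exactly which ipaKeyExtUsage OIDs the re-imported root CA entry lacks compared with the old one. The "old" entry and its EKU values are invented here, since the thread does not show that entry.

```python
import base64
# Well-known extended key usage OIDs (RFC 5280 / RFC 6960)
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
}
# Constructed sample in the shape of the thread's LDAP output; the dn is
# folded onto a continuation line (leading space) as ldapsearch prints it.
NEW_CA = r"""dn: cn=CN\3Droot-CA\2COU\3Dexample Certificate Authority\2CO\3Dexample
  AG\2CC\3DDE,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyTrust: trusted
cACertificate;binary:: Y29uc3RydWN0ZWQ=
"""
# Hypothetical "old" entry: the thread does not show it, so these EKU
# values are invented here purely to exercise the comparison.
OLD_CA = r"""dn: cn=old-root-CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.9
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}, unfolding continuation
    lines and decoding 'attr:: base64' values to bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # continuation line: strip one space
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # base64-encoded value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry

def eku_diff(old_entry, new_entry):
    """Return (missing_in_new, added_in_new) as sorted EKU names or OIDs."""
    old = set(old_entry.get("ipaKeyExtUsage", []))
    new = set(new_entry.get("ipaKeyExtUsage", []))
    return (sorted(EKU_NAMES.get(o, o) for o in old - new),
            sorted(EKU_NAMES.get(o, o) for o in new - old))
```

Feed it the two real entries from ldapsearch and the first list is the set of usages the re-import did not carry over; whether that matters depends on what the CA is actually used for.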
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org