On 12/10/2017 10:58 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,

On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,

I would try to remove the new root CA from LDAP and re-import it using 
ipa-cacert-manage install -t C,,
This should create the entry with the appropriate attributes.

Flo
Result: The new root CA certificate shows much better attributes in ldap:

dn: cn=CN\3Droot-CA\2COU\3Dexample Certificate Authority\2CO\3Dexample AG\2CC\3DDE,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
ipaPublicKey:: MIICIjAN...
cACertificate;binary:: MIIGDTCC...
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE;1


A lot of ipaKeyExtUsage attributes appear to be missing, though, compared to the
old root CA certificate. Is this expected?

The ipaKeyExtUsage attribute is built from the trust flags provided to ipa-cacert-manage install, so it looks normal for me.

ipa-certupdate failed:

# ipa-certupdate -v
ipa.ipaclient.install.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying https://ipa1.example.de/ipa/json
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection context.rpcclient_54790992
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipa1.example.de/ipa/json'
ipa: DEBUG: New HTTP connection (ipa1.example.de)
ipa: DEBUG: HTTP connection destroyed (ipa1.example.de)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 677, in single_request
    self.get_auth_info()
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 629, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 578, in _handle_exception
    raise errors.TicketExpired()
TicketExpired: Ticket expired
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection context.rpcclient_54790992
ipa.ipaclient.install.ipa_certupdate.CertUpdate: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_certupdate.py", line 57, in run
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 948, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 534, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 385, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 409, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1116, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1092, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1246, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1213, in __request
    verbose=self.__verbose >= 3,
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 677, in single_request
    self.get_auth_info()
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 629, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 578, in _handle_exception
    raise errors.TicketExpired()

ipa.ipaclient.install.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command failed, exception: TicketExpired: Ticket expired
ipa.ipaclient.install.ipa_certupdate.CertUpdate: ERROR: Ticket expired
ipa.ipaclient.install.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command failed.


Restarting ipa did not help. ???

ipa-certupdate needs to be run with a Kerberos ticket. Did you run kinit admin before launching the command, and is your ticket still valid (klist will provide the expiration date)?

Flo.
Regards
Harri
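As an added illustration of Flo's point that ipaKeyExtUsage is derived from the trust flags passed to ipa-cacert-manage install (this is example code, not from the thread and not FreeIPA's own certstore implementation): the mapping below approximates NSS trust-flag semantics and checks an LDIF dump like the one above against the flags that were used, so that `C,,` is expected to yield only the serverAuth OID, while `CT,C,C` would imply three more. The function names, the flag-to-OID mapping and the sample entry are assumptions constructed for this example.

```python
import re

# PKIX extended-key-usage OIDs; the first one is what the entry above carries.
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

def trust_flags_to_eku(trust_flags):
    """Map certutil flags 'ssl,email,objsign' to the EKU OIDs they imply. This
    approximates NSS semantics (C/T/P = trusted CA, client-cert CA, peer)."""
    fields = trust_flags.split(",")
    if len(fields) != 3:
        raise ValueError("trust flags need three comma-separated fields")
    ssl, email, objsign = fields
    eku = set()
    if set(ssl) & set("CTP"):
        eku.add(EKU_SERVER_AUTH)
    if "T" in ssl:
        eku.add(EKU_CLIENT_AUTH)
    if set(email) & set("CP"):
        eku.add(EKU_EMAIL_PROTECTION)
    if set(objsign) & set("CP"):
        eku.add(EKU_CODE_SIGNING)
    return eku

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}, unfolding continuation lines."""
    entry = {}
    for line in re.sub(r"\n ", "", text.strip()).splitlines():
        attr, _, rest = line.partition(":")
        # '::' (base64) values are kept verbatim rather than decoded
        entry.setdefault(attr, []).append(rest.lstrip(":").strip())
    return entry

def check_entry(ldif_text, trust_flags):
    """Report EKU OIDs the flags imply but the entry lacks, and vice versa."""
    actual = set(parse_ldif(ldif_text).get("ipaKeyExtUsage", []))
    expected = trust_flags_to_eku(trust_flags)
    return {"missing": sorted(expected - actual), "unexpected": sorted(actual - expected)}

# Constructed sample modelled on the entry in the thread (base64 values elided).
SAMPLE_LDIF = r"""
dn: cn=CN\3Droot-CA\2COU\3Dexample Certificate Authority\2CO\3Dexample AG\2CC\3DDE,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
objectClass: ipaCertificate
objectClass: ipaKeyPolicy
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE;1
"""
```

Running check_entry on a real ldapsearch dump with the flags you actually passed tells you whether the single ipaKeyExtUsage value is the expected result of `C,,` or a genuine mismatch.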



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
