Indeed, there has been a problem for a very long time. I think the problem happened at the time of the migration from CentOS 6 to CentOS 7.

# ipa ca-show ipa
ipa: ERROR: ipa: Certificate Authority Not Found

How can I solve this little/big problem?

thx

Pierre

On 17/03/2018 at 15:04, Pierre Labanowski via FreeIPA-users wrote:
>
> Thank you Rob for your answer,
>
> I have tested solution 4, but the installation really goes out of order.
> I do not want to remove from the host or even add a replica (same
> thing with the --dirsrv-cert-file and --http-cert-file options).
> I got the following error:
> 'certificate operation cannot be completed: Unable to communicate with
> CMS ([Errno 111] Connection refused)'
>
>
> Then on to Solution 5 - loss of information, backtracking:
>
> I restored a 15-day-old snapshot, which resulted in the loss of a new user
> and twenty-something password changes.
> - resynchronize with winsync users (change uid and gid on servers)
> - send a mail to the users who have changed their password (synchronization)
>
> Big panic in the information system.
>
>
> I return to square one with a FreeIPA v4.4 and a big problem of
> certificates:
> ''
> Request ID '20161220171512':
>   status: CA_UNREACHABLE
>   ca-error: Error 60 connecting to
> https://freeipa4.XXXXXX.XX:8443/ca/agent/ca/profileReview: Peer
> certificate cannot be authenticated with given CA certificates.
> ''
>
> If you have an idea to replace the CA, I am really interested.
>
> thx
>
> Pierre
>
>
>
>
> --
>
> On 2018-03-13 14:33, Rob Crittenden wrote:
>
>> Labanowski Pierre via FreeIPA-users wrote:
>>> Hello, I'm confused with my freeipa setup. Some details on the
>>> installation:
>>> - I have used freeipa on only one server since 2012 (basic install
>>> with a self-signed certificate ... KO since 2014).
>>> - meanwhile (a few years ago) I made a migration to switch to a version
>>> of freeipa v4 on CentOS 7.1, which has been at 4.5 for a few weeks.
>>> (the old freeipa v3 server has been destroyed for a long time)
>>> - at that time the CA authority was lost ... but hey, I do not use this
>>> feature in freeipa v4, so I'm not too worried.
>>> - I mainly use the ldap (user, group, host, hbac, automount etc), and
>>> especially kerberos, and also winsync (trust AD etc ...)
>>> - I never took an interest in the certificate part.
>>> - The HTTP and LDAP certificates of the server are signed via an
>>> external authority not managed by freeipa.
>>> Only now I wanted to add a 2nd server to replicate my single freeipa
>>> server, to secure the system. And here the disaster begins for me ...
>>> because the certificates block the process in all directions.
>>> I'm considering several solutions:
>>> - Solution 1 (my favorite if it's possible), which I started to try
>>> to do ... remove the CA and restart from scratch on my master server
>>> before starting to replicate. I did:
>>> ipa-ca-install ----> KO: CA is already installed on this host
>>> THEN
>>> pkidestroy -s CA -i pki-tomcat
>>> ipa-getcert stop-tracking -i ******** (certificate expired for several years)
>>> ipa-ca-install ----> KO
>>> ''
>>> Run connection check to master
>>> Connection check OK
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>> Unexpected error - see /var/log/ipareplica-ca-install.log for details:
>>> HTTPError: 404 Client Error: Not Found
>>> ''
>>> I tried an enormous number of commands and I think I have made more
>>> of a mess than anything else, that said ... :'(
>>> How can I erase all traces of the CA authority, reinstall a new
>>> authority with ipa-ca-install and end up with a correct installation?
>> No.
>>
>> Chances are excellent that your original CA is now gone permanently
>> given you ran pkidestroy. If you still have the cacert.p12 you at least
>> have the original signing cert but given it was generated 6 years ago
>> and all the subsystem certs are long-expired it would be an extra
>> challenge to try to setup a replacement (for which there is a procedure
>> defined by dogtag but we've never tried it).
>>> - Solution 2: add a replica server without CA authority, promote it to
>>> master and install a new CA authority! Is it possible?
>> No.
>>> - Solution 3: make a new freeipa server from 0
>>> - ipa-server-install
>>> - import my ~600 users and ~50 hosts (services)
>>> - import my HBAC rules
>>> - import my sudo rules
>>> - import the kerberos keys ...
>>> Am I forgetting some things? And above all, is there a procedure to do
>>> all this? It seems much more difficult, especially since it will
>>> certainly be necessary to plan production stops for my services:
>> IPA to IPA migration is theoretically possible but not something that is
>> supported at the moment (we just never got around to working out all the
>> details). It would involve exporting to ldif the current data, massaging
>> it, and importing it into the new master. There be dragons.
>>
>> solution 4
>>
>> Obtain an SSL certificate for the HTTP and LDAP service from the same
>> place you got the certificates for your existing master for your new
>> replica and use the --dirsrv-cert-file and --http-cert-file options to
>> ipa-replica-install to pass them in. See the ipa-replica-install(1) man
>> page for fuller details.
>>
>> rob
>
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
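The certmonger state quoted in the thread (a request at status CA_UNREACHABLE with an "Error 60 ... Peer certificate cannot be authenticated" ca-error, on a certificate that expired years earlier) is exactly what a later ipa-replica-install or ipa-ca-install trips over, and it is worth finding on a master before any repair is attempted. The following is an added example, not code from the thread or from the FreeIPA project: a POSIX shell function that reads the text of "getcert list" on stdin and reports each tracked request as EXPIRED, CHECK (any status other than MONITORING) or ok, echoing the recorded ca-error where there is one. The embedded input is a constructed sample: the first request ID, status and ca-error line are the ones Pierre quoted, while the second request, the subjects, the CA names and the dates are assumptions. On a real server, pipe the live output in: getcert list | triage_certmonger "$(date -u +%F)".

```shell
#!/bin/sh
# Added example (not from the thread): triage certmonger's "getcert list" output
# and flag tracked requests that are stuck at the CA or already expired.
# Real use:  getcert list | triage_certmonger "$(date -u +%F)"
# Here a constructed sample is used so the script runs offline.

# Constructed sample of getcert list output. The first request ID, status and
# ca-error line are quoted from the thread; everything else is an assumption.
SAMPLE='Number of certificates and requests being tracked: 2.
Request ID '\''20161220171512'\'':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://freeipa4.XXXXXX.XX:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: yes
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2016-12-10 17:15:12 UTC
Request ID '\''20180101120000'\'':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2020-01-01 12:00:00 UTC'

# triage_certmonger TODAY    (TODAY as YYYY-MM-DD; getcert list text on stdin)
# Prints one line per request: "<id> status=<status> expires=<YYYY-MM-DD> <verdict>"
# followed, when present, by the ca-error the renewal agent recorded.
# Verdicts: EXPIRED (notAfter is in the past), CHECK (any status other than
# MONITORING, e.g. CA_UNREACHABLE or CA_UNCONFIGURED), ok.
# ISO dates compare correctly as plain strings, so no date(1) arithmetic is needed.
triage_certmonger() {
    awk -v today="$1" -v q="'" '
        function flush() {
            if (id == "") return
            verdict = "ok"
            if (expires != "" && expires < today) verdict = "EXPIRED"
            else if (status != "MONITORING") verdict = "CHECK"
            printf "%s status=%s expires=%s %s\n", id, status, expires, verdict
            if (caerr != "") printf "    ca-error: %s\n", caerr
        }
        /^Request ID / {
            flush()
            id = $3; gsub(q, "", id); sub(/:$/, "", id)   # strip quotes and trailing colon
            status = ""; expires = ""; caerr = ""
            next
        }
        { sub(/^[ \t]+/, "") }                 # drop the indentation getcert adds
        /^status: /   { status = $2 }
        /^expires: /  { expires = $2 }         # keep only the YYYY-MM-DD part
        /^ca-error: / { caerr = substr($0, 11) }
        END { flush() }
    '
}

# Stand-alone run over the constructed sample, dated to the thread (March 2018).
printf '%s\n' "$SAMPLE" | triage_certmonger "${1:-2018-03-17}"
```

A request reported as EXPIRED with a CA_UNREACHABLE status and an Error 60 ca-error is the combination seen in the thread: the renewal agent cannot even verify the CA's own TLS certificate, so renewals will never succeed on their own and any replica install that needs the CA will fail the same way. The MONITORING/ok line shows what a healthy entry looks like for comparison.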
