On Tue, Mar 20, 2018 at 03:24:58PM +0100, Pierre Labanowski via FreeIPA-users wrote:
>
> indeed, there has been a problem for a very long time. I think the
> problem happened at the time of the migration centos 6 to centos 7.
>
> # ipa ca-show ipa
> ipa: ERROR: ipa: Certificate Authority Not Found
>
> how can I solve this little/big problem?
>
> thx
> Pierre

Hi Pierre,

Please run ipa-server-upgrade. It should notice the missing entry and add it.
If not, please provide the /var/log/ipaupgrade.log and we can try and
diagnose the issue.

Cheers,
Fraser

>
> On 17/03/2018 at 15:04, Pierre Labanowski via FreeIPA-users wrote:
> >
> > Thank you Rob for your answer,
> >
> > I have tested solution 4, but the installation really goes out of order.
> > I do not want to remove from the host or even add a replica (same
> > thing with --dirsrv-cert-file and --http-cert-file options).
> > I got the following error:
> > 'certificate operation cannot be completed: Unable to communicate with
> > CMS ([Errno 111] Connection refused)'
> >
> > then go to Solution 5 - Loss of information, backtracking:
> >
> > I restored a 15-day snapshot, which resulted in the loss of a new user
> > and a twenty-something password change.
> > - resynchronize with winsync users (change uid and gid on servers)
> > - Send a mail to users who have changed their password. (Synchronization)
> >
> > big panic in the information system.
> >
> > I return to square one with a freeipa v4.4 and a big problem of
> > certificate
> > ''
> > Request ID '20161220171512':
> > status: CA_UNREACHABLE
> > ca-error: Error 60 connecting to
> > https://freeipa4.XXXXXX.XX:8443/ca/agent/ca/profileReview: Peer
> > certificate cannot be authenticated with given CA certificates.
> > ''
> >
> > if you have an idea to replace the CA, I am really interested.
> >
> > thx
> >
> > Pierre
> >
> > --
> >
> > On 2018-03-13 14:33, Rob Crittenden wrote:
> >
> >> Labanowski Pierre via FreeIPA-users wrote:
> >>> Hello, I'm confused with my freeipa setup. Some details on the
> >>> installation:
> >>> - I use freeipa on only one server since 2012 (basic install with a
> >>>   self-signed certificate ... KO from then 2014).
> >>> - meanwhile (a few years) I made a migration to switch to a version of
> >>>   freeipa v4 on centos 7.1, which is today in 4.5 since a few weeks.
> >>>   (the old freeipa v3 server has been destroyed for a long time)
> >>> - at this time the CA authority has been lost ... but hey, I do not use
> >>>   this feature in freeipa v4, I'm not too worried.
> >>> - I mainly use the ldap (user, group, host, hbac, automount etc), and
> >>>   especially kerberos, and also winsync (trust AD etc ...)
> >>> - I was never interested in the certificate part.
> >>> - The HTTP and LDAP certificates of the server are signed via an
> >>>   external authority not managed by freeipa.
> >>>
> >>> Only here I wanted to add a 2nd server to replicate my single server
> >>> freeipa, to secure the system. And here the disaster begins for me ...
> >>> because the certificates block the process in all directions. I'm
> >>> considering several solutions:
> >>>
> >>> - Solution 1 (my favorite if it's possible), that I started to try to
> >>>   do ... remove the CA and restart from scratch on my master server
> >>>   before starting to replicate. I made a:
> >>>
> >>>   ipa-ca-install ----> KO CA is already installed on this host
> >>>
> >>>   THEN
> >>>
> >>>   pkidestroy -s CA -i pki-tomcat
> >>>   ipa-getcert stop-tracking -i ******** (certificate expired for several years)
> >>>   ipa-ca-install ----> KO
> >>>   ''
> >>>   Run connection check to master
> >>>   Connection check OK
> >>>   Your system may be partly configured.
> >>>   Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>>   Unexpected error - see /var/log/ipareplica-ca-install.log for details:
> >>>   HTTPError: 404 Client Error: Not Found
> >>>   ''
> >>>
> >>>   I tried an enormous number of commands; I think I have made more of a
> >>>   mess than anything else, that said ... :'( how can I erase all traces
> >>>   of the CA authority and reinstall a new authority with ipa-ca-install
> >>>   and leave with a correct installation?
> >> No.
> >>
> >> Chances are excellent that your original CA is now gone permanently
> >> given you ran pkidestroy. If you still have the cacert.p12 you at least
> >> have the original signing cert but given it was generated 6 years ago
> >> and all the subsystem certs are long-expired it would be an extra
> >> challenge to try to setup a replacement (for which there is a procedure
> >> defined by dogtag but we've never tried it).
> >>> - Solution 2 Add a replica server without CA authority and pass it
> >>>   master and install a new CA authority! it's possible ?
> >> No.
> >>> - solution 3 make a new freeipa server from 0
> >>>   - ipa-server-install
> >>>   - import my ~ 600 users and ~ 50 hosts (service)
> >>>   - import my rules HBAC
> >>>   - import my sudo rules
> >>>   - import the keys kerberos ...
> >>>   I'm forgetting some things? and above all, is there a procedure to do
> >>>   all this? It seems much more difficult, especially since it will
> >>>   certainly be necessary to plan production stops for my services:
> >> IPA to IPA migration is theoretically possible but not something that is
> >> supported at the moment (we just never got around to working out all the
> >> details). It would involve exporting to ldif the current data, massaging
> >> it, and importing it into the new master. There be dragons.
> >>
> >> solution 4
> >>
> >> Obtain an SSL certificate for the HTTP and LDAP service from the same
> >> place you got the certificates for your existing master for your new
> >> replica and use the --dirsrv-cert-file and --http-cert-file options to
> >> ipa-replica-install to pass them in. See the ipa-replica-install(1) man
> >> page for fuller details.
> >>
> >> rob
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
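The certmonger block Pierre pasted (request 20161220171512 in CA_UNREACHABLE with a libcurl "Error 60") is the kind of thing an admin wants to spot on every IPA host before it turns into a replica-install failure. The script below is an added example, not code from this thread or from the FreeIPA project: it parses `getcert list`-style output into one record per tracked request, flags any request that is not in a healthy MONITORING state, and maps the libcurl code in the ca-error line to a short hint. The sample output is constructed; its first request mirrors the thread, the second (ID 20180301120000, replica.example.test) is invented as a healthy control. The curl-code hints cover only codes 7, 35 and 60 and are my own wording.

```python
"""Triage certmonger tracking requests from `getcert list` output.

Added example (not from the FreeIPA-users thread). Real `getcert list`
output carries more fields than the constructed sample; the parser keeps
any extra "key: value" line as-is, so it works on full output too.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample. Request 20161220171512 mirrors the thread; the
# second request is a made-up healthy control.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20161220171512':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://freeipa4.XXXXXX.XX:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    CA: IPA
    subject: CN=freeipa4.XXXXXX.XX,O=XXXXXX.XX
    expires: 2018-12-20 17:15:12 UTC
Request ID '20180301120000':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=replica.example.test,O=EXAMPLE.TEST
    expires: 2020-03-01 12:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
CURL_CODE_RE = re.compile(r"\bError (\d+) connecting\b")

# libcurl CURLcode values that certmonger surfaces in ca-error lines.
CURL_ERROR_HINTS = {
    7: "could not connect to the CA endpoint (CA service down or port blocked)",
    35: "TLS handshake failed before any certificate check",
    60: "CA endpoint certificate is not trusted by the local CA certificates",
}

HEALTHY_STATES = {"MONITORING"}


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one dict per tracked request."""
    requests: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line such as "Number of certificates ..."
        key, _, value = line.partition(":")  # first colon only: values may hold URLs
        current[key.strip()] = value.strip()
    return requests


def classify_ca_error(ca_error: str) -> Tuple[Optional[int], str]:
    """Extract the libcurl code from a ca-error line and return (code, hint)."""
    m = CURL_CODE_RE.search(ca_error)
    if not m:
        return None, ""
    code = int(m.group(1))
    return code, CURL_ERROR_HINTS.get(code, "unrecognised libcurl error code")


def find_unhealthy(requests: List[Dict[str, str]], healthy=HEALTHY_STATES) -> List[Dict[str, object]]:
    """Return every request that is not in a healthy steady state, or is stuck."""
    findings: List[Dict[str, object]] = []
    for req in requests:
        status = req.get("status", "UNKNOWN")
        stuck = req.get("stuck", "no")
        if status in healthy and stuck == "no":
            continue
        code, hint = classify_ca_error(req.get("ca-error", ""))
        findings.append({
            "request_id": req["request_id"],
            "status": status,
            "stuck": stuck,
            "subject": req.get("subject", ""),
            "ca_error": req.get("ca-error", ""),
            "curl_code": code,
            "hint": hint,
        })
    return findings


def report_lines(findings: List[Dict[str, object]]) -> List[str]:
    """One line per finding, suitable for a cron mail or a log shipper."""
    return [
        f"{f['request_id']} {f['status']} stuck={f['stuck']} subject={f['subject']} :: "
        f"{f['hint'] or f['ca_error'] or 'no ca-error recorded'}"
        for f in findings
    ]


def load_from_host() -> str:
    """Run `getcert list` on an IPA host (root); not used by the offline sample."""
    return subprocess.run(["getcert", "list"], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for line in report_lines(find_unhealthy(parse_getcert_list(SAMPLE_GETCERT_OUTPUT))):
        print(line)
```

On a real host replace `SAMPLE_GETCERT_OUTPUT` with `load_from_host()`; a non-empty report is a sign that the CA subsystem, or trust in its certificate, needs attention before attempting ipa-server-upgrade or a replica install.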
