On ti, 04 joulu 2018, Andrey Ptashnik wrote:
Alexander,
Please find output below:
[root@ipa-server-01 ~]# openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
Yep -- this is self-signed certificate instead of using the right one
from IPA CA.
[root@ipa-server-01 krb5kdc]# rm -f kdc.crt
[root@ipa-server-01 krb5kdc]# rm -f kdc.key
[root@ipa-server-01 krb5kdc]#
[root@ipa-server-01 krb5kdc]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@ipa-server-01 krb5kdc]# ls -la
total 20
drwxr-xr-x. 2 root root 82 Dec 4 08:16 .
drwxr-xr-x. 4 root root 31 Nov 2 11:13 ..
-rw-r--r-- 1 root root 1298 Dec 4 08:16 cacert.pem
-rw------- 1 root root 22 Oct 30 09:40 kadm5.acl
-rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf
-rw-r--r-- 1 root root 1667 Dec 4 08:16 kdc.crt
-rw------- 1 root root 1704 Dec 4 08:16 kdc.key
[root@ipa-server-01 krb5kdc]#
After certificate update it looks like Web GUI is working.
So, this is another version of https://pagure.io/freeipa/issue/7200
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org