On ti, 04 joulu 2018, Andrey Ptashnik wrote:
Alexander,Please find output below: [root@ipa-server-01 ~]# openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: O=NIX.MYDOMAIN.COM, CN=ipa-server-01.nix.MYDOMAIN.COM
Yep -- this is self-signed certificate instead of using the right one from IPA CA.
[root@ipa-server-01 krb5kdc]# rm -f kdc.crt [root@ipa-server-01 krb5kdc]# rm -f kdc.key [root@ipa-server-01 krb5kdc]# [root@ipa-server-01 krb5kdc]# ipa-pkinit-manage enable Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT Done configuring Kerberos KDC (krb5kdc). The ipa-pkinit-manage command was successful [root@ipa-server-01 krb5kdc]# ls -la total 20 drwxr-xr-x. 2 root root 82 Dec 4 08:16 . drwxr-xr-x. 4 root root 31 Nov 2 11:13 .. -rw-r--r-- 1 root root 1298 Dec 4 08:16 cacert.pem -rw------- 1 root root 22 Oct 30 09:40 kadm5.acl -rwxr-xr-x 1 root root 612 Nov 30 2017 kdc.conf -rw-r--r-- 1 root root 1667 Dec 4 08:16 kdc.crt -rw------- 1 root root 1704 Dec 4 08:16 kdc.key [root@ipa-server-01 krb5kdc]# After certificate update it looks like Web GUI is working.
So, this is another version of https://pagure.io/freeipa/issue/7200 -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
