On Thu, 16 Jan 2020, Florence Blanc-Renaud wrote:

On 1/13/20 10:58 AM, Rob Foehl via FreeIPA-users wrote:
 On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:

 The question remains: how do I get rid of the self-signed CA entirely?

Hi Rob,

there is currently no easy way to do this, except using a lot of manual commands. For info, we already have a ticket to enhance ipa-cacert-manage with a subcommand allowing to remove a cert:
https://pagure.io/freeipa/issue/8124

Okay, so...  What's the process?  What are the commands?

Is it going to be less pain than ripping out the entire IPA environment and starting over, only to run into this same mess in another two years?

I agree that there ought to be an easy way (e.g. ipa-cacert-manage delete) to do this, but at the moment, I need *any* way to do this -- been fighting with a crippled system for three weeks now.


 Best hint toward this I've managed to find thus far is in the comments on
 https://pagure.io/freeipa/issue/7283 , which got me as far as the
 cACertificate and ipaCertIssuerSerial entries corresponding to the
 extraneous self-signed cert...  If I remove those and the cert from the
 NSSDBs, then what?  Reissue all dependent certs in the IPA CA chain?

 What do I do about the rest of the mess it's created, and/or preventing
 future problems?  Bug ticket for the erroneous self-signed renewal?

If the issue is reproducible, then yes, we do need to fix the problem. Please open an issue at https://pagure.io/freeipa/new_issue

It is, as confirmed by installing a new F31 test VM and going through the external CA ipa-server-install. https://pagure.io/freeipa/issue/8176

(In the process, I also discovered that the install fails with CA_UNREACHABLE errors unless the system's hostname is actually resolvable in the DNS -- despite ipa-server-install still insisting on mangling /etc/hosts unnecessarily, as reported in https://pagure.io/freeipa/issue/6984 years ago. Come on.)

-Rob
