On 2/5/20 1:35 PM, Jochen Demmer via FreeIPA-users wrote:
Yeah I actually modified the PEM outputs because I wasn't sure if it was
sensible.
The second attribute userCertificate has the serial 21.
What about the ra-agent.key? When I put the certificate from the LDAP to
the file named ra-agent.pem, does the .key file need to be updated, too?
If the cert was renewed, the key didn't change. You can actually check
that a given key matches a cert with
# openssl rsa -noout -modulus -in /var/lib/ipa/ra-agent.key | openssl md5
# openssl x509 -noout -modulus -in /var/lib/ipa/ra-agent.pem | openssl md5
Both outputs should be identical.
HTH,
flo
Thank you so much. I'm looking forward to a working upgrade, soon ;-)
Jochen
Am Dienstag, 4. Februar 2020 17:47:05 CET schrieb Florence Blanc-Renaud:
On 2/3/20 9:07 AM, Jochen Demmer via FreeIPA-users wrote:
Hi,
unfortunately currently there's is no other node, which is why I'm
trying to update to Fedora 31. I used to replicate between two
machines but on got lost.
I installed a new machine which is supposed to work as my new replica
but this is being virtualized in bhyve / FreeNAS and this doesn't
allow Fedora 30 to be installed so I'm stuck with Fedora 31.
In the docs it's said that versions between replicas need to be
consistent so I'm trying to update the only running FreeIPA node
(srv107) to Fedora 31 first.
Ok, so in this case we need to work on this single node...
Jochen
On Monday, February 03, 2020 08:36 CET, Florence Blanc-Renaud via
FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: ...
We can see that there is an inconsistency between the
/var/lib/ipa/ra-agent.pem file and the LDAP content. You need to
choose which one to pick as the source of truth and update the other one.
If the cert in /var/lib/ipa/ra-agent.pem is still valid, you can use
this one. To check the validity:
$ openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem
Look for the lines:
Validity
Not Before: <date>
Not After : <date>
If the cert is valid, use this one as source of truth and update the
ldap entry with ldapmodify (the description attribute and the
usercertificate attribute).
If the cert is not valid, you need to find which one in the ldap entry
corresponds to the serial 21. I did not manage to read the content of
the usercertificate attribute, did you cut the ldapsearch output?
I tried with
$ openssl x509 -noout -text
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
but the 2 certs in the usercertificate attribute failed with "unable
to load certificate".
flo
...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines ...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org