On 4/20/20 8:39 PM, Andreas Bulling via FreeIPA-users wrote:

You have a chicken and egg problem. When replacing your certs on an
existing infrastructure you first have to add your new CA certs using
ipa-cacert-manage, then run ipa-certupdate on all enrolled machines,
including masters, then you can run ipa-servercert-install to replace them.

This seems to be the routine described on the freeipa page - which I followed 
except for running ipa-certupdate on all enrolled machines prior to 
ipa-servercert-install. The documentation doesn't mention this, should probably 
be fixed before more people end up in this situation.

Hi,

I just updated the page https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP with a note mentioning that ipa-certupdate needs to be run on all the nodes.


Is there any way for me to fix this? client uninstall and reinstall?
You just need to add the new CA to /etc/ipa/ca.crt (append the -----BEGIN CERTIFICATE----- .... -----END CERTIFICATE----- blob at the end of the file) and to /etc/ipa/nssdb with $ certutil -A -d /etc/ipa/nssdb -n nickname -t CT,C,C -a -i /path/to/cacert.crt

Once it's done you can check if everything is working with ipa-certupdate or any ipa *-find command.

HTH,
flo
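The manual fix from the reply above, as an added script that is not part of the thread or of FreeIPA itself: it appends the CA only if the bundle does not already contain it, repairs a missing trailing newline before appending (otherwise the new BEGIN line is glued onto the previous END line and parsers drop both certs), then runs the certutil import and the checks the reply suggests. CA_BUNDLE and NSSDB are assumed overridable so the append logic can be tried on copies first.

```shell
#!/bin/sh
# Added example, not from the thread: apply the manual fix from the reply above
# without duplicating the CA on a second run and without corrupting the bundle.
# CA_BUNDLE/NSSDB default to the paths in the reply; override them to try on copies.
set -eu
CA_BUNDLE=${CA_BUNDLE:-/etc/ipa/ca.crt}
NSSDB=${NSSDB:-/etc/ipa/nssdb}

# Print one line per certificate in file $1: its base64 body, whitespace stripped.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inb = 1; b = ""; next }
         /-----END CERTIFICATE-----/   { if (inb) print b; inb = 0; next }
         inb { gsub(/[ \t\r]/, ""); b = b $0 }' "$1"
}

# Append the first cert in $1 to bundle $2. Returns 0 if appended, 1 if it was
# already there, 2 if $1 holds no PEM certificate.
append_ca() {
    new=$(pem_bodies "$1" | head -n 1)
    [ -n "$new" ] || return 2
    if [ -f "$2" ] && pem_bodies "$2" | grep -qxF -- "$new"; then
        return 1
    fi
    # A bundle whose last line lacks a newline would glue our BEGIN line onto
    # its END line, and PEM parsers would then silently drop both certificates.
    if [ -s "$2" ] && [ "$(( $(tail -c 1 "$2" | wc -l) ))" -eq 0 ]; then
        printf '\n' >> "$2"
    fi
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" >> "$2"
}

# Import the same cert into the client NSS database with the trust flags from
# the reply (CT,C,C: trusted CA for SSL, e-mail and object signing).
import_nssdb() {
    certutil -A -d "$NSSDB" -n "$2" -t CT,C,C -a -i "$1"
}

main() {
    cert=$1; nick=${2:-"New IPA CA"}
    append_ca "$cert" "$CA_BUNDLE" || [ $? -eq 1 ]   # already present is fine
    import_nssdb "$cert" "$nick"
    # Both fail if the client still cannot validate the servers' certificates.
    ipa-certupdate && ipa user-find >/dev/null
}
[ $# -eq 0 ] || main "$@"
```

Run it as root on the affected client as `./fix-ca.sh /path/to/cacert.crt "nickname"`; the certutil and ipa steps need a real enrolled host, so only the append logic runs in a sandbox.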

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
