Ricardo Mendes via FreeIPA-users wrote:
> Hi Florence,
> 
> Thank you so much for your reply.
> 
> I have some questions regarding your instructions.
> 
> 1. ipactl start --ignore-service-failures doesn't work; it leaves most 
> services down and I must use systemctl to bring them up.
> 
> # sudo ipactl restart --ignore-service-failures
> IPA version error: data needs to be upgraded (expected version 
> '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
> ipa-server-upgrade manually.
> CA did not start in 300.0s
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
> information
> 
> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade 
> again
> Stopping ipa-dnskeysyncd Service
> Stopping ods-enforcerd Service
> Stopping ipa-ods-exporter Service
> Stopping ipa-otpd Service
> Stopping pki-tomcatd Service
> Stopping ntpd Service
> Stopping ipa-custodia Service
> Stopping httpd Service
> Stopping named Service
> Stopping kadmin Service
> Stopping krb5kdc Service
> Stopping Directory Service
> Aborting ipactl
> 
> then I have to start manually using the systemctl command I put before.

It's because you are in the middle of an upgrade. You can add
--skip-version-check to not do the upgrade until after the certs are
renewed.

> Also is there a way to use ipactl to start manually a specified service?

No.

> 
> 2. what procedure should I use to get a ssl.crt?
> 
> # find /{etc,home,opt,root,tmp,usr,var} -type f -iname ssl.crt
> #

ssl.crt is just a generic name, IPA doesn't use it. Each certificate
that IPA issues has its own unique name. You'd need to look per-service
where the certificate is stored and what it is named. The certmonger output
will help with this:

# getcert list

Note that this will include the certificates used by the IPA CA.

> I think I was using the wrong letsencrypt-freeipa. I was using the one here 
> https://github.com/antevens/letsencrypt-freeipa, but now I see there's another 
> here https://github.com/freeipa/freeipa-letsencrypt with more recent updates. 
> How do I "replace" them?

These are just two different wrappers around Let's Encrypt certificates.
As long as it can find the key(s) then it should work either way (one
uses HTTP and one uses DNS). The real trick is what version(s) of IPA
those support and where it is looking for the certificates. The cert
locations and storage are different depending on the version of IPA.

rob
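Rob's advice above is to read certmonger's `getcert list` output to find where each IPA certificate is stored and what it is called. The script below is an added example, not part of the thread and not IPA's own tooling: it reduces that output to one line per tracked certificate (request ID, status, expiry, storage type, location, nickname) and then lists the requests that are not in the MONITORING state, which is the first thing to check when a CA will not start. The sample `getcert list` text is constructed and deliberately mixes the el7/IPA 4.6 NSS-database layout (/etc/httpd/alias, nickname Server-Cert) with the file-based layout (/var/lib/ipa/certs/httpd.crt) that later IPA versions use, only so that both forms are exercised; the hostnames, request IDs, dates and the ca-error text are made up.

```shell
#!/bin/sh
# Added example: summarise certmonger "getcert list" output.
# Not IPA's own code; it only reformats what getcert prints.
# Live use:  getcert list | summarize_getcert | find_unhealthy

# One tab-separated line per request:
#   id  status  expires  storage-type  location  nickname
# Field values in getcert output are single-quoted; q carries the quote so
# the awk program itself needs none.
summarize_getcert() {
    awk -v q="'" '
    function flush() {
        if (id == "") return
        if (nick == "") nick = "-"
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", id, status, expires, ctype, loc, nick
        id = ""; status = ""; expires = ""; ctype = ""; loc = ""; nick = ""
    }
    /^Request ID / {
        flush()
        id = $3; gsub(q, "", id); sub(/:$/, "", id)
        next
    }
    /^[ \t]+status: /  { status = $2; next }
    /^[ \t]+expires: / { expires = $0; sub(/^[ \t]+expires: /, "", expires); next }
    /^[ \t]+certificate: / {
        # certificate: type=NSSDB,location=..,nickname=..,token=..   (or type=FILE,location=..)
        line = $0; sub(/^[ \t]+certificate: /, "", line)
        n = split(line, kv, ",")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq == 0) continue
            k = substr(kv[i], 1, eq - 1)
            v = substr(kv[i], eq + 1); gsub(q, "", v)
            if (k == "type") ctype = v
            else if (k == "location") loc = v
            else if (k == "nickname") nick = v
        }
        next
    }
    END { flush() }'
}

# Keep only requests whose status is not MONITORING (renewal stuck, CA down, ...).
find_unhealthy() {
    awk -F'\t' '$2 != "MONITORING"'
}

# Constructed sample in the shape getcert list prints (values are made up).
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20190101000000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2021-03-01 10:00:00 UTC
Request ID '20190101000001':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2021-03-01 10:00:00 UTC
Request ID '20190101000002':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=Certificate Authority,O=EXAMPLE.TEST
        expires: 2019-06-01 10:00:00 UTC
EOF
}

# Run against the constructed sample.
sample_getcert | summarize_getcert
echo "--- requests not in MONITORING state:"
sample_getcert | summarize_getcert | find_unhealthy
```

The location column is the answer to "where is the cert": an NSSDB entry means the certificate lives inside that NSS database under the given nickname (inspect it with `certutil -L -d <location>`), while a FILE entry is a plain PEM path on disk. Whichever Let's Encrypt wrapper is used has to write to exactly these places, which is why it matters which IPA version it was written for.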
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]