Kees Bakker via FreeIPA-users wrote:
> Hi Flo,
> 
> Do you have a hint how I can get to the point where I can execute
> the pki securitydomain-host-del command? All examples [2] on the Internet
> are from the time when there was a /root/ca-agent.p12 and ipaCert.
> I think that has been migrated to /var/lib/ipa/ra-agent.{key,pem} [1].
> 
> Maybe you are going to say that I shouldn't need that pki command. But I
> have two deleted masters in the pki database. Using
> pki securitydomain-host-del seems the only way to get rid of them. If you
> have a better suggestion then please let me know.
> 
> [1] https://www.freeipa.org/page/Releases/4.8.1
> [2] https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup

The CA agent is something different and not used by IPA at all. If your
installation is > 2 years old it is expired anyway.

The dogtag documentation is woefully out-of-date in this regard
unfortunately (and yes, I realize I also live in a glass house regarding
wikis).

You don't need to import anything, the entries you need are already
there. Try:

# pki -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' \
    -C /etc/pki/pki-tomcat/alias/pwdfile.txt \
    securitydomain-host-del 'CA ipa.example.test 443'

rob
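As an added example (not code from the thread or from FreeIPA/Dogtag), the shell sketch below wraps the command above: it pulls the full "Host ID" strings out of `securitydomain-host-find` output, keeps only entries whose hostname is no longer a live IPA server, and prints the matching `securitydomain-host-del` command for each (set DRY_RUN=0 to actually run it). The host-find output layout, the sample entries and the live-server list are assumptions; check them against your own output before deleting anything.

```shell
NSSDB=/etc/pki/pki-tomcat/alias                 # NSS db from the command above
NICK='subsystemCert cert-pki-ca'                # CA subsystem cert nickname
PWFILE=/etc/pki/pki-tomcat/alias/pwdfile.txt    # NSS db password file
DRY_RUN=${DRY_RUN:-1}                           # DRY_RUN=0 actually deletes

# Print the "Host ID" values (e.g. "CA old.example.test 443") whose hostname
# is not in the space-separated list of live IPA servers. Assumes host-find
# prints one "Host ID: <subsystem> <host> <port>" line per entry.
stale_host_ids() { # $1 = host-find output, $2 = "host1 host2 ..."
  printf '%s\n' "$1" | awk -v live="$2" '
    BEGIN { n = split(live, a, " "); for (i = 1; i <= n; i++) l[tolower(a[i])] = 1 }
    /^ *Host ID:/ { sub(/^ *Host ID: */, ""); if (!(tolower($2) in l)) print }'
}

# Build the removal command for one Host ID; only runs it when DRY_RUN=0.
del_host_id() { # $1 = "CA host 443" (the full Host ID, as the thread notes)
  if [ "$DRY_RUN" != 0 ]; then
    printf "pki -d %s -n '%s' -C %s securitydomain-host-del '%s'\n" \
      "$NSSDB" "$NICK" "$PWFILE" "$1"
  else
    pki -d "$NSSDB" -n "$NICK" -C "$PWFILE" securitydomain-host-del "$1"
  fi
}

# Constructed sample standing in for `pki ... securitydomain-host-find` output
# (replace with the real output); old.example.test is a decommissioned master.
SAMPLE_FIND='---------------
3 host(s) matched
---------------
  Host ID: CA ipa1.example.test 443
  Hostname: ipa1.example.test
  Host ID: CA ipa2.example.test 443
  Hostname: ipa2.example.test
  Host ID: CA old.example.test 443
  Hostname: old.example.test'

LIVE='ipa1.example.test ipa2.example.test'      # e.g. from `ipa server-find`

stale_host_ids "$SAMPLE_FIND" "$LIVE" | while IFS= read -r id; do
  del_host_id "$id"
done
```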

> -- Kees
> 
> On 12-07-2021 15:01, Kees Bakker via FreeIPA-users wrote:
>> It is now time for me to try and follow the suggested pki commands.
>> However, I don't have a /root/ca-agent.p12
>>
>> There is quite a bit of documentation on the Internet, but it might
>> not all be up-to-date.
>>
>> Here [1] the file /root/ca-agent.p12 is mentioned under "PKI Admin
>> Certificate".
>>
>> "PKI admin certificate is stored in several locations:
>>
>>     /root/ca-agent.p12 with nickname ipa-ca-agent (misleading nickname).
>>     /root/.dogtag/pki-tomcat/ca_admin.cert
>>     /root/.dogtag/pki-tomcat/ca_admin.cert.der
>>     /root/.dogtag/pki-tomcat/ca_admin_cert.p12 (moved to
>> /root/ca-agent.p12)
>> "
>>
>> I don't have any of them. Then [1] continues with
>>
>> "PKI Agent Certificate
>>
>> PKI agent certificate is stored in /etc/httpd/alias and tracked by IPA:
>>
>>     ipaCert (CN=IPA RA)
>>
>> For IPA Password Vault the certificate is exported and cached into
>> /etc/httpd/alias/kra-agent.pem since python-requests does not support
>> NSS. The cache is invalidated if the KRA authentication fails.
>> IPA Certificates
>>
>> IPA certificates are stored in /etc/httpd/alias:
>>
>>     <REALM> IPA CA (CN=Certificate Authority)
>>     <External CA DN>
>>     ipa-ca-agent (CN=ipa-ca-agent)
>>     ipaCert (CN=IPA RA)
>>     Signing-Cert (CN=Object Signing Cert)
>> "
>>
>> But all I have in /etc/httpd/alias is a file ipasession.key
>>
>> I'm confused.
>>
>> [1] https://www.dogtagpki.org/wiki/IPA_Certificates
>> -- Kees
>>
>> On 14-06-2021 16:39, github--- via FreeIPA-users wrote:
>>> On 29-05-2021 10:21, Alexander Bokovoy wrote:
>>>> But I did use "ipa-csreplica-manage del" as well. However, I
>>>> remember that it
>>>> complained it couldn't remove that host. I was assuming it was
>>>> already gone.
>>>> When I list with ipa-csreplica-manage then I don't see the old hosts
>>>> anymore.
>>> It's worth noting that on my install (4.9.3) on Fedora, `ipa-csreplica-manage
>>> del` just prints a deprecation message and doesn't seem to do anything.
>>>
>>>> So, two things
>>>> 1) "ipa-csreplica-manage del" somehow failed (it's probably too late
>>>> to look
>>>> at logs)
>>>> 2) how can I still remove the old hosts?
>>> I have/had the same problem.  I used
>>> https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup to help me auth
>>> into the CA to remove the dead host.
>>>
>>>      pki client-cert-import --pkcs12 /root/ca-agent.p12 --pkcs12-password [redact]
>>>      pki -n ipa-ca-agent securitydomain-host-find
>>>      # you need the full Host ID section to remove
>>>      pki -n ipa-ca-agent securitydomain-host-del "CA freeipa2[redact].net 443"
>>>
>>> Keep in mind I'm fairly new to IPA, so maybe you don't want to do
>>> this on a production system without someone else more experienced
>>> chiming in.  But, so far, the health check stopped complaining,
>>> replication is fine, and all my users can still log in.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure