Hi all,

Currently I'm setting up a FreeIPA instance on EL8 with the crypto-policy set to FUTURE.

When running the ipa-server-install program, it errors out when setting up the PKI infrastructure. Below is the command I ran:

```
ipa-server-install --pki-config-override /root/freeipa_pki_override.cfg --setup-adtrust -p Banana123! -a Banana123! -r EXAMPLE.COM -U
```

As this command already shows, I already have some PKI override settings to ensure all created keys are 4096 bits long:

```
[CA]
pki_ca_signing_key_size=4096

[DEFAULT]
pki_admin_key_size=4096
pki_audit_signing_key_size=4096
pki_sslserver_key_size=4096
pki_subsystem_key_size=4096
```

And even despite these settings, the command errors out giving me the message as below:

```
..truncated..
  [22/28]: enabling CA instance
  [23/28]: migrating certificate profiles to LDAP
  [24/28]: importing IPA certificate profiles
  [error] NetworkError: cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```

So _some_ certificate _somewhere_ is not strong enough, but I can't find which one it is and how to ensure it's strengthened sufficiently. When I check the log file it shows basically the same message (except with a lot of Python stacktraces with 'NetworkError').

When I revert the crypto-policy back to DEFAULT the command as shown above will succeed.

Anyone have a clue? :)

Cheers!

--
Kind regards,
Jeff
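To find which certificate trips EE_KEY_TOO_SMALL, the practical check is to read the RSA modulus size of each end-entity certificate the PKI instance presents and compare it with the policy minimum. The script below is an added example, not from the original post or the FreeIPA/Dogtag projects; it assumes `openssl` is installed, treats 3072 bits as the FUTURE threshold (MIN_BITS, overridable), and generates constructed self-signed test certificates so it runs offline.

```shell
#!/bin/sh
# Added example: report RSA key sizes of certificates and flag those below
# MIN_BITS. 3072 is assumed here as the minimum the FUTURE policy accepts.
set -eu
MIN_BITS="${MIN_BITS:-3072}"

# rsa_bits_of_pem FILE -> prints the RSA modulus size (bits) of the cert in FILE
rsa_bits_of_pem() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_pem FILE -> prints a verdict; returns 0 if OK, 1 if too small, 2 if unreadable
check_pem() {
    bits=$(rsa_bits_of_pem "$1")
    if [ -z "$bits" ]; then
        echo "UNKNOWN   $1"; return 2
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "TOO_SMALL $1 ($bits bits < $MIN_BITS)"; return 1
    fi
    echo "OK        $1 ($bits bits)"; return 0
}

# check_tls_endpoint HOST PORT -> fetches the server (EE) cert and checks it.
# Example use: check_tls_endpoint ipa.lbhr.htm.lan 8443
check_tls_endpoint() {
    tmp=$(mktemp)
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp" 2>/dev/null || true
    rc=0
    check_pem "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

# make_test_cert BITS FILE -> constructed self-signed cert, for demonstration only
make_test_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
        -subj "/CN=constructed-test" -days 1 >/dev/null 2>&1
    rm -f "$2.key"
}
```

On a host already set to FUTURE the `openssl s_client` fetch may be refused for the same reason, so export the certificates from the instance's NSS database or PKCS#12 files and run `check_pem` on those files instead.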
