Eric Boisvert via FreeIPA-users wrote:
> I did a kinit with my admin user and enter the password.
> 
> Now ipa-certupdate -v return:
> 
> # ipa-certupdate -v
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
> ipa: DEBUG: Loading Index file from 
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca
> ipa: DEBUG: Process finished, return code=1
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
> 
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: failed to find 
> session_cookie in persistent storage for principal 'ad...@qc.lrtech.ca'
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying 
> https://freeipa.qc.lrtech.ca/ipa/json
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection 
> context.rpcclient_26500816
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json 
> server 'https://freeipa.qc.lrtech.ca/ipa/json'
> ipa: DEBUG: NSSConnection init freeipa.qc.lrtech.ca
> ipa: DEBUG: Connecting: IP_ADDRESS:0
> ipa: ERROR: cert validation failed for 
> "CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA" ((SEC_ERROR_EXPIRED_CERTIFICATE) 
> Peer's Certificate has expired.)
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection 
> context.rpcclient_26500816
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG:   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in 
> execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line 
> 54, in run
>     api.finalize()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in 
> finalize
>     self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in 
> __do_if_not_done
>     getattr(self, name)()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in 
> load_plugins
>     for package in self.packages:
>   File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in 
> packages
>     ipaclient.remote_plugins.get_package(self),
>   File 
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 
> 118, in get_package
>     plugins = schema.get_package(server_info, client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 543, in get_package
>     schema = Schema(client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 387, in __init__
>     fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 426, in _fetch
>     schema = client.forward(u'schema', **kwargs)['result']
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1000, in forward
>     raise NetworkError(uri=server, error=str(e))
> 
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command 
> failed, exception: NetworkError: cannot connect to 
> 'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) 
> Peer's Certificate has expired.
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: cannot connect to 
> 'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) 
> Peer's Certificate has expired.
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command 
> failed.
> 
> Sorry for asking trivial questions; I'm new to FreeIPA.

Now you have a classic chicken and egg problem. The clients were all
configured with the old CA and now you have a brand new one.

I'd give this a try:

Copy /etc/pki/ca-trust/source/ipa.p11-kit from the server to a client
Run update-ca-trust

Then try a command like ipa user-show admin, or ipa-certupdate.

If that works on one client (and I think it will), repeat it on the
others and you're back in business.

rob
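Rob's three steps as one script, added here as an example rather than taken from the thread, with an openssl check before and after so you can see whether the client actually trusts the server's certificate once the new CA is in place. The server name (defaulting to the host from the log), root ssh access from the client to the server, and the use of openssl s_client for the check are assumptions.

```shell
#!/bin/sh
# Added example: re-seed one FreeIPA client's trust store with the server's
# current CA trust file and verify the result. Assumes root on the client,
# root ssh/scp access to the server, and the standard FreeIPA paths.
set -eu

# Hypothetical default; override with IPA_SERVER=... in the environment.
SERVER="${IPA_SERVER:-freeipa.qc.lrtech.ca}"
TRUST_FILE=/etc/pki/ca-trust/source/ipa.p11-kit

# Print the "Verify return code" openssl reports for the server's TLS chain,
# as seen from this client's trust store, e.g. "0 (ok)" or
# "10 (certificate has expired)".
tls_verify_status() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | sed -n 's/^ *Verify return code: //p'
}

# Return success only for openssl verify code 0; any other code means the
# client still does not trust the chain (expired, unknown CA, ...).
verify_is_ok() {
    case "$1" in
        0*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Rob's fix: copy the server's p11-kit trust file over, then rebuild the
# client's CA trust bundles.
refresh_client_trust() {
    scp "root@$SERVER:$TRUST_FILE" "$TRUST_FILE"
    update-ca-trust
}

main() {
    before=$(tls_verify_status "$SERVER")
    echo "before: $before"
    refresh_client_trust
    after=$(tls_verify_status "$SERVER")
    echo "after:  $after"
    verify_is_ok "$after" || { echo "client still does not trust $SERVER" >&2; exit 1; }
    # Trust is restored; now the usual client commands work again.
    ipa-certupdate -v
}

# Only perform the live steps when invoked as: ./refresh-ipa-trust.sh --run
[ "${1:-}" = "--run" ] && main
```

Run it on one client first; if the "after" line shows `0 (ok)` and `ipa-certupdate` completes, repeat on the remaining clients.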
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org