Eric Boisvert via FreeIPA-users wrote:
> I did a kinit with my admin user and entered the password.
>
> Now ipa-certupdate -v returns:
>
> # ipa-certupdate -v
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
> ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca
> ipa: DEBUG: Process finished, return code=1
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
>
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: failed to find session_cookie in persistent storage for principal 'ad...@qc.lrtech.ca'
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying https://freeipa.qc.lrtech.ca/ipa/json
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection context.rpcclient_26500816
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json server 'https://freeipa.qc.lrtech.ca/ipa/json'
> ipa: DEBUG: NSSConnection init freeipa.qc.lrtech.ca
> ipa: DEBUG: Connecting: IP_ADDRESS:0
> ipa: ERROR: cert validation failed for "CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection context.rpcclient_26500816
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line 54, in run
>     api.finalize()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
>     self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
>     getattr(self, name)()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
>     for package in self.packages:
>   File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
>     ipaclient.remote_plugins.get_package(self),
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package
>     plugins = schema.get_package(server_info, client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package
>     schema = Schema(client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__
>     fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
>     schema = client.forward(u'schema', **kwargs)['result']
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1000, in forward
>     raise NetworkError(uri=server, error=str(e))
>
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command failed, exception: NetworkError: cannot connect to 'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: cannot connect to 'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command failed.
>
> Sorry for asking trivial questions, I'm new to FreeIPA.
Now you have a classic chicken and egg problem. The clients were all configured with the old CA and now you have a brand new one.

I'd give this a try:

Copy /etc/pki/ca-trust/source/ipa.p11-kit from the server to a client
Run update-ca-trust
Then try a command like ipa user-show admin, or ipa-certupdate.

If that works on one client (and I think it will), repeat it on the others and you're back in business.

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
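Rob's three steps, written up as a script for one client. This is an added example, not code from the thread or from FreeIPA itself. It assumes root SSH access to the server so the bundle can be pulled with scp, that the server already carries its renewed CA in ipa.p11-kit (the premise of the reply), and that the admin ticket from the kinit above is still valid for the ipa user-show check. The backup of the old bundle, the sanity check that the copied file actually contains certificates, and the rollback when the client still cannot reach the server are additions beyond what Rob wrote; the script file name used in the usage note is likewise assumed.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): apply Rob's three
# steps on one client, with a backup of the old bundle, a sanity check on
# the copied file and a rollback if the client still cannot reach the server.
# Assumptions: root SSH access to the server for scp, and a server that
# already has its renewed CA in /etc/pki/ca-trust/source/ipa.p11-kit.
set -eu

IPA_SERVER="${IPA_SERVER:-freeipa.qc.lrtech.ca}"      # server named in the thread
P11KIT_PATH="/etc/pki/ca-trust/source/ipa.p11-kit"    # path from Rob's reply
BACKUP_SUFFIX=".bak.$(date +%Y%m%d%H%M%S)"

# Count PEM certificate blocks in a file. An empty or truncated copy of
# ipa.p11-kit is the usual reason a "fixed" client still fails, so check
# before installing rather than after update-ca-trust has run.
count_pem_certs() {
    local file="$1"
    if [ ! -r "$file" ]; then
        echo 0
        return 0
    fi
    grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true
}

# A usable bundle exists, is non-empty and carries at least one certificate.
validate_bundle() {
    local file="$1"
    [ -s "$file" ] || return 1
    [ "$(count_pem_certs "$file")" -ge 1 ]
}

# Install SRC as DEST, keeping a timestamped backup of any existing DEST.
# Prints the backup path on stdout (empty when there was nothing to back up).
install_bundle() {
    local src="$1" dest="$2" backup=""
    if ! validate_bundle "$src"; then
        echo "refusing to install $src: no certificates found" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        backup="${dest}${BACKUP_SUFFIX}"
        cp -p "$dest" "$backup"
    fi
    cp -f "$src" "$dest"
    chmod 0644 "$dest"
    echo "$backup"
}

# Put DEST back the way install_bundle found it.
rollback_bundle() {
    local dest="$1" backup="$2"
    if [ -n "$backup" ] && [ -e "$backup" ]; then
        cp -p "$backup" "$dest"
    else
        rm -f "$dest"
    fi
}

# The full procedure, run as root on the client.
reseed_client_trust() {
    tmp="$(mktemp)"
    trap "rm -f '$tmp'" EXIT
    # Step 1 (Rob): copy the server's p11-kit bundle. root@ over scp is an
    # assumption; use whatever privileged copy path you normally have.
    scp "root@${IPA_SERVER}:${P11KIT_PATH}" "$tmp"
    backup="$(install_bundle "$tmp" "$P11KIT_PATH")"
    # Step 2 (Rob): rebuild the system trust store so NSS and OpenSSL see the new CA.
    update-ca-trust
    # Step 3 (Rob): a cheap round trip to the server. If it still fails,
    # restore the old bundle so the client is no worse off than before.
    if ! ipa user-show admin >/dev/null; then
        echo "still cannot reach ${IPA_SERVER}; rolling back" >&2
        rollback_bundle "$P11KIT_PATH" "$backup"
        update-ca-trust
        return 1
    fi
    ipa-certupdate
}

# Run the procedure only when asked, so the file can also be sourced for its functions.
case "${1:-}" in
    --run) reseed_client_trust ;;
esac
```

Run it as root on each client with `sh reseed-ipa-trust.sh --run`; once one client comes back, the same invocation on the others is what Rob's "repeat it on the others" amounts to. Keeping the rollback is worth the few extra lines: a client that has lost its old trust anchor and not gained a working new one can no longer even run ipa-certupdate, which is exactly the state Eric's log shows.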