Good afternoon,

> Firefox stores the trusted CAs and you can manually remove the conflicting
> one: Edit > Settings > Privacy & Security > Certificates > View
> Certificates... > In the Authorities tab, you can look for your original
> root CA (for which the key was lost) / the one that you created with the
> same subject name, and remove it.
None of my certificates were in the Firefox trusted store, so I added the new root CA. I tried to restart Firefox but still got the error. See ipa-certupdate -v output below:

> # ipa-certupdate -v
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
> ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca
> ipa: DEBUG: Process finished, return code=1
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
>
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: failed to find session_cookie in persistent storage for principal 'ad...@qc.lrtech.ca'
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying https://freeipa.qc.lrtech.ca/ipa/json
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection context.rpcclient_45621904
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json server 'https://freeipa.qc.lrtech.ca/ipa/json'
> ipa: DEBUG: NSSConnection init freeipa.qc.lrtech.ca
> ipa: DEBUG: Connecting: 192.168.254.203:0
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for "CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA"
> ipa: DEBUG: handshake complete, peer = 192.168.254.203:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> ipa: DEBUG: received Set-Cookie 'ipa_session=bd05b8f4e89ed6380efa3d2dbcf7176f; Domain=freeipa.qc.lrtech.ca; Path=/ipa; Expires=Tue, 15 Mar 2022 16:37:05 GMT; Secure; HttpOnly'
> ipa: DEBUG: storing cookie 'ipa_session=bd05b8f4e89ed6380efa3d2dbcf7176f; Domain=freeipa.qc.lrtech.ca; Path=/ipa; Expires=Tue, 15 Mar 2022 16:37:05 GMT; Secure; HttpOnly' for principal ad...@qc.lrtech.ca
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca
> ipa: DEBUG: Process finished, return code=1
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
>
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca
> ipa: DEBUG: Process finished, return code=1
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
>
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl padd user ipa_session_cookie:ad...@qc.lrtech.ca @s
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=253871631
>
> ipa: DEBUG: stderr=
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection context.rpcclient_45621904
> ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$ed0ad850...
> ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$ed0ad850.plugins
> ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
> ipa: DEBUG: importing plugin module ipaclient.plugins.automember
> ipa: DEBUG: importing plugin module ipaclient.plugins.automount
> ipa: DEBUG: importing plugin module ipaclient.plugins.cert
> ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
> ipa: DEBUG: importing plugin module ipaclient.plugins.dns
> ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
> ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
> ipa: DEBUG: importing plugin module ipaclient.plugins.host
> ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
> ipa: DEBUG: importing plugin module ipaclient.plugins.internal
> ipa: DEBUG: importing plugin module ipaclient.plugins.location
> ipa: DEBUG: importing plugin module ipaclient.plugins.migration
> ipa: DEBUG: importing plugin module ipaclient.plugins.misc
> ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
> ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
> ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
> ipa: DEBUG: importing plugin module ipaclient.plugins.permission
> ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
> ipa: DEBUG: importing plugin module ipaclient.plugins.server
> ipa: DEBUG: importing plugin module ipaclient.plugins.service
> ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
> ipa: DEBUG: importing plugin module ipaclient.plugins.topology
> ipa: DEBUG: importing plugin module ipaclient.plugins.trust
> ipa: DEBUG: importing plugin module ipaclient.plugins.user
> ipa: DEBUG: importing plugin module ipaclient.plugins.vault
> ipa: DEBUG: Initializing principal host/client.qc.lrtech...@qc.lrtech.ca using keytab /etc/krb5.keytab
> ipa: DEBUG: using ccache /tmp/tmp-sszy3c/ccache
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line 63, in run
>     ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_name)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1314, in kinit_keytab
>     cred = gssapi.Credentials(name=name, store=store, usage='initiate')
>   File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
>     store=store)
>   File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
>     usage)
>   File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
>
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command failed, exception: GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639122): Generic preauthentication failure
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639122): Generic preauthentication failure
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command failed.

Also, if I run ipa-certupdate on my FreeIPA server, the old certificates get re-imported and my root certificate loses its trust attributes, going from CT,C,C to ,,. It happens in all 4 databases:

/etc/ipa/nssdb
/etc/httpd/alias
/etc/pki/pki-tomcat/alias/
/etc/dirsrv/slapd-QC-LRTECH-CA/

Is there a way to save the good state in FreeIPA?

Eric

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
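The trust-flag regression Eric describes (CT,C,C becoming ,, in all four NSS databases) is something a practitioner would want to check mechanically after each ipa-certupdate run rather than by eye. The script below is an added example, not code from Eric's message or from the FreeIPA project: it parses the certificate listing that `certutil -L` prints, extracts the trust column for a given nickname, decides whether the certificate still carries CA trust (the C flag in each of the SSL, S/MIME and code-signing fields), and prints the `certutil -M -t` command that would set the flags back to CT,C,C. The listing it parses is a constructed sample, and the nickname "Example Root CA" and the "Server-Cert" entry are assumed, not taken from Eric's system; on a live server the sample would be replaced by the output of `certutil -L -d <db>` for each of the four directories he lists (prefix the directory with `sql:` if the database is in SQLite format). Because ipa-certupdate repopulates these databases, as Eric observes, changing the flags with certutil alone is a diagnostic step, not a fix for what the server keeps re-importing.

```shell
#!/bin/sh
# Added example (not from the post or from FreeIPA): report the NSS trust
# flags of a CA certificate in each FreeIPA NSS database and print the
# certutil command that would restore "CT,C,C". Runs offline against a
# constructed certutil -L listing.

# Constructed sample of `certutil -L -d /etc/ipa/nssdb` output: the two
# header lines certutil prints, then one line per certificate. The
# nicknames are assumptions, not real entries from any server.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              ,,
Server-Cert                                                  u,u,u'

# trust_flags_of OUTPUT NICKNAME
# Print the trust-attribute column for NICKNAME. Nicknames may contain
# spaces, so the flags are the last whitespace-separated field and the
# nickname is everything before it, with its original spacing kept.
trust_flags_of() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF == 0 { next }
        # trust flags always look like "x,y,z" with letters only; this
        # skips the two header lines ("Trust Attributes", "SSL,S/MIME,JAR/XPI")
        $NF !~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { next }
        {
            flags = $NF
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # drop the flags column
            if (line == nick) print flags
        }'
}

# ca_trust_ok FLAGS
# Succeed only if the certificate is a trusted CA (flag C) for all three
# usages, SSL, S/MIME and code signing, i.e. at least "C,C,C".
# "CT,C,C" passes; ",," and "u,u,u" (a key we own, no CA trust) fail.
ca_trust_ok() {
    _ssl=${1%%,*}
    _rest=${1#*,}
    _smime=${_rest%%,*}
    _jar=${_rest#*,}
    case "$_ssl"   in *C*) ;; *) return 1 ;; esac
    case "$_smime" in *C*) ;; *) return 1 ;; esac
    case "$_jar"   in *C*) ;; *) return 1 ;; esac
    return 0
}

# restore_command DBDIR NICKNAME
# Print (do not run) the certutil invocation that sets the trust flags the
# root CA is expected to carry, "CT,C,C".
restore_command() {
    printf 'certutil -M -d %s -n "%s" -t "CT,C,C"\n' "$1" "$2"
}

# Demonstration over the four databases named in the post, using the
# constructed sample for each; on a real server replace the sample with
# "$(certutil -L -d "$db")".
for db in /etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias /etc/dirsrv/slapd-QC-LRTECH-CA; do
    flags=$(trust_flags_of "$SAMPLE_CERTUTIL_OUTPUT" "Example Root CA")
    if ca_trust_ok "$flags"; then
        echo "$db: Example Root CA trust flags '$flags' OK"
    else
        echo "$db: Example Root CA trust flags '$flags' lack CA trust; to restore:"
        echo "    $(restore_command "$db" "Example Root CA")"
    fi
done
```

The parser keys on the shape of the trust column rather than on column positions, so it is not thrown off by long nicknames that push the flags past certutil's header alignment; the trust check is deliberately strict (C required in all three fields) because a root that is trusted for SSL only would still break the S/MIME and code-signing chains FreeIPA components build from the same database.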