antonelli@cnaf wrote:
> Hi Rob, Freeipas
>
>>>> Is there a way to bypass this?
>>>
>>> Go back in time as you tried.
>>>
>>>> I've tried to set a date on the server earlier than the expiry date
>>>> of the cert, but I get an SASL/GSSAPI error (even if I renew the
>>>> admin ticket).
>>>
>>> I guess make sure that your time daemon, if any, is stopped.
>
> I managed to install new certs on the ipa server by setting the date
> back in time; now on the other two servers I still get the error
> "Insufficient access: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Credential cache is empty)" (ntpd daemon stopped)

Getting it where? I assume you did a kinit after resetting time?

> Could it be useful to remove the other two nodes from the topology (e.g.
> with ipa-replica-manage re-initialize --from good-ipa-server)?

This only affects the IPA data, not the certificates used by those
servers so it wouldn't help.

rob

>
> thank you
> regards
> Stefano
>
>
> On 7/28/22 22:21, stefano.antonelli@cnaf via FreeIPA-users wrote:
>> Hi Rob
>>
>> thank you for your answer
>>
>>> Why are you running this command? Did you change the CA at the same
>>> time? If not then ipa-server-certinstall is what you want.
>>
>> yes, now it's Comodo
>>
>> I've tried ipa-server-certinstall too but I get "The full certificate
>> chain is not present in ../path/my.key, ../path/my.cer The
>> ipa-server-certinstall command failed."
>>
>> Should I try to create a chain certificate/root_ca? Is there a
>> particular order, e.g. root/other_ca/cert or cert/root/other_ca?
>>
>>>> Is there a way to bypass this?
>>>
>>> Go back in time as you tried.
>>>
>>>> I've tried to set a date on the server earlier than the expiry date
>>>> of the cert, but I get an SASL/GSSAPI error (even if I renew the
>>>> admin ticket).
>>>
>>> I guess make sure that your time daemon, if any, is stopped.
>>
>> perhaps I'll try again stopping ntpd
>>
>> thank you
>> regards
>> Stefano
>>
>>
>> On 2022-07-28 21:28 Rob Crittenden wrote:
>>> stefano.antonelli@cnaf via FreeIPA-users wrote:
>>>> Dear All
>>>>
>>>> we have a three-node FreeIPA 4.6.8 installation with a third-party
>>>> certificate (https / dirsrv). This certificate has expired and when I
>>>> try to follow the
>>>>
>>>> ipa-cacert-manage install ...
>>>> ipa-certupdate
>>>>
>>>> I get the error: "cannot connect to
>>>> https://ipaserver/ipa/json : [SSL: CERTIFICATE_VERIFY_FAILED]
>>>> certificate verify failed (_ssl.c:618)"
>>>
>>> Why are you running this command? Did you change the CA at the same
>>> time? If not then ipa-server-certinstall is what you want.
>>>
>>>> I suppose that this is due to the fact that the https connection is
>>>> blocked for the expired certificate, which I can't renew.
>>>
>>> Yep.
>>>
>>>
>>>> Is there a way to bypass this?
>>>
>>> Go back in time as you tried.
>>>
>>>> I've tried to set a date on the server earlier than the expiry date
>>>> of the cert, but I get an SASL/GSSAPI error (even if I renew the
>>>> admin ticket).
>>>
>>> I guess make sure that your time daemon, if any, is stopped.
>>>
>>>> I was thinking of regenerating /etc/httpd/alias/cert8.db,key3.db with
>>>> the new cert/key but I don't know how
>>>
>>> Theoretically possible but ipa-server-certinstall should handle it for
>>> you. Manual is prone to error.
>>>
>>> rob
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>>
>> Do not reply to spam on the list, report it:
>> https://pagure.io/fedora-infrastructure
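The chain-order question raised above (root/other_ca/cert versus cert/root/other_ca) is not answered in the thread. As an added example that is not part of the list discussion, the shell check below confirms that a PEM bundle is ordered leaf first, that each certificate is followed by its issuer, that the bundle ends at a self-signed root, and flags any certificate that has already expired. It assumes `openssl` is installed; the leaf-first order and the presence of the root in the file are assumptions about what a "full certificate chain" means, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the order and expiry of the
# certificates in a PEM bundle before handing it to ipa-server-certinstall.
# Assumes: openssl on PATH; $1 is a PEM file containing one or more certs.

# Split a PEM bundle into one file per certificate, in file order, under $2.
# Anything outside BEGIN/END CERTIFICATE blocks (e.g. a key) is skipped.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n) }
        n { print > f }
    ' "$1"
}

# Walk the chain: cert i must be issued by cert i+1 and the last cert must
# be self-signed. Prints one line per cert; returns 0 only when the order
# is right and the root is present. Expired certs are flagged but do not
# change the return value (an expired leaf is what is being replaced here).
check_chain_order() {
    dir=$(mktemp -d) || return 2
    split_pem "$1" "$dir"
    prev_issuer=""
    status=0
    subj=""
    iss=""
    for f in "$dir"/*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        exp=""
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null || exp=" [EXPIRED]"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "ORDER ERROR: expected issuer '$prev_issuer', found '$subj'"
            status=1
        fi
        echo "subject=$subj  issuer=$iss$exp"
        prev_issuer=$iss
    done
    if [ "$subj" != "$iss" ]; then
        echo "INCOMPLETE: last cert is not self-signed, root CA missing"
        status=1
    fi
    rm -rf "$dir"
    return $status
}
```

Run it as `check_chain_order chain.pem` on the bundle you intend to pass to `ipa-server-certinstall`; a non-zero exit means the file is not a leaf-to-root chain.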
