Hi,

On Thu, Sep 21, 2023 at 5:04 PM Cristian Le via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I have tried my luck around with all the helpers: `pki-server cert-fix`,
> `ipa-cacert-manage`, `ipa-certupdate`, etc. but each one is failing on me
> for multiple reasons.
> - `ipa-cacert-manage` Cannot update the CA with `--external-cert-file`
> because the root ca is not detected to be in the trust list
>
This command is useful if you need to trust a new external CA or renew IPA
CA. Is your IPA CA expired?

> - `ipa-cert-fix` Was run without overlapping validity time, and the
> certificates were re-created, so now it is not recoverable, neither back in
> time, nor in current time
>
It is recommended to do a backup before running ipa-cert-fix. If you
didn't, and want to try the back-in-time method, you can still find the
original certificates in the LDAP database (below
ou=certificateRepository,ou=ca,o=ipaca) but it requires a bit of searching.
You would need to restore the expired certificates, go back in time and
force the renewal.

> - `pki-tomcat` is failing
>
What is the current situation? Which certs are expired (getcert list)? If
you start the services with "ipactl start --ignore-service-failures", is
pki-tomcat the only service failing?
flo

> It is quite a mess and I would like to ask for some guidance on how one
> could recover manually from such dependency issues:
> - Is it possible to do a `ipa-server-install` and keep the user data?
>
> - If I sign all of the service's certificates manually, what are all of the
> manual steps needed to get the services back up so that the helpers can be
> run.
>   - I've tried to install the CA certificate in the nssdb database, ldap,
> and /etc/ipa/ca.crt. Are there other locations?
>   - I've recreated an httpd certificate signed by the root, but I can't
> figure how to do the same with the ones located in the nssdb database, i.e.
> to recreate a csr with the same data as one of the certificates there
> - What is the order of services that should be updated. My understanding
> is CA -> `certutil`'s CA -> httpd + slapd + pki-tomcat (not sure where the
> last one is or how to edit it) -> `ipa-certupdate`
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
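The two checks suggested in the reply above (which tracked certificates are expired according to `getcert list`, and where the earlier certificates live in the CA's LDAP repository) can be scripted. The following is an added example, not code from the thread or from FreeIPA itself. It parses `getcert list` output (a constructed sample is embedded so it runs offline), classifies each tracked certificate as expired or expiring relative to a reference time, and builds the `ldapsearch` command to list every certificate the CA issued for the affected subject below `ou=certificateRepository,ou=ca,o=ipaca`. The LDAP attribute names (`subjectName`, `serialno`, `notBefore`, `notAfter`, `certStatus`) and the use of `cn=Directory Manager` as the bind DN are assumptions about the Dogtag certificate repository schema; confirm them on a live instance before relying on the query.

```python
"""Triage helper for an IPA master with expired certmonger-tracked certificates.

Added example for the thread above; not FreeIPA's own tooling. Assumptions:
the `getcert list` format (tab-indented "key: value" lines under each
"Request ID" header) and the Dogtag certificateRecord attribute names used
in the ldapsearch filter.
"""
import re
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output (not captured from a real host).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20210901120000':
\tstatus: CA_UNREACHABLE
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2023-09-01 12:00:00 UTC
\tca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4301 (Unable to communicate with CMS (503)).
Request ID '20210901120001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2023-10-05 12:00:00 UTC
Request ID '20210901120002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2025-09-01 12:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\t([^:]+): (.*)$")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return requests


def parse_certmonger_time(value):
    """certmonger prints timestamps such as '2023-09-01 12:00:00 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def classify(requests, now, warn_days=30):
    """Return (expired, expiring_soon): requests past `now` and those within warn_days."""
    expired, soon = [], []
    for req in requests:
        if "expires" not in req:      # e.g. a request that never got a cert
            continue
        exp = parse_certmonger_time(req["expires"])
        if exp <= now:
            expired.append(req)
        elif exp - now <= timedelta(days=warn_days):
            soon.append(req)
    return expired, soon


def ldap_filter_escape(value):
    """RFC 4515 escaping, so a subject copied from getcert output cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldapsearch_command(subject, base="ou=certificateRepository,ou=ca,o=ipaca"):
    """Build the ldapsearch line listing every cert the CA issued for this subject.

    Attribute names are assumed from the Dogtag certificateRecord schema.
    """
    filt = "(subjectName=%s)" % ldap_filter_escape(subject)
    argv = ["ldapsearch", "-LLL", "-D", "cn=Directory Manager", "-W", "-b", base,
            filt, "serialno", "notBefore", "notAfter", "certStatus"]
    return " ".join(shlex.quote(a) for a in argv)


def report(text, now):
    """Human-readable triage: expired first, then soon-to-expire, with the LDAP query."""
    expired, soon = classify(parse_getcert_list(text), now)
    lines = []
    for label, group in (("EXPIRED", expired), ("EXPIRING", soon)):
        for req in group:
            lines.append("%s %s %s (%s) status=%s" % (
                label, req["request_id"], req["subject"], req["expires"], req.get("status")))
            lines.append("  " + ldapsearch_command(req["subject"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GETCERT_LIST, datetime.now(timezone.utc))))
```

On a real master, replace the sample with the output of `getcert list` run as root and pass the current time; `ldapsearch -W` then prompts for the Directory Manager password. Adding `userCertificate;binary` to the attribute list returns the DER certificate itself, which is what you would reinstall before attempting the back-in-time renewal the reply describes.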