Hello,

On 09/10/2023 at 09:42, Florence Blanc-Renaud wrote:
Hi,

On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users <[email protected] <mailto:[email protected]>> wrote:

    Hello,

    When I run the command, I get this message
    CA is not configured on this system
    The ipa-cacert-manage command failed.

"replace our external CA to an Internal one", do you mean that IPA was installed CA-less (with HTTP and LDAP certificates provided by an external CA), or with an embedded CA signed by an external CA?

In the first case, you need to install a CA on any of the IPA servers, using ipa-ca-install. This will create an IPA CA, then you need to download this new IPA CA certificate on all your IPA machines (server/replicas/clients) with ipa-certupdate. Please note that this does not replace the HTTP and LDAP server certificates. Also note that it is recommended to install the CA services on at least 2 servers (using ipa-ca-install on the other server). Full doc is available at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#CA-less-to-CA

When I run the command ipa-ca-install, I get
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Certificate with subject CN=Certificate Authority,O=LIX.POLYTECHNIQUE.FR is present in /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/, cannot continue.

In the second case, you need to identify where the CA role is already installed (ipa config-show displays the list of servers with the CA role), and run the command provided by Rizwan on this node. Full doc is available at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#change-cert-chaining

ipa config-show does not display any CA server


HTH,
flo

Thank you

Regards,


    Thank you

    Regards,

    Frederic

    Frédéric AYRAULT
    Systems and Network Administrator
    Laboratoire d'Informatique de l'Ecole polytechnique
    <http://www.lix.polytechnique.fr>
    [email protected] <mailto:[email protected]>

    On 09/10/2023 at 09:11, Mohammad Rizwan Yusuf wrote:
    Hello,

    What procedure did you follow to renew your CA from external to
    self-signed?

    Please look at this doc:
    https://www.freeipa.org/page/V4/CA_certificate_renewal#ca-certificate-management-utility


    $ ipa-cacert-manage renew --self-signed
    The above command should renew the CA to self-signed.

    On Sun, Oct 8, 2023 at 5:40 PM Frederic Ayrault via FreeIPA-users
    <[email protected]
    <mailto:[email protected]>> wrote:

        Hello,

        I need to replace our external CA to an Internal one.

        We tried several ways without success. One of them was to do
        a backup with ipa-backup or db2bak, reinstall the server with
        an internal CA and restore the data. But this also restores
        the external CA.

        Is there a way to backup or restore only the users, groups,
        roles, ... ?

        I am still running ipa 4.6.8 on CentOS 7

        Thank you

        Regards,

        Frederic

        Frédéric AYRAULT
        Systems and Network Administrator
        Laboratoire d'Informatique de l'Ecole polytechnique
        <http://www.lix.polytechnique.fr>
        [email protected] <mailto:[email protected]>

        _______________________________________________
        FreeIPA-users mailing list --
        [email protected]
        <mailto:[email protected]>
        To unsubscribe send an email to
        [email protected]
        <mailto:[email protected]>
        Fedora Code of Conduct:
        https://docs.fedoraproject.org/en-US/project/code-of-conduct/
        List Guidelines:
        https://fedoraproject.org/wiki/Mailing_list_guidelines
        List Archives:
        
https://lists.fedorahosted.org/archives/list/[email protected]
        Do not reply to spam, report it:
        https://pagure.io/fedora-infrastructure/new_issue



    --

    Regards

    Mohammad Rizwan

    He/Him/His

    IM: rizwan




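A small pre-flight check, added here as an example and not part of the thread or of FreeIPA itself, that applies the two-case distinction Florence draws before anyone runs ipa-ca-install or ipa-cacert-manage. It parses a constructed sample of `ipa config-show` output (the `IPA CA servers:` line that Frederic reports as empty) and a constructed certificate dump in the style of `certutil -L -d /etc/dirsrv/slapd-<REALM> -n <nickname>` (only the `Subject:` line is used), and reports which path from the thread applies, including the leftover-CA-certificate situation that made ipa-ca-install stop with "cannot continue". The host names, realm and function names are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from FreeIPA: triage the two cases
# Florence describes before touching ipa-ca-install / ipa-cacert-manage.
#   1. Is a CA role already present?  -> "IPA CA servers:" line of `ipa config-show`
#   2. If not, does the 389-ds NSS db still hold a "CN=Certificate Authority"
#      certificate?  That is what made ipa-ca-install refuse in the thread.
# All sample outputs, host names and the realm below are constructed.
set -u

# Print the hosts on the "IPA CA servers:" line of `ipa config-show`, one per
# line; prints nothing when the line is absent (CA-less deployment).
ca_servers() {
    sed -n 's/^[[:space:]]*IPA CA servers:[[:space:]]*//p' \
        | tr -d ' ' | tr ',' '\n' | sed '/^$/d'
}

# Exit 0 when a certificate dump (certutil -L -n style, "Subject:" line)
# shows the IPA CA subject, i.e. a leftover CA certificate in the NSS db.
has_ipa_ca_subject() {
    grep -q '^[[:space:]]*Subject: "CN=Certificate Authority,'
}

# triage CONFIG_SHOW_TEXT CERT_DUMP_TEXT
# Prints one of: embedded-ca:<host,...> | ca-less | ca-less-stale-cert
triage() {
    config="$1"; certs="$2"
    servers=$(printf '%s\n' "$config" | ca_servers | tr '\n' ',')
    servers=${servers%,}
    if [ -n "$servers" ]; then
        printf 'embedded-ca:%s\n' "$servers"
    elif printf '%s\n' "$certs" | has_ipa_ca_subject; then
        printf 'ca-less-stale-cert\n'
    else
        printf 'ca-less\n'
    fi
}

# Map a triage result to the step the thread gives for it.
next_step() {
    case "$1" in
        embedded-ca:*)
            echo "CA role on ${1#embedded-ca:}: run 'ipa-cacert-manage renew --self-signed' on one of them (Rizwan's command)." ;;
        ca-less)
            echo "CA-less: run 'ipa-ca-install' on one server (a second is recommended), then 'ipa-certupdate' on every server, replica and client; HTTP/LDAP certs are not replaced." ;;
        ca-less-stale-cert)
            echo "No CA role, but the dirsrv NSS db still carries a CA certificate: ipa-ca-install stops with 'cannot continue' while it is present (the error shown in the thread)." ;;
        *)
            echo "unknown result: $1"; return 1 ;;
    esac
}

# Constructed samples (hosts and realm are placeholders, not from the thread).
SAMPLE_CONFIG_CA='  IPA masters: ipa1.example.test, ipa2.example.test
  IPA CA servers: ipa1.example.test, ipa2.example.test
  IPA CA renewal master: ipa1.example.test'
SAMPLE_CONFIG_CALESS='  IPA masters: ipa1.example.test, ipa2.example.test'
SAMPLE_CERT_STALE='Certificate:
    Data:
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"
        Subject: "CN=Certificate Authority,O=EXAMPLE.TEST"'
SAMPLE_CERT_CLEAN='Certificate:
    Data:
        Issuer: "CN=External Root CA,O=Example Corp"
        Subject: "CN=ipa1.example.test,O=EXAMPLE.TEST"'

# Demo: the three situations the thread touches on.
for r in "$(triage "$SAMPLE_CONFIG_CA" "$SAMPLE_CERT_CLEAN")" \
         "$(triage "$SAMPLE_CONFIG_CALESS" "$SAMPLE_CERT_STALE")" \
         "$(triage "$SAMPLE_CONFIG_CALESS" "$SAMPLE_CERT_CLEAN")"; do
    printf '%s -> ' "$r"; next_step "$r"
done
```

On a real server, feed `ipa config-show` and the certutil dump of the CA nickname into `triage` instead of the samples; the second case is the one to look at when `ipa config-show` lists no CA servers yet ipa-ca-install still complains about a CA certificate in `/etc/dirsrv/slapd-<REALM>/`.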
