Hello,
On 12/10/2023 at 09:42, Florence Blanc-Renaud wrote:
> Hi,
> So far it doesn't look like there was an IPA embedded CA signed by the
> external intermediate CA. Can you check the HTTP and LDAP server
> certificates with certutil? I would like to check who issued them.
> Since it's IPA 4.6.8, the HTTP cert is stored in /etc/httpd/alias.
> Find its nickname with
> # certutil -L -d /etc/httpd/alias/ | grep "u,u,u"
Server-Cert u,u,u
IPA3 u,u,u
> Then get the subject and issuer from the certificate:
> # certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Issuer:|Subject:"
Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
Subject: "E=sys...@lix.polytechnique.fr,CN=ipa3.lix.polytechnique.fr,
> For the LDAP server, same steps but at a different location:
> # certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ | grep "u,u,u"
Server-Cert u,u,u
> # certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -n Server-Cert | egrep "Subject:|Issuer:"
Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
Subject: "E=sys...@lix.polytechnique.fr,CN=ipa3.lix.polytechnique.fr,
> If the issuer is an external CA, it's likely that your IPA deployment
> was installed CA-less.
Sorry, I misunderstood "external CA".
Now, if I am right, I am using an external CA to get certs, but this CA is
not installed on the server.
How can I install an internal CA on a CA-less server?
> The output of ipa config-show would also show if there was a server
> installed with a CA.
Sorry, it is in French:
Longueur maximale du nom d'utilisateur: 32
Base du répertoire utilisateur: /users
Interpréteur de commande par défaut: /bin/bash
Groupe utilisateur par défaut: ipausers
Domaine par défaut pour les courriels: lix.polytechnique.fr
Limite de temps d'une recherche: 2
Limite de taille d'une recherche: 1000
Champs de recherche utilisateur:
uid,givenname,sn,telephonenumber,ou,title
Champs de recherche de groupe: cn,description
Activer le mode migration: TRUE
Base de sujet de certificat: O=LIX.POLYTECHNIQUE.FR
Notification d'expiration de mot de passe (jours): 4
Fonctionnalités du greffon mots de passe: AllowNThash
Ordre de la mappe des utilisateurs SELinux:
guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
Types de PAC par défaut: MS-PAC, nfs:NONE
Maîtres IPA: ipa3.lix.polytechnique.fr
Serveurs NTP IPA: ipa3.lix.polytechnique.fr
Maître de renouvellement d'AC IPA: ipa3.lix.polytechnique.fr
> flo
Thank you
Regards,
Frederic
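A small POSIX shell helper, added here as an example and not part of the thread, that applies Florence's check to certutil output: it pulls the Issuer DN and compares it with the DN FreeIPA assigns its own embedded CA ("CN=Certificate Authority," followed by the certificate subject base shown by ipa config-show). The two certutil dumps are constructed samples; the E= address is a placeholder.

```shell
#!/bin/sh
# Constructed sample of what "certutil -L -d <db> -n Server-Cert" prints on a
# CA-less server (issuer DN copied from the thread, e-mail address is a placeholder).
HTTP_CERT_OUT='Certificate:
    Data:
        Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
        Subject: "E=sysadmin@example.invalid,CN=ipa3.lix.polytechnique.fr,O=LIX.POLYTECHNIQUE.FR"'

# Constructed sample for a server whose cert was issued by the embedded IPA CA.
IPA_CERT_OUT='        Issuer: "CN=Certificate Authority,O=LIX.POLYTECHNIQUE.FR"
        Subject: "CN=ipa3.lix.polytechnique.fr,O=LIX.POLYTECHNIQUE.FR"'

# Print the quoted DN from the first "Issuer:" line of certutil output on stdin.
issuer_dn() {
    sed -n 's/^[[:space:]]*Issuer:[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' | head -n 1
}

# Classify an issuer DN against the DN FreeIPA gives its own CA:
# "CN=Certificate Authority,<subject base from ipa config-show>".
# Prints "ipa-ca" or "external".
classify_issuer() {
    ci_issuer=$1
    ci_subject_base=$2
    if [ "$ci_issuer" = "CN=Certificate Authority,$ci_subject_base" ]; then
        echo ipa-ca
    else
        echo external
    fi
}

# Read a certutil dump from stdin and classify its issuer. On a live server:
#   certutil -L -d /etc/httpd/alias -n Server-Cert | check_cert_dump O=LIX.POLYTECHNIQUE.FR
check_cert_dump() {
    classify_issuer "$(issuer_dn)" "$1"
}

# Demonstration on the constructed samples.
printf '%s\n' "$HTTP_CERT_OUT" | check_cert_dump O=LIX.POLYTECHNIQUE.FR   # external
printf '%s\n' "$IPA_CERT_OUT"  | check_cert_dump O=LIX.POLYTECHNIQUE.FR   # ipa-ca
```

Run the same pipeline against the /etc/dirsrv/slapd-*/ database to check the LDAP certificate; if both report "external", the deployment matches the CA-less case Florence describes.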
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue