Hi,

On Thu, Oct 12, 2023 at 3:44 PM Frederic Ayrault <[email protected]> wrote:

> Just in case, here are the logs after going into the authentication menu in
> the GUI (I get "Erreur IPA 903: InternalError") when trying to get
> certificate information.
>
> In the server roles, CA server is now configured.
>
> Frédéric AYRAULT
> Systems and Network Administrator
> Laboratoire d'Informatique de l'Ecole polytechnique
> <http://www.lix.polytechnique.fr>
> [email protected]
>
> On 12/10/2023 at 15:33, Frederic Ayrault wrote:
>
>> I restored the VM, cleaned all logs and ran ipa-ca-install without the
>> --ca-subject, then with
>> --ca-subject="CN=New Certificate Authority,O=LIX.POLYTECHNIQUE.FR"
>>
>> Please find enclosed the requested logs.

The CA installation fails because it finds an existing entry in
"cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr".
It really looks like your topology used to have a self-signed CA at one point.
If you look at this entry, does it correspond to a CA known to you?

You can extract the certificate using

    ldapsearch -D "cn=directory\ manager" -W -b "cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr" -LLL -o ldif-wrap=no

which should show a value for

    cacertificate;binary:: <content>

Then create a PEM file with the format

    -----BEGIN CERTIFICATE-----
    <here paste the content>
    -----END CERTIFICATE-----

and execute:

    openssl x509 -noout -text -in <pemfile>

You mentioned in a previous email that the server was originally part of a
cluster but got "extracted" out of it to run the tests. Did this set of
servers have a self-signed IPA CA? In the logs we can see references to 3
different CA certificates for "CN=Certificate Authority, O=LIX.POLYTECHNIQUE.FR"
(self-signed, issued in June, June and July 2016). It's really a confusing
situation, as it's the subject that IPA CA would use by default, but it could
also be a completely different origin.

flo

>> Thank you very much for your help
>>
>> On 12/10/2023 at 14:19, Florence Blanc-Renaud wrote:
>>
>>> Hi,
>>>
>>> On Thu, Oct 12, 2023 at 11:41 AM Frederic Ayrault <[email protected]> wrote:
>>>
>>>> On 12/10/2023 at 10:59, Florence Blanc-Renaud wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> If I recap everything so far:
>>>>> - there is a single server, ipa3.lix.polytechnique.fr
>>>>
>>>> It was part of a cluster but it is removed for the tests
>>>>
>>>>> - it was installed CA-less, with http and ldap certificates issued by an
>>>>> external CA (C=FR, O=CNRS, CN=CNRS2-Standard), which is an intermediate
>>>>> CA, signed by the root CA (C=FR, O=CNRS, CN=CNRS2)
>>>>
>>>> exactly
>>>>
>>>>> Your goal is to "replace our external CA to an Internal one", do you
>>>>> mean that you want IPA to act as a certificate authority, or use a
>>>>> different CA authority instead of C=FR, O=CNRS, CN=CNRS2-Standard ?
>>>>
>>>> As I am not able to use CNRS2-Standard, I need to use a different CA
>>>> authority
>>>
>>> Ok, so you went through the right path by using ipa-ca-install. Now we
>>> need to understand why the command failed.
>>> Can you share /var/log/ipareplica-ca-install.log? We may also need
>>> /var/log/pki/pki-ca-spawn.$date and
>>> /var/log/dirsrv/slap-LIX-POLYTECHNIQUE-FR/errors and access.
>>>
>>> flo
>>>
>>>> I thought using IPA as a certificate authority was logical (and should
>>>> also be easier) but I can be wrong :-(
>>>>
>>>>> flo
>>>>
>>>> Frederic
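The extract-and-inspect steps above as one small script (an added example, not code from the thread or from FreeIPA): it turns the unwrapped LDIF output of ldapsearch into a PEM file and prints the fields that identify the CA. It assumes ldapsearch and openssl are installed and uses the entry DN quoted in the thread; the script name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: automate the ldapsearch -> PEM -> openssl
# check. Assumes ldapsearch (openldap-clients) and openssl are installed and
# that the entry DN is the one quoted above.
set -eu

BASE_DN="dc=lix,dc=polytechnique,dc=fr"
CA_DN="cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,${BASE_DN}"

# Read unwrapped LDIF on stdin and emit PEM. The "::" after the attribute name
# means the value is base64, which is exactly the PEM body once folded to
# 64 columns between the armor lines. The name is matched case-insensitively
# because ldapsearch prints the schema name (cACertificate), not lower case.
ldif_to_pem() {
    b64=$(grep -i -E '^cacertificate(;binary)?:: ' | head -n 1 | sed 's/^[^ ]* //')
    if [ -z "$b64" ]; then
        echo "no cACertificate value in LDIF input" >&2
        return 1
    fi
    printf -- '-----BEGIN CERTIFICATE-----\n'
    printf '%s\n' "$b64" | fold -w 64
    printf -- '-----END CERTIFICATE-----\n'
}

# Fetch only that one entry (-s base) and only the attribute we need; -x forces
# a simple bind so -D/-W are honoured instead of SASL/GSSAPI.
fetch_ca_pem() {
    ldapsearch -x -D "cn=directory manager" -W -b "$CA_DN" -s base -LLL \
        -o ldif-wrap=no cACertificate | ldif_to_pem
}

# Print what identifies the CA: subject, issuer, validity window and a SHA-256
# fingerprint to compare against the three 2016 certificates seen in the logs.
describe_pem() {
    openssl x509 -noout -subject -issuer -dates -fingerprint -sha256 -in "$1"
}

# Usage: sh ca_entry_check.sh --fetch   (prompts for the Directory Manager password)
if [ "${1:-}" = "--fetch" ]; then
    fetch_ca_pem > ipa-ca-entry.pem
    describe_pem ipa-ca-entry.pem
fi
```

If the printed subject is "CN=Certificate Authority, O=LIX.POLYTECHNIQUE.FR" with a 2016 validity start, the entry is the leftover self-signed IPA CA from the old cluster rather than anything issued by CNRS.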
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
