I think I removed too much certs, with CNRS2 certs in
/etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR,
ipa-ca-install works better but I still have an error at the end
Done configuring certificate server (pki-tomcatd).
ipaclient.install.ipa_certupdate: ERROR failed to update
LIX.POLYTECHNIQUE.FR IPA CA in /etc/httpd/alias: Command
'/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n LIX.POLYTECHNIQUE.FR
IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero
exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Resubmitting certmonger request '20231013171553' timed out, please
check the request manually
ipa-certupdate give similar errorr
trying https://ipa3.lix.polytechnique.fr/ipa/json
[try 1]: Forwarding 'schema' to json server
'https://ipa3.lix.polytechnique.fr/ipa/json'
did not receive Kerberos credentials
The ipa-certupdate command failed.
[root@ipa3 ~]# kinit admin
Password for ad...@lix.polytechnique.fr:
[root@ipa3 ~]# ipa-certupdate
trying https://ipa3.lix.polytechnique.fr/ipa/json
[try 1]: Forwarding 'schema' to json server
'https://ipa3.lix.polytechnique.fr/ipa/json'
trying https://ipa3.lix.polytechnique.fr/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server
'https://ipa3.lix.polytechnique.fr/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server
'https://ipa3.lix.polytechnique.fr/ipa/session/json'
failed to update LIX.POLYTECHNIQUE.FR IPA CA in /etc/httpd/alias:
Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n
LIX.POLYTECHNIQUE.FR IPA CA -t CT,C,C -a -f
/etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
and ipa-server-upgrade seem to work
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/11]: stopping directory server
[2/11]: saving configuration
[3/11]: disabling listeners
[4/11]: enabling DS global lock
[5/11]: disabling Schema Compat
[6/11]: starting directory server
[7/11]: updating schema
[8/11]: upgrading server
[9/11]: stopping directory server
[10/11]: restoring configuration
[11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Updating mod_nss enabling OCSP]
[Fixing trust flags in /etc/httpd/alias]
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
DNS is not configured
[Ensuring minimal number of connections]
DNS is not configured
[Updating GSSAPI configuration in DNS]
DNS is not configured
[Updating pid-file configuration in DNS]
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Configuring certmonger to stop tracking system certificates for CA
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Setup PKINIT]
[Enable certauth]
The IPA services were upgraded
The ipa-server-upgrade command was successful
But ipactl status do not show pki-tomcatd Service
Thank you
Frederic
Frédéric AYRAULT
Administrateur Systèmes et Réseaux
Laboratoire d'Informatique de l'Ecole polytechnique
<http://www.lix.polytechnique.fr>
f...@lix.polytechnique.fr
Le 13/10/2023 à 17:31, Frederic Ayrault a écrit :
Bonjour,
Le 13/10/2023 à 10:24, Florence Blanc-Renaud a écrit :
Hi,
Your current situation: there was a self-signed IPA CA in one of the
servers, the replica was created without the CA role then extracted
from the original topology. This means there are traces of the CA
installation in the new replica but nothing to actually provide the
service.
So my answer really depends on what you want to achieve. If the new
replica will never be connected any more to the previous topology,
you could follow Fraser's blog about Removing the CA from a FreeIPA
deployment
<https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-ca.html>
on the replica after it has been removed from the original topology,
ensure that everything is cleanup and call ipa-ca-install on the new
replica. This would ensure there is a new CA private key completely
different from the original one. Please note that this blog provides
instructions but 1. this is not an officially supported procedure and
2. the instructions intend to remove the CA, not reinstall a new one
later on.
With Fraser's blog, I managed to remove some certs.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
