Frederic Ayrault via FreeIPA-users wrote: > I think I removed too much certs, with CNRS2 certs in > /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR, > ipa-ca-install works better but I still have an error at the end > >> Done configuring certificate server (pki-tomcatd). >> ipaclient.install.ipa_certupdate: ERROR failed to update >> LIX.POLYTECHNIQUE.FR IPA CA in /etc/httpd/alias: Command >> '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n LIX.POLYTECHNIQUE.FR >> IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero >> exit status 255
I'd recommend you try this command manually to see what the whole error is. You'll need to quote the nickname 'LIX....' >> >> >> Your system may be partly configured. >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> >> Resubmitting certmonger request '20231013171553' timed out, please >> check the request manually > > ipa-certupdate give similar errorr >> trying https://ipa3.lix.polytechnique.fr/ipa/json >> [try 1]: Forwarding 'schema' to json server >> 'https://ipa3.lix.polytechnique.fr/ipa/json' >> did not receive Kerberos credentials >> The ipa-certupdate command failed. >> [root@ipa3 ~]# kinit admin >> Password for [email protected]: >> [root@ipa3 ~]# ipa-certupdate >> trying https://ipa3.lix.polytechnique.fr/ipa/json >> [try 1]: Forwarding 'schema' to json server >> 'https://ipa3.lix.polytechnique.fr/ipa/json' >> trying https://ipa3.lix.polytechnique.fr/ipa/session/json >> [try 1]: Forwarding 'ca_is_enabled/1' to json server >> 'https://ipa3.lix.polytechnique.fr/ipa/session/json' >> [try 1]: Forwarding 'ca_find/1' to json server >> 'https://ipa3.lix.polytechnique.fr/ipa/session/json' >> failed to update LIX.POLYTECHNIQUE.FR IPA CA in /etc/httpd/alias: >> Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n >> LIX.POLYTECHNIQUE.FR IPA CA -t CT,C,C -a -f >> /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255 Running it manually should give more details why it failed. >> >> Systemwide CA database updated. >> Systemwide CA database updated. >> The ipa-certupdate command was successful >> > > and ipa-server-upgrade seem to work >> Upgrading IPA:. Estimated time: 1 minute 30 seconds >> [1/11]: stopping directory server >> [2/11]: saving configuration >> [3/11]: disabling listeners >> [4/11]: enabling DS global lock >> [5/11]: disabling Schema Compat >> [6/11]: starting directory server >> [7/11]: updating schema >> [8/11]: upgrading server >> [9/11]: stopping directory server >> [10/11]: restoring configuration >> [11/11]: starting directory server >> Done. >> Update complete >> Upgrading IPA services >> Upgrading the configuration of the IPA services >> [Verifying that root certificate is published] >> [Migrate CRL publish directory] >> Publish directory already set to new location >> [Verifying that CA proxy configuration is correct] >> [Verifying that KDC configuration is using ipa-kdb backend] >> [Fix DS schema file syntax] >> Syntax already fixed >> [Removing RA cert from DS NSS database] >> RA cert already removed >> [Enable sidgen and extdom plugins by default] >> [Updating HTTPD service IPA configuration] >> [Updating HTTPD service IPA WSGI configuration] >> Nothing to do for configure_httpd_wsgi_conf >> [Updating mod_nss protocol versions] >> Protocol versions already updated >> [Updating mod_nss cipher suite] >> [Updating mod_nss enabling OCSP] >> [Fixing trust flags in /etc/httpd/alias] >> [Moving HTTPD service keytab to gssproxy] >> [Removing self-signed CA] >> [Removing Dogtag 9 CA] >> [Checking for deprecated KDC configuration files] >> [Checking for deprecated backups of Samba configuration files] >> [Add missing CA DNS records] >> IPA CA DNS records already processed >> [Removing deprecated DNS configuration options] >> DNS is not configured >> [Ensuring minimal number of connections] >> DNS is not configured >> [Updating GSSAPI configuration in DNS] >> DNS is not configured >> [Updating pid-file configuration in DNS] >> DNS is not configured >> DNS is not configured >> DNS is not configured >> DNS is not configured >> DNS is not configured >> DNS is not configured >> DNS is not configured >> DNS is not configured >> [Upgrading CA schema] >> CA schema update complete (no changes) >> [Verifying that CA audit signing cert has 2 year validity] >> [Update certmonger certificate renewal configuration] >> Configuring certmonger to stop tracking system certificates for CA >> Certmonger certificate renewal configuration updated >> [Enable PKIX certificate path discovery and validation] >> [Authorizing RA Agent to modify profiles] >> [Authorizing RA Agent to manage lightweight CAs] >> [Ensuring Lightweight CAs container exists in Dogtag database] >> [Adding default OCSP URI configuration] >> pki-tomcat configuration changed, restart pki-tomcat >> [Ensuring CA is using LDAPProfileSubsystem] >> [Migrating certificate profiles to LDAP] >> [Ensuring presence of included profiles] >> [Add default CA ACL] >> Default CA ACL already added >> [Set up lightweight CA key retrieval] >> Creating principal >> Retrieving keytab >> Creating Custodia keys >> Configuring key retriever >> [Create systemd-user hbac service and rule] >> hbac service systemd-user already exists >> [Setup PKINIT] >> [Enable certauth] >> The IPA services were upgraded >> The ipa-server-upgrade command was successful > > But ipactl status do not show pki-tomcatd Service Because the CA installation failed it isn't registered as an IPA service. rob > > Thank you > > Frederic > > Frédéric AYRAULT > Administrateur Systèmes et Réseaux > Laboratoire d'Informatique de l'Ecole polytechnique > <http://www.lix.polytechnique.fr> > [email protected] > > Le 13/10/2023 à 17:31, Frederic Ayrault a écrit : >> Bonjour, >> >> Le 13/10/2023 à 10:24, Florence Blanc-Renaud a écrit : >>> Hi, >>> >>> >>> Your current situation: there was a self-signed IPA CA in one of the >>> servers, the replica was created without the CA role then extracted >>> from the original topology. This means there are traces of the CA >>> installation in the new replica but nothing to actually provide the >>> service. >>> >>> So my answer really depends on what you want to achieve. If the new >>> replica will never be connected any more to the previous topology, >>> you could follow Fraser's blog about Removing the CA from a FreeIPA >>> deployment >>> <https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-ca.html> >>> on the replica after it has been removed from the original topology, >>> ensure that everything is cleanup and call ipa-ca-install on the new >>> replica. This would ensure there is a new CA private key completely >>> different from the original one. Please note that this blog provides >>> instructions but 1. this is not an officially supported procedure and >>> 2. the instructions intend to remove the CA, not reinstall a new one >>> later on. >> >> With Fraser's blog, I managed to remove some certs. > > > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
