Hi,

ipa-server-4.11.0-1.el9.x86_64 is not the latest version, and has a known issue with cert revocation: RHEL-14842 <https://issues.redhat.com/browse/RHEL-14842> / https://pagure.io/freeipa/issue/9345

The fix is available in ipa-server-4.11.0-2.el9.x86_64.

flo
On Mon, Dec 11, 2023 at 2:43 PM Albert Stoune via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> I just tested again on a clean installation with these packages:
>
> ipa-server-4.11.0-1.el9.x86_64
> ipa-server-dns-4.11.0-1.el9.noarch
> idm-pki-ca-11.4.2-1.el9.noarch
>
> And I think I am ready to write steps to reproduce the error:
>
> 1. Initiate FreeIPA installation by executing a command like this:
>
> ipa-server-install --setup-dns --no-forwarders --subject-base='OU = Test, O = TEST.LOCAL, L = SanFrancisco, ST = SanFrancisco C = US' --external-ca --no-ntp --ca-subject='C = US, ST = SanFrancisco , L = SanFrancisco , O = TEST.LOCAL, OU = IT DEPT, CN = EXTERNALROOTCA'
>
> 2. Sign the ipa.csr with these extensions at EXTERNALROOTCA with openssl:
>
> [ v3_intermediate_ca ]
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> basicConstraints = critical, CA:true, pathlen:0
> keyUsage = critical, digitalSignature, cRLSign, keyCertSign
>
> 3. Finish installation, import certs like this: "ipa-server-install --external-cert-file=<PATH TO SIGNED IPA CERT> --external-cert-file=<PATH TO CA CERT>"
>
> 4. Then add a host, create a service, ask for a service certificate:
> ipa-getcert request -K <SERVICE FULL NAME> -d /etc/pki/nssdb/ -n <SERVICE FULL NAME>
>
> The certificate was successfully created and "ipa-getcert list" shows everything is ok.
>
> Then try to revoke the certificate, and you get an error.
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
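A quick way to tell whether an installed ipa-server build predates the fix flo points to, as an added example that is not part of the thread or of the FreeIPA project; it assumes the fixed build is exactly ipa-server-4.11.0-2.el9 as stated above and that `rpm -q ipa-server` prints the package NVRA.

```shell
#!/bin/sh
# Added example: flag ipa-server builds older than the one carrying the fix
# for the cert-revocation issue (RHEL-14842 / freeipa#9345) named in the thread.

FIXED_VR="4.11.0-2.el9"   # version-release of the fixed build, per the thread

# "ipa-server-4.11.0-1.el9.x86_64" -> "4.11.0-1.el9"
nvra_to_vr() {
    vr=${1%.*}                       # drop the trailing ".<arch>"
    printf '%s\n' "${vr#ipa-server-}" # drop the package name prefix
}

# True (exit 0) when version-release $1 sorts before $2.
# Fields are split on '.' and '-' and compared numerically; a non-numeric
# field such as "el9" counts as 0 on both sides, which is fine for these NVRs.
vr_older() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.-]"); m = split(b, y, "[.-]")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1   # equal: not older
    }'
}

# True (exit 0) when the given ipa-server NVRA is affected.
is_affected() {
    vr_older "$(nvra_to_vr "$1")" "$FIXED_VR"
}

# Live check on a host that has rpm; silently skipped elsewhere.
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q ipa-server 2>/dev/null) && {
        if is_affected "$installed"; then
            echo "AFFECTED: $installed (fix in ipa-server-$FIXED_VR)"
        else
            echo "OK: $installed"
        fi
    }
fi
```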