I will copy/paste it so:

Hello

[root@prod-us-freeipa backup]# getcert list | grep expires
expires: 2026-08-25 10:47:09 WEST
expires: 2026-08-25 10:46:16 WEST
expires: 2026-08-25 10:46:05 WEST
expires: 2026-08-25 10:46:12 WEST
expires: 2044-09-04 10:46:01 WEST
expires: 2026-08-25 10:46:09 WEST
expires: 2026-09-05 10:47:42 WEST

Request ID '20240904094741':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=prod-us-freeipa.example.com,O=EXAMPLE.COM
        issued: 2024-09-04 10:47:42 WEST
        expires: 2026-09-05 10:47:42 WEST
        dns: prod-us-freeipa.example.com
        principal name: krbtgt/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes

I think the problem is related to some certificate that is included in the backup with "--data". If I do a full restore it breaks the PKI and it seems to be impossible to restore. The "--data" flag may have some certificate injected that is different from dn: uid=pkidbuser,ou=people,o=ipaca.

On the dashboard the error is: Your session has expired. Please log in again.

In the logs:

[Wed Sep 04 10:09:13.645078 2024] [wsgi:error] [pid 254:tid 438] [remote 172.21.0.1:48490] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Wed Sep 04 10:09:13.819864 2024] [:warn] [pid 257:tid 325] [client 172.21.0.1:48500] failed to set perms (3140) on file (/run/ipa/ccaches/[email protected])!, referer: https://prod-us-freeipa.example.com/ipa/ui
[Wed Sep 04 10:09:14.045869 2024] [wsgi:error] [pid 253:tid 432] [remote 172.21.0.1:48504] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials

But I cannot find what is really causing the issue...
If I do a full restore with the following procedure I can log in to the web portal, but the PKI is broken.

> 1º install new freeipa
> 2º restore /var/lib/ipa/private/httpd.key
> 3º restore /var/lib/ipa/gssproxy/http.keytab
> 5º docker exec -ti ipa-freeipa-1 bash
> 6º ipa-restore /var/lib/ipa/backup/backup

Is there some way to do a new "pki" install in an existing installed/restored freeipa? I cannot leave the PKI down, it will break the upgrades for future versions. That's why I tried to restore data-only.

On Wed, Sep 4, 2024 at 1:35 PM flo--- via FreeIPA-users <[email protected]> wrote:

> The content of this message was lost. It was probably cross-posted to
> multiple lists and previously handled on another list.
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
Kind Regards
Duarte Petiz
DevOps Team Lead | jscrambler.com
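As an added example (not from this thread or the FreeIPA project), a small Python check that parses `getcert list` output of the kind pasted above and flags tracking requests that are not in MONITORING, that certmonger marks as stuck, or whose certificate has expired or expires soon; this is the first thing worth verifying on a restored server before trusting its PKI. The first request block is taken from the output above; the second block (`example-stuck-request`) and the clock value are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format `getcert list` prints (second block is made up).
SAMPLE = """\
Request ID '20240904094741':
        status: MONITORING
        stuck: no
        subject: CN=prod-us-freeipa.example.com,O=EXAMPLE.COM
        expires: 2026-09-05 10:47:42 WEST
Request ID 'example-stuck-request':
        status: CA_UNREACHABLE
        stuck: yes
        subject: CN=example-service,O=EXAMPLE.COM
        expires: 2024-09-20 08:00:00 WEST
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def check_requests(requests, now, warn_days=30):
    """Return (request id, problem) pairs an operator should look at."""
    problems = []
    for r in requests:
        if r.get("status") != "MONITORING":
            problems.append((r["id"], "status " + r.get("status", "?")))
        if r.get("stuck") == "yes":
            problems.append((r["id"], "certmonger reports the request as stuck"))
        exp = r.get("expires")
        if exp:
            # Drop the zone abbreviation (e.g. WEST) and compare in local time.
            when = datetime.strptime(exp.rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")
            if when <= now:
                problems.append((r["id"], "certificate already expired"))
            elif when - now <= timedelta(days=warn_days):
                problems.append((r["id"], "expires within %d days" % warn_days))
    return problems
```

On a live host, feed it the real output with `check_requests(parse_getcert(subprocess.check_output(["getcert", "list"], text=True)), datetime.now())`.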
