Duarte Petiz via FreeIPA-users wrote:
> I will copy/paste it so:
>
> Hello
>
> [root@prod-us-freeipa backup]# getcert list | grep expires
> expires: 2026-08-25 10:47:09 WEST
> expires: 2026-08-25 10:46:16 WEST
> expires: 2026-08-25 10:46:05 WEST
> expires: 2026-08-25 10:46:12 WEST
> expires: 2044-09-04 10:46:01 WEST
> expires: 2026-08-25 10:46:09 WEST
> expires: 2026-09-05 10:47:42 WEST
>
> Request ID '20240904094741':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=prod-us-freeipa.example.com,O=EXAMPLE.COM
> issued: 2024-09-04 10:47:42 WEST
> expires: 2026-09-05 10:47:42 WEST
> dns: prod-us-freeipa.example.com
> principal name: krbtgt/[email protected]
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-pkinit-KPKdc
> profile: KDCs_PKINIT_Certs
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> track: yes
> auto-renew: yes
>
>
> I think the problem is related to some certificate that is included in
> the backup with "--data".
> If I do a full restore it breaks the PKI and it seems to be impossible to
> restore.
> The "--data" flag maybe has some certificate injected that is different
> from dn: uid=pkidbuser,ou=people,o=ipaca.
> On the dashboard the error is: Your session has expired. Please log in
> again.
>
> In the logs:
> [Wed Sep 04 10:09:13.645078 2024] [wsgi:error] [pid 254:tid 438]
> [remote 172.21.0.1:48490] ipa: INFO: 401
> Unauthorized: Insufficient access: Invalid credentials
> [Wed Sep 04 10:09:13.819864 2024] [:warn] [pid 257:tid 325]
> [client 172.21.0.1:48500] failed to set perms
> (3140) on file (/run/ipa/ccaches/[email protected])!,
> referer: https://prod-us-freeipa.example.com/ipa/ui
> [Wed Sep 04 10:09:14.045869 2024] [wsgi:error] [pid 253:tid 432]
> [remote 172.21.0.1:48504] ipa: INFO: 401
> Unauthorized: Insufficient access: Invalid credentials
>
>
> But I cannot find what is really causing the issue...
>
>
> If I do a full restore with the following procedure I can log in to
> the web portal, but the PKI gets broken.
>
> 1º install new freeipa
> 2º restore /var/lib/ipa/private/httpd.key
> 3º restore /var/lib/ipa/gssproxy/http.keytab
> 5º docker exec -ti ipa-freeipa-1 bash
> 6º ipa-restore /var/lib/ipa/backup/backup
>
> Is there some way to do a new "pki" install in an existing
> installed/restored freeipa?
> I cannot let the PKI go down; it will break the upgrades for future
> versions. That's why I tried to restore data-only.
There is no supported way to replace the CA.
Can you install the {free}ipa-healthcheck package and run
ipa-healthcheck? It is likely to return a slew of errors because the CA
will be unresponsive but it will also check a number of things that
could lead to a root cause.
rob
>
>
> On Wed, Sep 4, 2024 at 1:35 PM flo--- via FreeIPA-users
> <[email protected]> wrote:
>
> The content of this message was lost. It was probably cross-posted to
> multiple lists and previously handled on another list.
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> <mailto:[email protected]>
> To unsubscribe send an email to
> [email protected]
> <mailto:[email protected]>
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
>
>
> --
> /Kind Regards/
>
> *Duarte Petiz*
> *DevOps Team Lead* | jscrambler.com
>
>
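The certmonger output quoted above (status, stuck, expires, track, auto-renew) is exactly what an operator should check before and after a restore, rather than eyeballing `getcert list | grep expires`. The following is an added example, not code from this thread or from the FreeIPA project: a bash audit that parses `getcert list` output and flags requests that are stuck, untracked, not auto-renewing, or expiring on or before a cutoff date. The sample output is constructed to mimic the layout shown in the thread; the second request, its CA_UNREACHABLE status and the /var/lib/ipa/certs/httpd.crt path are assumptions for illustration, and the `--live` mode assumes GNU `date`.

```shell
#!/bin/bash
# Added example (not from the thread or the FreeIPA project): audit
# `getcert list` output for certmonger requests that need attention.
# Expiry dates are compared as ISO YYYY-MM-DD strings, so GNU date is
# only needed for the optional --live mode.

# Constructed sample in the layout getcert prints; real input comes from
# running `getcert list` on the IPA server. The second request is an
# assumed, illustrative broken entry.
sample_getcert_output() {
  cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20240904094741':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        subject: CN=prod-us-freeipa.example.com,O=EXAMPLE.COM
        expires: 2026-09-05 10:47:42 WEST
        profile: KDCs_PKINIT_Certs
        track: yes
        auto-renew: yes
Request ID '20240904094600':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        subject: CN=prod-us-freeipa.example.com,O=EXAMPLE.COM
        expires: 2026-08-25 10:46:05 WEST
        track: yes
        auto-renew: no
EOF
}

# getcert_audit CUTOFF_DATE   (reads getcert output on stdin)
# Prints "REQUEST_ID<TAB>finding" for each problem found; always exits 0
# so it can sit in a pipeline. CUTOFF_DATE is YYYY-MM-DD; a certificate
# expiring on or before it is reported.
getcert_audit() {
  awk -v cutoff="$1" '
    function flush() {
      if (id == "") return
      if (stuck == "yes")     print id "\tstuck (status " status ")"
      if (track != "yes")     print id "\tnot tracked by certmonger"
      if (autorenew != "yes") print id "\tauto-renew disabled"
      if (expires != "" && expires <= cutoff)
        print id "\texpires " expires " (on/before " cutoff ")"
    }
    /^Request ID/ {
      flush()
      # $3 is the quoted request id followed by a colon; strip both
      id = substr($3, 2, length($3) - 3)
      status = stuck = track = autorenew = expires = ""
      next
    }
    /^[ \t]*status:/     { status = $2 }
    /^[ \t]*stuck:/      { stuck = $2 }
    /^[ \t]*track:/      { track = $2 }
    /^[ \t]*auto-renew:/ { autorenew = $2 }
    /^[ \t]*expires:/    { expires = $2 }   # keep only the date part
    END { flush() }
  '
}

# Number of findings the constructed sample produces at a given cutoff.
sample_finding_count() {
  sample_getcert_output | getcert_audit "$1" | wc -l | tr -d ' '
}

case "${1:-}" in
  --live) getcert list | getcert_audit "$(date -d '+30 days' +%F)" ;;  # GNU date
  --demo) sample_getcert_output | getcert_audit 2026-08-31 ;;
esac
```

Run with `--demo` to see the constructed sample audited, or `--live` on the IPA server to audit the real tracking database with a 30-day expiry horizon. An empty report is the healthy state; any "stuck" finding is worth chasing before an upgrade or restore, since certmonger will not renew a request it cannot progress.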