On 11/30/20 13:16, Rob Crittenden via FreeIPA-users wrote:
> David Andrzejewski via FreeIPA-users wrote:
>> After rooting around in the Dogtag source and documentation to try and
>> figure out what it's doing, I noticed that a KRA connector was
>> configured on my server "ipa2" (which is what "ipa" is going to replicate):
>>
>> ❯ pki -u admin ca-kraconnector-show
>> Enter Password:
>> WARNING: UNTRUSTED ISSUER encountered on
>> 'CN=ipa2.example.com,O=EXAMPLE.COM' indicates a non-trusted CA cert
>> 'CN=Certificate Authority,O=EXAMPLE.COM'
>> Trust this certificate (y/N)? y
>>
>> Host: ipa2.example.com:443
>> Enabled: true
>> Local: false
>> Timeout: 30
>> URI: /kra/agent/kra/connector
>> Transport Cert:
>>
>> MII.....
>>
>> So, on a hunch, I deleted that connector from ipa2 after saving off the
>> information and cert:
>>
>> ❯ pki -u admin ca-kraconnector-del --host ipa2.example.com --port 443
>> Enter Password:
>> WARNING: UNTRUSTED ISSUER encountered on
>> 'CN=ipa2.example.com,O=EXAMPLE.COM' indicates a non-trusted CA cert
>> 'CN=Certificate Authority,O=EXAMPLE.COM'
>> Trust this certificate (y/N)? y
>> --------------------------------------------
>> Removed KRA host "ipa2.example.com:443"
>> --------------------------------------------
>>
>> I then re-ran ipa-replica-install on "ipa" and it seemed to work fine -
>> at least I didn't get any errors.
>>
>> So now ... Because I am nowhere near an expert at Dogtag, did I do the
>> wrong thing by removing that kra connector? Will there be any
>> unintended side effects? Or was that kra connector some leftover that
>> shouldn't have been there? The server ipa2 was not the original IPA
>> server, it started as a replica.
>
> That connector is called a security domain in dogtag parlance. It
> registers which services are enabled on a given host. For the CA and KRA
> it is basically informational. For the TPS system it is necessary to do
> additional cleanup.
>
> Since IPA shuts down the CA during uninstall this domain is never
> updated leaving stale data. Removing it from LDAP like you did is the
> workaround.
>
> We're considering how we want to fix this now.
>
> rob
I'm battling something similar trying to spin up new EL9 IPA servers with
ipa-server-4.11.0-15.el9_4.alma.1.x86_64. ipa-kra-install fails with the same
message about an existing connector. It's unclear to me what state the existing
IPA servers should be in with regards to ca-kra connectors. I've also filed
https://pagure.io/freeipa/issue/9692

Any help would be greatly appreciated.

-- 
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems                      720-772-5637
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                    [email protected]
Boulder, CO 80301                 https://www.nwra.com/
