Hi,

On Fri, Nov 1, 2024 at 4:48 PM Orion Poplawski via FreeIPA-users <[email protected]> wrote:

> On 11/30/20 13:16, Rob Crittenden via FreeIPA-users wrote:
> > David Andrzejewski via FreeIPA-users wrote:
> >> After rooting around in the Dogtag source and documentation to try and
> >> figure out what it's doing, I noticed that a KRA connector was
> >> configured on my server "ipa2" (which is what "ipa" is going to replicate):
> >>
> >> ❯ pki -u admin ca-kraconnector-show
> >> Enter Password:
> >> WARNING: UNTRUSTED ISSUER encountered on 'CN=ipa2.example.com,O=EXAMPLE.COM' indicates a non-trusted CA cert 'CN=Certificate Authority,O=EXAMPLE.COM'
> >> Trust this certificate (y/N)? y
> >>
> >> Host: ipa2.example.com:443
> >> Enabled: true
> >> Local: false
> >> Timeout: 30
> >> URI: /kra/agent/kra/connector
> >> Transport Cert:
> >>
> >> MII.....
> >>
> >> So, on a hunch, I deleted that connector from ipa2 after saving off the
> >> information and cert:
> >>
> >> ❯ pki -u admin ca-kraconnector-del --host ipa2.example.com --port 443
> >> Enter Password:
> >> WARNING: UNTRUSTED ISSUER encountered on 'CN=ipa2.example.com,O=EXAMPLE.COM' indicates a non-trusted CA cert 'CN=Certificate Authority,O=EXAMPLE.COM'
> >> Trust this certificate (y/N)? y
> >> --------------------------------------------
> >> Removed KRA host "ipa2.example.com:443"
> >> --------------------------------------------
> >>
> >> I then re-ran ipa-replica-install on "ipa" and it seemed to work fine -
> >> at least I didn't get any errors.
> >>
> >> So now ... Because I am nowhere near an expert at Dogtag, did I do the
> >> wrong thing by removing that KRA connector? Will there be any
> >> unintended side effects? Or was that KRA connector some leftover that
> >> shouldn't have been there? The server ipa2 was not the original IPA
> >> server; it started as a replica.
> >
> > That connector is called a security domain in Dogtag parlance. It
> > registers which services are enabled on a given host. For the CA and KRA
> > it is basically informational. For the TPS system it is necessary to do
> > additional cleanup.
> >
> > Since IPA shuts down the CA during uninstall, this domain is never
> > updated, leaving stale data. Removing it from LDAP like you did is the
> > workaround.
> >
> > We're considering how we want to fix this now.
> >
> > rob
>
> I'm battling something similar trying to spin up new EL9 IPA servers with
> ipa-server-4.11.0-15.el9_4.alma.1.x86_64. ipa-kra-install fails with the
> same message about an existing connector. It's unclear to me what state the
> existing IPA servers should be in with regards to CA-KRA connectors. I've
> also filed https://pagure.io/freeipa/issue/9692
>
> Any help would be greatly appreciated.

I've added a comment in the above ticket (the issue likely happens because the transport cert was renewed but not updated in CS.cfg). You can follow the steps I wrote in the ticket to update CS.cfg on the master. Then you will have to uninstall the replica completely (unfortunately there is no ipa-kra-install --uninstall command; you need to do ipa server-del <replica> on the master, then ipa-server-install --uninstall on the replica), and re-install it.

HTH,
flo

> --
> Orion Poplawski
> he/him/his - surely the least important thing about me
> Manager of IT Systems                      720-772-5637
> NWRA, Boulder Office                       FAX: 303-415-9702
> 3380 Mitchell Lane                         [email protected]
> Boulder, CO 80301                          https://www.nwra.com/
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
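A check for the condition flo points to in the reply above (a KRA transport certificate that was renewed but never written back to the CA's CS.cfg), written as an added example for this page; it is not code from the thread, from FreeIPA or from Dogtag. It assumes the CS.cfg path /etc/pki/pki-tomcat/ca/CS.cfg, that the key ca.connector.KRA.transportCert holds the certificate as a single base64 line without PEM armour, and that the live transport certificate sits in the Dogtag NSS database /etc/pki/pki-tomcat/alias under the nickname "transportCert cert-pki-kra". Confirm those three on your own deployment before acting on the result, and read the ticket for the actual CS.cfg update steps; this script only detects the mismatch, it does not change anything.

```shell
#!/bin/sh
# Added example, not FreeIPA/Dogtag code: detect a stale KRA transport cert in
# the CA's CS.cfg by comparing it with the certificate currently in the NSS DB.
#
# Assumptions (verify on your own servers):
#   CS_CFG          - Dogtag CA config, key ca.connector.KRA.transportCert holds
#                     the DER cert as one base64 line, no PEM armour
#   NSSDB           - Dogtag NSS database holding the KRA transport cert
#   TRANSPORT_NICK  - nickname of the live transport cert in that database
CS_CFG=${CS_CFG:-/etc/pki/pki-tomcat/ca/CS.cfg}
NSSDB=${NSSDB:-/etc/pki/pki-tomcat/alias}
TRANSPORT_NICK=${TRANSPORT_NICK:-"transportCert cert-pki-kra"}

# Normalise a PEM certificate read from stdin to a single base64 line so it can
# be compared byte-for-byte with the CS.cfg value.
pem_to_b64() {
    sed -e '/-----BEGIN/d' -e '/-----END/d' | tr -d '\n\r '
}

# Print the base64 transport cert recorded in the CS.cfg file given as $1
# (empty output if the key is absent).
cs_cfg_transport_cert() {
    sed -n 's/^ca\.connector\.KRA\.transportCert=//p' "$1" | tr -d '\n\r '
}

# Compare the CS.cfg value ($1 = CS.cfg path) with a PEM cert file ($2).
# Returns 0 on match, 1 on mismatch (the stale-CS.cfg condition from the
# thread), 2 if either side could not be read.
transport_cert_matches() {
    cfg_b64=$(cs_cfg_transport_cert "$1")
    live_b64=$(pem_to_b64 < "$2")
    [ -n "$cfg_b64" ] && [ -n "$live_b64" ] || return 2
    [ "$cfg_b64" = "$live_b64" ]
}

# Live check on a CA server: export the current transport cert from the NSS DB
# (certutil -L -n NICK -a prints it in PEM form) and compare it with CS.cfg.
check_live() {
    tmp=$(mktemp) || return 2
    if ! certutil -L -d "$NSSDB" -n "$TRANSPORT_NICK" -a > "$tmp"; then
        rm -f "$tmp"
        echo "ERROR: could not export '$TRANSPORT_NICK' from $NSSDB" >&2
        return 2
    fi
    rc=0
    transport_cert_matches "$CS_CFG" "$tmp" || rc=$?
    rm -f "$tmp"
    case $rc in
        0) echo "OK: ca.connector.KRA.transportCert matches '$TRANSPORT_NICK'" ;;
        1) echo "STALE: ca.connector.KRA.transportCert in $CS_CFG differs from '$TRANSPORT_NICK'; update CS.cfg before re-running ipa-kra-install" ;;
        *) echo "ERROR: transport cert missing from CS.cfg or NSS export" ;;
    esac
    return $rc
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as root on the master with `sh kra-transport-check.sh --live`; exit status 1 means CS.cfg still carries the pre-renewal certificate, which is the state in which a new replica's ipa-kra-install would be handed a connector entry whose transport certificate the KRA no longer uses. The comparison is deliberately a plain string match on the normalised base64: any renewal produces a different DER blob, and a match rules out the stale-CS.cfg explanation so you can look elsewhere.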
