On 16/07/2025 23:36, Ty zang via FreeIPA-users wrote:
Hey all,
I am troubleshooting an authentication issue with my clients that happened after a mass
PKI cert expiration on my third party CA (root, issuer, and a ton of others). When I
authenticate on a client to IPA, it sends my request to the RADIUS server (RSA Auth Mgr)
and prompts for first token and second token. Once I enter those, it lets me in (SSH).
But for xRDP, it keeps failing and the only log I have on RSA is "bad tokencode but
good PIN". I do see an error code 7 in one of the logs (was it secure log?).
So that is how I got to where I am. I looked at /etc/krb5.conf and it points to
two files:
/var/lib/ipa-client/pki/ca-bundle
/var/lib/ipa-client/pki/kdc-ca-bundle
When I look at the certs in these files, I do see the expired root and issuer (and a
valid IPA certificate authority cert). What is the proper way to update these two third
party certs in these files on the ipa clients? Should I use keytool/openssl to rip the
old ones out and import the new PEM files? I believe I already dropped these two certs
under /etc/pki/ca-trust/source/anchors/ and ran "update-ca-trust" but these
files seem to remain invalid.
Just looking for the proper way, so appreciate the help!
Have you tried ipa-certupdate?
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
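As an added example (not code from the thread or from FreeIPA), a POSIX shell check that walks each certificate in a bundle such as the two files Ty lists and reports which entries are expired, or will expire within a chosen window; it is useful for confirming the state of ca-bundle and kdc-ca-bundle before and after running ipa-certupdate. The sample bundle it builds is made of constructed self-signed certificates, not the poster's CA, and the file paths in the demo are assumptions.

```shell
#!/bin/sh
# Added example: list every certificate in a PEM bundle such as
# /var/lib/ipa-client/pki/ca-bundle or kdc-ca-bundle and flag those that are
# expired now (window 0) or will expire within WINDOW seconds.
# Output: one "STATUS<TAB>notAfter<TAB>subject" line per cert; the return
# value is the number of flagged certs (an exit status, so it is only exact
# for bundles with fewer than 256 certificates).
check_bundle() {
    bundle="$1"
    window="${2:-0}"
    bad=0
    tmp=$(mktemp -d)
    # split the bundle into one file per certificate (cert1.pem, cert2.pem, ...)
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out                           { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject)
        notafter=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
        # -checkend exits non-zero when the cert expires within WINDOW seconds
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            status=OK
        else
            status=FAIL
            bad=$((bad + 1))
        fi
        printf '%s\t%s\t%s\n' "$status" "$notafter" "$subject"
    done
    rm -rf "$tmp"
    return "$bad"
}

# Constructed sample input: two self-signed CAs (not the poster's), one valid
# for a day and one for ten years, concatenated the way a bundle file is.
make_sample_bundle() {
    out="$1"
    keys=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$keys/k1.pem" \
        -subj '/CN=Constructed short-lived CA' -days 1 -out "$keys/c1.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$keys/k2.pem" \
        -subj '/CN=Constructed long-lived CA' -days 3650 -out "$keys/c2.pem" 2>/dev/null
    cat "$keys/c1.pem" "$keys/c2.pem" > "$out"
    rm -rf "$keys"
}

# On a real client: check_bundle /var/lib/ipa-client/pki/ca-bundle 0
if [ "${1:-}" = "--demo" ]; then
    make_sample_bundle /tmp/sample-bundle.pem
    check_bundle /tmp/sample-bundle.pem $((30 * 86400)); echo "flagged: $?"
fi
```

Run it with `--demo` to see the constructed bundle flagged with a 30-day window; on a client, point it at the two bundle paths with window 0 to list exactly the expired entries.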
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org