On 08/02/2016 08:19 AM, Florence Blanc-Renaud wrote:
> On 08/02/2016 03:17 PM, Ian Harding wrote:
>> Hello!
>>
>> I have been using FreeIPA for a while in our network with 6 replicas and
>> it's been working great. I seem to have made a wee mistake though and
>> I'd appreciate some help.
>>
>> I did this:
>>
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> on one server because I had a new cert for our internal domain and I
>> thought it might be nice to use the same cert for all our internal web
>> services.
>>
>> It worked fine but now when I'm on that server I get
>> SEC_ERROR_UNTRUSTED_ISSUER when I run ipa commands. Is there any way I
>> can roll this back, or make it work as is?
>>
>> Thanks!
>>
>> -Ian
>>
> Hi Ian,
>
> if the certificate that you installed was issued by a CA not known by
> IPA (let's call him the issuer), then you need to add this issuer cert
> first using:
>
> ipa-cacert-manage install <issuer certificate file> -n nickname -t C,,
> kinit admin
> ipa-certupdate
>
> You can check that the issuer cert is properly installed in
> /etc/httpd/alias and /etc/ipa/nssdb with:
>
> certutil -L -d /etc/httpd/alias
> certutil -L -d /etc/ipa/nssdb
>
> where it should appear with C,, flags
>
> Hope this helps,
> Flo.
>
I seem to have created a problem here. First some background.

freeipa-sea.bpt.rocks suffered LDAP database corruption on a messy reboot. I tried to delete it from the FreeIPA ecosystem but did a poor job, then rebuilt it with the same name and IP address. Replication issues ensued.

I chose this inopportune time to install the SSL certificate as described above.

I have spent today deleting old replication agreements and reestablishing them, which seems to have worked on most of the replicas. However, I see this now on most of them:

[root@bpt-nyc1-nfs ianh]# ipa-csreplica-manage list
Directory Manager password:
seattlenfs.bpt.rocks: master
bpt-nyc1-nfs.bpt.rocks: master
freeipa-sea.bpt.rocks: CA not configured
bellevuenfs.bpt.rocks: master
freeipa-dal.bpt.rocks: master
edinburghnfs.bpt.rocks: master
fremontnis.bpt.rocks: master

Is this related to the original deletion or the subsequent addition of the certificate?

I installed the replicas with their own CA. I have added the certificate root to the replicas as mentioned above.

Thanks!

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
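The trust-flag check Flo describes in the quoted reply (the issuer cert should show up in `certutil -L` with `C,,` flags) can be scripted so it is done the same way on every replica. The script below is an added example written for this page, not code from the thread or from FreeIPA. The certutil listing is a constructed sample of `certutil -L -d /etc/httpd/alias` output, and the nickname `BPT Internal Root CA` is an assumed name for the issuer; substitute whatever was passed to `ipa-cacert-manage install -n`. The trust column is `SSL,S/MIME,JAR/XPI`; the `C` in the first (SSL) field is what marks the entry as a CA trusted to issue server certificates, which is the field that matters for the HTTP and LDAP server certs.

```shell
#!/bin/sh
# Added example: verify that an issuer CA carries the C flag in the SSL trust
# field of a certutil -L listing. Works on saved listing text, so it can be run
# offline or fed the output of: certutil -L -d /etc/httpd/alias

# Constructed sample of `certutil -L -d /etc/httpd/alias` output (not real data).
# "BPT Internal Root CA" is an assumed nickname for the third-party issuer.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

BPT Internal Root CA                                         C,,
Server-Cert                                                  u,u,u
BPT.ROCKS IPA CA                                             CT,C,C'

# trust_flags LISTING NICKNAME
#   Prints the trust-attribute column for NICKNAME (e.g. "C,,"), exit 1 if absent.
#   Nicknames may contain spaces, so the last field is taken as the flags and
#   the rest of the line (whitespace-normalised) is compared against NICKNAME.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 && $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            flags = $NF; $NF = ""; sub(/[ \t]+$/, "")
            if ($0 == nick) { print flags; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# ca_trusted_for_ssl LISTING NICKNAME
#   exit 0 if the SSL field (before the first comma) contains C (trusted CA),
#   exit 1 if the cert is present but not trusted as an SSL CA,
#   exit 2 if no cert with that nickname is in the listing.
ca_trusted_for_ssl() {
    flags=$(trust_flags "$1" "$2") || return 2
    case "${flags%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage against the sample listing; point it at real output with
#   ca_trusted_for_ssl "$(certutil -L -d /etc/httpd/alias)" "<nickname>"
if ca_trusted_for_ssl "$SAMPLE_LISTING" "BPT Internal Root CA"; then
    echo "issuer is trusted as an SSL CA (C flag present in SSL field)"
else
    echo "issuer missing or not trusted; re-run: ipa-cacert-manage install <cert> -n <nickname> -t C,, then ipa-certupdate"
fi
```

Run the same check against `/etc/ipa/nssdb` as well, since Flo's instructions say the issuer must be present in both databases; a server where `ipa-certupdate` was never run after the install will typically pass on `/etc/httpd/alias` and fail on `/etc/ipa/nssdb`, which is the database the `ipa` client commands consult.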
