Hi,

As your email refers to self-signed and signed CA certificate, can you please clarify the exact steps that you followed? It looks like
- you first installed FreeIPA with a self-signed CA
- you added an external CA (did you use ipa-cacert-manage install on 1 server then ipa-certupdate on all replicas?)
- you replaced the httpd/LDAP certificates with a cert signed from the external CA (you probably ran ipa-server-certinstall on one server).

In this case it is normal that the httpd/LDAP certificates on the replica were not updated as they are different (each IPA server has its own httpd/LDAP cert which contains the hostname in its subject). You can check this by performing on each server:

    ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
        Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
                     ^^^^^^^^^

If the goal is to replace the httpd/LDAP certificates on the replica, the command ipa-server-certinstall must also be run on the replica with the appropriate certificate.

HTH,
Flo.
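The check Flo describes above, as an added example that is not part of the original mail: a small POSIX shell script that parses the `Subject:` and `Issuer:` lines of `certutil -L` output and reports whether the Server-Cert in each server's httpd NSS database carries that server's hostname and which CA issued it. The certutil output below is a constructed sample so the script runs offline; on a real server you would pipe in the output of `sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert`. The hostnames, issuer names and the `check_server` helper are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original mail): confirm that each IPA server's
# httpd Server-Cert names that server in its Subject CN and see which CA issued it.
# The sample certutil output below is constructed for offline use.

# subject_cn OUTPUT: print the CN from the 'Subject:' line of certutil -L output.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Subject: *"CN=\([^,"]*\).*/\1/p' | head -n 1
}

# issuer_cn OUTPUT: print the CN from the 'Issuer:' line of certutil -L output.
issuer_cn() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Issuer: *"CN=\([^,"]*\).*/\1/p' | head -n 1
}

# cert_matches_host HOSTNAME OUTPUT: exit 0 if the Subject CN equals HOSTNAME, 1 otherwise.
cert_matches_host() {
    matched_cn=$(subject_cn "$2")
    [ "$matched_cn" = "$1" ]
}

# check_server HOSTNAME OUTPUT (hypothetical helper): one-line status for a server.
# Because every IPA server has its own Server-Cert, a replica whose CN does not
# match its own hostname, or whose issuer is still the internal CA after the
# master was switched to an external one, needs ipa-server-certinstall run locally.
check_server() {
    if cert_matches_host "$1" "$2"; then
        printf '%s: Server-Cert CN matches host, issued by "%s"\n' "$1" "$(issuer_cn "$2")"
    else
        printf '%s: Server-Cert CN is "%s", expected "%s"\n' "$1" "$(subject_cn "$2")" "$1"
    fi
}

# Constructed sample: master re-issued from an external CA.
SAMPLE_MASTER='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=External CA cert,O=EXAMPLE"
        Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"'

# Constructed sample: replica still carrying the cert issued by the IPA CA.
SAMPLE_REPLICA='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Certificate Authority,O=DOMAIN.COM"
        Subject: "CN=ipareplica.domain.com,O=DOMAIN.COM"'

check_server ipaserver.domain.com "$SAMPLE_MASTER"
check_server ipareplica.domain.com "$SAMPLE_REPLICA"
```

Running the two sample checks shows that both certificates match their own host, and that only the issuer line reveals the replica was never re-issued, which is why installing the external CA on the master alone does not change what the replica serves.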

On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:

Hello!

Just an update: manually adding the external CA(s) and the signed certificate was
successful, but why wasn't it automatically transferred to the
replica(s) from the master?

On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
Hello!

I've successfully created a replica, everything works fine, but why did my
signed CA certificate not automatically transfer to the other
replica(s)? Is it normal?

I tried to add it manually, but the certificate on the replica(s) is still
the self-signed one. Here's the output from `ipa-certupdate -v`:
https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=

The interesting lines were:

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found

FYI: The replica server was previously a client and was promoted to a
replica by running this command: `ipa-replica-install
--principal admin --admin-password admin_password`

Any hints?



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
