Hello!

Master IPA Server:
- I install 1 (one) server as master (self-signed) and add/modify using external CA.
- I am using ipa-cacert-manage install, then ipa-certupdate on master.

Replica IPA Server:
- I install 1 (one) server as client and promote it to ipa-replica:
  - I run `ipa-client-install` with autodiscovery
  - Then `ipa-replica-install --principal admin --admin-password <password>`

I've hit `ipa-certupdate -v` to get verbose logs (attached to the first email). Then the replica server isn't using the external CA(s) like the master did. So I did the same as on the master, using `ipa-cacert-manage` on the replica, and it works fine.

If it's normal, then thanks for clarifying this.

On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
> Hi,
>
> As your email refers to self-signed and signed CA certificate, can you please clarify the exact steps that you followed? It looks like
> - you first installed FreeIPA with a self-signed CA
> - you added an external CA (did you use ipa-cacert-manage install on 1 server then ipa-certupdate on all replicas?)
> - you replaced the httpd/LDAP certificates with a cert signed from the external CA (you probably ran ipa-server-certinstall on one server).
>
> In this case it is normal that the httpd/LDAP certificates on the replica were not updated as they are different (each IPA server has its own httpd/LDAP cert which contains the hostname in its subject). You can check this by performing on each server:
>
> ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
> Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
>               ^^^^^^^^^
>
> If the goal is to replace the httpd/LDAP certificates on the replica, the command ipa-server-certinstall must also be run on the replica with the appropriate certificate.
>
> HTH,
> Flo.
>
> On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> Just an update: manually adding the external CA(s) and signed certificate was successful, but why didn't it automatically transfer to the replica(s) from the master?
>>
>> On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> I've successfully created a replica, everything works fine, but why did my signed CA certificate not automatically transfer to the other replica(s)? Is it normal?
>>>
>>> Trying to add it manually, but the certificate on the replica(s) is still self-signed. Here's the output from `ipa-certupdate -v`:
>>> https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=
>>>
>>> Interesting lines were:
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
>>> ipa: DEBUG: Process finished, return code=255
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
>>> ipa: DEBUG: Process finished, return code=255
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>> FYI: The replica server previously was a client and was promoted to be a replica by hitting this command:
>>> `ipa-replica-install --principal admin --admin-password admin_password`
>>>
>>> Any hints?
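As an added example (not code from this thread or from the FreeIPA project), here is the per-server check Florence describes, done over the pretty-printed output of `certutil -d /etc/httpd/alias -L -n Server-Cert` captured from each host: the Subject CN must be that server's own hostname and the Issuer must be the external CA, otherwise `ipa-server-certinstall` still has to be run there. The sample outputs, the replica hostname and the external CA's DN are constructed/assumed values; the replica sample reproduces the symptom from the thread.

```python
# Added example, not from the thread or the FreeIPA project: parse the output of
# `certutil -d /etc/httpd/alias -L -n Server-Cert` captured from each server and
# check the Subject CN is that host's own name and the Issuer is the external CA.
# Sample outputs are constructed (real dumps have many more lines); the external
# CA DN is an assumed placeholder.
import re
from typing import Dict, List

EXTERNAL_CA_DN = "CN=External Root CA,O=EXAMPLE.ORG"  # assumed placeholder

SAMPLE_CERTUTIL_OUTPUT = {
    "ipaserver.domain.com": (
        "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
        '        Issuer: "CN=External Root CA,O=EXAMPLE.ORG"\n'
        '        Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"\n'),
    "ipareplica.domain.com": (  # still issued by the internal IPA CA
        "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
        '        Issuer: "CN=Certificate Authority,O=DOMAIN.COM"\n'
        '        Subject: "CN=ipareplica.domain.com,O=DOMAIN.COM"\n'),
}

DN_LINE = re.compile(r'^\s*(Issuer|Subject):\s*"(.*)"\s*$', re.MULTILINE)

def parse_dns(certutil_output: str) -> Dict[str, str]:
    """Issuer and Subject DNs from certutil's pretty-printed certificate."""
    return {m.group(1): m.group(2) for m in DN_LINE.finditer(certutil_output)}

def dn_cn(dn: str) -> str:
    """First CN value of a comma-separated DN (escaped commas not handled)."""
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return ""

def check_server_cert(hostname: str, certutil_output: str,
                      expected_issuer: str = EXTERNAL_CA_DN) -> List[str]:
    """Findings for one server; an empty list means the cert is as expected."""
    dns = parse_dns(certutil_output)
    if "Subject" not in dns or "Issuer" not in dns:
        return ["could not parse Subject/Issuer from certutil output"]
    findings = []
    if dn_cn(dns["Subject"]) != hostname:
        findings.append(f"subject CN {dn_cn(dns['Subject'])!r} != hostname {hostname!r}")
    if dns["Issuer"] != expected_issuer:
        findings.append(f"issuer {dns['Issuer']!r} is not the external CA; "
                        "run ipa-server-certinstall on this host")
    return findings
```

Run `check_server_cert(host, output)` for every server in the topology; a non-empty list for a replica is exactly the "not updated on the replica" case from the thread.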