On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote:

Hello!

Master IPA Server:
- I installed one server as master (self-signed) and added/modified it using an external CA.
- I am using ipa-cacert-manage install, then ipa-certupdate, on the master.

Hi,

I think I got you wrong...
Do you mean that you installed IPA with an integrated IdM CA which was self-signed, then your intent was to move to integrated IdM CA externally signed? In this case, the right command would be ipa-cacert-manage renew --external-ca, and the procedure is described in "Changing the certificate chain" [1].

The command ipa-cacert-manage install does not replace the integrated IdM CA but adds the certificate as a known CA.

Hope this clarifies,
Flo

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html

Replica IPA Server:
- I installed one server as a client and promoted it to an ipa-replica:
  - I ran `ipa-client-install` with autodiscovery
  - Then `ipa-replica-install --principal admin --admin-password <password>`

I ran `ipa-certupdate -v` to get verbose logs (attached to the first email). The replica server isn't using the external CA(s) like the master does.

So, I did the same as on the master, using `ipa-cacert-manage` on the replica, and it works fine. If this is normal, then thanks for clarifying this.

On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
Hi,

As your email refers to self-signed and signed CA certificates, can you please clarify the exact steps that you followed? It looks like:
- you first installed FreeIPA with a self-signed CA
- you added an external CA (did you use ipa-cacert-manage install on one server, then ipa-certupdate on all replicas?)
- you replaced the httpd/LDAP certificates with a cert signed by the external CA (you probably ran ipa-server-certinstall on one server).

In this case it is normal that the httpd/LDAP certificates on the replica were not updated, as they are different (each IPA server has its own httpd/LDAP cert, which contains the hostname in its subject). You can check this by running on each server:

ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
    Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
                 ^^^^^^^^^

If the goal is to replace the httpd/LDAP certificates on the replica, the command ipa-server-certinstall must also be run on the replica with the appropriate certificate.

HTH, Flo.

On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:
Hello!

Just an update: manually adding the external CA(s) and the signed certificate was successful, but why wasn't it automatically transferred from the master to the replica(s)?

On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
Hello!

I've successfully created a replica and everything works fine, but why didn't my signed CA certificate automatically transfer to the other replica(s)? Is this normal?

I tried adding it manually, but the certificate on the replica(s) is still self-signed. Here's the output from `ipa-certupdate -v`:
https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=

The interesting lines were:

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found

ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found

FYI: the replica server was previously a client and was promoted to a replica with this command:
`ipa-replica-install --principal admin --admin-password admin_password`

Any hints?



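The certutil check Florence describes above (each server's Server-Cert carries its own hostname in the subject, and the issuer tells you which CA signed it) can be scripted so that a fleet of IPA servers is compared in one go. The script below is an added example, not code from the thread or from the FreeIPA project. It works on constructed sample output: the Issuer/Subject lines that `certutil -d /etc/httpd/alias -L -n Server-Cert` would print on two hypothetical hosts, `ipaserver.example.com` and `ipareplica.example.com`, with made-up CA names. It reports whether each subject CN matches the expected hostname and whether both certificates share the same issuer; a mismatched issuer is exactly the state the thread ends in before ipa-server-certinstall is run on the replica.

```shell
#!/bin/sh
# Added example (not from the thread): compare the httpd Server-Cert of two
# IPA servers. In production, replace the constants with the real output of
#   ssh "$host" sudo certutil -d /etc/httpd/alias -L -n Server-Cert
# Sample output below is constructed; hostnames and CA names are made up.

MASTER_OUT='        Issuer: "CN=External CA cert,O=EXAMPLE.COM"
        Subject: "CN=ipaserver.example.com,O=EXAMPLE.COM"'
REPLICA_OUT='        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=ipareplica.example.com,O=EXAMPLE.COM"'

# field_of FIELD TEXT -> value between the quotes of the "FIELD: ..." line
field_of() {
    printf '%s\n' "$2" | sed -n 's/^[[:space:]]*'"$1"': "\(.*\)"$/\1/p' | head -n 1
}

# cn_of "CN=host,O=X" -> host (first RDN only)
cn_of() {
    printf '%s\n' "$1" | sed -n 's/^CN=\([^,]*\).*/\1/p'
}

# check_server HOST TEXT -> success if the subject CN equals HOST
check_server() {
    subj=$(field_of Subject "$2")
    [ "$(cn_of "$subj")" = "$1" ]
}

# same_issuer TEXT1 TEXT2 -> success if both certs name the same issuer
same_issuer() {
    [ "$(field_of Issuer "$1")" = "$(field_of Issuer "$2")" ]
}

report() {
    if check_server ipaserver.example.com "$MASTER_OUT"; then
        echo "master: subject CN matches hostname"
    else
        echo "master: subject CN does NOT match hostname"
    fi
    if check_server ipareplica.example.com "$REPLICA_OUT"; then
        echo "replica: subject CN matches hostname"
    else
        echo "replica: subject CN does NOT match hostname"
    fi
    if same_issuer "$MASTER_OUT" "$REPLICA_OUT"; then
        echo "both servers were signed by the same CA"
    else
        echo "issuer differs: master=$(field_of Issuer "$MASTER_OUT") replica=$(field_of Issuer "$REPLICA_OUT")"
        echo "hint: ipa-server-certinstall was probably only run on one server"
    fi
}

report
```

The subject check guards against copying one server's cert to another (which would pass a naive "is it signed by the external CA?" test while breaking hostname validation), and the issuer check is the one that distinguishes "CA known to the host" from "service cert actually reissued".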


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
