On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote:
> On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote:
>> Hello!
>> Master IPA Server:
>> - I installed 1 (one) server as master (self-signed) and added/modified it using an external CA.
>> - I am using ipa-cacert-manage install, then ipa-certupdate on the master.
> Hi,
> I think I got you wrong... Do you mean that you installed IPA with an
> integrated IdM CA which was self-signed, then your intent was to move to
> an integrated IdM CA externally signed? In this case, the right command
> would be ipa-cacert-manage renew --external-ca, and the procedure is
> described in "Changing the certificate chain" [1].

Ah, thanks for your corrections and information; then what should I do?
Should I run ipa-cacert-manage renew --external-ca?

> The command ipa-cacert-manage install does not replace the integrated
> IdM CA but adds the certificate as a known CA.
> Hope this clarifies,
> Flo
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linu
>> Replica IPA Server:
>> - I installed 1 (one) server as client and promoted it to ipa-replica:
>>   - I ran `ipa-client-install` with autodiscovery
>>   - Then `ipa-replica-install --principal admin --admin-password <password>`
>> I ran ipa-certupdate -v to get verbose logs (attached to the first
>> email). The replica server isn't using the external CA(s) like the
>> master did.
>> So, I did the same as on the master, using `ipa-cacert-manage` on the
>> replica, and it works fine. If this is normal, then thanks for
>> clarifying this.
>> On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
>>> Hi,
>>> As your email refers to self-signed and signed CA certificate, can you
>>> please clarify the exact steps that you followed? It looks like
>>> - you first installed FreeIPA with a self-signed CA
>>> - you added an external CA (did you use ipa-cacert-manage install on 1
>>>   server then ipa-certupdate on all replicas?)
>>> - you replaced the httpd/LDAP certificates with a cert signed from the
>>>   external CA (you probably ran ipa-server-certinstall on one server).
>>> In this case it is normal that the httpd/LDAP certificates on the
>>> replica were not updated as they are different (each IPA server has its
>>> own httpd/LDAP cert which contains the hostname in its subject). You can
>>> check this by performing on each server:
>>> ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
>>>         Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
>>>                      ^^^^^^^^^
>>> If the goal is to replace the httpd/LDAP certificates on the replica,
>>> the command ipa-server-certinstall must also be run on the replica with
>>> the appropriate certificate.
>>> HTH,
>>> Flo.
>>> On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>> Just an update: manually adding the external CA(s) and signed
>>>> certificate was successful, but why didn't it automatically transfer
>>>> to the replica(s) from the master?
>>>> On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
>>>>> Hello!
>>>>> I've successfully created a replica; everything works fine, but why
>>>>> didn't my signed CA certificate automatically transfer to the other
>>>>> replica(s)? Is it normal?
>>>>> I tried to add it manually, but the certificate on the replica(s) is
>>>>> still the self-signed one. Here's the output from `ipa-certupdate -v`:
>>>>> https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UyRLivL9gydE=
>>>>> The interesting lines were:
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
>>>>> ipa: DEBUG: Process finished, return code=255
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
>>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
>>>>> ipa: DEBUG: Process finished, return code=255
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
>>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>> FYI: The replica server previously was a client and was promoted to
>>>>> be a replica by running this command:
>>>>> `ipa-replica-install --principal admin --admin-password admin_password`
>>>>> Any hints?
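Flo's per-server check above (the Server-Cert subject carrying each host's own name, and the "Could not find cert" failure seen in the ipa-certupdate -v log) can be scripted so every master and replica reports whether its httpd cert is already on the external chain. This is an added example, not code from the thread or from the FreeIPA project; the hostnames, the external CA issuer DN and the certutil output below are constructed samples.

```sh
#!/bin/sh
# Added example (not from the thread): classify a server's httpd Server-Cert
# from `certutil -L` output. Host names, issuer DN and samples are constructed.
EXTERNAL_CA='CN=External Root CA,O=EXAMPLE'   # assumed issuer DN of the external CA

# Print the quoted value of the first "Subject:" or "Issuer:" line read on stdin.
cert_field() {
    sed -n "s/^[[:space:]]*$1: \"\(.*\)\"[[:space:]]*$/\1/p" | head -n 1
}

# check_server_cert HOST EXPECTED_ISSUER  (certutil output on stdin)
# Prints one of: missing | wrong-host | issuer-mismatch | ok; exits 0 only for ok.
check_server_cert() {
    host="$1"; want="$2"
    out="$(cat)"
    # certutil exits 255 and prints this when the nickname is absent,
    # exactly the failure seen in the ipa-certupdate -v log above.
    case "$out" in
        ""|*"Could not find cert"*) echo missing; return 1 ;;
    esac
    subject="$(printf '%s\n' "$out" | cert_field Subject)"
    issuer="$(printf '%s\n' "$out" | cert_field Issuer)"
    # Each IPA server's httpd/LDAP cert carries its own hostname in the subject.
    case "$subject" in
        "CN=$host,"*|"CN=$host") ;;
        *) echo wrong-host; return 1 ;;
    esac
    # A replica still on the old chain shows the internal IdM CA as issuer here.
    [ "$issuer" = "$want" ] || { echo issuer-mismatch; return 1; }
    echo ok
}

# Constructed samples of `certutil -d /etc/httpd/alias/ -L -n Server-Cert` output.
SAMPLE_MASTER='Certificate:
    Data:
        Issuer: "CN=External Root CA,O=EXAMPLE"
        Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"'
SAMPLE_REPLICA='Certificate:
    Data:
        Issuer: "CN=Certificate Authority,O=DOMAIN.COM"
        Subject: "CN=ipareplica.domain.com,O=DOMAIN.COM"'
SAMPLE_MISSING='certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found'

# Live use on each server: sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert 2>&1 \
#   | check_server_cert "$(hostname -f)" "$EXTERNAL_CA"
printf 'master  : '; printf '%s\n' "$SAMPLE_MASTER"  | check_server_cert ipaserver.domain.com  "$EXTERNAL_CA" || :
printf 'replica : '; printf '%s\n' "$SAMPLE_REPLICA" | check_server_cert ipareplica.domain.com "$EXTERNAL_CA" || :
printf 'missing : '; printf '%s\n' "$SAMPLE_MISSING" | check_server_cert ipareplica.domain.com "$EXTERNAL_CA" || :
```

Run it on the master and on every replica; a replica reporting issuer-mismatch is one where ipa-server-certinstall still has to be run with that host's own certificate, as Flo describes.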