Hello!

On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote:
> On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> Master IPA Server:
>> - I installed 1 (one) server as master (self-signed) and added/modified it using an external CA.
>> - I am using ipa-cacert-manage install, then ipa-certupdate on the master.
>
> Hi,
>
> I think I got you wrong... Do you mean that you installed IPA with an integrated IdM CA which was self-signed, then your intent was to move to an integrated IdM CA externally signed? In this case, the right command would be ipa-cacert-manage renew --external-ca, and the procedure is described in "Changing the certificate chain" [1].

Ah, thanks for your corrections and information. Then what should I do? Should I run ipa-cacert-manage renew --external-ca?

> The command ipa-cacert-manage install does not replace the integrated IdM CA but adds the certificate as a known CA.
>
> Hope this clarifies,
> Flo
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
>
>> Replica IPA Server:
>> - I installed 1 (one) server as a client and promoted it to an ipa-replica:
>>   - I ran `ipa-client-install` with autodiscovery
>>   - Then `ipa-replica-install --principal admin --admin-password <password>`
>>
>> I ran ipa-certupdate -v to get verbose logs (attached to the first email). The replica server isn't using the external CA(s) like the master does.
>>
>> So I did the same as on the master, using `ipa-cacert-manage` on the replica, and it works fine. If this is normal, then thanks for clarifying.
>>
>> On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
>>> Hi,
>>>
>>> As your email refers to self-signed and signed CA certificates, can you please clarify the exact steps that you followed?
>>> It looks like
>>> - you first installed FreeIPA with a self-signed CA
>>> - you added an external CA (did you use ipa-cacert-manage install on 1 server, then ipa-certupdate on all replicas?)
>>> - you replaced the httpd/LDAP certificates with a cert signed by the external CA (you probably ran ipa-server-certinstall on one server).
>>>
>>> In this case it is normal that the httpd/LDAP certificates on the replica were not updated, as they are different (each IPA server has its own httpd/LDAP cert, which contains the hostname in its subject). You can check this by performing on each server:
>>>
>>> ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
>>>         Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
>>>                      ^^^^^^^^^
>>>
>>> If the goal is to replace the httpd/LDAP certificates on the replica, the command ipa-server-certinstall must also be run on the replica with the appropriate certificate.
>>>
>>> HTH,
>>> Flo.
>>>
>>> On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> Just an update: manually adding the external CA(s) and the signed certificate was successful, but why didn't it automatically transfer to the replica(s) from the master?
>>>>
>>>> On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
>>>>> Hello!
>>>>>
>>>>> I've successfully created a replica; everything works fine, but why didn't my signed CA certificate automatically transfer to the other replica(s)? Is it normal?
>>>>>
>>>>> I tried to add it manually, but the certificate on the replica(s) is still self-signed. Here's the output from `ipa-certupdate -v`:
>>>>> https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=
>>>>>
>>>>> The interesting lines were:
>>>>>
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
>>>>> ipa: DEBUG: Process finished, return code=255
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
>>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
>>>>> ipa: DEBUG: Process finished, return code=255
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
>>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>
>>>>> FYI: The replica server was previously a client and was promoted to a replica with this command:
>>>>> `ipa-replica-install --principal admin --admin-password admin_password`
>>>>>
>>>>> Any hints?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
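The two checks this thread turns on, as an added example that is not part of the thread and not FreeIPA's own tooling: first, which CA nicknames `ipa-certupdate -v` failed to find in the replica's NSS database (the `certutil -L -n <nick>` lookups that returned a non-zero code, as in the debug output quoted above); second, whether a server's `Server-Cert` subject CN actually names that server, which is why the httpd/LDAP certificate cannot simply be copied from the master to a replica. The log lines below are a constructed sample shaped like the ones quoted in the thread; the log format, the `/etc/ipa/nssdb` and `/etc/httpd/alias` paths and the `ipaserver.domain.com` hostname are taken from the thread and assumed to match the FreeIPA version in use (later releases moved httpd certificates out of the NSS database).

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Two small helpers for
# diagnosing the situation discussed above: missing CA entries in the replica's
# NSS database, and per-server Server-Cert subjects.

# Constructed sample of "ipa-certupdate -v" debug output, shaped like the lines
# quoted in the thread (one successful lookup added to show the contrast).
SAMPLE_LOG='ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n Some Present CA -a
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=-----BEGIN CERTIFICATE-----'

# missing_certs: read ipa-certupdate -v output on stdin and print one line
# "<nssdb> <nickname>" for every "certutil -L -n <nickname>" lookup whose
# following "Process finished, return code=" line is non-zero.
missing_certs() {
  awk '
    /args=\/usr\/bin\/certutil .* -L -n / {
      db = $0;   sub(/.*-d /, "", db);   sub(/ .*/, "", db)      # database path
      nick = $0; sub(/.*-n /, "", nick); sub(/ -a$/, "", nick)   # nickname (may contain spaces)
      pending = 1
      next
    }
    pending && /Process finished, return code=/ {
      rc = $0; sub(/.*return code=/, "", rc)
      if (rc + 0 != 0) print db " " nick
      pending = 0
    }
  '
}

# cert_cn: extract the CN from a certutil "Subject:" line such as
#   Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
cert_cn() {
  printf '%s\n' "$1" | sed -n 's/.*"CN=\([^,"]*\).*/\1/p'
}

# subject_matches_host: true when the Subject line's CN equals the given hostname.
# Each IPA server's Server-Cert must carry its own hostname, so a cert copied
# from the master will fail this check on a replica.
subject_matches_host() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# server_cert_cn: the live check from the thread, wrapped (requires certutil and
# the NSS database at /etc/httpd/alias; not exercised here).
server_cert_cn() {
  certutil -d "${1:-/etc/httpd/alias}" -L -n Server-Cert | grep 'Subject:' | while read -r line; do
    cert_cn "$line"
  done
}

# Example run over the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | missing_certs
subject_matches_host 'Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"' "$(hostname -f 2>/dev/null || hostname)" \
  && echo "Server-Cert matches this host" || echo "Server-Cert does not name this host"
```

On a real replica, feed the saved `ipa-certupdate -v` output to `missing_certs` to see exactly which nicknames the update step expected and could not find; a non-empty list after the master was re-chained with `ipa-cacert-manage renew --external-ca` means the replica has not yet picked up the new chain via `ipa-certupdate`. `server_cert_cn /etc/httpd/alias` on each server should print that server's own FQDN.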