On 04/28/2017 03:50 AM, Dewangga Bachrul Alam wrote:

Hello!

On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote:
On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote:
Hello!

Master IPA Server:
- I installed 1 (one) server as master (self-signed) and added/modified it using an external CA.
- I used ipa-cacert-manage install, then ipa-certupdate on the master.

Hi,

I think I got you wrong... Do you mean that you installed IPA
with an integrated IdM CA which was self-signed, then your intent
was to move to integrated IdM CA externally signed? In this case,
the right command would be ipa-cacert-manage renew --external-ca,
and the procedure is described in "Changing the certificate
chain" [1].

Ah, thanks for your corrections and information. Then what should I do?
Should I run ipa-cacert-manage renew --external-ca?

Yes, this is the way to go, documented here [1]. This is a 2-step process: when the command is run, it will create a CSR that needs to be signed by an external CA. Then the command must be re-launched with the new certificate delivered by the CA.

Also do not forget to run ipa-certupdate on the master and all the replicas/clients.

Flo.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext


The command ipa-cacert-manage install does not replace the
integrated IdM CA but adds the certificate as a known CA.

Hope this clarifies, Flo

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html



Replica IPA Server:
- I installed 1 (one) server as a client and promoted it to an ipa-replica:
  - I ran `ipa-client-install` with autodiscovery
  - Then `ipa-replica-install --principal admin --admin-password <password>`

I've run ipa-certupdate -v for verbose logs (attached to the first
email). The replica server isn't using the external CA(s) like the master
did.

So I did the same as on the master, using `ipa-cacert-manage` on the
replica, and it works fine. If that's normal, then thanks for
clarifying this.

On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
Hi,

As your email refers to self-signed and signed CA certificates, can you
please clarify the exact steps that you followed? It looks like:
- you first installed FreeIPA with a self-signed CA
- you added an external CA (did you use ipa-cacert-manage install on 1
  server then ipa-certupdate on all replicas?)
- you replaced the httpd/LDAP certificates with a cert signed from the
  external CA (you probably ran ipa-server-certinstall on one server).

In this case it is normal that the httpd/LDAP certificates on the
replica were not updated as they are different (each IPA server has its
own httpd/LDAP cert which contains the hostname in its subject). You can
check this by performing on each server:

ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
        Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
                     ^^^^^^^^^

If the goal is to replace the httpd/LDAP certificates on the
replica, the command ipa-server-certinstall must also be run
on the replica with the appropriate certificate.

HTH, Flo.

On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:
Hello!

Just an update: manually adding the external CA(s) and signed
certificate was successful, but why didn't it automatically
transfer to the replica(s) from the master?

On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
Hello!

I've successfully created a replica, and everything works fine,
but why didn't my signed CA certificate automatically
transfer to the other replica(s)? Is this normal?

I tried adding it manually, but the certificate on the
replica(s) is still self-signed. Here's the output
from `ipa-certupdate -v`:
https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=

The interesting lines were:

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found

ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found

FYI: The replica server previously was a client and
promoted to be a replica by hitting this command:
`ipa-replica-install --principal admin
--admin-password admin_password`

Any hints?
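The certutil failures quoted above and Florence's Server-Cert subject check, as an added example that is not part of this thread or of FreeIPA itself: a small Python parser that reads the run-together `ipa: DEBUG:` stream that `ipa-certupdate -v` writes, reconstructs each certutil call, reports which NSS nicknames certutil could not find in which database, and checks that a Server-Cert subject line names the server's own hostname. The log sample is constructed from the lines quoted in the thread plus one made-up successful lookup; all function and class names are my own.

```python
"""Diagnostic helpers for the certutil output quoted in this thread.

Example code, not part of FreeIPA. Parses the `ipa: DEBUG:` stream from
`ipa-certupdate -v`, lists nicknames certutil could not find, and checks
that a Server-Cert subject carries the expected hostname.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two failing lookups quoted in the thread, plus one
# constructed successful lookup of Server-Cert in the httpd NSS database.
SAMPLE_LOG = (
    "ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: "
    "args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a ipa: DEBUG: "
    "Process finished, return code=255 ipa: DEBUG: stdout= ipa: DEBUG: "
    "stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: "
    "File not found\n"
    "ipa: DEBUG: Starting external process ipa: DEBUG: "
    "args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a "
    "ipa: DEBUG: Process finished, return code=255 ipa: DEBUG: stdout= "
    "ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : "
    "PR_FILE_NOT_FOUND_ERROR: File not found\n"
    "ipa: DEBUG: Starting external process ipa: DEBUG: "
    "args=/usr/bin/certutil -d /etc/httpd/alias -L -n Server-Cert -a "
    "ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: "
    "stdout=-----BEGIN CERTIFICATE----- ipa: DEBUG: stderr=\n"
)


@dataclass
class CertutilRun:
    """One certutil invocation reconstructed from the debug stream."""
    db: str
    nickname: str
    return_code: Optional[int] = None
    stdout: str = ""
    stderr: str = ""

    @property
    def missing(self) -> bool:
        # certutil exits non-zero and names the nickname it could not find.
        return self.return_code not in (None, 0) and "Could not find cert" in self.stderr


def _split_records(stream: str) -> list[str]:
    """Cut the stream at every 'ipa: DEBUG: ' marker; each piece is one record."""
    return [p.strip() for p in re.split(r"\s*ipa: DEBUG: ", stream) if p.strip()]


def _parse_args(args: str) -> tuple[str, str]:
    """Pull -d <db> and -n <nickname> out of a certutil argv string.

    The nickname is not quoted in the log ("-n IPA CA -a"), so it runs
    from the token after -n up to the next option.
    """
    tokens = args.split()
    db, nick = "", []
    i = 0
    while i < len(tokens):
        if tokens[i] == "-d" and i + 1 < len(tokens):
            db = tokens[i + 1]
            i += 2
        elif tokens[i] == "-n":
            i += 1
            while i < len(tokens) and not tokens[i].startswith("-"):
                nick.append(tokens[i])
                i += 1
        else:
            i += 1
    return db, " ".join(nick)


def parse_certutil_runs(stream: str) -> list[CertutilRun]:
    """Reconstruct each certutil call with its return code and captured output."""
    runs: list[CertutilRun] = []
    current: Optional[CertutilRun] = None
    for rec in _split_records(stream):
        if rec.startswith("args=") and "certutil" in rec:
            db, nick = _parse_args(rec[len("args="):])
            current = CertutilRun(db=db, nickname=nick)
            runs.append(current)
        elif current is None:
            continue  # output that belongs to no tracked command
        elif rec.startswith("Process finished, return code="):
            current.return_code = int(rec.rsplit("=", 1)[1])
        elif rec.startswith("stdout="):
            current.stdout = rec[len("stdout="):]
        elif rec.startswith("stderr="):
            current.stderr = rec[len("stderr="):]
    return runs


def missing_nicknames(stream: str) -> list[tuple[str, str]]:
    """(database, nickname) pairs that certutil could not find, in log order."""
    return [(r.db, r.nickname) for r in parse_certutil_runs(stream) if r.missing]


def subject_cn(subject_line: str) -> str:
    """Extract the CN from a certutil 'Subject: "CN=...,O=..."' line."""
    m = re.search(r'CN=([^,"]+)', subject_line)
    return m.group(1) if m else ""


def server_cert_matches_host(subject_line: str, hostname: str) -> bool:
    """True when the Server-Cert subject CN is this server's own hostname.

    Each IPA server has its own httpd/LDAP cert, so a replica whose
    Server-Cert names the master's hostname carries the wrong certificate.
    """
    return subject_cn(subject_line).lower() == hostname.lower()


if __name__ == "__main__":
    for db, nick in missing_nicknames(SAMPLE_LOG):
        print(f"missing in {db}: {nick!r}")
    line = 'Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"'
    print(server_cert_matches_host(line, "ipaserver.domain.com"))
```

Run it against a saved `ipa-certupdate -v` log instead of `SAMPLE_LOG` on each server: two missing nicknames in /etc/ipa/nssdb on a replica, with none on the master, is the asymmetry this thread describes, and a Server-Cert CN that is not the replica's own hostname is the separate per-server httpd/LDAP certificate issue Florence points out.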


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project