On 04/28/2017 03:50 AM, Dewangga Bachrul Alam wrote:
Yes, this is the way to go, documented here. This is a 2-step
process: when the command is run, it will create a CSR that needs to be
signed by an external CA. Then the command must be re-launched with the
new certificate delivered by the CA.
On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote:
On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote: Hello!
Master IPA Server:
- I install 1 (one) server as master (self-signed) and add/modify using external CA.
- I am using ipa-cacert-manage install then ipa-certupdate on master
I think I got you wrong... Do you mean that you installed IPA
with an integrated IdM CA which was self-signed, then your intent
was to move to integrated IdM CA externally signed? In this case,
the right command would be ipa-cacert-manage renew --external-ca,
and the procedure is described in "Changing the certificate
Ah, thanks for your corrections and information. Then what should I do?
Should I run ipa-cacert-manage renew --external-ca ?
Also do not forget to run ipa-certupdate on the master and all the
The command ipa-cacert-manage install does not replace the
integrated IdM CA but adds the certificate as a known CA.
Hope this clarifies, Flo
Replica IPA Server:
- I install 1 (one) server as client and promoted to ipa-replica:
- I run `ipa-client-install` and autodiscovery
- Then `ipa-replica-install --principal admin
I've run ipa-certupdate -v to get verbose logs (attached to the first
email). The replica server isn't using the external CA(s) like the master.
So I did the same as on the master, using `ipa-cacert-manage` on the
replica, and it works fine. If this is normal, then thanks for
On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
As your email refers to self-signed and signed CA certificate, can you please clarify the exact steps that you followed? It looks like:
- you first installed FreeIPA with a self-signed CA
- you added an external CA (did you use ipa-cacert-manage install on 1 server then ipa-certupdate on all replicas?)
- you replaced the httpd/LDAP certificates with a cert signed from the external CA (you probably ran ipa-server-certinstall on one server).
In this case it is normal that the httpd/LDAP certificates on
the replica were not updated as they are different (each IPA
server has his own httpd/LDAP cert which contains the
hostname in its subject). You can check this by performing on each server:
ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
Subject:
If the goal is to replace the httpd/LDAP certificates on the
replica, the command ipa-server-certinstall must also be run
on the replica with the appropriate certificate.
On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote: Hello!
Just an update: manually adding the external CA(s) and the signed
certificate was successful, but why wasn't it automatically
transferred to the replica(s) from the master?
On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
I've successfully created a replica and everything works fine,
but why didn't my signed CA certificate automatically
transfer to the other replica(s)? Is this normal?
I tried adding it manually, but the certificate on the
replica(s) is still the self-signed one. Here's the output
from `ipa-certupdate -v`:
The interesting lines were:
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found
FYI: the replica server was previously a client and was
promoted to a replica by running this command:
`ipa-replica-install --principal admin
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
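The thread turns on two per-server checks that were done by hand: whether each server's /etc/ipa/nssdb actually contains the CA nicknames that ipa-certupdate looks up with `certutil -d /etc/ipa/nssdb -L -n <nickname> -a` (the "Could not find cert ... PR_FILE_NOT_FOUND_ERROR" lines above are exactly that lookup failing), and whether each server's Server-Cert carries its own hostname in the subject, since httpd/LDAP certificates are per host and are never copied from the master to a replica. The POSIX sh audit below is an added example written for this page; it is not FreeIPA project code and not something anyone in the thread posted. It takes certutil output as text so it runs offline: the listings, the hostnames ipa1/ipa2.example.test and the subject strings are constructed samples shaped like `certutil -L` output. The nicknames "IPA CA" and "External CA cert" and the directories are the ones that appear in the thread.

```shell
#!/bin/sh
# Added example (not FreeIPA code, not from the thread): audit each IPA
# server's NSS databases for the two conditions discussed in the thread.
# On a real server you would feed it live output, e.g.:
#   audit_server "$(hostname)" "$(certutil -d /etc/ipa/nssdb -L)" \
#       "External CA cert" \
#       "$(certutil -d /etc/httpd/alias -L -n Server-Cert | grep Subject:)"

# has_nick LISTING NICK -> exit 0 if the `certutil -L` listing has NICK
has_nick() {
    printf '%s\n' "$1" | grep -q "^$2[[:space:]]"
}

# subject_cn 'Subject: "CN=host,O=REALM"' -> prints the CN value
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,"]*\).*/\1/p'
}

# audit_server HOST NSSDB_LISTING EXTERNAL_CA_NICK SERVER_CERT_SUBJECT_LINE
# Prints one line per finding and returns the number of findings (0 = healthy).
audit_server() {
    host=$1; listing=$2; ext_nick=$3; subject=$4
    problems=0
    # ipa-certupdate runs `certutil -d /etc/ipa/nssdb -L -n "IPA CA" -a`;
    # a missing nickname is the return code=255 / PR_FILE_NOT_FOUND_ERROR
    # seen in the thread's debug output.
    if ! has_nick "$listing" "IPA CA"; then
        echo "$host: 'IPA CA' missing from /etc/ipa/nssdb (run ipa-certupdate)"
        problems=$((problems + 1))
    fi
    if ! has_nick "$listing" "$ext_nick"; then
        echo "$host: '$ext_nick' missing from /etc/ipa/nssdb (run ipa-certupdate after ipa-cacert-manage on the master)"
        problems=$((problems + 1))
    fi
    # Server-Cert is per host: its CN must be this host, never the master's.
    cn=$(subject_cn "$subject")
    if [ "$cn" != "$host" ]; then
        echo "$host: Server-Cert CN is '$cn', expected '$host' (run ipa-server-certinstall on this host)"
        problems=$((problems + 1))
    fi
    return $problems
}

# Constructed sample data, shaped like `certutil -d /etc/ipa/nssdb -L` output.
# The master has both CA nicknames; the replica has neither, as in the thread.
MASTER_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

IPA CA                                       CT,C,C
External CA cert                             CT,C,C
Server-Cert                                  u,u,u'
REPLICA_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

Server-Cert                                  u,u,u'
MASTER_SUBJECT='Subject: "CN=ipa1.example.test,O=EXAMPLE.TEST"'
REPLICA_SUBJECT='Subject: "CN=ipa2.example.test,O=EXAMPLE.TEST"'

run_case() {
    audit_server "$@"; n=$?
    if [ "$n" -eq 0 ]; then echo "$1: OK"; else echo "$1: $n finding(s)"; fi
}

run_case ipa1.example.test "$MASTER_LISTING"  "External CA cert" "$MASTER_SUBJECT"
run_case ipa2.example.test "$REPLICA_LISTING" "External CA cert" "$REPLICA_SUBJECT"
# A replica whose Server-Cert was copied from the master: CN mismatch as well.
run_case ipa2.example.test "$REPLICA_LISTING" "External CA cert" "$MASTER_SUBJECT"
```

The third case is the trap the thread's second reply warns about: copying the master's httpd/LDAP certificate to a replica is wrong even when the CA side is fixed, because the subject names the wrong host; each server needs its own certificate installed with ipa-server-certinstall.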