Hi all,
Came around to post the definite fix for my problem, don't know if it will help
anyone since it was all a mess.
As mentioned previously:
> There's the expected "slapd-DOMAIN-IO" but I also have a
> "try_ca_renew-slapd-DOMAIN-IO" dir dated from 8 of June that resembles a
> copy of
Hi Rob,
About id13: it is a dead and gone replica.
About this link:
https://www.freeipa.org/page/Howto/DNSSEC#Migrate_DNSSEC_master_to_another_IPA_server
I had found it and it was the guide I used to migrate the DNSSEC Key
Master. The issue is that it completed on the DNSSEC Key Master:
#
Ricardo Mendes via FreeIPA-users wrote:
> Hello again Rob,
>
> I really would like to express my appreciation for the feedback you've
> been giving and trying to help, man, really amazing!
>
> I have detailed some of the issues I'm going through now here:
>
Hello again Rob,
I really would like to express my appreciation for the feedback you've
been giving and trying to help, man, really amazing!
I have detailed some of the issues I'm going through now here:
Ricardo Mendes wrote:
> Hi Rob,
>
> Thank you for all your help so far. I haven't written back before, I've
> been swamped.
> Ok so I was going kinda crazy about the lost access to ldap. In the
> meanwhile we got developments on the server that had the freeipa replica
> and this is back up.
> So now
Hi Rob,
Thank you for all your help so far. I haven't written back before, I've
been swamped.
Ok so I was going kinda crazy about the lost access to ldap. In the
meanwhile we got developments on the server that had the freeipa replica
and this is back up.
So now I have this:
- Master is
Ricardo Mendes wrote:
> Hi Rob once again many thanks for helping!
>
>> My guess is that the LE CA certificates are not trusted by the NSS
>> database that dogtag uses. Assuming you've added those CA certificates
>> to IPA using ipa-cacert-manage install then running ipa-certupdate
>> should fix
Hi Rob once again many thanks for helping!
My guess is that the LE CA certificates are not trusted by the NSS
database that dogtag uses. Assuming you've added those CA certificates
to IPA using ipa-cacert-manage install then running ipa-certupdate
should fix things for you.
rob
I think the
Ricardo Mendes wrote:
> You're totally right. I feel dumb.
>
> Ok so I did the following:
>
> I edited the renew-le.sh and replaced the cert name but the line that
> adds the cert again
> "certutil -A -d ... -n Server-Cert"
>
> Edited /etc/httpd/conf.d/nss.conf and changed the NSSNickname
>
>
You're totally right. I feel dumb.
Ok so I did the following:
I edited the renew-le.sh and replaced the cert name but the line that
adds the cert again
"certutil -A -d ... -n Server-Cert"
Edited /etc/httpd/conf.d/nss.conf and changed the NSSNickname
But I still can't start pki-tomcatd:
#
Ricardo Mendes wrote:
> Hi Rob thanks for your message.
>
>> Right the cert nickname is CN=main.domain.io. I'm assuming you manually
> installed the LE certs originally using ipa-server-certinstall right?
>> That doesn't follow the pattern of using Server-Cert for the nickname by
> default.
>
>
Hi Rob thanks for your message.
Right the cert nickname is CN=main.domain.io. I'm assuming you manually
installed the LE certs originally using ipa-server-certinstall right?
That doesn't follow the pattern of using Server-Cert for the nickname by
default.
Iirc I used the
Ricardo Mendes via FreeIPA-users wrote:
>> I think you need to see what certs and keys are in /etc/httpd/alias.
>> Sounds like there is no Server-Cert nickname.
>
> certutil -L -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
> certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
>
Hi Florence,
Thank you for your reply.
Rob had pointed me on that direction but now when I try to run the
setup-le script with that version I get the following error:
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection
Ricardo Mendes via FreeIPA-users wrote:
> Ok so I don't know what happened the server really did take a long time to
> come up but it did.
>
> Everything looks pretty much the same. The setup-le.sh command I ran that
> said
>
>> The ipa-certupdate command was successful
>
> But I can't see
Ricardo Mendes wrote:
> Hi Rob,
>
> Again thanks for your reply. So I went to the commit that lasted
> from 2017 and re-ran setup-le.sh
> Output is here:
>
> https://pastebin.com/JAaD4R21
>
> In the end I get this error:
>
> ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
>
Hi Rob,
Again thanks for your reply. So I went to the commit that lasted from 2017
and re-ran setup-le.sh
Output is here:
https://pastebin.com/JAaD4R21
In the end I get this error:
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection
On 6/10/20 8:42 PM, Ricardo Mendes via FreeIPA-users wrote:
Hi Rob,
Thanks a lot for your reply.
It's because you are in the middle of an upgrade. You can add
--skip-version-check to not do the upgrade until after the certs are renewed.
Amazing! So I turned back the clock and:
# ipactl
> I think you need to see what certs and keys are in /etc/httpd/alias.
> Sounds like there is no Server-Cert nickname.
certutil -L -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
This is the output, and I'm adding getcert list
Ok so I don't know what happened the server really did take a long time to come
up but it did.
Everything looks pretty much the same. The setup-le.sh command I ran that said
> The ipa-certupdate command was successful
But I can't see it. I have to start ipa services with
Hi Rob,
Thanks a lot for your reply.
> It's because you are in the middle of an upgrade. You can add
> --skip-version-check to not do the upgrade until after the certs are renewed.
Amazing! So I turned back the clock and:
# ipactl restart --ignore-service-failure --skip-version-check
Skipping
Ricardo Mendes via FreeIPA-users wrote:
> Hi Florence,
>
> Thank you so much for your reply.
>
> I have some questions regarding your instructions.
>
> 1. ipactl start --ignore-service-failures doesn't work, it leaves most
> services down and I must use systemctl to bring them up.
>
> # sudo
Hi Florence,
Thank you so much for your reply.
I have some questions regarding your instructions.
1. ipactl start --ignore-service-failures doesn't work, it leaves most services
down and I must use systemctl to bring them up.
# sudo ipactl restart --ignore-service-failures
IPA version error:
On 6/10/20 4:13 PM, Ricardo Mendes via FreeIPA-users wrote:
# certutil -d /etc/pki/pki-tomcat/alias -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca
# certutil -d /etc/pki/pki-tomcat/alias -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca