[Freeipa-users] Re: backup / restore

2023-10-24 Thread Frederic Ayrault via FreeIPA-users
Hello, Thank you Rob and Florence for your help. It looks difficult to switch to internal CA, hopefully with some help it seems easier to set up another external CA. Regards, Frederic Frédéric AYRAULT Administrateur Systèmes et Réseaux Laboratoire d'Informatique de l'Ecole

[Freeipa-users] Re: backup / restore

2023-10-23 Thread Rob Crittenden via FreeIPA-users
Frederic Ayrault wrote: > Hello, > > On 18/10/2023 at 19:43, Rob Crittenden via FreeIPA-users wrote: >> # getcert request -d /etc/httpd/alias -n Server-Cert -p >> /etc/httpd/alias/pwdfile.txt -D -K HTTP/ -C >> /usr/libexec/ipa/certmonger/restart_httpd -v -w >> > > This command does not work

[Freeipa-users] Re: backup / restore

2023-10-20 Thread Frederic Ayrault via FreeIPA-users
Hello, On 18/10/2023 at 16:57, Florence Blanc-Renaud via FreeIPA-users wrote: Hi, The process is documented in https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/replace-http-ldap-cert#doc-wrapper You

[Freeipa-users] Re: backup / restore

2023-10-20 Thread Frederic Ayrault via FreeIPA-users
Hello, On 18/10/2023 at 19:43, Rob Crittenden via FreeIPA-users wrote: # getcert request -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt -D -K HTTP/ -C /usr/libexec/ipa/certmonger/restart_httpd -v -w This command does not work New signing request "20231020100840"

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Frederic Ayrault via FreeIPA-users
Good evening, On 18/10/2023 at 19:43, Rob Crittenden via FreeIPA-users wrote: Right, so ipa-ca-install did effectively replace the old CA, but you're not done yet. As Flo points out, the HTTP and 389-ds (and who knows about PKINIT) certs were issued by a 3rd party. At this point in the thread I

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud wrote: > Hi, > > On Wed, Oct 18, 2023 at 4:11 PM Frederic Ayrault > mailto:f...@lix.polytechnique.fr>> wrote: > > Hello, > > On 18/10/2023 at 15:33, Florence Blanc-Renaud wrote: >> Hi, >> >> >> CNRS2 and CNRS2-Standard are part of the CA chain that

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Oct 18, 2023 at 4:11 PM Frederic Ayrault wrote: > Hello, > > On 18/10/2023 at 15:33, Florence Blanc-Renaud wrote: > > Hi, > > > CNRS2 and CNRS2-Standard are part of the CA chain that issued your HTTP > and LDAP server certificates, they should not be removed. > When you install

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Frederic Ayrault via FreeIPA-users
Hello, On 18/10/2023 at 15:33, Florence Blanc-Renaud wrote: Hi, CNRS2 and CNRS2-Standard are part of the CA chain that issued your HTTP and LDAP server certificates, they should not be removed. When you install a new embedded IPA CA, it doesn't replace the existing HTTP and LDAP server

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 17, 2023 at 5:47 PM Frederic Ayrault wrote: > > On 17/10/2023 at 17:23, Rob Crittenden wrote: > > So if I've followed this thread correctly, what you're doing is: > > - Taking replica ipa3? and forcibly disconnecting it from an existing > > IPA installation > > This is just

[Freeipa-users] Re: backup / restore

2023-10-17 Thread Frederic Ayrault via FreeIPA-users
On 17/10/2023 at 17:23, Rob Crittenden wrote: So if I've followed this thread correctly, what you're doing is: - Taking replica ipa3? and forcibly disconnecting it from an existing IPA installation This is just because my IPA is in production so I removed ipa3 for the tests - Trying to

[Freeipa-users] Re: backup / restore

2023-10-17 Thread Rob Crittenden via FreeIPA-users
Frederic Ayrault wrote: > Hello, > > On 16/10/2023 at 21:13, Frederic Ayrault wrote: >> Good evening, >> >> >> On 13/10/2023 at 22:20, Rob Crittenden via FreeIPA-users wrote: >>> Frederic Ayrault via FreeIPA-users wrote: > Done configuring certificate server (pki-tomcatd). >

[Freeipa-users] Re: backup / restore

2023-10-17 Thread Frederic Ayrault via FreeIPA-users
Hello, On 16/10/2023 at 21:13, Frederic Ayrault wrote: Good evening, On 13/10/2023 at 22:20, Rob Crittenden via FreeIPA-users wrote: Frederic Ayrault via FreeIPA-users wrote: Done configuring certificate server (pki-tomcatd). ipaclient.install.ipa_certupdate: ERROR    failed to update

[Freeipa-users] Re: backup / restore

2023-10-16 Thread Frederic Ayrault via FreeIPA-users
Good evening, On 13/10/2023 at 22:20, Rob Crittenden via FreeIPA-users wrote: Frederic Ayrault via FreeIPA-users wrote: Done configuring certificate server (pki-tomcatd). ipaclient.install.ipa_certupdate: ERROR    failed to update LIX.POLYTECHNIQUE.FR IPA CA in /etc/httpd/alias: Command

[Freeipa-users] Re: backup / restore

2023-10-13 Thread Rob Crittenden via FreeIPA-users
Frederic Ayrault via FreeIPA-users wrote: > I think I removed too many certs, with CNRS2 certs in > /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR, > ipa-ca-install works better but I still have an error at the end > >> Done configuring certificate server (pki-tomcatd). >>

[Freeipa-users] Re: backup / restore

2023-10-13 Thread Frederic Ayrault via FreeIPA-users
I think I removed too many certs, with CNRS2 certs in /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR, ipa-ca-install works better but I still have an error at the end Done configuring certificate server (pki-tomcatd). ipaclient.install.ipa_certupdate: ERROR    failed to update LIX.POLYTECHNIQUE.FR

[Freeipa-users] Re: backup / restore

2023-10-13 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 6:24 PM Frederic Ayrault wrote: > > On 12/10/2023 at 17:42, Florence Blanc-Renaud wrote: > > Hi, > > The CA installation fails because it finds an existing entry in "cn= > LIX.POLYTECHNIQUE.FR IPA > CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr".

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Frederic Ayrault via FreeIPA-users
On 12/10/2023 at 17:42, Florence Blanc-Renaud wrote: Hi, The CA installation fails because it finds an existing entry in "cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr". It really looks like your topology used to

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 3:44 PM Frederic Ayrault wrote: > Just in case here are the logs after going in the authentication menu in > the GUI > ( I get on Erreur IPA 903: InternalError ) when trying to get certificate > information > > in the server roles, CA server is now configured > >

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 11:41 AM Frederic Ayrault wrote: > > On 12/10/2023 at 10:59, Florence Blanc-Renaud wrote: > > Hi, > > > > > > > > If I recap everything so far: > > - there is a single server, ipa3.lix.polytechnique.fr > > It was part of a cluster but it is removed for the tests >

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Frederic Ayrault via FreeIPA-users
On 12/10/2023 at 10:59, Florence Blanc-Renaud wrote: Hi, If I recap everything so far: - there is a single server, ipa3.lix.polytechnique.fr It was part of a cluster but it is removed for the tests - it was installed CA-less, with http and ldap certificates issued by an external CA

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 9:58 AM Frederic Ayrault via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > > On 12/10/2023 at 09:42, Florence Blanc-Renaud wrote: > > Hi, > > > So far it doesn't look like there was an IPA embedded CA signed by the > external intermediate

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Frederic Ayrault via FreeIPA-users
Hello, On 12/10/2023 at 09:42, Florence Blanc-Renaud wrote: Hi, So far it doesn't look like there was an IPA embedded CA signed by the external intermediate CA. Can you check the HTTP and LDAP server certificates with certutil? I would like to check who issued them. Since it's IPA

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 10, 2023 at 9:26 AM Frederic Ayrault via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello Florence, > > On 10/10/2023 at 09:01, Florence Blanc-Renaud wrote: > > The error is an LDAP error when adding an entry/attribute for the CA. Can > you check in

[Freeipa-users] Re: backup / restore

2023-10-10 Thread Frederic Ayrault via FreeIPA-users
Hello Florence, On 10/10/2023 at 09:01, Florence Blanc-Renaud wrote: The error is an LDAP error when adding an entry/attribute for the CA. Can you check in /var/log/dirsrv/slapd-/errors if there were any errors reported at the same date (~2023-10-09T14:55:53Z)? The error would happen

[Freeipa-users] Re: backup / restore

2023-10-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Oct 9, 2023 at 5:30 PM Frederic Ayrault wrote: > > On 09/10/2023 at 16:47, Florence Blanc-Renaud wrote: > > Is this your external CA? I assume that its subject conflicts with the > default subject name that IPA installer would pick. If that's the case, you > can force

[Freeipa-users] Re: backup / restore

2023-10-09 Thread Frederic Ayrault via FreeIPA-users
On 09/10/2023 at 16:47, Florence Blanc-Renaud wrote: Is this your external CA? I assume that its subject conflicts with the default subject name that IPA installer would pick. If that's the case, you can force ipa-ca-install to use a different subject name with the --ca-subject option.

[Freeipa-users] Re: backup / restore

2023-10-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Oct 9, 2023 at 10:22 AM Frederic Ayrault wrote: > Hello, > > On 09/10/2023 at 09:42, Florence Blanc-Renaud wrote: > > Hi, > > On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > >> Hello, >> >> When I run the

[Freeipa-users] Re: backup / restore

2023-10-09 Thread Frederic Ayrault via FreeIPA-users
Hello, On 09/10/2023 at 09:42, Florence Blanc-Renaud wrote: Hi, On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users wrote: Hello, When I run the command, I get this message CA is not configured on this system

[Freeipa-users] Re: backup / restore

2023-10-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > > When I run the command, I get this message > > CA is not configured on this system > The ipa-cacert-manage command failed. > > > "replace our external CA to an

[Freeipa-users] Re: backup / restore

2023-10-09 Thread Frederic Ayrault via FreeIPA-users
Hello, When I run the command, I get this message CA is not configured on this system The ipa-cacert-manage command failed. Thank you Regards, Frederic Frédéric AYRAULT Administrateur Systèmes et Réseaux Laboratoire d'Informatique de l'Ecole polytechnique

[Freeipa-users] Re: backup / restore

2023-10-09 Thread Mohammad Rizwan Yusuf via FreeIPA-users
Hello, What procedure did you follow to renew your CA from external to self-signed? Please look at this doc https://www.freeipa.org/page/V4/CA_certificate_renewal#ca-certificate-management-utility $ ipa-cacert-manage renew --self-signed Above command should renew CA to self-signed On

[Freeipa-users] Re: backup & restore - 4.9.11 -> 4.10.1

2023-03-17 Thread Rafael Jeffman via FreeIPA-users
On Fri, Mar 17, 2023 at 3:07 PM Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > lejeczek via FreeIPA-users wrote: > > Hi guys. > > > > I'm trying to migrate IPA from Centos 8 over to Centos 9 but I fail. > > If the path I try is supported & should work then,

[Freeipa-users] Re: backup & restore - 4.9.11 -> 4.10.1

2023-03-17 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > Hi guys. > > I'm trying to migrate IPA from Centos 8 over to Centos 9 but I fail. > If the path I try is supported & should work then, first, 'restore' > failed with: > ... > Restoring umask to 18 > CalledProcessError(Command ['/usr/sbin/ipactl', 'start']