Re: [Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch
Can somebody help us how to move ahead with this issue? It seems like nobody is picking this up? Kind Regards, David 2016-10-26 13:43 GMT+02:00 David Dejaeghere : > Does anybody have a clue on how to continue with this? > > Kind Regards, > > David > > 2016-10-24 10:10 GMT+02:00 David Dejaeghere : > >> These are both the subjects for the old and new root ca cert. >> >> Subject: "CN=tokio-PAPRIKA-CA,DC=tokio,DC=local" >> Subject Public Key Info: >> Public Key Algorithm: PKCS #1 RSA Encryption >> RSA Public Key: >> Modulus: >> d5:51:19:a0:7e:2f:b6:4b:cb:71:42:cb:38:bc:50:0a: >> 18:16:58:07:11:c6:d3:ea:66:91:a8:52:02:54:93:28: >> 78:a1:89:36:7a:0f:1e:2a:35:8a:da:85:05:c4:fe:de: >> e8:6a:e8:fd:1b:89:44:8f:8c:62:d6:56:f7:9e:16:d5: >> fd:b4:44:65:71:4f:1a:7d:d6:28:2d:5e:ad:c9:da:60: >> 54:98:02:87:d9:43:62:ab:1b:93:c1:af:0b:b9:80:2e: >> 08:f0:65:46:bf:de:78:c5:d2:19:b8:07:52:d6:01:ab: >> d0:b2:7d:0a:7f:9f:fa:e8:8c:55:86:e0:d3:d5:ef:e7: >> ad:6a:12:a2:b8:75:be:93:c2:05:df:99:a9:d8:a2:cc: >> 7c:2b:49:d6:a3:65:0c:c8:ef:c3:a4:b6:f6:86:1d:c2: >> 56:56:1b:0d:70:7a:67:15:49:2f:b7:92:8e:2a:94:57: >> 53:26:ef:9a:af:89:fe:cb:1e:e7:ac:72:9a:cd:b4:22: >> b1:22:02:fd:95:23:e0:65:d0:36:e8:e1:88:2b:35:02: >> 99:1c:ee:84:10:80:84:a8:e5:61:04:6b:a3:6b:da:c5: >> 49:36:ef:f6:48:09:2c:0d:7c:b2:52:4f:a6:72:cc:e6: >> 30:b5:dd:a0:5b:0e:96:49:78:9d:1e:27:4e:02:40:a1 >> Exponent: 65537 (0x10001) >> >> Subject: DC=local, DC=tokio, CN=tokio-PAPRIKA-CA >> Subject Public Key Info: >> Public Key Algorithm: rsaEncryption >> Public-Key: (2048 bit) >> Modulus: >> 00:ae:32:35:fa:b5:f4:2d:b8:0c:c3:d9:b0:9f:a8: >> 5d:21:90:58:a9:79:79:7d:85:7e:f1:f2:36:9d:ef: >> 9f:8c:a8:3a:bf:57:5c:2e:6b:5d:2e:91:ba:c6:b7: >> b2:b1:dd:45:de:e6:d4:fe:01:f4:d2:bd:99:9f:9a: >> 71:1d:d4:e4:a7:cd:9e:f3:36:a7:a0:73:55:6b:04: >> 66:ab:c3:63:b3:41:06:ac:c8:c8:3a:4c:eb:83:78: >> 6e:e8:b6:0f:94:fa:a8:7e:7d:89:44:d1:bd:be:14: >> df:0c:ce:4d:b4:e6:0a:e2:d7:84:95:4b:a1:3e:53: >> c9:04:3f:7b:de:1b:fd:7b:b5:b0:69:3b:f9:f2:b5: >> a7:fe:6d:9d:62:6e:9a:fc:1e:32:69:ad:4c:ae:e3: >> 61:dd:92:99:34:4b:bf:6b:02:88:18:88:a2:0f:ca: >> e8:6e:91:f0:e6:2e:4d:83:f6:05:7e:ed:f2:f1:3e: >> b2:36:3f:de:3f:db:93:73:5b:60:ee:8c:48:e0:c0: >> 4c:0e:6a:63:1a:16:af:9e:28:93:40:39:23:bf:d0: >> 77:9c:b7:80:d3:c3:42:d8:27:db:d7:4b:e5:3f:b4: >> d2:ad:57:c2:01:73:c8:45:26:f1:00:93:50:3e:cf: >> 7a:2d:25:d5:43:b6:a7:75:a1:ef:58:f9:c9:11:e8: >> 09:1d >> Exponent: 65537 (0x10001) >> >> 2016-10-24 5:49 GMT+02:00 Fil Di Noto : >> >>> Hi, >>> >>> Can you give an example of what's different between the two subjects? >>> >>> On Sun, Oct 23, 2016 at 9:03 AM, David Dejaeghere < >>> david.dejaegh...@gmail.com> wrote: >>> Does somebody have an idea how to replace our certificates when the new ROOT ca certificate has a different subject? The UI is down because of this. 2016-10-19 11:42 GMT+02:00 David Dejaeghere >>> >: > Hello, > > When installing FreeIPA we used the CA from our Windows servers. > This one recently expired and we created a new one. It seems that the > new root CA has another subject name and this seems to be an issue when we > want to install new certs on our FreeIPA hosts. > > ipa-cacert-manage install certnew.pem -n mycert -t C,, > > Installing CA certificate, please wait > Failed to install the certificate: subject public key info mismatch > > After validating the subjects are indeed different. > > How can we replace the required certs for dirsrv and http when the ca > is not installable? > > Kind Regards, > > David > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project >>> >>> >> > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch
Does anybody have a clue on how to continue with this? Kind Regards, David 2016-10-24 10:10 GMT+02:00 David Dejaeghere : > These are both the subjects for the old and new root ca cert. > > Subject: "CN=tokio-PAPRIKA-CA,DC=tokio,DC=local" > Subject Public Key Info: > Public Key Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > d5:51:19:a0:7e:2f:b6:4b:cb:71:42:cb:38:bc:50:0a: > 18:16:58:07:11:c6:d3:ea:66:91:a8:52:02:54:93:28: > 78:a1:89:36:7a:0f:1e:2a:35:8a:da:85:05:c4:fe:de: > e8:6a:e8:fd:1b:89:44:8f:8c:62:d6:56:f7:9e:16:d5: > fd:b4:44:65:71:4f:1a:7d:d6:28:2d:5e:ad:c9:da:60: > 54:98:02:87:d9:43:62:ab:1b:93:c1:af:0b:b9:80:2e: > 08:f0:65:46:bf:de:78:c5:d2:19:b8:07:52:d6:01:ab: > d0:b2:7d:0a:7f:9f:fa:e8:8c:55:86:e0:d3:d5:ef:e7: > ad:6a:12:a2:b8:75:be:93:c2:05:df:99:a9:d8:a2:cc: > 7c:2b:49:d6:a3:65:0c:c8:ef:c3:a4:b6:f6:86:1d:c2: > 56:56:1b:0d:70:7a:67:15:49:2f:b7:92:8e:2a:94:57: > 53:26:ef:9a:af:89:fe:cb:1e:e7:ac:72:9a:cd:b4:22: > b1:22:02:fd:95:23:e0:65:d0:36:e8:e1:88:2b:35:02: > 99:1c:ee:84:10:80:84:a8:e5:61:04:6b:a3:6b:da:c5: > 49:36:ef:f6:48:09:2c:0d:7c:b2:52:4f:a6:72:cc:e6: > 30:b5:dd:a0:5b:0e:96:49:78:9d:1e:27:4e:02:40:a1 > Exponent: 65537 (0x10001) > > Subject: DC=local, DC=tokio, CN=tokio-PAPRIKA-CA > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (2048 bit) > Modulus: > 00:ae:32:35:fa:b5:f4:2d:b8:0c:c3:d9:b0:9f:a8: > 5d:21:90:58:a9:79:79:7d:85:7e:f1:f2:36:9d:ef: > 9f:8c:a8:3a:bf:57:5c:2e:6b:5d:2e:91:ba:c6:b7: > b2:b1:dd:45:de:e6:d4:fe:01:f4:d2:bd:99:9f:9a: > 71:1d:d4:e4:a7:cd:9e:f3:36:a7:a0:73:55:6b:04: > 66:ab:c3:63:b3:41:06:ac:c8:c8:3a:4c:eb:83:78: > 6e:e8:b6:0f:94:fa:a8:7e:7d:89:44:d1:bd:be:14: > df:0c:ce:4d:b4:e6:0a:e2:d7:84:95:4b:a1:3e:53: > c9:04:3f:7b:de:1b:fd:7b:b5:b0:69:3b:f9:f2:b5: > a7:fe:6d:9d:62:6e:9a:fc:1e:32:69:ad:4c:ae:e3: > 61:dd:92:99:34:4b:bf:6b:02:88:18:88:a2:0f:ca: > e8:6e:91:f0:e6:2e:4d:83:f6:05:7e:ed:f2:f1:3e: > b2:36:3f:de:3f:db:93:73:5b:60:ee:8c:48:e0:c0: > 4c:0e:6a:63:1a:16:af:9e:28:93:40:39:23:bf:d0: > 77:9c:b7:80:d3:c3:42:d8:27:db:d7:4b:e5:3f:b4: > d2:ad:57:c2:01:73:c8:45:26:f1:00:93:50:3e:cf: > 7a:2d:25:d5:43:b6:a7:75:a1:ef:58:f9:c9:11:e8: > 09:1d > Exponent: 65537 (0x10001) > > 2016-10-24 5:49 GMT+02:00 Fil Di Noto : > >> Hi, >> >> Can you give an example of what's different between the two subjects? >> >> On Sun, Oct 23, 2016 at 9:03 AM, David Dejaeghere < >> david.dejaegh...@gmail.com> wrote: >> >>> Does somebody have an idea how to replace our certificates when the new >>> ROOT ca certificate has a different subject? >>> The UI is down because of this. >>> >>> 2016-10-19 11:42 GMT+02:00 David Dejaeghere >>> : >>> Hello, When installing FreeIPA we used the CA from our Windows servers. This one recently expired and we created a new one. It seems that the new root CA has another subject name and this seems to be an issue when we want to install new certs on our FreeIPA hosts. ipa-cacert-manage install certnew.pem -n mycert -t C,, Installing CA certificate, please wait Failed to install the certificate: subject public key info mismatch After validating the subjects are indeed different. How can we replace the required certs for dirsrv and http when the ca is not installable? Kind Regards, David >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >>> >> >> > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch
These are both the subjects for the old and new root ca cert. Subject: "CN=tokio-PAPRIKA-CA,DC=tokio,DC=local" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: d5:51:19:a0:7e:2f:b6:4b:cb:71:42:cb:38:bc:50:0a: 18:16:58:07:11:c6:d3:ea:66:91:a8:52:02:54:93:28: 78:a1:89:36:7a:0f:1e:2a:35:8a:da:85:05:c4:fe:de: e8:6a:e8:fd:1b:89:44:8f:8c:62:d6:56:f7:9e:16:d5: fd:b4:44:65:71:4f:1a:7d:d6:28:2d:5e:ad:c9:da:60: 54:98:02:87:d9:43:62:ab:1b:93:c1:af:0b:b9:80:2e: 08:f0:65:46:bf:de:78:c5:d2:19:b8:07:52:d6:01:ab: d0:b2:7d:0a:7f:9f:fa:e8:8c:55:86:e0:d3:d5:ef:e7: ad:6a:12:a2:b8:75:be:93:c2:05:df:99:a9:d8:a2:cc: 7c:2b:49:d6:a3:65:0c:c8:ef:c3:a4:b6:f6:86:1d:c2: 56:56:1b:0d:70:7a:67:15:49:2f:b7:92:8e:2a:94:57: 53:26:ef:9a:af:89:fe:cb:1e:e7:ac:72:9a:cd:b4:22: b1:22:02:fd:95:23:e0:65:d0:36:e8:e1:88:2b:35:02: 99:1c:ee:84:10:80:84:a8:e5:61:04:6b:a3:6b:da:c5: 49:36:ef:f6:48:09:2c:0d:7c:b2:52:4f:a6:72:cc:e6: 30:b5:dd:a0:5b:0e:96:49:78:9d:1e:27:4e:02:40:a1 Exponent: 65537 (0x10001) Subject: DC=local, DC=tokio, CN=tokio-PAPRIKA-CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ae:32:35:fa:b5:f4:2d:b8:0c:c3:d9:b0:9f:a8: 5d:21:90:58:a9:79:79:7d:85:7e:f1:f2:36:9d:ef: 9f:8c:a8:3a:bf:57:5c:2e:6b:5d:2e:91:ba:c6:b7: b2:b1:dd:45:de:e6:d4:fe:01:f4:d2:bd:99:9f:9a: 71:1d:d4:e4:a7:cd:9e:f3:36:a7:a0:73:55:6b:04: 66:ab:c3:63:b3:41:06:ac:c8:c8:3a:4c:eb:83:78: 6e:e8:b6:0f:94:fa:a8:7e:7d:89:44:d1:bd:be:14: df:0c:ce:4d:b4:e6:0a:e2:d7:84:95:4b:a1:3e:53: c9:04:3f:7b:de:1b:fd:7b:b5:b0:69:3b:f9:f2:b5: a7:fe:6d:9d:62:6e:9a:fc:1e:32:69:ad:4c:ae:e3: 61:dd:92:99:34:4b:bf:6b:02:88:18:88:a2:0f:ca: e8:6e:91:f0:e6:2e:4d:83:f6:05:7e:ed:f2:f1:3e: b2:36:3f:de:3f:db:93:73:5b:60:ee:8c:48:e0:c0: 4c:0e:6a:63:1a:16:af:9e:28:93:40:39:23:bf:d0: 77:9c:b7:80:d3:c3:42:d8:27:db:d7:4b:e5:3f:b4: d2:ad:57:c2:01:73:c8:45:26:f1:00:93:50:3e:cf: 7a:2d:25:d5:43:b6:a7:75:a1:ef:58:f9:c9:11:e8: 09:1d Exponent: 65537 (0x10001) 2016-10-24 5:49 GMT+02:00 Fil Di Noto : > Hi, > > Can you give an example of what's different between the two subjects? > > On Sun, Oct 23, 2016 at 9:03 AM, David Dejaeghere < > david.dejaegh...@gmail.com> wrote: > >> Does somebody have an idea how to replace our certificates when the new >> ROOT ca certificate has a different subject? >> The UI is down because of this. >> >> 2016-10-19 11:42 GMT+02:00 David Dejaeghere : >> >>> Hello, >>> >>> When installing FreeIPA we used the CA from our Windows servers. >>> This one recently expired and we created a new one. It seems that the >>> new root CA has another subject name and this seems to be an issue when we >>> want to install new certs on our FreeIPA hosts. >>> >>> ipa-cacert-manage install certnew.pem -n mycert -t C,, >>> >>> Installing CA certificate, please wait >>> Failed to install the certificate: subject public key info mismatch >>> >>> After validating the subjects are indeed different. >>> >>> How can we replace the required certs for dirsrv and http when the ca is >>> not installable? >>> >>> Kind Regards, >>> >>> David >>> >>> >>> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch
Hi, Can you give an example of what's different between the two subjects? On Sun, Oct 23, 2016 at 9:03 AM, David Dejaeghere < david.dejaegh...@gmail.com> wrote: > Does somebody have an idea how to replace our certificates when the new > ROOT ca certificate has a different subject? > The UI is down because of this. > > 2016-10-19 11:42 GMT+02:00 David Dejaeghere : > >> Hello, >> >> When installing FreeIPA we used the CA from our Windows servers. >> This one recently expired and we created a new one. It seems that the >> new root CA has another subject name and this seems to be an issue when we >> want to install new certs on our FreeIPA hosts. >> >> ipa-cacert-manage install certnew.pem -n mycert -t C,, >> >> Installing CA certificate, please wait >> Failed to install the certificate: subject public key info mismatch >> >> After validating the subjects are indeed different. >> >> How can we replace the required certs for dirsrv and http when the ca is >> not installable? >> >> Kind Regards, >> >> David >> >> >> > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch
Does somebody have an idea how to replace our certificates when the new ROOT ca certificate has a different subject? The UI is down because of this. 2016-10-19 11:42 GMT+02:00 David Dejaeghere : > Hello, > > When installing FreeIPA we used the CA from our Windows servers. > This one recently expired and we created a new one. It seems that the new > root CA has another subject name and this seems to be an issue when we want > to install new certs on our FreeIPA hosts. > > ipa-cacert-manage install certnew.pem -n mycert -t C,, > > Installing CA certificate, please wait > Failed to install the certificate: subject public key info mismatch > > After validating the subjects are indeed different. > > How can we replace the required certs for dirsrv and http when the ca is > not installable? > > Kind Regards, > > David > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch
Hello, When installing FreeIPA we used the CA from our Windows servers. This one recently expired and we created a new one. It seems that the new root CA has another subject name and this seems to be an issue when we want to install new certs on our FreeIPA hosts. ipa-cacert-manage install certnew.pem -n mycert -t C,, Installing CA certificate, please wait Failed to install the certificate: subject public key info mismatch After validating the subjects are indeed different. How can we replace the required certs for dirsrv and http when the ca is not installable? Kind Regards, David -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project