Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)
On 04/28/2017 03:50 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote:
>> I think I got you wrong... Do you mean that you installed IPA with an
>> integrated IdM CA which was self-signed, then your intent was to move to
>> an integrated IdM CA externally signed? In this case, the right command
>> would be ipa-cacert-manage renew --external-ca, and the procedure is
>> described in "Changing the certificate chain" [1].
>
> Ah, thanks for your corrections and information. Then what should I do?
> Should I run ipa-cacert-manage renew --external-ca?

Yes, this is the way to go, documented here [1]. This is a 2-step process: when the command is run, it will create a CSR that needs to be signed by an external CA. Then the command must be re-launched with the new certificate delivered by the CA.

Also do not forget to run ipa-certupdate on the master and all the replicas/clients.

Flo.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext

>> The command ipa-cacert-manage install does not replace the integrated IdM
>> CA but adds the certificate as a known CA.
>>
>> Hope this clarifies,
>> Flo
>>
>> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)
Hello!

On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote:
> On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> Master IPA Server:
>> - I installed 1 (one) server as master (self-signed) and added/modified it using an external CA.
>> - I am using ipa-cacert-manage install, then ipa-certupdate on the master.
>
> Hi,
>
> I think I got you wrong... Do you mean that you installed IPA with an
> integrated IdM CA which was self-signed, then your intent was to move to
> an integrated IdM CA externally signed? In this case, the right command
> would be ipa-cacert-manage renew --external-ca, and the procedure is
> described in "Changing the certificate chain" [1].

Ah, thanks for your corrections and information. Then what should I do?
Should I run ipa-cacert-manage renew --external-ca?

> The command ipa-cacert-manage install does not replace the integrated IdM
> CA but adds the certificate as a known CA.
>
> Hope this clarifies,
> Flo
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)
On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> Master IPA Server:
> - I installed 1 (one) server as master (self-signed) and added/modified it using an external CA.
> - I am using ipa-cacert-manage install, then ipa-certupdate on the master.

Hi,

I think I got you wrong... Do you mean that you installed IPA with an integrated IdM CA which was self-signed, then your intent was to move to an integrated IdM CA externally signed? In this case, the right command would be ipa-cacert-manage renew --external-ca, and the procedure is described in "Changing the certificate chain" [1].

The command ipa-cacert-manage install does not replace the integrated IdM CA but adds the certificate as a known CA.

Hope this clarifies,
Flo

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html

> Replica IPA Server:
> - I installed 1 (one) server as client and promoted it to an ipa-replica:
>   - I ran `ipa-client-install` with autodiscovery
>   - Then `ipa-replica-install --principal admin --admin-password `
>
> I ran ipa-certupdate -v for verbose logs (attached to the first email). The replica server then isn't using the external CA(s) like the master does.
>
> So I did the same as on the master, using `ipa-cacert-manage` on the replica, and it works fine. If that's normal, then thanks for clarifying this.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)
Hello!

Master IPA Server:
- I installed 1 (one) server as master (self-signed) and added/modified it using an external CA.
- I am using ipa-cacert-manage install, then ipa-certupdate on the master.

Replica IPA Server:
- I installed 1 (one) server as client and promoted it to an ipa-replica:
  - I ran `ipa-client-install` with autodiscovery
  - Then `ipa-replica-install --principal admin --admin-password `

I ran ipa-certupdate -v for verbose logs (attached to the first email). The replica server then isn't using the external CA(s) like the master does.

So I did the same as on the master, using `ipa-cacert-manage` on the replica, and it works fine. If that's normal, then thanks for clarifying this.

On 04/25/2017 02:52 PM, Florence Blanc-Renaud wrote:
> Hi,
>
> As your email refers to self-signed and signed CA certificates, can you
> please clarify the exact steps that you followed? It looks like
> - you first installed FreeIPA with a self-signed CA
> - you added an external CA (did you use ipa-cacert-manage install on 1
>   server, then ipa-certupdate on all replicas?)
> - you replaced the httpd/LDAP certificates with a cert signed by the
>   external CA (you probably ran ipa-server-certinstall on one server).
>
> In this case it is normal that the httpd/LDAP certificates on the
> replica were not updated, as they are different (each IPA server has
> its own httpd/LDAP cert, which contains the hostname in its subject).
> You can check this by performing on each server:
>
> ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
>         Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
>                      ^
>
> If the goal is to replace the httpd/LDAP certificates on the replica,
> the command ipa-server-certinstall must also be run on the replica with
> the appropriate certificate.
>
> HTH,
> Flo.
Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)
Hi,

As your email refers to self-signed and signed CA certificates, can you please clarify the exact steps that you followed? It looks like
- you first installed FreeIPA with a self-signed CA
- you added an external CA (did you use ipa-cacert-manage install on 1 server, then ipa-certupdate on all replicas?)
- you replaced the httpd/LDAP certificates with a cert signed by the external CA (you probably ran ipa-server-certinstall on one server).

In this case it is normal that the httpd/LDAP certificates on the replica were not updated, as they are different (each IPA server has its own httpd/LDAP cert, which contains the hostname in its subject). You can check this by performing on each server:

ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
        Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
                     ^

If the goal is to replace the httpd/LDAP certificates on the replica, the command ipa-server-certinstall must also be run on the replica with the appropriate certificate.

HTH,
Flo.

On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> Just an update: manually adding the external CA(s) and signed
> certificate was successful, but why wasn't it automatically transferred
> to the replica(s) from the master?
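The two replies from Florence (the per-server Server-Cert check here, and the two-step ipa-cacert-manage renew --external-ca procedure plus ipa-certupdate on every host in the reply at the top of the thread) fit into one operator script. The one below is an added example, not code from the thread or from the FreeIPA project: the host names, the work directory, root ssh access and the awk/openssl/sha256sum tooling on the admin host are assumptions, and the paths are the RHEL 7 era ones the thread uses; the ipa-cacert-manage and ipa-certupdate invocations are the ones the replies and the linked Red Hat guide name. It goes one step past the thread by digesting the set of CA certificates in /etc/ipa/ca.crt on every server, which catches a replica that still holds the old self-signed CA even when the nickname in its NSS database looks right.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): drive the
# two-step external-CA renewal, push the result to every server, and verify it.
# Host names, work directory and root ssh access are assumptions. Paths are the
# RHEL 7 era ones from the thread (newer IPA keeps httpd certs as PEM files
# under /var/lib/ipa/certs instead of the /etc/httpd/alias NSS database).
set -eu

MASTER="ipa1.example.com"                      # assumption: CA renewal master
REPLICAS="ipa2.example.com ipa3.example.com"   # assumption: the other servers
WORK="${WORK:-/root/ca-renew}"                 # assumption: scratch directory

# Step 1, on the master: ipa-cacert-manage writes the CSR to /var/lib/ipa/ca.csr.
request_csr() {
    mkdir -p "$WORK"
    ipa-cacert-manage renew --external-ca
    cp /var/lib/ipa/ca.csr "$WORK/ipa-ca.csr"
    echo "Have $WORK/ipa-ca.csr signed, then run: $0 install <signed.pem> <external-ca-chain.pem>"
}

# Count PEM certificates in a file; prints 0 and fails if the file is unreadable.
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 1; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Step 2, on the master: install the signed CA certificate plus the external
# chain, then refresh the master's own trust stores. Both --external-cert-file
# arguments are checked first so that a wrong path does not abort mid-renewal.
install_signed() {
    signed="$1"; chain="$2"
    n="$(pem_cert_count "$signed")" || { echo "cannot read $signed" >&2; return 1; }
    [ "$n" -eq 1 ] || { echo "$signed must contain exactly one certificate" >&2; return 1; }
    m="$(pem_cert_count "$chain")" || { echo "cannot read $chain" >&2; return 1; }
    [ "$m" -ge 1 ] || { echo "$chain contains no certificate" >&2; return 1; }
    ipa-cacert-manage renew --external-cert-file="$signed" --external-cert-file="$chain"
    ipa-certupdate
}

# Step 3: nothing pushes the new chain to replicas or clients; each host has
# to run ipa-certupdate itself.
propagate() {
    for h in $REPLICAS; do
        ssh "root@$h" ipa-certupdate
    done
}

# Sorted SHA-256 fingerprints of every certificate in a PEM bundle, so the
# comparison does not depend on the order the certificates were written in.
chain_fingerprints() {
    cmd="openssl x509 -noout -fingerprint -sha256"
    awk -v cmd="$cmd" '
        /-----BEGIN CERTIFICATE-----/ { buf = "" }
        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { printf "%s", buf | cmd; close(cmd) }' "$1" | sort
}

# One "<host> <digest>" line per server, master first. ipa-certupdate rewrites
# /etc/ipa/ca.crt on every host from the CA certificates stored in IPA's LDAP.
collect_state() {
    mkdir -p "$WORK"
    for h in $MASTER $REPLICAS; do
        ssh "root@$h" cat /etc/ipa/ca.crt > "$WORK/$h.ca.crt"
        printf '%s %s\n' "$h" "$(chain_fingerprints "$WORK/$h.ca.crt" | sha256sum | cut -d' ' -f1)"
    done
}

# stdin: "<host> <digest>" lines, master first. Prints the hosts whose CA
# bundle differs from the master's; prints nothing when they all agree.
hosts_out_of_sync() {
    awk 'NR == 1 { ref = $2; next } $2 != ref { print $1 }'
}

check() {
    bad="$(collect_state | hosts_out_of_sync)"
    if [ -n "$bad" ]; then
        echo "CA bundle differs from $MASTER on: $bad" >&2
        return 1
    fi
    # Server-Cert is per host (its own hostname in the subject), so only the
    # issuer is expected to be the same everywhere.
    for h in $MASTER $REPLICAS; do
        echo "== $h"
        ssh "root@$h" certutil -d /etc/httpd/alias -L -n Server-Cert | grep -E 'Subject:|Issuer:'
    done
}

case "${1:-}" in
    request)   request_csr ;;
    install)   install_signed "${2:?signed certificate}" "${3:?external CA chain}" ;;
    propagate) propagate ;;
    check)     check ;;
    *)         echo "usage: $0 request | install <signed.pem> <chain.pem> | propagate | check" ;;
esac
```

Run request on the master, hand the CSR to the external CA, run install with the signed certificate and the CA's chain, then propagate and check. check exits non-zero when any replica's CA bundle digest differs from the master's, which is the symptom this thread started from (a replica still carrying the self-signed CA), and otherwise prints each server's own Server-Cert subject and issuer so the per-host difference Florence describes is visible at a glance.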
Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)
Hello!

Just an update: manually adding the external CA(s) and signed certificate was successful, but why wasn't it automatically transferred to the replica(s) from the master?

On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote:
> Hello!
>
> I've successfully created a replica, and everything works fine, but why
> didn't my signed CA certificate automatically transfer to the other
> replica(s)? Is it normal?
>
> Trying to add it manually, but the certificate on the replica(s) is
> still using self-signed. Here's the output from `ipa-certupdate -v`:
> https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=
>
> Interesting lines were:
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
> ipa: DEBUG: Process finished, return code=255
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
>
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
> ipa: DEBUG: Process finished, return code=255
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found
>
> FYI: The replica server previously was a client and was promoted to be
> a replica by running this command:
> `ipa-replica-install --principal admin --admin-password admin_password`
>
> Any hints?
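The ipa-certupdate -v output is long, and the lines Dewangga picked out are the certutil lookups that failed. The script below is an added example (not part of the thread or of FreeIPA) that pairs each `certutil -d <db> -L -n <nickname>` call in the debug log with the return code of that process and prints one line per lookup, so the nicknames a host is missing stand out without reading the whole log. The sample log is constructed: the first two lookups are the lines quoted above, the third (`EXAMPLE.COM IPA CA`, return code 0) is invented to show what a successful lookup looks like.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): summarise the
# certutil lookups that `ipa-certupdate -v` logs. Each "args=/usr/bin/certutil
# -d <db> -L -n <nick> -a" line is paired with the next "Process finished,
# return code=N" line; rc 0 means the nickname exists in that NSS database.
set -eu

# stdin: ipa-certupdate -v output
# stdout: "missing <db> <nick>" or "present <db> <nick>", one per lookup, in log order
certutil_lookups() {
    awk '
        /^ipa: DEBUG: args=\/usr\/bin\/certutil -d .* -L -n .* -a$/ {
            db = $0;   sub(/^.* -d /, "", db);     sub(/ -L -n .*$/, "", db)
            nick = $0; sub(/^.* -L -n /, "", nick); sub(/ -a$/, "", nick)
            next
        }
        nick != "" && /^ipa: DEBUG: Process finished, return code=/ {
            rc = $0; sub(/^.*return code=/, "", rc)
            state = ((rc + 0) == 0) ? "present" : "missing"
            print state, db, nick
            nick = ""
        }'
}

# Constructed sample: the two failed lookups quoted in the thread plus one
# invented successful lookup (the realm CA nickname is an assumption).
SAMPLE_LOG='ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n EXAMPLE.COM IPA CA -a
ipa: DEBUG: Process finished, return code=0'

# Usage: ipa-certupdate -v > certupdate.log 2>&1; sh this.sh certupdate.log
# Without an argument it runs on the constructed sample above.
if [ $# -gt 0 ]; then
    certutil_lookups < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | certutil_lookups
fi
```

Feed it the saved log from the replica and from the master and diff the two outputs: a nickname that is present on the master and missing on the replica is the one that ipa-certupdate did not get to the replica, and the database column tells you which store (/etc/ipa/nssdb here) to look in with certutil -L.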