antonelli@cnaf wrote:
> Hi Rob, Freeipas
>>>> Is there a way to bypass this?
>>>
>>> Go back in time as you tried.
>>>
>>>> I've tried to set a date on the server previous than the expiring one of
>>>> the cert, but I get an SASL/GSSAPI error (even if I renew admin ticket).
>>>
>>> I guess make sure that your time daemon, if any, is stopped.
> I managed to install new certs on ipa server setting date back in time;
> now on the other two server I still get the error "Insufficient access:
> SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
> code may provide more information (Credential cache is empty)" (ntpd
> daemon stopped)

Getting it where? I assume you did a kinit after resetting time?

> Could it be useful to remove the other two nodes from topology (e.g.
> with ipa-replica-manage re-initialize --from good-ipa-server)?

This only affects the IPA data, not the certificates used by those
servers so it wouldn't help.

rob

> thank you
> regards
> Stefano
On 7/28/22 22:21, stefano.antonelli@cnaf via FreeIPA-users wrote:
> Hi Rob
>
> thank you for your answer
>
>> Why are you running this command? Did you change the CA at the same
>> time? If not then ipa-server-certinstall is what you want.
>
> yes, now it's Comodo
>
> I've tried ipa-server-certinstall too but I get "The full certificate
> chain is not present in ../path/my.key, ../path/my.cer The
> ipa-server-certinstall command failed."
>
> Should I try to create a chain certificate/root_ca is there a
> particular order e.g. root/other_ca/cert or cert/root/other_ca?
>
>>> Is there a way to bypass this?
>>
>> Go back in time as you tried.
>>
>>> I've tried to set a date on the server previous than the expiring
>>> one of
>>> the cert, but I get an SASL/GSSAPI error (even if I renew admin
>>> ticket).
>>
>> I guess make sure that your time daemon, if any, is stopped.
>
> perhaps I'll try again stopping ntpd
>
> thank you
> regards
> Stefano
>
>
> On 2022-07-28 21:28 Rob Crittenden wrote:
>> stefano.antonelli@cnaf via FreeIPA-users wrote:
>>> Dear All
>>>
>>> we have a three nodes FreeIPA 4.6.8 installation with third party
>>> certificate (https / dirsrv). This certificate has expired and when I
>>> try to follow the
>>>
>>> ipa-cacert-manage install ...
>>> ipa-certupdate I get the error: "cannot connect to
>>> https://ipaserver/ipa/json : [SSL: CERTIFICATE_VERIFY_FAILED]
>>> certificate verify failed (_ssl.c:618)"
>>
>> Why are you running this command? Did you change the CA at the same
>> time? If not then ipa-server-certinstall is what you want.
>>
>>> I suppose that this is due to the fact that https connection is blocked
>>> for expired certificate which I can't renew.
>>
>> Yep.
>>
>>
>>> Is there a way to bypass this?
>>
>> Go back in time as you tried.
>>
>>> I've tried to set a date on the server previous than the expiring
>>> one of
>>> the cert, but I get an SASL/GSSAPI error (even if I renew admin
>>> ticket).
>>
>> I guess make sure that your time daemon, if any, is stopped.
>>
>>> I was thinking to regenerate /etc/httpd/alias/cert8.db,key3.db with new
>>> cert/key but I don't know how
>>
>> Theoretically possible but ipa-server-certinstall should handle it for
>> you. Manual is prone to error.
>>
>> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
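The "full certificate chain is not present" error and the question about chain order in the quoted message both come down to what is in the PEM file handed to ipa-server-certinstall. The script below is an added example, not code from this thread or from the FreeIPA project: it builds a chain file in the order server cert, then intermediate(s), then root (the order TLS servers send and the convention PEM bundles follow), and checks it with openssl before any IPA command is run. The file names my.key and my.cer echo the original post; the three-tier test PKI, the host name ipaserver.example.test and the ipa-server-certinstall invocation in the trailing comment are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): assemble a PEM
# chain file as leaf -> intermediate(s) -> root and sanity-check it before
# handing it to ipa-server-certinstall. Everything runs in a throwaway
# directory against a PKI constructed here, so it is safe to run anywhere.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: self-signed root -> intermediate -> server cert (1-day validity).
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ipaserver.example.test\n' > "$WORK/srv.ext"
  for name in root int my; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/my.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/srv.ext" -out "$WORK/my.cer" 2>/dev/null
}

# build_chain OUT LEAF [INTERMEDIATE ...] ROOT
# Concatenate in server-first order; the root at the end is optional but harmless.
build_chain() {
  out=$1; shift
  cat "$@" > "$out"
}

# 0 if the certificate's notAfter is already in the past (-checkend 0 exits 1 then).
cert_is_expired() {
  ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 0 if the private key's public half equals the certificate's public key,
# i.e. this key/cert pair belongs together.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if CHAIN holds at least two certificates and each one is issued by the
# certificate that follows it (leaf -> intermediate -> root ordering).
chain_order_ok() {
  dir=$(mktemp -d "$WORK/split.XXXXXX")
  n=$(awk -v p="$dir/c" '/-----BEGIN CERTIFICATE-----/{n++; f=p n ".pem"} f{print > f} /-----END CERTIFICATE-----/{close(f); f=""} END{print n+0}' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$dir/c$i.pem" -noout -issuer | sed 's/^[^=]*=//')
    sub=$(openssl x509 -in "$dir/c$((i+1)).pem" -noout -subject | sed 's/^[^=]*=//')
    [ "$iss" = "$sub" ] || return 1
    i=$((i+1))
  done
  [ "$n" -ge 2 ]
}

# chain_verifies LEAF CHAIN ROOT: 0 if LEAF validates up to ROOT using the
# certificates in CHAIN as untrusted intermediates.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

make_test_pki
build_chain "$WORK/chain.pem" "$WORK/my.cer" "$WORK/int.pem" "$WORK/root.pem"
build_chain "$WORK/wrong.pem" "$WORK/root.pem" "$WORK/int.pem" "$WORK/my.cer"  # root first: wrong

chain_order_ok "$WORK/chain.pem" && echo "chain.pem: leaf -> intermediate -> root order OK"
chain_order_ok "$WORK/wrong.pem" || echo "wrong.pem: root-first order rejected"
chain_verifies "$WORK/my.cer" "$WORK/chain.pem" "$WORK/root.pem" && echo "my.cer verifies via chain.pem"
key_matches_cert "$WORK/my.key" "$WORK/my.cer" && echo "my.key belongs to my.cer"
cert_is_expired "$WORK/my.cer" || echo "my.cer is not expired"
# Only once all checks pass would the real command be run on the IPA server
# (assumed invocation, check the man page): ipa-server-certinstall -w -d chain.pem my.key
```

Note that `openssl verify` accepts the -untrusted intermediates in any order, so a passing `chain_verifies` alone does not prove the file is ordered correctly; `chain_order_ok` is the check that catches a root-first or cert-last bundle of the kind the quoted question asks about.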