9:46 a.m.
Hello,
I'm confused with my freeipa setup. Some details on the installation:
- I use freeipa on only one server since 2012 (basic install with a
self-signed certificate ... KO from then 2014).
- meanwhile (a few years) I made a migration to switch to a version of
freeipa v4 on 7.1 centos, which is today in 4.5 since a few weeks. (the
old freeipav3 server has been destroyed for a long time)
- at this time CA autorithy been lost ... but hey I do not use this
feature in freeipa v4, I'm not too worried.
- I mainly use the ldap (user, group, host, hbac, automount etc), and
especially kerberos, and also winsync (trust AD etc ...)
- I never interressed at the party certificate.
- The HTTP and LDAP certificates of the server is signed via an external
authority not managed by freeipa.
Only here I wanted to add a 2nd server to replicate my single server
freeipa, to secure the system. And here the disaster begins for me ...
because the certificates block the process in all directions.
I'm considering several solutions:
- Solution 1 (my favorite if it's possible), that I started to try to do ...
remove the CA and restart from scratch on my master server before
starting to replicate.
I made a:
ipa-ca-install ----> KO
CA is already installed on this host
THEN
pkidestroy -s CA -i pki-tomcat
ipa-getcert stop-tracking -i ******** (certificate expired for several
years)
ipa-ca-install ----> KO
''
Run connection check to master
Connection check OK
Your system may be partly configured.
Run / usr / sbin / ipa-server-install --uninstall to clean up.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
HTTPError: 404 Client Error: Not Found
''
I tried enorment order I think have put more basard than anything else
that said ... :'(
how i can erase all traces of CA autority and reinstall with
ipa-ca-install a new autority and leave with a correct installation ?
- Solution 2
Add a replica server without CA autority and pass it master and install
a new CA autority! it's possible ?
- solution 3
make a new freeipa server from 0
- ipa-server-install
- import my ~ 600 users and ~ 50 hosts (service)
- import my rules HBAC
- import my sudo rules
- import the keys kerberos
... I'm forgetting some things? and above all, is there a procedure to
do all this?
It seems much more difficult, especially since it will certainly be
necessary to plan production stops for my services:
Which solution do you recommend?
Thank you in advance for all the help you will give me
Pierre
8:33 a.m.
Labanowski Pierre via FreeIPA-users wrote:
Hello,
I'm confused with my freeipa setup. Some details on the installation:
- I use freeipa on only one server since 2012 (basic install with a
self-signed certificate ... KO from then 2014).
- meanwhile (a few years) I made a migration to switch to a version of
freeipa v4 on 7.1 centos, which is today in 4.5 since a few weeks. (the
old freeipav3 server has been destroyed for a long time)
- at this time CA autorithy been lost ... but hey I do not use this
feature in freeipa v4, I'm not too worried.
- I mainly use the ldap (user, group, host, hbac, automount etc), and
especially kerberos, and also winsync (trust AD etc ...)
- I never interressed at the party certificate.
- The HTTP and LDAP certificates of the server is signed via an external
authority not managed by freeipa.
Only here I wanted to add a 2nd server to replicate my single server
freeipa, to secure the system. And here the disaster begins for me ...
because the certificates block the process in all directions.
I'm considering several solutions:
- Solution 1 (my favorite if it's possible), that I started to try to do ...
remove the CA and restart from scratch on my master server before
starting to replicate.
I made a:
ipa-ca-install ----> KO
CA is already installed on this host
THEN
pkidestroy -s CA -i pki-tomcat
ipa-getcert stop-tracking -i ******** (certificate expired for several
years)
ipa-ca-install ----> KO
''
Run connection check to master
Connection check OK
Your system may be partly configured.
Run / usr / sbin / ipa-server-install --uninstall to clean up.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
HTTPError: 404 Client Error: Not Found
''
I tried enorment order I think have put more basard than anything else
that said ... :'(
how i can erase all traces of CA autority and reinstall with
ipa-ca-install a new autority and leave with a correct installation ?
No.
Chances are excellent that your original CA is now gone permanently
given you ran pkidestroy. If you still have the cacert.p12 you at least
have the original signing cert but given it was generated 6 years ago
and all the subsystem certs are long-expired it would be an extra
challenge to try to setup a replacement (for which there is a procedure
defined by dogtag but we've never tried it).
- Solution 2
Add a replica server without CA autority and pass it master and install
a new CA autority! it's possible ?
No.
- solution 3
make a new freeipa server from 0
- ipa-server-install
- import my ~ 600 users and ~ 50 hosts (service)
- import my rules HBAC
- import my sudo rules
- import the keys kerberos
... I'm forgetting some things? and above all, is there a procedure to
do all this?
It seems much more difficult, especially since it will certainly be
necessary to plan production stops for my services:
IPA to IPA migration is theoretically possible but not something that is
supported at the moment (we just never got around to working out all the
details). It would involve exporting to ldif the current data, massaging
it, and importing it into the new master. There be dragons.
solution 4
Obtain an SSL certificate for the HTTP and LDAP service from the same
place you got the certificates for your existing master for your new
replica and use the --dirsrv-cert-file and --http-cert-file options to
ipa-replica-install to pass them in. See the ipa-replica-install(1) man
page for fuller details.
rob
9:04 a.m.
Thank you Rob for your answer,
I have test solution 4, but the
installation really goes out of order.
I do not want to remove from the
host or even add a replica (same thing with --dirsrv-cert-file and
--http-cert-file options).
I got the following error:
'certificate
operation cannot be completed: Unable to communicate with CMS ([Errno
111] Connection refused)'
then go to Solution 5 - Loss of information,
backtracking:
I restored a 15-day snapshot, which resulted in the loss
of a new user and a twenty-something password change.
- resynchronize
with winsync users (change uid and gid on servers)
- Send a mail to
users who have changed their password. (Synchronization)
big panic in
the information system.
I return to square one with a freeipa v4.4 and
a big problem of certificate
''
Request ID '20161220171512':
status:
CA_UNREACHABLE
ca-error: Error 60 connecting to
https://freeipa4.XXXXXX.XX:8443/ca/agent/ca/profileReview: Peer
certificate cannot be authenticated with given CA certificates.
''
if
you have an idea to replace the CA. I am really interrest
thx
Pierre
--
Le 2018-03-13 14:33, Rob Crittenden a écrit :
IPA to IPA migration is theoretically possible but not something that
is
Labanowski Pierre
via FreeIPA-users wrote:
> Hello, I'm confused with my freeipa
setup. Some details on the
installation: - I use freeipa on only one
server since 2012 (basic install with a self-signed certificate ... KO
from then 2014). - meanwhile (a few years) I made a migration to switch
to a version of freeipa v4 on 7.1 centos, which is today in 4.5 since a
few weeks. (the old freeipav3 server has been destroyed for a long time)
- at this time CA autorithy been lost ... but hey I do not use this
feature in freeipa v4, I'm not too worried. - I mainly use the ldap
(user, group, host, hbac, automount etc), and especially kerberos, and
also winsync (trust AD etc ...) - I never interressed at the party
certificate. - The HTTP and LDAP certificates of the server is signed
via an external authority not managed by freeipa. Only here I wanted to
add a 2nd server to replicate my single server freeipa, to secure the
system. And here the disaster begins for me ... because the certificates
block the process in all directions. I'm considering several solutions:
- Solution 1 (my favorite if it's possible), that I started to try to do
... remove the CA and restart from scratch on my master server before
starting to replicate. I made a: ipa-ca-install ----> KO CA is already
installed on this host THEN pkidestroy -s CA -i pki-tomcat ipa-getcert
stop-tracking -i ******** (certificate expired for several years)
ipa-ca-install ----> KO '' Run connection check to master Connection
check OK Your system may be partly configured. Run / usr / sbin /
ipa-server-install --uninstall to clean up. Unexpected error - see
/var/log/ipareplica-ca-install.log for details: HTTPError: 404 Client
Error: Not Found '' I tried enorment order I think have put more basard
than anything else that said ... :'( how i can erase all traces of CA
autority and reinstall with ipa-ca-install a new autority and leave with
a correct installation ?
No.
Chances are excellent that your
original CA is now gone permanently
given you ran pkidestroy. If you
still have the cacert.p12 you
at least
have the original signing cert
but given it was generated 6
years ago
and all the subsystem certs are
long-expired it would be an
extra
challenge to try to setup a
replacement (for which there is a
procedure
defined by dogtag but
we've never tried it).
> - Solution 2 Add a replica server without
CA autority and pass it master and
install a new CA autority! it's
possible ?
No.
> - solution 3 make a new freeipa server from 0
- ipa-server-install - import my
~ 600 users and ~ 50 hosts (service) -
import my rules HBAC - import my sudo rules - import the keys kerberos
... I'm forgetting some things? and above all, is there a procedure to
do all this? It seems much more difficult, especially since it will
certainly be necessary to plan production stops for my services:
supported at the moment (we just never got around to working out
all the
details). It would involve exporting to ldif the current data,
massaging
it, and importing it into the new master. There be
dragons.
solution 4
Obtain an SSL certificate for the HTTP and
LDAP service from the same
place you got the certificates for your
existing master for
your new
replica and use the --dirsrv-cert-file
and --http-cert-file
options to
ipa-replica-install to pass them in.
See the
ipa-replica-install(1) man
page for fuller details.
rob
9:24 a.m.
indeed, there has been a problem for a very long time. I think the
problem happened at the time of the migration centos 6 to centos 7.
# ipa ca-show ipa
ipa: ERROR: ipa: Certificate Authority Not Found
how can I solve this little/big problem?
thx
Pierre
Le 17/03/2018 à 15:04, Pierre Labanowski via FreeIPA-users a écrit :
Thank you Rob for your answer,
I have test solution 4, but the installation really goes out of order.
I do not want to remove from the host or even add a replica (same
thing with --dirsrv-cert-file and --http-cert-file options).
I got the following error:
'certificate operation cannot be completed: Unable to communicate with
CMS ([Errno 111] Connection refused)'
then go to Solution 5 - Loss of information, backtracking:
I restored a 15-day snapshot, which resulted in the loss of a new user
and a twenty-something password change.
- resynchronize with winsync users (change uid and gid on servers)
- Send a mail to users who have changed their password. (Synchronization)
big panic in the information system.
I return to square one with a freeipa v4.4 and a big problem of
certificate
''
Request ID '20161220171512':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://freeipa4.XXXXXX.XX:8443/ca/agent/ca/profileReview: Peer
certificate cannot be authenticated with given CA certificates.
''
if you have an idea to replace the CA. I am really interrest
thx
Pierre
--
Le 2018-03-13 14:33, Rob Crittenden a écrit :
> Labanowski Pierre via FreeIPA-users wrote:
>> Hello, I'm confused with my freeipa setup. Some details on the
>> installation: - I use freeipa on only one server since 2012 (basic
>> install with a self-signed certificate ... KO from then 2014). -
>> meanwhile (a few years) I made a migration to switch to a version of
>> freeipa v4 on 7.1 centos, which is today in 4.5 since a few weeks.
>> (the old freeipav3 server has been destroyed for a long time) - at
>> this time CA autorithy been lost ... but hey I do not use this
>> feature in freeipa v4, I'm not too worried. - I mainly use the ldap
>> (user, group, host, hbac, automount etc), and especially kerberos,
>> and also winsync (trust AD etc ...) - I never interressed at the
>> party certificate. - The HTTP and LDAP certificates of the server is
>> signed via an external authority not managed by freeipa. Only here I
>> wanted to add a 2nd server to replicate my single server freeipa, to
>> secure the system. And here the disaster begins for me ... because
>> the certificates block the process in all directions. I'm
>> considering several solutions: - Solution 1 (my favorite if it's
>> possible), that I started to try to do ... remove the CA and restart
>> from scratch on my master server before starting to replicate. I
>> made a: ipa-ca-install ----> KO CA is already installed on this host
>> THEN pkidestroy -s CA -i pki-tomcat ipa-getcert stop-tracking -i
>> ******** (certificate expired for several years) ipa-ca-install
>> ----> KO '' Run connection check to master Connection check OK Your
>> system may be partly configured. Run / usr / sbin /
>> ipa-server-install --uninstall to clean up. Unexpected error - see
>> /var/log/ipareplica-ca-install.log for details: HTTPError: 404
>> Client Error: Not Found '' I tried enorment order I think have put
>> more basard than anything else that said ... :'( how i can erase all
>> traces of CA autority and reinstall with ipa-ca-install a new
>> autority and leave with a correct installation ?
> No.
>
> Chances are excellent that your original CA is now gone permanently
> given you ran pkidestroy. If you still have the cacert.p12 you at least
> have the original signing cert but given it was generated 6 years ago
> and all the subsystem certs are long-expired it would be an extra
> challenge to try to setup a replacement (for which there is a procedure
> defined by dogtag but we've never tried it).
>> - Solution 2 Add a replica server without CA autority and pass it
>> master and install a new CA autority! it's possible ?
> No.
>> - solution 3 make a new freeipa server from 0 - ipa-server-install -
>> import my ~ 600 users and ~ 50 hosts (service) - import my rules
>> HBAC - import my sudo rules - import the keys kerberos ... I'm
>> forgetting some things? and above all, is there a procedure to do
>> all this? It seems much more difficult, especially since it will
>> certainly be necessary to plan production stops for my services:
> IPA to IPA migration is theoretically possible but not something that is
> supported at the moment (we just never got around to working out all the
> details). It would involve exporting to ldif the current data, massaging
> it, and importing it into the new master. There be dragons.
>
> solution 4
>
> Obtain an SSL certificate for the HTTP and LDAP service from the same
> place you got the certificates for your existing master for your new
> replica and use the --dirsrv-cert-file and --http-cert-file options to
> ipa-replica-install to pass them in. See the ipa-replica-install(1) man
> page for fuller details.
>
> rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
7:47 p.m.
On Tue, Mar 20, 2018 at 03:24:58PM +0100, Pierre Labanowski via FreeIPA-users wrote:
indeed, there has been a problem for a very long time. I think the
problem happened at the time of the migration centos 6 to centos 7.
# ipa ca-show ipa
ipa: ERROR: ipa: Certificate Authority Not Found
how can I solve this little/big problem?
thx
Pierre
Hi Pierre,
Please run ipa-server-upgrade. It should notice the missing entry
and add it. If not, please provide the /var/log/ipaupgrade.log and
we can try and diagnose the issue.
Cheers,
Fraser
Le 17/03/2018 à 15:04, Pierre Labanowski via FreeIPA-users a écrit :
>
> Thank you Rob for your answer,
>
> I have test solution 4, but the installation really goes out of order.
> I do not want to remove from the host or even add a replica (same
> thing with --dirsrv-cert-file and --http-cert-file options).
> I got the following error:
> 'certificate operation cannot be completed: Unable to communicate with
> CMS ([Errno 111] Connection refused)'
>
>
> then go to Solution 5 - Loss of information, backtracking:
>
> I restored a 15-day snapshot, which resulted in the loss of a new user
> and a twenty-something password change.
> - resynchronize with winsync users (change uid and gid on servers)
> - Send a mail to users who have changed their password. (Synchronization)
>
> big panic in the information system.
>
>
> I return to square one with a freeipa v4.4 and a big problem of
> certificate
> ''
> Request ID '20161220171512':
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://freeipa4.XXXXXX.XX:8443/ca/agent/ca/profileReview: Peer
> certificate cannot be authenticated with given CA certificates.
> ''
>
> if you have an idea to replace the CA. I am really interrest
>
> thx
>
> Pierre
>
>
>
>
>
> --
>
> Le 2018-03-13 14:33, Rob Crittenden a écrit :
>
>> Labanowski Pierre via FreeIPA-users wrote:
>>> Hello, I'm confused with my freeipa setup. Some details on the
>>> installation: - I use freeipa on only one server since 2012 (basic
>>> install with a self-signed certificate ... KO from then 2014). -
>>> meanwhile (a few years) I made a migration to switch to a version of
>>> freeipa v4 on 7.1 centos, which is today in 4.5 since a few weeks.
>>> (the old freeipav3 server has been destroyed for a long time) - at
>>> this time CA autorithy been lost ... but hey I do not use this
>>> feature in freeipa v4, I'm not too worried. - I mainly use the ldap
>>> (user, group, host, hbac, automount etc), and especially kerberos,
>>> and also winsync (trust AD etc ...) - I never interressed at the
>>> party certificate. - The HTTP and LDAP certificates of the server is
>>> signed via an external authority not managed by freeipa. Only here I
>>> wanted to add a 2nd server to replicate my single server freeipa, to
>>> secure the system. And here the disaster begins for me ... because
>>> the certificates block the process in all directions. I'm
>>> considering several solutions: - Solution 1 (my favorite if it's
>>> possible), that I started to try to do ... remove the CA and restart
>>> from scratch on my master server before starting to replicate. I
>>> made a: ipa-ca-install ----> KO CA is already installed on this host
>>> THEN pkidestroy -s CA -i pki-tomcat ipa-getcert stop-tracking -i
>>> ******** (certificate expired for several years) ipa-ca-install
>>> ----> KO '' Run connection check to master Connection check OK
Your
>>> system may be partly configured. Run / usr / sbin /
>>> ipa-server-install --uninstall to clean up. Unexpected error - see
>>> /var/log/ipareplica-ca-install.log for details: HTTPError: 404
>>> Client Error: Not Found '' I tried enorment order I think have put
>>> more basard than anything else that said ... :'( how i can erase all
>>> traces of CA autority and reinstall with ipa-ca-install a new
>>> autority and leave with a correct installation ?
>> No.
>>
>> Chances are excellent that your original CA is now gone permanently
>> given you ran pkidestroy. If you still have the cacert.p12 you at least
>> have the original signing cert but given it was generated 6 years ago
>> and all the subsystem certs are long-expired it would be an extra
>> challenge to try to setup a replacement (for which there is a procedure
>> defined by dogtag but we've never tried it).
>>> - Solution 2 Add a replica server without CA autority and pass it
>>> master and install a new CA autority! it's possible ?
>> No.
>>> - solution 3 make a new freeipa server from 0 - ipa-server-install -
>>> import my ~ 600 users and ~ 50 hosts (service) - import my rules
>>> HBAC - import my sudo rules - import the keys kerberos ... I'm
>>> forgetting some things? and above all, is there a procedure to do
>>> all this? It seems much more difficult, especially since it will
>>> certainly be necessary to plan production stops for my services:
>> IPA to IPA migration is theoretically possible but not something that is
>> supported at the moment (we just never got around to working out all the
>> details). It would involve exporting to ldif the current data, massaging
>> it, and importing it into the new master. There be dragons.
>>
>> solution 4
>>
>> Obtain an SSL certificate for the HTTP and LDAP service from the same
>> place you got the certificates for your existing master for your new
>> replica and use the --dirsrv-cert-file and --http-cert-file options to
>> ipa-replica-install to pass them in. See the ipa-replica-install(1) man
>> page for fuller details.
>>
>> rob
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
5:13 p.m.
Hi Fraser,
thank you in advance for the help.
ipa-server-upgrade ends on this message :
''
Migrating certificate profiles to LDAP]
cert validation failed for "CN=freeipa4.xxxx.fr,O=xxxx.FR"
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to
'https://freeipa4.xxxx.fr:8443/ca/rest/account/login':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
''
thx
Pierre
6:45 p.m.
Hi Pierre,
What is the output of `getcert list` ?
Looks like there's an expired cert. Need to find which one(s) and
then work out how to renew them.
Cheers,
Fraser
On Thu, Mar 22, 2018 at 11:13:26PM +0100, Pierre Labanowski via FreeIPA-users wrote:
> Hi Fraser,
>
> thank you in advance for the help.
>
> ipa-server-upgrade ends on this message :
>
> ''
> Migrating certificate profiles to LDAP]
> cert validation failed for "CN=freeipa4.xxxx.fr,O=xxxx.FR"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> NetworkError: cannot connect to
> 'https://freeipa4.xxxx.fr:8443/ca/rest/account/login':
> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
> ''
>
>
> thx
> Pierre
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
11:13 a.m.
Hi,
''
# getcert list
Number of certificates and requests being tracked: 4.
Request ID '20161220171510':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://freeipa4.xxxx.fr:8443/ca/agent/ca/profileReview: Peer
certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=xxxx.FR
subject: CN=OCSP Subsystem,O=xxxx.FR
expires: 2017-04-18 14:30:07 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20161220171511':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://freeipa4.xxxx.fr:8443/ca/agent/ca/profileReview: Peer
certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=xxxx.FR
subject: CN=CA Subsystem,O=xxxx.FR
expires: 2017-04-18 14:30:07 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20161220171512':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=xxxx.FR
subject: CN=Certificate Authority,O=xxxx.FR
expires: 2020-11-22 16:07:13 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20161220171513':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://freeipa4.xxxx.fr:8443/ca/agent/ca/profileReview: Peer
certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=xxxx.FR
subject: CN=IPA RA,O=xxxx.FR
expires: 2017-04-18 13:31:46 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
''
hoping that this will be useful for you
Thx,
Pierre
Le 23/03/2018 à 00:45, Fraser Tweedale via FreeIPA-users a écrit :
Hi Pierre,
What is the output of `getcert list` ?
Looks like there's an expired cert. Need to find which one(s) and
then work out how to renew them.
Cheers,
Fraser
On Thu, Mar 22, 2018 at 11:13:26PM +0100, Pierre Labanowski via FreeIPA-users wrote:
> Hi Fraser,
>
> thank you in advance for the help.
>
> ipa-server-upgrade ends on this message :
>
> ''
> Migrating certificate profiles to LDAP]
> cert validation failed for "CN=freeipa4.xxxx.fr,O=xxxx.FR"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> NetworkError: cannot connect to
> 'https://freeipa4.xxxx.fr:8443/ca/rest/account/login':
> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
> ''
>
>
> thx
> Pierre
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
5:14 p.m.
Hi Fraser,
thank you in advance for the help.
ipa-server-upgrade ends on this message :
''
Migrating certificate profiles to LDAP]
cert validation failed for "CN=freeipa4.xxxx.fr,O=xxxx.FR"
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to
'https://freeipa4.xxxx.fr:8443/ca/rest/account/login':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
''
thx
Pierre
2223
days inactive
2235
days old
freeipa-users@lists.fedorahosted.org
8 comments
5 participants
participants (5)
-
Fraser Tweedale -
Labanowski Pierre -
Pierre Labanowski
-
Pierre Labanowski -
Rob Crittenden