I have installed the ipa server by using the following command:
---------
ipa-server-install --realm "EXAMPLE.COM" -p 'password' -a 'password' --hostname="server.example.com" -n example.com --ip-address="10.1.4.2" --dirsrv-cert-file=/etc/pki/tls/private/example.com.pem --dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt --dirsrv-pin='' --http-cert-file=/etc/pki/tls/certs/example.com.crt --http-cert-file=/etc/pki/tls/private/example.com.pem --http-pin='' --ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem --ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem --mkhomedir -N --no-host-dns --unattended
---------
Which works perfectly fine. However, I cannot make it work with ipa-replica-install since there is no option for --ca-cert-file.
So, how can I install a replica with custom certificates?
On Tue, Mar 17, 2020 at 1:18 PM Peter Tselios via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I have installed the ipa server by using the following command:
ipa-server-install --realm "EXAMPLE.COM" -p 'password' -a 'password' --hostname="server.example.com" -n example.com --ip-address="10.1.4.2" --dirsrv-cert-file=/etc/pki/tls/private/example.com.pem --dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt --dirsrv-pin='' --http-cert-file=/etc/pki/tls/certs/example.com.crt --http-cert-file=/etc/pki/tls/private/example.com.pem --http-pin='' --ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem --ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem --mkhomedir -N --no-host-dns --unattended
Which works perfectly fine. However, I cannot make it work with ipa-replica-install since there is no option for --ca-cert-file.
Have you tried it? The CA cert should be pulled from the server. Please post the complete log if it does not work, and the IPA version.
So, how can I install a replica with custom certificates?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
You must first install the ipa-client! And you can pass your certs option in the ipa-client-install, then the ipa-replica-install will use them and perform the replication from your primary server with the correct certs...
-----Original Message-----
From: Peter Tselios via FreeIPA-users [mailto:freeipa-users@lists.fedorahosted.org]
Sent: Tuesday, March 17, 2020 13:17
To: freeipa-users@lists.fedorahosted.org
Cc: Peter Tselios ptselios@fedoraproject.org
Subject: [Freeipa-users] ipa-replica-install fails when I use custom certificates
I have installed the ipa server by using the following command:
---------
ipa-server-install --realm "EXAMPLE.COM" -p 'password' -a 'password' --hostname="server.example.com" -n example.com --ip-address="10.1.4.2" --dirsrv-cert-file=/etc/pki/tls/private/example.com.pem --dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt --dirsrv-pin='' --http-cert-file=/etc/pki/tls/certs/example.com.crt --http-cert-file=/etc/pki/tls/private/example.com.pem --http-pin='' --ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem --ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem --mkhomedir -N --no-host-dns --unattended
---------
Which works perfectly fine. However, I cannot make it work with ipa-replica-install since there is no option for --ca-cert-file.
So, how can I install a replica with custom certificates?
This message, transmitted electronically together with all its attachments, contains information that may be confidential or protected. This information is intended solely for the use of the persons or entities named in the 'To', 'Cc' and 'Bcc' fields. If you are not one of these recipients, be aware that any form of disclosure, copying, distribution or use of this information, partial or complete, is strictly prohibited. If you have received this message in error, please notify us by telephone or electronic message and destroy the information immediately. This message binds only its signatory and in no way his employer.
Many thanks to all. This means I have a loooooooooooot of work ahead of me. I am using ansible for the installation and for the moment I don't use the freeipa modules. I will try with a p12 file and see if there is any improvement; if not, I will fall back to ipa-client-install.
By the way, the information you provided is the complete opposite of the information here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Which clearly implies that it's not an issue.
And for completion: ipa-server-4.6.5 CentOS 7.7
Peter Tselios via FreeIPA-users wrote:
By the way, the information you provided is the complete opposite of the information here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Which clearly implies that it's not an issue.
And for completion: ipa-server-4.6.5 CentOS 7.7
Well, you're comparing the RHEL 8 (4.8.x) docs vs the RHEL 7 runtime (4.6.x). In this case it's the same but it's risky to use docs from a later release.
Yes, the docs should state that a client install is necessary in advance though it is an omission and I don't see any implicit references that it should work without it.
I believe using a PKCS#12 file with the full chain included will work.
rob
Exactly.
So, what I did in order to make it work: Create 2 PKCS#12 archives with the certificates of the HTTP and LDAP (because I don't see how I can make the ansible module add more certificates to an existing archive). Use those files as the input of the ipa-replica-install command.
It worked like a charm.
Peter Tselios via FreeIPA-users wrote:
Exactly.
So, what I did in order to make it work: Create 2 PKCS#12 archives with the certificates of the HTTP and LDAP (because I don't see how I can make the ansible module add more certificates to an existing archive). Use those files as the input of the ipa-replica-install command.
It worked like a charm.
Glad to hear it. I opened https://pagure.io/freeipa/issue/8234 to add --ca-cert-file as an option to ipa-replica-install.
rob
Hi folks, hope you are doing well. In the case of domain level 0, when I run ipa-replica-install I have to provide a gpg file as one of the parameters, and cannot use --dirsrv-cert-file etc. together with the gpg file:
'You cannot specify any of --dirsrv-cert-file, --http-cert-file, or --pkinit-cert-file together with replica file'
As you suggested, I ran ipa-client-install first, so all certificates should be placed correctly. Then when I run ipa-replica-install file.gpg -d, I get the error message below:
ipapython.admintool: DEBUG The ipa-replica-install command failed, exception: ScriptError: IPA client is already configured on this system. Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.
ipapython.admintool: ERROR IPA client is already configured on this system.
But there will be a certificate issue if I uninstall ipa-client. How to solve this issue? Thanks in advance!
Best regards,
Bryan
Hi,
Is your IPA server configured as domain level 0 or domain level 1? If level 0, the replica installation is done in 2 steps, the preparation of a replica file on the master, and then the installation of the replica using this replica file. If level 1, there is no preparation step for a replica file.
To get the current domain level:
ipa domainlevel-get
flo
On Mon, Feb 6, 2023 at 8:32 AM Bryan Fang via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi folks, hope you are doing well. In the case of domain level 0, when I run ipa-replica-install I have to provide a gpg file as one of the parameters, and cannot use --dirsrv-cert-file etc. together with the gpg file:
'You cannot specify any of --dirsrv-cert-file, --http-cert-file, or --pkinit-cert-file together with replica file'
As you suggested, I ran ipa-client-install first, so all certificates should be placed correctly. Then when I run ipa-replica-install file.gpg -d, I get the error message below:
ipapython.admintool: DEBUG The ipa-replica-install command failed, exception: ScriptError: IPA client is already configured on this system. Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.
ipapython.admintool: ERROR IPA client is already configured on this system.
But there will be a certificate issue if I uninstall ipa-client. How to solve this issue? Thanks in advance!
Best regards,
Bryan
Bryan Fang via FreeIPA-users wrote:
Hi folks, hope you are doing well. In the case of domain level 0, when I run ipa-replica-install I have to provide a gpg file as one of the parameters, and cannot use --dirsrv-cert-file etc. together with the gpg file:
'You cannot specify any of --dirsrv-cert-file, --http-cert-file, or --pkinit-cert-file together with replica file'
As you suggested, I ran ipa-client-install first, so all certificates should be placed correctly. Then when I run ipa-replica-install file.gpg -d, I get the error message below:
ipapython.admintool: DEBUG The ipa-replica-install command failed, exception: ScriptError: IPA client is already configured on this system. Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.
ipapython.admintool: ERROR IPA client is already configured on this system.
But there will be a certificate issue if I uninstall ipa-client. How to solve this issue? Thanks in advance!
It's hard to help with older installs when you don't provide any version or OS information.
DL0 doesn't allow for client promotion to replica.
Is there a reason you're not upgrading to DL1?
Information on how the server is installed would be helpful. It sure sounds like you replaced some certificates with externally-signed ones but still have an IPA CA, is that correct?
rob
Hi Rob and Flo, thanks for your reply. Yes, I am using an external CA certificate: we have a separate Apache server as a proxy for the ipa server, and we are using the external CA certificate for the Apache server. The version of the ipa server is 4.6.8, and I don't know how to upgrade the domain level to 1; I tried to manually set it to 1 but failed with the error message 'server doesn't support the domain level'. If I want to reuse the existing ipa server, how can I promote it to be a replica? Or would you pls advise me how to rebuild all of the deployment? Thanks a lot!
Bryan
Bryan Fang via FreeIPA-users wrote:
Hi Rob and Flo, thanks for your reply. Yes, I am using an external CA certificate: we have a separate Apache server as a proxy for the ipa server, and we are using the external CA certificate for the Apache server. The version of the ipa server is 4.6.8, and I don't know how to upgrade the domain level to 1; I tried to manually set it to 1 but failed with the error message 'server doesn't support the domain level'. If I want to reuse the existing ipa server, how can I promote it to be a replica? Or would you pls advise me how to rebuild all of the deployment? Thanks a lot!
IIRC Flo already suggested including the entire certificate chain within the PKCS#12 files you provide to ipa-replica-prepare. That may resolve the problem.
We don't test nor recommend using a proxy in front of IPA.
rob
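As an added example, not code from this thread or from the FreeIPA project, the POSIX shell script below builds the two PKCS#12 archives Peter describes (one for HTTP, one for LDAP) with the complete issuing chain that Rob and Flo recommend, and checks how many certificates actually ended up in each bundle before it is handed to ipa-replica-install (domain level 1) or ipa-replica-prepare (domain level 0). It reuses the thread's example.com.crt / mysubca.pem / myca.pem layout; the private key name example.com.key, the friendly name Server-Cert, the PIN values and the throw-away demo CA generated by make_demo_chain are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): build PKCS#12 bundles
# that carry the service certificate, its private key AND the full issuing
# chain, then verify the chain is really inside before giving them to IPA.
# Assumed names: example.com.key, example.com.crt, mysubca.pem, myca.pem.

# make_bundle KEY CERT OUT PIN [CHAIN_CERT...]
# Packs KEY + CERT + every CHAIN_CERT (intermediates first, root last) into OUT.
# -certfile embeds the CA certificates explicitly; plain -chain would only work
# when the CAs are already in the local OpenSSL trust store.
make_bundle() {
  key="$1"; cert="$2"; out="$3"; pin="$4"; shift 4
  chain=$(mktemp)
  cat /dev/null "$@" > "$chain"        # /dev/null keeps cat off stdin when no chain is given
  if [ -s "$chain" ]; then set -- -certfile "$chain"; else set --; fi
  openssl pkcs12 -export -inkey "$key" -in "$cert" "$@" \
    -name "Server-Cert" -passout "pass:$pin" -out "$out"
  rm -f "$chain"
}

# bundle_cert_count FILE PIN
# Prints how many certificates the PKCS#12 file contains (leaf + chain).
bundle_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# bundle_has_full_chain FILE PIN EXPECTED
# Succeeds only when the bundle holds exactly EXPECTED certificates.
bundle_has_full_chain() {
  [ "$(bundle_cert_count "$1" "$2")" = "$3" ]
}

# make_demo_chain DIR
# Constructed test material, not real keys: a throw-away root CA, an issuing
# sub-CA and a service certificate, mirroring the myca/mysubca/example.com layout.
make_demo_chain() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/myca.key" -out "$d/myca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
    -keyout "$d/mysubca.key" -out "$d/mysubca.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/mysubca.csr" -CA "$d/myca.pem" \
    -CAkey "$d/myca.key" -CAcreateserial -out "$d/mysubca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=replica.example.com" \
    -keyout "$d/example.com.key" -out "$d/example.com.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/example.com.csr" -CA "$d/mysubca.pem" \
    -CAkey "$d/mysubca.key" -CAcreateserial -out "$d/example.com.crt" 2>/dev/null
}

# Stand-alone run ("sh script.sh demo"): build the demo chain, produce the two
# bundles and report whether each one carries leaf + sub-CA + root.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_demo_chain "$work"
  for svc in http ldap; do
    make_bundle "$work/example.com.key" "$work/example.com.crt" "$work/$svc.p12" \
      "changeit-$svc" "$work/mysubca.pem" "$work/myca.pem"
    if bundle_has_full_chain "$work/$svc.p12" "changeit-$svc" 3; then
      echo "$svc.p12: leaf + 2 CA certificates present"
    else
      echo "$svc.p12: chain incomplete"
    fi
  done
  echo "bundles written under $work"
fi
```

On a domain level 1 host the bundles are used after ipa-client-install has joined it, with ipa-replica-install --dirsrv-cert-file=ldap.p12 --dirsrv-pin=... --http-cert-file=http.p12 --http-pin=...; on domain level 0 the same --dirsrv-cert-file/--http-cert-file options are given to ipa-replica-prepare on the master instead, because the replica installer refuses them alongside a replica file. One caveat for an old target such as IPA 4.6 on CentOS 7: OpenSSL 3 writes PKCS#12 with AES-256/SHA-256 by default, which older NSS may not import; adding -legacy (OpenSSL 3) or -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 to the export keeps the bundle readable there.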