7:17 a.m.
I have installed the ipa server by using the following command:
---------
ipa-server-install
--realm "EXAMPLE.COM" -p 'password' -a 'password'
--hostname="server.example.com" -n example.com
--ip-address="10.1.4.2"
--dirsrv-cert-file=/etc/pki/tls/private/example.com.pem
--dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt
--dirsrv-pin=''
--http-cert-file=/etc/pki/tls/certs/example.com.crt
--http-cert-file=/etc/pki/tls/private/example.com.pem
--http-pin=''
--ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem
--ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem
--mkhomedir -N
--no-host-dns
--unattended
---------
Which works perfectly fine.
However, I cannot make it work with ipa-replica-install since there is no option for
--ca-cert-file.
So, how can I install a replica with custom certificates?
7:22 a.m.
On Tue, Mar 17, 2020 at 1:18 PM Peter Tselios via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
I have installed the ipa server by using the following command:
---------
ipa-server-install
--realm "EXAMPLE.COM" -p 'password' -a 'password'
--hostname="server.example.com" -n example.com
--ip-address="10.1.4.2"
--dirsrv-cert-file=/etc/pki/tls/private/example.com.pem
--dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt
--dirsrv-pin=''
--http-cert-file=/etc/pki/tls/certs/example.com.crt
--http-cert-file=/etc/pki/tls/private/example.com.pem
--http-pin=''
--ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem
--ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem
--mkhomedir -N
--no-host-dns
--unattended
---------
Which works perfectly fine.
However, I cannot make it work with ipa-replica-install since there is no option for
--ca-cert-file.
Have you tried it? The CA cert should be pulled from the server.
Please post the complete log if it does not work, and the IPA version.
So, how can I install a replica with custom certificates?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
7:24 a.m.
New subject: ipa-replica-install fails when I use custom certificates
You must first install the ipa-client !
And you can pass your certs option in the ipa-client-install, then the ipa-replica-install
will use them and perform the replication from your primary server with the correct
certs...
-----Message d'origine-----
De : Peter Tselios via FreeIPA-users [mailto:freeipa-users@lists.fedorahosted.org]
Envoyé : mardi 17 mars 2020 13:17
À : freeipa-users(a)lists.fedorahosted.org
Cc : Peter Tselios <ptselios(a)fedoraproject.org>
Objet : [Freeipa-users] ipa-replica-install fails when I use custom certificates
I have installed the ipa server by using the following command:
---------
ipa-server-install
--realm "EXAMPLE.COM" -p 'password' -a 'password'
--hostname="server.example.com" -n example.com
--ip-address="10.1.4.2"
--dirsrv-cert-file=/etc/pki/tls/private/example.com.pem
--dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt
--dirsrv-pin=''
--http-cert-file=/etc/pki/tls/certs/example.com.crt
--http-cert-file=/etc/pki/tls/private/example.com.pem
--http-pin=''
--ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem
--ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem
--mkhomedir -N
--no-host-dns
--unattended
---------
Which works perfectly fine.
However, I cannot make it work with ipa-replica-install since there is no option for
--ca-cert-file.
So, how can I install a replica with custom certificates?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Ce message transmis par voie électronique ainsi que toutes ses annexes contiennent des
informations qui peuvent être confidentielles ou protégées. Ces informations sont
uniquement destinées à l’usage des personnes ou des entités précisées dans les champs ‘A’,
‘Cc’ et ‘Cci’. Si vous n’êtes pas l’un de ces destinataires, soyez conscient que toute
forme, partielle ou complète, de divulgation, copie, distribution ou utilisation de ces
informations est strictement interdite. Si vous avez reçu ce message par erreur, veuillez
nous en informer par téléphone ou par message électronique et détruire les informations
immédiatement. Ce message n’engage que son signataire et aucunement son employeur.
8:02 a.m.
New subject: ipa-replica-install fails when I use custom certificates
Many thanks to all.
This means I have a loooooooooooot of work ahead of me.
I am using ansible for the installation and for the moment I don't use the freeipa
modules.
I will try with a p12 file and see if there is any improvement, if not, I will fall back
to ipa-client install.
8:07 a.m.
New subject: ipa-replica-install fails when I use custom certificates
By the way, the information you provided are the complete opposite of the information
here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
Which clearly implies that it's not an issue.
And for completion:
ipa-server-4.6.5
CentOS 7.7
10:27 a.m.
New subject: ipa-replica-install fails when I use custom certificates
Peter Tselios via FreeIPA-users wrote:
By the way, the information you provided are the complete opposite of
the information here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
Which clearly implies that it's not an issue.
And for completion:
ipa-server-4.6.5
CentOS 7.7
Well, you're comparing the RHEL 8 (4.8.x) docs vs the RHEL 7 runtime
(4.6.x). In this case it's the same but it's risky to use docs from a
later release.
Yes, the docs should state that a client install is necessary in advance
though it is an omission and I don't see any implicit references that it
should work without it.
I believe using a PKCS#12 file with the full chain included will work.
rob
3:32 a.m.
New subject: ipa-replica-install fails when I use custom certificates
Exactly.
So, what I did in order to make it work:
Create 2 PKS#12 archives with the certificates of the HTTP and LDAP (because I don't
see how I can make the ansible module to add more certificates to an existing archive).
Use those files as the input of the ipa-replica-install command.
It worked like a charm.
7:43 a.m.
New subject: ipa-replica-install fails when I use custom certificates
Peter Tselios via FreeIPA-users wrote:
Exactly.
So, what I did in order to make it work:
Create 2 PKS#12 archives with the certificates of the HTTP and LDAP (because I don't
see how I can make the ansible module to add more certificates to an existing archive).
Use those files as the input of the ipa-replica-install command.
It worked like a charm.
Glad to hear it. I opened https://pagure.io/freeipa/issue/8234 to add
--ca-cert-file as an option to ipa-replica-install.
rob
1:32 a.m.
New subject: ipa-replica-install fails when I use custom certificates
Hi folks,
hope you are doing well, in case of dealing with domain level 0, when run
ipa-replica-install, i have to provide gpg file as one of parameters, and cannot use
--dirsrv-cert-file etc. together with gpg file
'You cannot specify any of --dirsrv-cert-file, --http-cert-file, or --pkinit-cert-file
together with replica file'
as your suggestion I run ipa-client-install firstly, all certificates should be placed
correctly, then when I run ipa-replica-install file.gpg -d, then get below error message
ipapython.admintool: DEBUG The ipa-replica-install command failed, exception:
ScriptError: IPA client is already configured on this system.
Please uninstall it first before configuring the replica, using 'ipa-client-install
--uninstall'.
ipapython.admintool: ERROR IPA client is already configured on this system.
but certificate issue if I uninstall ipa-client, how to solve this issue?
thanks in advance!
Best regards,
Bryan
1:19 a.m.
New subject: ipa-replica-install fails when I use custom certificates
Hi,
Is your IPA server configured as domain level 0 or domain level 1?
If level 0, the replica installation is done in 2 steps, the preparation of
a replica file on the master, and then the installation of the replica
using this replica file.
If level 1, there is no preparation step for a replica file.
To get the current domain level:
ipa *domainlevel-get*
flo
On Mon, Feb 6, 2023 at 8:32 AM Bryan Fang via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi folks,
hope you are doing well, in case of dealing with domain level 0, when run
ipa-replica-install, i have to provide gpg file as one of parameters, and
cannot use --dirsrv-cert-file etc. together with gpg file
'You cannot specify any of --dirsrv-cert-file, --http-cert-file, or
--pkinit-cert-file together with replica file'
as your suggestion I run ipa-client-install firstly, all certificates
should be placed correctly, then when I run ipa-replica-install file.gpg
-d, then get below error message
ipapython.admintool: DEBUG The ipa-replica-install command failed,
exception: ScriptError: IPA client is already configured on this system.
Please uninstall it first before configuring the replica, using
'ipa-client-install --uninstall'.
ipapython.admintool: ERROR IPA client is already configured on this
system.
but certificate issue if I uninstall ipa-client, how to solve this issue?
thanks in advance!
Best regards,
Bryan
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
9:03 a.m.
New subject: ipa-replica-install fails when I use custom certificates
Bryan Fang via FreeIPA-users wrote:
Hi folks,
hope you are doing well, in case of dealing with domain level 0, when run
ipa-replica-install, i have to provide gpg file as one of parameters, and cannot use
--dirsrv-cert-file etc. together with gpg file
'You cannot specify any of --dirsrv-cert-file, --http-cert-file, or
--pkinit-cert-file together with replica file'
as your suggestion I run ipa-client-install firstly, all certificates should be placed
correctly, then when I run ipa-replica-install file.gpg -d, then get below error message
ipapython.admintool: DEBUG The ipa-replica-install command failed, exception:
ScriptError: IPA client is already configured on this system.
Please uninstall it first before configuring the replica, using 'ipa-client-install
--uninstall'.
ipapython.admintool: ERROR IPA client is already configured on this system.
but certificate issue if I uninstall ipa-client, how to solve this issue?
thanks in advance!
It's hard to help with older installs when you don't provide any version
or OS information.
DL0 doesn't allow for client promotion to replica.
Is there a reason you're not upgrading to DL1?
Information on how the server is installed would be helpful. It sure
sounds like you replaced some certificates with externally-signed ones
but still have an IPA CA, is that correct?
rob
8:38 p.m.
New subject: ipa-replica-install fails when I use custom certificates
Hi Rob and Flo,
thanks for your reply, yes I am using external CA certificate, we have separate Apache
server as proxy of ipa server, and we are using external CA certificate for Apache server,
version of ipa server is 4.6.8, and I don’t know how to upgrade domain level to 1, I tried
to manually set it to 1 but failed with error message ‘server doesn’t support the domain
level’, if I ant to reuse existing ipa server, how can I promote it to be replica? Or
would you pls advise me how to rebuild all of deployment? Thanks a lot!
Bryan
12:53 p.m.
New subject: ipa-replica-install fails when I use custom certificates
Bryan Fang via FreeIPA-users wrote:
Hi Rob and Flo,
thanks for your reply, yes I am using external CA certificate, we have separate Apache
server as proxy of ipa server, and we are using external CA certificate for Apache server,
version of ipa server is 4.6.8, and I don’t know how to upgrade domain level to 1, I tried
to manually set it to 1 but failed with error message ‘server doesn’t support the domain
level’, if I ant to reuse existing ipa server, how can I promote it to be replica? Or
would you pls advise me how to rebuild all of deployment? Thanks a lot!
IIRC Flo already suggested including the entire certificate chain within
the PKCS#12 files you provide to ipa-replica-prepare. That may resolve
the problem.
We don't test nor recommend using a proxy in front of IPA.
rob
436
days inactive
1494
days old
freeipa-users@lists.fedorahosted.org
12 comments
6 participants
participants (6)
-
Bryan Fang -
Florence Blanc-Renaud -
François Cami -
LHEUREUX Bernard -
Peter Tselios -
Rob Crittenden