On 4/20/20 8:39 PM, Andreas Bulling via FreeIPA-users wrote:
> > Andreas Bulling via FreeIPA-users wrote:
> > You have a chicken and egg problem. When replacing your certs on an
> > existing infrastructure you first have to add your new CA certs using
> > ipa-cacert-manage, then run ipa-certupdate on all enrolled machines,
> > including masters, then you can run ipa-servercert-install to replace them.
> This seems to be the routine described on the freeipa page - which I followed except for
> running ipa-certupdate on all enrolled machines prior to ipa-servercert-install. The
> documentation doesn't mention this, should probably be fixed before more people end up
> in this situation.
I just updated the page
with a note mentioning that ipa-certupdate needs to be run on all the nodes.
> Is there any way for me to fix this? client uninstall and reinstall?
You just need to add the new CA to /etc/ipa/ca.crt (append the
-----BEGIN CERTIFICATE----- .... -----END CERTIFICATE----- blob at the
end of the file) and to /etc/ipa/nssdb with
$ certutil -A -d /etc/ipa/nssdb -n nickname -t CT,C,C -a -i /path/to/new-ca.pem
Once it's done you can check if everything is working with
ipa-certupdate or any ipa *-find command.
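The manual repair described in this reply (append the new CA's PEM block to /etc/ipa/ca.crt, then import it into /etc/ipa/nssdb with certutil) can be scripted so that running it twice on the same client is harmless. The script below is an added example written for this thread, not a FreeIPA tool; the paths /etc/ipa/ca.crt and /etc/ipa/nssdb and the certutil invocation come from the reply above, while the function names, the nickname and the PEM file path are placeholders chosen here. The idempotency check compares the base64 body of each certificate already in the bundle against the new one, so re-running the script never produces a duplicate entry.

```shell
#!/bin/sh
# Added example for the FreeIPA-users thread above (not FreeIPA's own code):
# idempotently add a new CA certificate to /etc/ipa/ca.crt and /etc/ipa/nssdb.
# Function names, the nickname and the PEM path are placeholders.
set -eu

# append_ca_if_missing BUNDLE NEWCERT
# Appends the single PEM block in NEWCERT to BUNDLE unless a block with the
# same base64 body is already there. Returns 0 if appended, 1 if present,
# 2 if NEWCERT holds no PEM certificate.
append_ca_if_missing() {
    bundle=$1; newcert=$2
    # Base64 body of the new cert with armour lines and whitespace removed,
    # so the comparison does not depend on line wrapping or CRLF endings.
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$newcert" \
           | grep -v -- '-----' | tr -d ' \r\n')
    [ -n "$body" ] || { echo "no PEM certificate found in $newcert" >&2; return 2; }
    # Rebuild each existing block's body the same way and look for an exact match.
    if [ -f "$bundle" ] && \
       awk '/^-----BEGIN CERTIFICATE-----/ {b=""; next}
            /^-----END CERTIFICATE-----/   {print b; next}
            {gsub(/[ \r]/, ""); b=b $0}' "$bundle" \
       | grep -qxF -- "$body"; then
        return 1
    fi
    # A bundle that does not end in a newline would glue the new BEGIN line
    # onto the previous END line, which breaks parsers; add one if needed.
    if [ -s "$bundle" ] && [ $(tail -c1 "$bundle" | wc -l) -eq 0 ]; then
        printf '\n' >> "$bundle"
    fi
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$newcert" >> "$bundle"
    return 0
}

# count_certs BUNDLE: number of PEM certificate blocks in BUNDLE.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# import_ca_into_nssdb NSSDB NICKNAME NEWCERT
# The certutil command from the reply, followed by a read-back of the
# nickname so a silent import failure is noticed.
import_ca_into_nssdb() {
    nssdb=$1; nickname=$2; newcert=$3
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 2; }
    certutil -A -d "$nssdb" -n "$nickname" -t CT,C,C -a -i "$newcert"
    certutil -L -d "$nssdb" -n "$nickname" >/dev/null
}

# Usage on a broken client, as root (placeholder path and nickname):
#   sh fix-ipa-ca.sh --apply /path/to/new-ca.pem "New IPA CA"
if [ "${1:-}" = "--apply" ]; then
    newcert=${2:?path to the new CA PEM file}
    nick=${3:-"New IPA CA"}
    append_ca_if_missing /etc/ipa/ca.crt "$newcert" || echo "already present in /etc/ipa/ca.crt"
    import_ca_into_nssdb /etc/ipa/nssdb "$nick" "$newcert"
    echo "$(count_certs /etc/ipa/ca.crt) CA certificate(s) now in /etc/ipa/ca.crt"
fi
```

After the script has run, the check is the one the reply names: ipa-certupdate, or any ipa *-find command, succeeding against the server. The import step is guarded so the bundle edit still works on a host where certutil is missing, and the return code from append_ca_if_missing lets a configuration-management wrapper tell "changed" from "already done".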
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org