Hi Wim,
Sorry for the delayed reply. I was on leave for a few weeks.
Glad you reached a happy outcome.
It seems irrelevant now but FWIW I was not able to access the files
on Google Drive.
Cheers,
Fraser
On Wed, Sep 12, 2018 at 11:50:44AM +0200, Wim Vinckier via FreeIPA-users wrote:
Hi,
We decided to follow this guide and just replace the certificate of the
webserver and ldap:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
It did what we wanted to do, for now. Maybe we will switch the CA later on.
Kind regards,
Wim Vinckier.
On Wed, 5 Sep 2018 at 17:30, Wim Vinckier <wimpunk(a)gmail.com> wrote:
> Hi,
>
> You can find the files at
>
> https://drive.google.com/drive/folders/1KsMv4NZ07LU0tSFyy-FgA88uYalthCXz?...
>
> Kind regards,
>
> Wim Vinckier.
>
> On Mon, 3 Sep 2018 at 07:42, Wim Vinckier <wimpunk(a)gmail.com> wrote:
>
>> Hi Fraser,
>>
>> We did use the command twice. Once to generate the CSR and a second time
>> to supply the new certificates.
>>
>> I'll check with our security agent if I may supply the certificates. I'm
>> afraid I may not supply them because of the firm security policies.
>>
>> Kind regards,
>>
>> wim vinckier.
>>
>> On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
>>
>>> On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users
>>> wrote:
>>> > Hi All,
>>> >
>>> > We are using our own (self-signed) root CA for our installations. We just
>>> > started to use ipa and after exploring the possibilities we want to switch
>>> > to the root CA we normally use. According to [1] it should be done using
>>> > these instructions [2]. When we try to renew the certificate we get this
>>> > error:
>>> >
>>> > [root@ipa ~]# ipa-cacert-manage renew --external-cert-file=/root/Certificate_Authority.pem --external-cert-file=root.cert
>>> > Importing the renewed CA certificate, please wait
>>> > CA certificate chain in /root/Certificate_Authority.pem, root.cert is incomplete: missing certificate with subject 'CN=Example SCRL'
>>> > The ipa-cacert-manage command failed.
>>> >
>>> > When we check the subject of the file, it seems to be correct to me:
>>> >
>>> > [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
>>> > subject= /CN=Example SCRL
>>> >
>>> > Is there anyone who can help me with this?
>>> >
>>> > Kind regards,
>>> >
>>> > wim vinckier.
>>> >
>>> Dear Wim,
>>>
>>> Did you first run `ipa-cacert-manage renew --external-ca` to
>>> generate the CSR for submission to the new CA? Then you invoke
>>> `ipa-cacert-manage renew` a second time, supplying the new IPA CA
>>> certificate and superior CA certificate(s) via the
>>> `--external-cert-file` option.
>>>
>>> If you did these steps, then please convey your certificates so we
>>> can inspect them and determine what the problem is.
>>>
>>> Cheers,
>>> Fraser
>>>
>>
>>
>> --
>> I would love to change the world, but they won't give me the source code.
>>
>
>
> --
> I would love to change the world, but they won't give me the source code.
>
--
I would love to change the world, but they won't give me the source code.
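
Added example, not part of the thread and not FreeIPA code: one way to check independently which subject is absent from the files passed via `--external-cert-file`, by following issuer links upward until a self-signed certificate is reached. The function names, the `O=EXAMPLE.TEST` realm and the generated sample certificates are assumptions constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: follow issuer -> subject links across PEM files and name the
# first certificate that is absent. Not FreeIPA code.

# Print "subject<TAB>issuer" (RFC 2253 text) for every certificate in the files.
list_certs() {
    local tmp f
    tmp=$(mktemp -d)
    # Split bundles so each BEGIN/END CERTIFICATE block gets its own file.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%04d.pem", d, ++i) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }' "$@"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        printf '%s\t%s\n' \
            "$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')" \
            "$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')"
    done
    rm -rf "$tmp"
}

# Start at subject $1 and walk upward through the files given after it.
# Prints "complete" on reaching a self-signed certificate, else "missing: <DN>".
first_missing() {
    local want certs issuer hops
    want=$1; hops=0; shift
    certs=$(list_certs "$@")
    while [ "$hops" -lt 16 ]; do
        issuer=$(printf '%s\n' "$certs" |
            WANT="$want" awk -F'\t' '$1 == ENVIRON["WANT"] { print $2; exit }')
        [ -n "$issuer" ] || { echo "missing: $want"; return 1; }
        [ "$issuer" != "$want" ] || { echo "complete"; return 0; }
        want=$issuer; hops=$((hops + 1))
    done
    echo "gave up after 16 links"; return 2
}

# Constructed sample data: a throwaway root named like the one in the thread
# and a certificate it signs (O=EXAMPLE.TEST is made up; no CA extensions are
# set because only the names matter here).
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example SCRL' \
        -keyout "$1/root.key" -out "$1/root.cert" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/ipa.key" \
        -subj '/O=EXAMPLE.TEST/CN=Certificate Authority' -out "$1/ipa.csr" 2>/dev/null
    openssl x509 -req -in "$1/ipa.csr" -CA "$1/root.cert" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/ipa.pem" 2>/dev/null
}
```

Call `first_missing` with the RFC 2253 subject of the new IPA CA certificate followed by the same files that would be given to `--external-cert-file`. The comparison is on the printed DN text, so it does not reveal differences in the underlying ASN.1 string encoding of a name.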