Discussion:
[Freeipa-users] CA Certificate didn't automatically transfer to replica(s)
Dewangga Bachrul Alam
2017-04-22 08:41:03 UTC

Hello!

Just an update: manually adding the external CA(s) and the signed
certificate was successful, but why didn't it automatically transfer to
the replica(s) from the master?
Post by Dewangga Bachrul Alam
Hello!
I've successfully created a replica; everything works fine, but why didn't
my signed CA certificate automatically transfer to the other replica(s)?
Is it normal?
I tried to add it manually, but the certificate on the replica(s) is still
the self-signed one. Here's the output from `ipa-certupdate -v`:
https://paste.fedoraproject.org/paste/U53pyXUa7Z34kLfiKh1QKV5M1UNdIGYhyRLivL9gydE=
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found
FYI: the replica server was previously a client and was promoted to a
replica by running this command: `ipa-replica-install
--principal admin --admin-password admin_password`
Any hints?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Florence Blanc-Renaud
2017-04-25 07:52:27 UTC
Hi,

As your email refers to self-signed and signed CA certificate, can you
please clarify the exact steps that you followed? It looks like
- you first installed FreeIPA with a self-signed CA
- you added an external CA (did you use ipa-cacert-manage install on 1
server then ipa-certupdate on all replicas?)
- you replaced the httpd/LDAP certificates with a cert signed from the
external CA (you probably ran ipa-server-certinstall on one server).

In this case it is normal that the httpd/LDAP certificates on the
replica were not updated, as they are different (each IPA server has its
own httpd/LDAP cert, which contains the hostname in its subject). You can
check this by running on each server:
ipaserver$ sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert | grep Subject:
Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"
             ^^^^^^^^^

If the goal is to replace the httpd/LDAP certificates on the replica,
the command ipa-server-certinstall must also be run on the replica with
the appropriate certificate.

HTH,
Flo.
Dewangga Bachrul Alam
2017-04-25 08:56:39 UTC

Hello!

Master IPA Server:
- I installed 1 (one) server as master (self-signed) and added/modified
  it using an external CA.
- I used ipa-cacert-manage install, then ipa-certupdate, on the master.

Replica IPA Server:
- I installed 1 (one) server as a client and promoted it to an IPA replica:
  - I ran `ipa-client-install` with autodiscovery
  - Then `ipa-replica-install --principal admin --admin-password <password>`

I ran ipa-certupdate -v to get verbose logs (attached to the first
email). The replica server isn't using the external CA(s) like the master does.

So I did the same as on the master, using `ipa-cacert-manage` on the replica,
and it works fine. If this is normal, then thanks for clarifying.
Florence Blanc-Renaud
2017-04-26 13:08:55 UTC
Post by Dewangga Bachrul Alam
- I installed 1 (one) server as master (self-signed) and added/modified
  it using an external CA.
- I used ipa-cacert-manage install, then ipa-certupdate, on the master.
Hi,

I think I got you wrong...
Do you mean that you installed IPA with an integrated IdM CA which was
self-signed, then your intent was to move to integrated IdM CA
externally signed? In this case, the right command would be
ipa-cacert-manage renew --external-ca, and the procedure is described in
"Changing the certificate chain" [1].

The command ipa-cacert-manage install does not replace the integrated
IdM CA but adds the certificate as a known CA.

Hope this clarifies,
Flo

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
Dewangga Bachrul Alam
2017-04-28 01:50:27 UTC
Hello!
Post by Florence Blanc-Renaud
I think I got you wrong... Do you mean that you installed IPA with an
integrated IdM CA which was self-signed, then your intent was to move to
integrated IdM CA externally signed? In this case, the right command
would be ipa-cacert-manage renew --external-ca, and the procedure is
described in "Changing the certificate chain" [1].

Ah, thanks for your corrections and information; then what should I do?
Should I run ipa-cacert-manage renew --external-ca?

Post by Florence Blanc-Renaud
The command ipa-cacert-manage install does not replace the integrated
IdM CA but adds the certificate as a known CA.
[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html
Florence Blanc-Renaud
2017-04-28 07:16:54 UTC
Post by Dewangga Bachrul Alam
Ah, thanks for your corrections and information; then what should I do?
Should I run ipa-cacert-manage renew --external-ca?
Yes, this is the way to go, documented here [1]. This is a 2-step
process: when the command is run, it will create a CSR that needs to be
signed by an external CA. Then the command must be re-launched with the
new certificate delivered by the CA.

Also do not forget to run ipa-certupdate on the master and all the
replicas/clients.

Flo.

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext
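As an added example (not from this thread or from the FreeIPA project), a POSIX shell helper that automates the two checks the discussion turns on: whether Server-Cert in /etc/httpd/alias carries this host's own name in its Subject, and whether the "IPA CA" certificate in /etc/ipa/nssdb is still self-signed (Issuer equal to Subject), which is what ipa-cacert-manage install leaves in place and ipa-cacert-manage renew --external-ca changes. The certutil -L style samples are constructed; the live check only runs where certutil is installed.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Two checks from the discussion: (1) does Server-Cert carry this host's
# name in its Subject? (2) is the "IPA CA" certificate still self-signed
# (Issuer == Subject), i.e. was the external CA only *installed* as a known
# CA rather than the IPA CA renewed with --external-ca? Parsing works on
# the text of `certutil -L -n <nick>` so it can run on constructed samples.

# Print the first "<Field>: value" line of certutil pretty-print output
# (stdin), with the field label stripped. $1 = Subject or Issuer.
cert_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Return 0 when Issuer equals Subject (self-signed CA), 1 otherwise.
# $1 = certutil -L output text.
is_self_signed() {
    subj=$(printf '%s\n' "$1" | cert_field Subject)
    iss=$(printf '%s\n' "$1" | cert_field Issuer)
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Return 0 when the CN of the Subject equals the expected hostname.
# $1 = certutil -L output text, $2 = hostname to compare against.
subject_cn_matches() {
    cn=$(printf '%s\n' "$1" | cert_field Subject |
         sed -n 's/^"\{0,1\}CN=\([^,"]*\).*/\1/p')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Live check on a real IPA server; NSS DB paths and nicknames are those
# used in the thread. Skipped cleanly where certutil is not installed.
check_live() {
    command -v certutil >/dev/null 2>&1 || {
        echo "certutil not found; skipping live check"; return 0; }
    ca=$(certutil -d /etc/ipa/nssdb -L -n "IPA CA" 2>/dev/null || true)
    srv=$(certutil -d /etc/httpd/alias -L -n Server-Cert 2>/dev/null || true)
    if is_self_signed "$ca"; then echo "IPA CA: self-signed"
    else echo "IPA CA: not self-signed (or not found)"; fi
    if subject_cn_matches "$srv" "$(hostname -f)"; then echo "Server-Cert: matches this host"
    else echo "Server-Cert: does NOT match this host"; fi
}

# Constructed certutil -L style samples (not real certificates).
SAMPLE_SELF_SIGNED_CA='Certificate:
    Data:
        Issuer: "CN=Certificate Authority,O=DOMAIN.COM"
        Subject: "CN=Certificate Authority,O=DOMAIN.COM"'
SAMPLE_EXTERNAL_CA='Certificate:
    Data:
        Issuer: "CN=Corporate Root CA,O=EXAMPLE"
        Subject: "CN=Certificate Authority,O=DOMAIN.COM"'
SAMPLE_SERVER_CERT='Certificate:
    Data:
        Issuer: "CN=Certificate Authority,O=DOMAIN.COM"
        Subject: "CN=ipaserver.domain.com,O=DOMAIN.COM"'

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with `--live` as root on each master and replica; a replica reporting "IPA CA: self-signed" after the master was renewed has not yet had ipa-certupdate run on it.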