GAURAV Pande via FreeIPA-users wrote:
Hi Team,
FreeIPA server version: 4.6.8
I was trying to secure freeipa-server with a Let's Encrypt SSL certificate, and in the middle of the process I noticed that httpd suddenly failed. I am listing the steps I followed so far (not complete, as httpd died in between).
I am fairly new to FreeIPA, so I would appreciate some help or guidance here. Thanks
Took a backup of /var/lib/ipa/
Made a directory: mkdir freeipa-certs
cd freeipa-certs
Performed the step below to get the Let's Encrypt CA certificates:
    CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
    for CERT in "${CERTS[@]}"; do
        # -f makes curl fail on an HTTP error instead of saving an error page as the .pem
        curl -fsS -o "$CERT" "https://letsencrypt.org/certs/$CERT"
    done
- Install Let’s Encrypt CA certificates into FreeIPA certificate store:
    CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
    for CERT in "${CERTS[@]}"; do
        ipa-cacert-manage install "$CERT"
    done
######## Output of step 5 #########
Installing CA certificate, please wait
Verified CN=ISRG Root X1,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=ISRG Root X2,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R3,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E1,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
############################################
- Update local IPA certificate databases with certificates from the server:
sudo ipa-certupdate
At the stage below, httpd seems to be failing:
############# Output of Step 6 ##################################
[gp185132@idm canary-freeipa-certs]$ sudo ipa-certupdate
trying https://idm.ncrcanary.apibox.ml/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://idm.ncrcanary.apibox.ml/ipa/json'
trying https://idm.ncrcanary.apibox.ml/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://idm.ncrcanary.apibox.ml/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://idm.ncrcanary.apibox.ml/ipa/session/json'
Command '/bin/systemctl restart httpd.service' returned non-zero exit status 1
###########################################################
You need to look to see why httpd failed to start, either in its own logs or in the journal.
rob