Hi Team,
FreeIPA server version: 4.6.8
I was trying to secure freeipa-server with a Let's Encrypt SSL certificate, and in between the
process I noticed that httpd suddenly failed. I am listing the steps that I followed
so far (not complete, as httpd died in between).
I am fairly new to FreeIPA, so I would appreciate some help or guidance here. Thanks.
1. Took a backup of /var/lib/ipa/
2. Made a directory: mkdir freeipa-certs
3. cd freeipa-certs
4. Performed the step below to get the Let's Encrypt CA certificates:
    CERTS=("isrgrootx1.pem" "isrg-root-x2.pem"
           "lets-encrypt-r3.pem" "lets-encrypt-e1.pem"
           "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
    for CERT in "${CERTS[@]}"
    do
        curl -o "$CERT" "https://letsencrypt.org/certs/$CERT"
    done
5. Install the Let's Encrypt CA certificates into the FreeIPA certificate store:
    CERTS=("isrgrootx1.pem" "isrg-root-x2.pem"
           "lets-encrypt-r3.pem" "lets-encrypt-e1.pem"
           "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
    for CERT in "${CERTS[@]}"
    do
        ipa-cacert-manage install "$CERT"
    done
######## Output of step 5 #########
Installing CA certificate, please wait
Verified CN=ISRG Root X1,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=ISRG Root X2,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R3,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E1,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
############################################
6. Update the local IPA certificate databases with certificates from the server:
    sudo ipa-certupdate
At the stage below httpd seems to be failing:
############# Output of Step 6 ##################################
[gp185132@idm canary-freeipa-certs]$ sudo ipa-certupdate
trying
https://idm.ncrcanary.apibox.ml/ipa/json
[try 1]: Forwarding 'schema' to json server
'https://idm.ncrcanary.apibox.ml/ipa/json'
trying
https://idm.ncrcanary.apibox.ml/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server
'https://idm.ncrcanary.apibox.ml/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server
'https://idm.ncrcanary.apibox.ml/ipa/session/json'
Command '/bin/systemctl restart httpd.service' returned non-zero exit status 1
###########################################################
You need to look to see why httpd failed to start, either in its own
logs or in the journal.
rob
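A small helper around steps 4 to 6 and Rob's advice, added here as an example (it is not from the original post or from the FreeIPA project): it refuses to run ipa-cacert-manage until every downloaded file actually parses as a PEM certificate (a truncated download or an HTML error page saved under a .pem name would otherwise be handed to the IPA trust store), prints each certificate's subject and SHA-256 fingerprint so they can be compared against the published values before installation, and gathers the httpd evidence (systemctl status, journal, error_log) in one place when the restart in ipa-certupdate fails. The file names come from step 4; the /var/log/httpd/error_log path is the RHEL/CentOS default and is an assumption about this host.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the FreeIPA project).
# Assumes bash, grep and, optionally, openssl; the six file names match step 4.
# Usage:  ./le-preflight.sh install /path/to/freeipa-certs
#         ./le-preflight.sh triage
set -u

CERTS=("isrgrootx1.pem" "isrg-root-x2.pem"
       "lets-encrypt-r3.pem" "lets-encrypt-e1.pem"
       "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")

# is_pem_cert FILE -> 0 when FILE is non-empty and holds a PEM certificate
# block (BEGIN and END markers present), 1 otherwise.
is_pem_cert() {
    local f="$1"
    [ -s "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$f" || return 1
    return 0
}

# count_pem_blocks FILE -> number of certificate blocks in FILE
# (0 for a missing file or one with no PEM markers).
count_pem_blocks() {
    local n
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# describe_cert FILE -> subject, issuer and SHA-256 fingerprint of the first
# certificate in FILE (when openssl is installed), for comparison with the
# values published at https://letsencrypt.org/certs/ before trusting the file.
describe_cert() {
    local f="$1"
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
    else
        echo "openssl not found; skipping parse of $f" >&2
    fi
}

# preflight DIR -> 0 when every expected file in DIR is a PEM certificate,
# 1 when any is missing or malformed (each problem is reported on stderr).
preflight() {
    local dir="$1" rc=0 c
    for c in "${CERTS[@]}"; do
        if is_pem_cert "$dir/$c"; then
            echo "OK   $c ($(count_pem_blocks "$dir/$c") cert block(s))"
        else
            echo "FAIL $c is missing or is not a PEM certificate" >&2
            rc=1
        fi
    done
    return $rc
}

# install_all DIR -> the step-5 loop, run only after preflight passes, so a
# bad download never reaches ipa-cacert-manage. Stops at the first failure.
install_all() {
    local dir="$1" c
    preflight "$dir" || return 1
    for c in "${CERTS[@]}"; do
        describe_cert "$dir/$c"
        ipa-cacert-manage install "$dir/$c" || return 1
    done
}

# httpd_triage -> the evidence needed when ipa-certupdate reports that
# 'systemctl restart httpd.service' returned a non-zero status: unit status,
# recent journal entries and the tail of the Apache error log (assumed path).
httpd_triage() {
    systemctl status httpd.service --no-pager 2>&1 | head -n 20
    journalctl -u httpd.service -n 50 --no-pager 2>&1
    if [ -r /var/log/httpd/error_log ]; then
        tail -n 50 /var/log/httpd/error_log
    fi
    return 0
}

# Dispatch only when invoked with an action; sourcing the file just defines
# the functions.
case "${1:-}" in
    install) install_all "${2:-.}" ;;
    triage)  httpd_triage ;;
    *) ;;
esac
```

Run the preflight first with `./le-preflight.sh install ./freeipa-certs`; if it prints a FAIL line, re-download that file before touching the trust store. After a failed ipa-certupdate, `./le-preflight.sh triage` collects what the journal and httpd have to say about the restart.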