Any workaround for missing the ipa-certupdate step? We injected the root CA and missed
the step,
so now we are basically locked out from doing anything ipa, even logging in, with the
error
ipa: ERROR: cannot connect to 'https://ipa.domain.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
The certificate in mysite.crt must be signed by a CA known by the
service you are loading the certificate into. If it is not the case, you
can use the commands ipa-cacert-manage install and ipa-certupdate to load
the CA's certificate prior to installing the new certificate.
# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
Note: the command ipa-certupdate must be executed on all the IPA hosts
(master/replicas/clients) before moving to the next step.
Configuration of the 3rd party certificate
You can install the new bundle using:
# ipa-server-certinstall -w -d mysite.key mysite.crt
The option -w|--http installs the certificate for the HTTP server, and
-d|--dirsrv installs the certificate for the LDAP server. Please see
ipa-server-certinstall(1) man page for more information regarding all
the available options.
Then restart your daemons:
# systemctl restart httpd.service
# systemctl restart dirsrv@MY-REALM.service
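
A preflight check for the requirement quoted above, that mysite.crt must be signed by a CA known to the service, added here as an example; it is not from the FreeIPA documentation or the original post. The function names are hypothetical, the file names follow the ones used above, and it calls only openssl, not any ipa command.

```shell
#!/bin/sh
# Added example: checks to run before ipa-server-certinstall.
# Usage: sh preflight.sh ca.crt mysite.crt mysite.key
# Function names are hypothetical; only the openssl CLI is used.

# Succeeds if the certificate ($2) verifies against the CA file ($1).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if the private key ($1) and the certificate ($2) carry the
# same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Runs all checks. Return codes: 0 ok, 1 chain, 2 key mismatch, 3 expired.
preflight() {
    ca=$1; cert=$2; key=$3
    if ! cert_chains_to_ca "$ca" "$cert"; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 1
    fi
    if ! key_matches_cert "$key" "$cert"; then
        echo "FAIL: $key is not the private key for $cert" >&2
        return 2
    fi
    # -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2
        return 3
    fi
    echo "OK: $cert verifies against $ca and matches $key"
}

# Run only when called with the three file arguments.
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

A return code of 1 means the CA in ca.crt is not the one that signed mysite.crt, so loading it with ipa-cacert-manage install and ipa-certupdate would not satisfy the requirement for this certificate.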