Le 12/10/2023 à 17:42, Florence
Blanc-Renaud a écrit :
The CA installation
fails because it finds an existing entry in "cn=
LIX.POLYTECHNIQUE.FR
IPA
CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr
".
It really looks like your topology used to have a
self-signed CA at one point.
If you look at this entry, does it
correspond to a CA known to you?
You can extract the certificate
using
ldapsearch -D "cn=directory\
manager" -W -b "
cn=
LIX.POLYTECHNIQUE.FR IPA
CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr"
-LLL -o ldif-wrap=no
which should show a value for
cacertificate;binary:: <content>
Then create a pem file with the
format
-----BEGIN CERTIFICATE-----
<here paste the content>
-----END CERTIFICATE-----
and execute: openssl x509 -noout
-text -in <pemfile>
I can see in Authority Information Access:
OCSP -
URI:http://ipa2.lix.polytechnique.fr:80/ca/ocsp
this is the server used to generate the
replica-info-ipa3.lix.polytechnique.fr.gpg file used to install the
server
openssl pkcs12 -export -chain -CAfile
/root/CNRS2-All.crt -in ipa3.lix.polytechnique.fr.pem -inkey
ipa3.lix.polytechnique.fr.key -name IPA3 -out
ipa3.lix.polytechnique.fr.pk12 -passout pass:???
ipa-replica-prepare
--dirsrv_pkcs12=/root/ipa3.lix.polytechnique.fr.pk12
--dirsrv_pin=???
--http_pkcs12=/root/ipa3.lix.polytechnique.fr.pk12 --http_pin=???
ipa3.lix.polytechnique.fr
the CNRS2-All.crt is the same for all the servers and I get a pair
of pem and key files for each servers
In CNRS2-All.crt, there are 3 certs from Issuer: C=FR, O=CNRS,
CN=CNRS2
You mentioned in a previous email
that the server was originally part of a cluster but got
"extracted" out of it to run the tests. Did this set of
servers have a self-signed IPA CA? In the logs we can see
reference to 3 different CA certificates for
"CN=Certificate Authority, O=
LIX.POLYTECHNIQUE.FR" (self
signed, issued in june, june and july 2016). It's really a
confusing situation, as it's the subject that IPA CA would
use by default but it could also be a completely different
origin.
I do not know how was installed the first server, but everytime I
add to renew the cert, I removed the server, generate the gpg file
and did a replica-install