Hi,
On Thu, Oct 12, 2023 at 3:44 PM Frederic Ayrault fred@lix.polytechnique.fr wrote:
Just in case, here are the logs after going into the authentication menu in the GUI (I get "Erreur IPA 903: InternalError") when trying to get certificate information.
In the server roles, CA server is now configured.
Frédéric AYRAULT Administrateur Systèmes et Réseaux Laboratoire d'Informatique de l'Ecole polytechnique http://www.lix.polytechnique.fr fred@lix.polytechnique.fr
On 12/10/2023 at 15:33, Frederic Ayrault wrote:
I restored the VM, cleaned all logs and ran ipa-ca-install without the --ca-subject, then with --ca-subject="CN=New Certificate Authority,O= LIX.POLYTECHNIQUE.FR".
Please find enclosed the requested logs.
The CA installation fails because it finds an existing entry in "cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr". It really looks like your topology used to have a self-signed CA at one point.
If you look at this entry, does it correspond to a CA known to you? You can extract the certificate using ldapsearch -D "cn=directory\ manager" -W -b "cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr" -LLL -o ldif-wrap=no, which should show a value for cacertificate;binary:: <content>
Then create a PEM file with the format -----BEGIN CERTIFICATE----- <here paste the content> -----END CERTIFICATE----- and execute: openssl x509 -noout -text -in <pemfile>
You mentioned in a previous email that the server was originally part of a cluster but got "extracted" out of it to run the tests. Did this set of servers have a self-signed IPA CA? In the logs we can see references to 3 different CA certificates for "CN=Certificate Authority, O= LIX.POLYTECHNIQUE.FR" (self-signed, issued in June, June and July 2016). It's really a confusing situation, as it's the subject that IPA CA would use by default, but it could also have a completely different origin.
flo
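As an added example (not part of the thread), a small shell helper for the LDIF-to-PEM step described above: it unfolds LDIF continuation lines (ldapsearch wraps long values at 76 columns unless -o ldif-wrap=no is given), pulls out the base64 cACertificate;binary value and wraps it as a PEM block. The LDIF below is a constructed sample whose value decodes to placeholder bytes, not a real CA certificate, so the final openssl step is left as a comment.

```shell
#!/bin/sh
# Added example, not from the thread. Converts ldapsearch LDIF output for the
# cn=LIX.POLYTECHNIQUE.FR IPA CA entry into a PEM certificate block.
# In LDIF a line beginning with a single space continues the previous line;
# ldapsearch emits such lines unless run with -o ldif-wrap=no.
ldif_to_pem() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation: append to the logical line
        { if (buf != "") print buf; buf = $0 }   # new logical line: flush the previous one
        END { if (buf != "") print buf }
    ' |
    # "::" marks a base64-encoded value; LDAP attribute names are case-insensitive
    awk -F ':: ' 'tolower($1) == "cacertificate;binary" { print $2 }' |
    fold -w 64 |
    { printf '%s\n' '-----BEGIN CERTIFICATE-----'
      cat
      printf '%s\n' '-----END CERTIFICATE-----'; }
}

# Constructed sample LDIF (placeholder value: base64 of 60 "A" bytes, NOT a real
# certificate), wrapped at 76 columns the way ldapsearch does by default.
SAMPLE_LDIF_WRAPPED='dn: cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=p
 olytechnique,dc=fr
objectClass: pkiCA
cn: LIX.POLYTECHNIQUE.FR IPA CA
cACertificate;binary:: QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ
 UFBQUFBQUFBQUFBQUFBQUFBQUFB'

# The same entry as printed with -o ldif-wrap=no (whole value on one line).
SAMPLE_LDIF_NOWRAP='dn: cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr
cACertificate;binary:: QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB'

# Base64 payload both samples must yield once unfolded and joined ("QUFB" x 20).
EXPECTED_B64=$(awk 'BEGIN { for (i = 0; i < 20; i++) printf "QUFB"; print "" }')

# Real use: ldapsearch ... -LLL | ldif_to_pem > ca.pem && openssl x509 -noout -text -in ca.pem
printf '%s\n' "$SAMPLE_LDIF_WRAPPED" | ldif_to_pem
```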
Thank you very much for your help.
On 12/10/2023 at 14:19, Florence Blanc-Renaud wrote:
Hi,
On Thu, Oct 12, 2023 at 11:41 AM Frederic Ayrault <fred@lix.polytechnique.fr> wrote:
On 12/10/2023 at 10:59, Florence Blanc-Renaud wrote:
Hi,
If I recap everything so far:
- there is a single server, ipa3.lix.polytechnique.fr
It was part of a cluster but it is removed for the tests.
- it was installed CA-less, with http and ldap certificates issued by an external CA (C=FR, O=CNRS, CN=CNRS2-Standard), which is an intermediate CA, signed by the root CA (C=FR, O=CNRS, CN=CNRS2)
Exactly.
Your goal is to "replace our external CA to an Internal one"; do you mean that you want IPA to act as a certificate authority, or use a different CA authority instead of C=FR, O=CNRS, CN=CNRS2-Standard?
As I am not able to use CNRS2-Standard, I need to use a different CA authority.
Ok, so you went through the right path by using ipa-ca-install. Now we need to understand why the command failed. Can you share /var/log/ipareplica-ca-install.log? We may also need /var/log/pki/pki-ca-spawn.$date and /var/log/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/errors and access.
flo
I thought using IPA as a certificate authority was logical (and should also be easier) but I can be wrong :-(
flo
Frederic