Hi,

On Thu, Oct 12, 2023 at 3:44 PM Frederic Ayrault <fred@lix.polytechnique.fr> wrote:
Just in case, here are the logs after going into the authentication menu in the GUI
(I get "Erreur IPA 903: InternalError") when trying to get certificate information.

In the server roles, CA server is now configured.


Frédéric AYRAULT
Systems and Network Administrator
Laboratoire d'Informatique de l'Ecole polytechnique
fred@lix.polytechnique.fr

On 12/10/2023 at 15:33, Frederic Ayrault wrote:
I restored the VM, cleaned all logs and ran ipa-ca-install without the --ca-subject,
then with the --ca-subject="CN=New Certificate Authority,O=LIX.POLYTECHNIQUE.FR"

Please find enclosed the requested logs.

The CA installation fails because it finds an existing entry in "cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr". It really looks like your topology used to have a self-signed CA at one point.

If you look at this entry, does it correspond to a CA known to you?
You can extract the certificate using
ldapsearch -D "cn=directory\ manager" -W -b "cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr" -LLL -o ldif-wrap=no
which should show a value for cacertificate;binary:: <content>

Then create a pem file with the format
-----BEGIN CERTIFICATE-----
<here paste the content>
-----END CERTIFICATE-----
and execute: openssl x509 -noout -text -in <pemfile>

You mentioned in a previous email that the server was originally part of a cluster but got "extracted" out of it to run the tests. Did this set of servers have a self-signed IPA CA? In the logs we can see references to 3 different CA certificates for "CN=Certificate Authority, O=LIX.POLYTECHNIQUE.FR" (self-signed, issued in June, June and July 2016). It's really a confusing situation, as it's the subject that IPA CA would use by default, but it could also be of a completely different origin.

flo
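The extraction procedure described above (ldapsearch with ldif-wrap=no, wrap the base64 value in a PEM header and footer, then openssl x509), as an added shell example that is not part of the thread or of FreeIPA itself. It assumes openldap-clients and openssl are installed, uses the bind DN and entry DN from the message, and includes a constructed LDIF sample (the base64 value is not a real certificate) only to exercise the LDIF-to-PEM conversion offline:

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from FreeIPA.
# Assumes: ldapsearch (openldap-clients) and openssl are installed.

# Entry DN and bind DN as given in the thread.
IPA_CA_ENTRY_DN="cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr"
BIND_DN="cn=directory manager"

# Fetch the entry as unwrapped LDIF (-o ldif-wrap=no keeps the base64 value on one line).
# Prompts for the Directory Manager password (-W); needs a live IPA server.
fetch_ipa_ca_entry() {
    ldapsearch -D "$BIND_DN" -W -LLL -o ldif-wrap=no -b "$IPA_CA_ENTRY_DN"
}

# Read LDIF on stdin, pick the first cACertificate;binary value (attribute name
# matched case-insensitively, since ldapsearch prints it as the schema spells it),
# and emit it as PEM with the base64 folded at 64 columns as openssl expects.
# Returns 1 and prints a message on stderr when the attribute is missing, which is
# what you would see if the entry does not exist or holds no certificate.
ldif_cacert_to_pem() {
    b64=$(awk 'tolower($1) == "cacertificate;binary::" { print $2; exit }')
    if [ -z "$b64" ]; then
        echo "no cACertificate;binary value found in LDIF input" >&2
        return 1
    fi
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$b64" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Print subject, issuer, validity and SHA-256 fingerprint of a PEM file; the
# fingerprint is what lets you tell apart several certificates that share the
# same "CN=Certificate Authority, O=..." subject.
inspect_pem() {
    openssl x509 -noout -subject -issuer -dates -fingerprint -sha256 -in "$1"
}

# Constructed sample LDIF for offline use; the base64 is NOT a real certificate.
SAMPLE_LDIF='dn: cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr
cn: LIX.POLYTECHNIQUE.FR IPA CA
cACertificate;binary:: QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk=
objectClass: top'

# Convert the constructed sample and return the number of PEM lines produced.
sample_pem_line_count() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_cacert_to_pem | wc -l | tr -d ' '
}

# Against a real server, run:
#   fetch_ipa_ca_entry | ldif_cacert_to_pem > ipa-ca.pem && inspect_pem ipa-ca.pem
```

Against the real server, pipe fetch_ipa_ca_entry into ldif_cacert_to_pem and hand the resulting file to inspect_pem (or to `openssl x509 -noout -text` for the full dump); comparing the SHA-256 fingerprint with the three self-signed certificates mentioned in the logs tells you which one the stale entry holds.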

Thank you very much for your help.

On 12/10/2023 at 14:19, Florence Blanc-Renaud wrote:
Hi,

On Thu, Oct 12, 2023 at 11:41 AM Frederic Ayrault <fred@lix.polytechnique.fr> wrote:

On 12/10/2023 at 10:59, Florence Blanc-Renaud wrote:
> Hi,
>
>
>
> If I recap everything so far:
> - there is a single server, ipa3.lix.polytechnique.fr

It was part of a cluster, but it was removed for the tests.

> - it was installed CA-less, with http and ldap certificates issued by an
> external CA (C=FR, O=CNRS, CN=CNRS2-Standard), which is an intermediate CA,
> signed by the root CA (C=FR, O=CNRS, CN=CNRS2)

exactly

> Your goal is to "replace our external CA to an Internal one", do you mean
> that you want IPA to act as a certificate authority, or use a different CA
> authority instead of C=FR, O=CNRS, CN=CNRS2-Standard ?

As I am not able to use CNRS2-Standard, I need to use a different CA
authority.

Ok, so you went through the right path by using ipa-ca-install. Now we need to understand why the command failed.
Can you share /var/log/ipareplica-ca-install.log? We may also need /var/log/pki/pki-ca-spawn.$date and /var/log/dirsrv/slap-LIX-POLYTECHNIQUE-FR/errors and access.

flo

I thought using IPA as a certificate authority was logical (and should
also be easier),
but I can be wrong :-(


> flo
>

Frederic