Hi Rob, Freeipas
>> Is there a way to bypass this?
>
> Go back in time as you tried.
>
>> I've tried to set a date on the server previous than the expiring one of
>> the cert, but I get an SASL/GSSAPI error (even if I renew admin ticket).
>
> I guess make sure that your time daemon, if any, is stopped.
I managed to install the new certs on the IPA server by setting the date back in time;
now on the other two servers I still get the error "Insufficient access:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (Credential cache is empty)" (ntpd
daemon stopped).
Could it be useful to remove the other two nodes from the topology (e.g.
with ipa-replica-manage re-initialize --from good-ipa-server)?
thank you
regards
Stefano
On 7/28/22 22:21, stefano.antonelli@cnaf via FreeIPA-users wrote:
Hi Rob
thank you for your answer
> Why are you running this command? Did you change the CA at the same
> time? If not then ipa-server-certinstall is what you want.
yes, now it's Comodo
I've tried ipa-server-certinstall too but I get "The full certificate
chain is not present in ../path/my.key, ../path/my.cer The
ipa-server-certinstall command failed."
Should I try to create a chain certificate/root_ca? Is there a particular
order, e.g. root/other_ca/cert or cert/root/other_ca?
>> Is there a way to bypass this?
>
> Go back in time as you tried.
>
>> I've tried to set a date on the server previous than the expiring one of
>> the cert, but I get an SASL/GSSAPI error (even if I renew admin ticket).
>
> I guess make sure that your time daemon, if any, is stopped.
Perhaps I'll try again with ntpd stopped.
thank you
regards
Stefano
On 2022-07-28 21:28 Rob Crittenden wrote:
> stefano.antonelli@cnaf via FreeIPA-users wrote:
>> Dear All
>>
>> we have a three-node FreeIPA 4.6.8 installation with a third-party
>> certificate (https / dirsrv). This certificate has expired and when I
>> try to follow the
>>
>> ipa-cacert-manage install ...
>> ipa-certupdate I get the error: "cannot connect to
>> https://ipaserver/ipa/json : [SSL: CERTIFICATE_VERIFY_FAILED]
>> certificate verify failed (_ssl.c:618)"
>
> Why are you running this command? Did you change the CA at the same
> time? If not then ipa-server-certinstall is what you want.
>
>> I suppose that this is due to the fact that https connection is blocked
>> for expired certificate which I can't renew.
>
> Yep.
>
>
>> Is there a way to bypass this?
>
> Go back in time as you tried.
>
>> I've tried to set a date on the server previous than the expiring one of
>> the cert, but I get an SASL/GSSAPI error (even if I renew admin ticket).
>
> I guess make sure that your time daemon, if any, is stopped.
>
>> I was thinking to regenerate /etc/httpd/alias/cert8.db,key3.db with new
>> cert/key but I don't know how
>
> Theoretically possible but ipa-server-certinstall should handle it for
> you. Manual is prone to error.
>
> rob