On 08/08/2017 02:31 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,
On Wed, 2 Aug 2017 16:24:00 +0200
Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> Hi,
>
> You can follow the steps described here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
>
> ipa-cacert-manage renew --external-ca will create a CSR file that can be
> sent to the new certificate authority. You will then receive a new cert
> for IPA + a new CA chain that will be used in ipa-cacert-manage renew
> --external-cert-file.
>
> HTH,
> Flo
This appears to be a very precise documentation, but if you look
closely then you get
# ssh root@ipaclient1
# ipa-certupdate
trying https://ipa2.example.com/ipa/json
Forwarding 'schema' to json server 'https://ipa2.example.com/ipa/json'
trying https://ipa2.example.com/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://ipa2.example.com/ipa/json'
Forwarding 'ca_find/1' to json server 'https://ipa2.example.com/ipa/json'
Systemwide CA database updated.
The ipa-certupdate command was successful
# certutil -L -d /etc/pki/pki-tomcat/alias/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
This is *before* I installed the new certificate. I get this with
freeipa 4.4.0 on CentOS 7.3 and 4.4.4 on Debian.
Doesn't look very reliable, does it? That's my concern. Not to
mention that /etc/pki/pki-tomcat/alias doesn't even exist, so
I wonder what ipa-certupdate did?
???
Every helpful comment is highly appreciated.
Harri
Hi,
- on an IPA client, ipa-certupdate updates the /etc/ipa/nssdb NSS
database and /etc/ipa/ca.crt
- on an IPA server, ipa-certupdate additionally updates /etc/httpd/alias
(used by HTTP server for the webUI), /etc/dirsrv/slapd-xxx (used by the
LDAP server) and /etc/pki/pki-tomcat/alias if the CA component is installed.
It looks like the certutil command was executed on a client, and
/etc/pki/pki-tomcat/alias is present only on masters with the CA component.
Maybe the doc is misleading and should be more precise (for instance,
specify that the "certutil -L -d /etc/pki/pki-tomcat/alias" cmd should
be run on an IPA master with CA)? Feel free to open a documentation issue
in this case; we always welcome suggestions to improve our
product/documentation quality.
Hope this clarifies,
Flo
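As an added example (not part of this thread and not FreeIPA's own tooling), the POSIX shell functions below turn Flo's description into a pre-flight check: they report which of the NSS databases ipa-certupdate touches exist on this host, classify the host as client, master or CA master from that, and detect whether each database is in the legacy dbm format (cert8.db/key3.db) or the sql format (cert9.db/key4.db) so that certutil can be given the matching "dbm:" or "sql:" prefix. A missing directory or a format mismatch is a common cause of the SEC_ERROR_LEGACY_DATABASE message shown above. The PREFIX argument (an alternate root, normally empty) and the plain "path format" output lines are assumptions made so the functions can be exercised against a constructed directory tree; the paths themselves are the ones named in Flo's reply.

```shell
#!/bin/sh
# Added example: inspect the NSS databases a FreeIPA host may carry before
# running certutil against them. PREFIX is an optional alternate root
# (assumption for testing; use "" on a real host).

# nss_db_format DIR -> prints "sql", "dbm", "empty" or "missing"
nss_db_format() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        echo sql          # SQLite-backed NSS database (certutil -d sql:DIR)
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        echo dbm          # legacy Berkeley DB format (certutil -d dbm:DIR)
    else
        echo empty        # directory exists but holds no recognised database
    fi
}

# ipa_host_role PREFIX -> "ca-master", "master" or "client", derived from
# which server-side NSS directories are present (per Flo's reply)
ipa_host_role() {
    prefix=${1:-}
    if [ -d "$prefix/etc/pki/pki-tomcat/alias" ]; then
        echo ca-master
    elif [ -d "$prefix/etc/httpd/alias" ]; then
        echo master
    else
        echo client
    fi
}

# ipa_nssdb_report PREFIX -> one "path format" line per candidate database,
# including every /etc/dirsrv/slapd-* instance directory found
ipa_nssdb_report() {
    prefix=${1:-}
    for d in /etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias; do
        printf '%s %s\n' "$d" "$(nss_db_format "$prefix$d")"
    done
    for d in "$prefix"/etc/dirsrv/slapd-*; do
        [ -d "$d" ] || continue
        printf '%s %s\n' "${d#$prefix}" "$(nss_db_format "$d")"
    done
}

# list_certs PREFIX DIR -> runs certutil only when a database is really
# there, with the format prefix NSS needs; otherwise explains why not
list_certs() {
    fmt=$(nss_db_format "$1$2")
    case $fmt in
        sql|dbm) certutil -L -d "$fmt:$1$2" ;;
        *) echo "skipping $2: database is $fmt on this host ($(ipa_host_role "$1"))" >&2
           return 1 ;;
    esac
}

# Typical use on a real host:
#   ipa_host_role ""; ipa_nssdb_report ""; list_certs "" /etc/pki/pki-tomcat/alias
```

Run ipa_nssdb_report first; if /etc/pki/pki-tomcat/alias comes back "missing", the host is not a CA master and the documented certutil check belongs on a different machine, which is exactly the situation in the thread.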
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org