Hi Flo,
On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
> I would try to remove the new root CA from LDAP and re-import it using
> ipa-cacert-manage install -t C,,
> This should create the entry with the appropriate attributes.
> Flo
Result: The new root CA certificate shows much better attributes in LDAP:
dn: cn=CN\3Droot-CA\2COU\3Dexample Certificate Authority\2CO\3Dexample AG\2CC\3DDE,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
ipaPublicKey:: MIICIjAN...
cACertificate;binary:: MIIGDTCC...
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE;1
A lot of ipaKeyExtUsage attributes appear to be missing, though, compared to the
old root CA certificate. Is this expected?
ipa-certupdate failed:
# ipa-certupdate -v
ipa.ipaclient.install.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying https://ipa1.example.de/ipa/json
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection context.rpcclient_54790992
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipa1.example.de/ipa/json'
ipa: DEBUG: New HTTP connection (ipa1.example.de)
ipa: DEBUG: HTTP connection destroyed (ipa1.example.de)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 677, in single_request
    self.get_auth_info()
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 629, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 578, in _handle_exception
    raise errors.TicketExpired()
TicketExpired: Ticket expired
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection context.rpcclient_54790992
ipa.ipaclient.install.ipa_certupdate.CertUpdate: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_certupdate.py", line 57, in run
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 948, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 534, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 385, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 409, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1116, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1092, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1246, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1213, in __request
    verbose=self.__verbose >= 3,
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 677, in single_request
    self.get_auth_info()
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 629, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 578, in _handle_exception
    raise errors.TicketExpired()
ipa.ipaclient.install.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command failed, exception: TicketExpired: Ticket expired
ipa.ipaclient.install.ipa_certupdate.CertUpdate: ERROR: Ticket expired
ipa.ipaclient.install.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command failed.
Restarting IPA did not help. ???
Regards
Harri
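Added illustration, not part of the thread and not FreeIPA's own code: a small Python checker that parses an LDIF entry like the one quoted above and compares its ipaKeyExtUsage values with the EKU OIDs a certutil-style trust-flag string (such as the suggested `C,,`) should produce. The flag-to-OID mapping (ssl field -> serverAuth, email -> emailProtection, objsign -> codeSigning, 'T' in the ssl field -> clientAuth) is my reading of FreeIPA's trust-flag handling and is stated as an assumption; the sample entry and its certificate blob are constructed.

```python
import base64
from collections import defaultdict

# Constructed sample modelled on the entry quoted above; the certificate blob is a fake placeholder.
SAMPLE_LDIF = r"""
dn: cn=CN\3Droot-CA\2COU\3Dexample Certificate Authority\2CO\3Dexample AG\2CC\3DDE,
 cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
ipaKeyTrust: trusted
cACertificate;binary:: UExBQ0VIT0xERVI=
"""

# EKU OIDs in certutil trust-flag field order (ssl, email, objsign), plus clientAuth for 'T'
EKU_SERVER_AUTH, EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.4"
EKU_CODE_SIGNING, EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.3", "1.3.6.1.5.5.7.3.2"

def parse_ldif_entry(text):
    """LDIF entry -> {attr: [values]}: unfold lines, decode '::' base64, drop ';binary'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded continuation line (RFC 2849)
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        is_b64 = value.startswith(":")      # 'attr:: <base64>'
        value = base64.b64decode(value[1:].strip()) if is_b64 else value.strip()
        entry[name.split(";")[0]].append(value)
    return dict(entry)

def expected_ext_key_usage(trust_flags):
    """'C,,'-style flags -> EKU OIDs. ASSUMPTION: mirrors ipa-cacert-manage install -t."""
    ssl, email, objsign = trust_flags.split(",")   # ValueError unless three fields
    eku = {oid for field, oid in ((ssl, EKU_SERVER_AUTH), (email, EKU_EMAIL_PROTECTION),
                                  (objsign, EKU_CODE_SIGNING)) if "C" in field or "P" in field}
    if "T" in ssl:                                  # trusted client CA
        eku.add(EKU_CLIENT_AUTH)
    return eku

def check_ca_entry(ldif_text, trust_flags):
    """Return (missing, unexpected) ipaKeyExtUsage OIDs for the entry vs. the trust flags."""
    entry = parse_ldif_entry(ldif_text)
    actual = set(entry.get("ipaKeyExtUsage", []))
    expected = expected_ext_key_usage(trust_flags)
    return sorted(expected - actual), sorted(actual - expected)
```

If that mapping holds, `C,,` yields only serverAuth (1.3.6.1.5.5.7.3.1), which is exactly the single ipaKeyExtUsage value in the quoted entry; flags such as `CT,C,C` would be needed before emailProtection, codeSigning and clientAuth were expected as well.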