On 4/22/21 5:02 PM, Embedded Devel via FreeIPA-users wrote:
Any work around for missing the ipa-certupdate step? We injected the root CA and missed the step, so now we are basically locked out from doing anything ipa, even logging in, with the error:

ipa: ERROR: cannot connect to 'https://ipa.domain.com/ipa/json' <https://ipa.awnix.net/ipa/json>: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
Hi,
you need to manually add the CA cert in the relevant NSS databases or PEM files. The list of locations depends on your version:
/etc/ipa/nssdb
/etc/httpd/alias (if using mod_nss)
/etc/dirsrv/slapd-xx
/etc/pki/pki-tomcat/alias
/etc/ipa/ca.crt
Use the following command for NSS databases:
certutil -A -d <path to nssdb> -n <nickname> -t CT,C,C -i ca.pem
and for PEM files, you can simply copy-paste the new CA cert at the end of the file.
HTH,
flo
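The manual workaround above has two halves: append the CA to each PEM bundle, and run certutil against each NSS database. The following script is an added example (not part of flo's reply or of FreeIPA itself) that does the PEM half idempotently, comparing SHA-256 fingerprints of the decoded DER so a cert that is already present (even with different line wrapping) is not appended twice, and builds the certutil command from the reply for the NSS half. The location lists come from the reply; the 389-ds instance name is discovered by globbing /etc/dirsrv/slapd-*; the nickname "New Root CA" and the embedded certificate bodies are constructed placeholders, not real certificates.

```python
import base64
import glob
import hashlib
import re
from pathlib import Path

# Locations named in the reply; which ones exist depends on the FreeIPA
# version and on whether httpd uses mod_nss or mod_ssl.
NSS_DBS = ["/etc/ipa/nssdb", "/etc/httpd/alias", "/etc/pki/pki-tomcat/alias"]
PEM_FILES = ["/etc/ipa/ca.crt"]

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed samples: base64 of arbitrary bytes stands in for a certificate
# body. They are NOT real X.509 certificates; the bundle logic below only
# needs the decoded DER bytes to fingerprint them.
def _fake_pem(body: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(body).decode() + "\n"
            + "-----END CERTIFICATE-----\n")

SAMPLE_CA_PEM = _fake_pem(b"constructed new root CA body")
SAMPLE_BUNDLE = _fake_pem(b"constructed cert already in the bundle")


def pem_blocks(text):
    """Return (pem_text, der_bytes) for every certificate block in a bundle."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        blocks.append((m.group(0), der))
    return blocks


def fingerprint(der):
    """Hex SHA-256 over the DER encoding; line wrapping of the PEM is irrelevant."""
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(text):
    return {fingerprint(der) for _, der in pem_blocks(text)}


def append_if_missing(bundle_text, ca_pem):
    """Append the CA cert to a PEM bundle unless it is already there.

    Returns (new_text, added). A second run is a no-op, which matters when the
    same script is pushed to every master, replica and client.
    """
    blocks = pem_blocks(ca_pem)
    if len(blocks) != 1:
        raise ValueError("ca_pem must contain exactly one certificate")
    ca_text, ca_der = blocks[0]
    if fingerprint(ca_der) in bundle_fingerprints(bundle_text):
        return bundle_text, False
    sep = "" if bundle_text == "" or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + ca_text + "\n", True


def update_pem_file(path, ca_pem):
    p = Path(path)
    current = p.read_text() if p.exists() else ""
    new_text, added = append_if_missing(current, ca_pem)
    if added:
        p.write_text(new_text)
    return added


def dirsrv_nssdbs():
    """389-ds keeps one NSS DB per instance; the instance suffix varies per site."""
    return sorted(glob.glob("/etc/dirsrv/slapd-*"))


def certutil_add_cmd(nssdb, nickname, ca_pem_path):
    """The certutil invocation from the reply, with CA trust flags CT,C,C."""
    return ["certutil", "-A", "-d", nssdb, "-n", nickname,
            "-t", "CT,C,C", "-i", ca_pem_path]


if __name__ == "__main__":
    import subprocess
    import sys

    ca_path = sys.argv[1]          # path to the new CA in PEM form
    ca_pem = Path(ca_path).read_text()
    for pem in PEM_FILES:
        print(pem, "added" if update_pem_file(pem, ca_pem) else "already present")
    for db in NSS_DBS + dirsrv_nssdbs():
        if Path(db).is_dir():       # skip databases this version does not have
            subprocess.run(certutil_add_cmd(db, "New Root CA", ca_path), check=True)
```

Run it as root with the CA file as the only argument on each host before retrying ipa-certupdate; because nothing is appended twice, it is safe to rerun on a host that was already partly fixed by hand.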
The certificate in mysite.crt must be signed by a CA known by the service you are loading the certificate into. If that is not the case, use the commands ipa-cacert-manage install and ipa-certupdate to load the CA's certificate prior to installing the new certificate.
# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
Note: the command ipa-certupdate must be executed on all the IPA hosts (master/replicas/clients) before moving to the next step.
Configuration of the 3rd party certificate
You can install the new bundle using:
# ipa-server-certinstall -w -d mysite.key mysite.crt
The option -w|--http installs the certificate for the HTTP server, and -d|--dirsrv installs the certificate for the LDAP server. Please see the ipa-server-certinstall(1) man page for more information regarding all the available options.
Then restart your daemons:
# systemctl restart httpd.service
# systemctl restart dirsrv@MY-REALM.service
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org