Hi,
On Thu, Oct 12, 2023 at 3:44 PM Frederic Ayrault fred@lix.polytechnique.fr wrote:
Just in case here are the logs after going in the authentification menu in the GUI ( I get on Erreur IPA 903: InternalError ) when trying to get certificats informations
in the server roles, CA server is now configured
Frédéric AYRAULT Administrateur Systèmes et Réseaux Laboratoire d'Informatique de l'Ecole polytechnique http://www.lix.polytechnique.fr fred@lix.polytechnique.fr
Le 12/10/2023 à 15:33, Frederic Ayrault a écrit :
I restored the vm, clean all logs and run the ipa-ca-install without the --ca-subject then with the --ca-subject="CN=New Certificate Authority,O= LIX.POLYTECHNIQUE.FR"
please find enclosed the requested logs
The CA installation fails because it finds an existing entry in "cn=
LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr". It really looks like your topology used to have a self-signed CA at one point.
If you look at this entry, does it correspond to a CA known to you? You can extract the certificate using ldapsearch -D "cn=directory\ manager" -W -b "cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr" -LLL -o ldif-wrap=no which should show a value for cacertificate;binary:: <content>
Then create a pem file with the format -----BEGIN CERTIFICATE----- <here paste the content> -----END CERTIFICATE----- and execute: openssl x509 -noout -text -in <pemfile>
You mentioned in a previous email that the server was originally part of a cluster but got "extracted" out of it to run the tests. Did this set of servers have a self-signed IPA CA? In the logs we can see reference to 3 different CA certificates for "CN=Certificate Authority, O= LIX.POLYTECHNIQUE.FR" (self signed, issued in june, june and july 2016). It's really a confusing situation, as it's the subject that IPA CA would use by default but it could also be a completely different origin.
flo
Thank you very much for your help
Le 12/10/2023 à 14:19, Florence Blanc-Renaud a écrit :
Hi,
On Thu, Oct 12, 2023 at 11:41 AM Frederic Ayrault < fred@lix.polytechnique.fr> wrote:
Le 12/10/2023 à 10:59, Florence Blanc-Renaud a écrit :
Hi,
If I recap everything so far:
- there is a single server, ipa3.lix.polytechnique.fr
It was part of a cluster but it is removed for the tests
- it was installed CA-less, with http and ldap certificates issued by an
external CA (C=FR, O=CNRS, CN=CNRS2-Standard), which is an intermediate
CA,
signed by the root CA (C=FR, O=CNRS, CN=CNRS2)
exactly
Your goal is to "replace our external CA to an Internal one", do you
mean
that you want IPA to act as a certificate authority, or use a different
CA
authority instead of C=FR, O=CNRS, CN=CNRS2-Standard ?
As I am not able to use CNRS2-Standard, I need to use a different CA authority
Ok, so you went through the right path by using ipa-ca-install. Now we
need to understand why the command failed. Can you share /var/log/ipareplica-ca-install.log? We may also need /var/log/pki/pki-ca-spawn.$date and /var/log/dirsrv/slap-LIX-POLYTECHNIQUE -FR/errors and access.
flo
I thought using IPA as a certificate authority was logical (and should
also be easier) but I can be wrong :-(
flo
Frederic
Le 12/10/2023 à 17:42, Florence Blanc-Renaud a écrit :
Hi,
The CA installation fails because it finds an existing entry in "cn=LIX.POLYTECHNIQUE.FR http://LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr". It really looks like your topology used to have a self-signed CA at one point.
If you look at this entry, does it correspond to a CA known to you? You can extract the certificate using ldapsearch -D "cn=directory\ manager" -W -b "cn=LIX.POLYTECHNIQUE.FR http://LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr" -LLL -o ldif-wrap=no which should show a value for cacertificate;binary:: <content>
Then create a pem file with the format -----BEGIN CERTIFICATE-----
<here paste the content> -----END CERTIFICATE----- and execute: openssl x509 -noout -text -in <pemfile>
I can see in Authority Information Access:
OCSP - URI:http://ipa2.lix.polytechnique.fr:80/ca/ocsp
this is the server used to generate the replica-info-ipa3.lix.polytechnique.fr.gpg file used to install the server
openssl pkcs12 -export -chain -CAfile /root/CNRS2-All.crt -in ipa3.lix.polytechnique.fr.pem -inkey ipa3.lix.polytechnique.fr.key -name IPA3 -out ipa3.lix.polytechnique.fr.pk12 -passout pass:??? ipa-replica-prepare --dirsrv_pkcs12=/root/ipa3.lix.polytechnique.fr.pk12 --dirsrv_pin=??? --http_pkcs12=/root/ipa3.lix.polytechnique.fr.pk12 --http_pin=??? ipa3.lix.polytechnique.fr
the CNRS2-All.crt is the same for all the servers and I get a pair of pem and key files for each servers
In CNRS2-All.crt, there are 3 certs from Issuer: C=FR, O=CNRS, CN=CNRS2
You mentioned in a previous email that the server was originally part of a cluster but got "extracted" out of it to run the tests. Did this set of servers have a self-signed IPA CA? In the logs we can see reference to 3 different CA certificates for "CN=Certificate Authority, O=LIX.POLYTECHNIQUE.FR http://LIX.POLYTECHNIQUE.FR" (self signed, issued in june, june and july 2016). It's really a confusing situation, as it's the subject that IPA CA would use by default but it could also be a completely different origin.
I do not know how was installed the first server, but everytime I add to renew the cert, I removed the server, generate the gpg file and did a replica-install
I thougt using --ca-subject for the ipa-ca-install should solve the confusing situation. Can I delete or rename those 3 CA ?
flo
Frédéric
Hi,
On Thu, Oct 12, 2023 at 6:24 PM Frederic Ayrault fred@lix.polytechnique.fr wrote:
Le 12/10/2023 à 17:42, Florence Blanc-Renaud a écrit :
Hi,
The CA installation fails because it finds an existing entry in "cn= LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr". It really looks like your topology used to have a self-signed CA at one point.
If you look at this entry, does it correspond to a CA known to you? You can extract the certificate using ldapsearch -D "cn=directory\ manager" -W -b "cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr" -LLL -o ldif-wrap=no which should show a value for cacertificate;binary:: <content>
Then create a pem file with the format -----BEGIN CERTIFICATE-----
<here paste the content> -----END CERTIFICATE----- and execute: openssl x509 -noout -text -in <pemfile>
I can see in Authority Information Access:
OCSP - URI:http://ipa2.lix.polytechnique.fr:80/ca/ocsp
this is the server used to generate the replica-info-ipa3.lix.polytechnique.fr.gpg file used to install the server
openssl pkcs12 -export -chain -CAfile /root/CNRS2-All.crt -in ipa3.lix.polytechnique.fr.pem -inkey ipa3.lix.polytechnique.fr.key -name IPA3 -out ipa3.lix.polytechnique.fr.pk12 -passout pass:??? ipa-replica-prepare --dirsrv_pkcs12=/root/ipa3.lix.polytechnique.fr.pk12 --dirsrv_pin=??? --http_pkcs12=/root/ipa3.lix.polytechnique.fr.pk12 --http_pin=??? ipa3.lix.polytechnique.fr
the CNRS2-All.crt is the same for all the servers and I get a pair of pem and key files for each servers
In CNRS2-All.crt, there are 3 certs from Issuer: C=FR, O=CNRS, CN=CNRS2
You mentioned in a previous email that the server was originally part of a cluster but got "extracted" out of it to run the tests. Did this set of servers have a self-signed IPA CA? In the logs we can see reference to 3 different CA certificates for "CN=Certificate Authority, O= LIX.POLYTECHNIQUE.FR" (self signed, issued in june, june and july 2016). It's really a confusing situation, as it's the subject that IPA CA would use by default but it could also be a completely different origin.
I do not know how was installed the first server, but everytime I add to renew the cert, I removed the server, generate the gpg file and did a replica-install
This procedure is very creative :) When the HTTP and LDAP server certificates are about to expire, there is a tool that can help you install new ones: ipa-server-certinstall. It is documented in Installing Third-Party Certificates for HTTP or LDAP https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/third-party-certs-http-ldap. No need to scratch the machine and reinstall as a replica, simply replace the certificates.
I thougt using --ca-subject for the ipa-ca-install should solve the confusing situation. Can I delete or rename those 3 CA ?
Your current situation: there was a self-signed IPA CA in one of the servers, the replica was created without the CA role then extracted from the original topology. This means there are traces of the CA installation in the new replica but nothing to actually provide the service.
So my answer really depends on what you want to achieve. If the new replica will never be connected any more to the previous topology, you could follow Fraser's blog about Removing the CA from a FreeIPA deployment https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-ca.html on the replica after it has been removed from the original topology, ensure that everything is cleanup and call ipa-ca-install on the new replica. This would ensure there is a new CA private key completely different from the original one. Please note that this blog provides instructions but 1. this is not an officially supported procedure and 2. the instructions intend to remove the CA, not reinstall a new one later on.
flo
flo
Frédéric
freeipa-users@lists.fedorahosted.org