Hello,
I need to replace our external CA with an internal one.
We tried several ways without success. One of them was to do a backup with ipa-backup or db2bak, reinstall the server with an internal CA and restore the data. But this also restores the external CA.
Is there a way to back up or restore only the users, groups, roles, ...?
I am still running ipa 4.6.8 on CentOS 7.
Thank you
Regards,
Frederic
Frédéric AYRAULT, Systems and Network Administrator, Laboratoire d'Informatique de l'Ecole polytechnique, http://www.lix.polytechnique.fr, fred@lix.polytechnique.fr
Hello,
What procedure did you follow to renew your CA from external to self-signed?
Please look at this doc: https://www.freeipa.org/page/V4/CA_certificate_renewal#ca-certificate-manage...
$ ipa-cacert-manage renew --self-signed
The above command should renew the CA to self-signed.
On Sun, Oct 8, 2023 at 5:40 PM Frederic Ayrault via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,
I need to replace our external CA with an internal one.
We tried several ways without success. One of them was to do a backup with ipa-backup or db2bak, reinstall the server with an internal CA and restore the data. But this also restores the external CA.
Is there a way to back up or restore only the users, groups, roles, ...?
I am still running ipa 4.6.8 on CentOS 7.
Thank you
Regards,
Frederic
Frédéric AYRAULT, Systems and Network Administrator, Laboratoire d'Informatique de l'Ecole polytechnique, http://www.lix.polytechnique.fr, fred@lix.polytechnique.fr
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hello,
When I run the command, I get this message:
CA is not configured on this system
The ipa-cacert-manage command failed.
Thank you
Regards,
Frederic
Frédéric AYRAULT, Systems and Network Administrator, Laboratoire d'Informatique de l'Ecole polytechnique, http://www.lix.polytechnique.fr, fred@lix.polytechnique.fr
On 09/10/2023 at 09:11, Mohammad Rizwan Yusuf wrote:
Hello,
What procedure did you follow to renew your CA from external to self-signed?
Please look at this doc: https://www.freeipa.org/page/V4/CA_certificate_renewal#ca-certificate-manage...
$ ipa-cacert-manage renew --self-signed
The above command should renew the CA to self-signed.
--
Regards
Mohammad Rizwan
He/Him/His
IM: rizwan
Hi,
On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,
When I run the command, I get this message:
CA is not configured on this system
The ipa-cacert-manage command failed.
"replace our external CA to an Internal one", do you mean that IPA was installed CA-less (with HTTP and LDAP certificates provided by an external CA), or with an embedded CA signed by an external CA?
In the first case, you need to install a CA on any of the IPA servers, using ipa-ca-install. This will create an IPA CA, then you need to download this new IPA CA certificate on all your IPA machines (server/replicas/clients) with ipa-certupdate. Please note that this does not replace the HTTP and LDAP server certificates. Also note that it is recommended to install the CA services on at least 2 servers (using ipa-ca-install on the other server). Full doc is available at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
In the second case, you need to identify where the CA role is already installed (ipa config-show displays the list of servers with the CA role), and run the command provided by Rizwan on this node. Full doc is available at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
HTH, flo
Thank you
Regards,
Frederic
Frédéric AYRAULT, Systems and Network Administrator, Laboratoire d'Informatique de l'Ecole polytechnique, http://www.lix.polytechnique.fr, fred@lix.polytechnique.fr
Hello,
On 09/10/2023 at 09:42, Florence Blanc-Renaud wrote:
Hi,
On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,
When I run the command, I get this message:
CA is not configured on this system
The ipa-cacert-manage command failed.
"replace our external CA to an Internal one", do you mean that IPA was installed CA-less (with HTTP and LDAP certificates provided by an external CA), or with an embedded CA signed by an external CA?
In the first case, you need to install a CA on any of the IPA servers, using ipa-ca-install. This will create an IPA CA, then you need to download this new IPA CA certificate on all your IPA machines (server/replicas/clients) with ipa-certupdate. Please note that this does not replace the HTTP and LDAP server certificates. Also note that it is recommended to install the CA services on at least 2 servers (using ipa-ca-install on the other server). Full doc is available at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
When I run the command ipa-ca-install, I get:
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
Certificate with subject CN=Certificate Authority,O=LIX.POLYTECHNIQUE.FR is present in /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/, cannot continue.
In the second case, you need to identify where the CA role is already installed (ipa config-show displays the list of servers with the CA role), and run the command provided by Rizwan on this node. Full doc is available at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
ipa config-show does not display any CA server
HTH, flo
Thank you
Regards,
Frederic
Frédéric AYRAULT, Systems and Network Administrator, Laboratoire d'Informatique de l'Ecole polytechnique, http://www.lix.polytechnique.fr, fred@lix.polytechnique.fr
Hi,
On Mon, Oct 9, 2023 at 10:22 AM Frederic Ayrault <fred@lix.polytechnique.fr> wrote:
Hello,
On 09/10/2023 at 09:42, Florence Blanc-Renaud wrote:
Hi,
On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,
When I run the command, I get this message:
CA is not configured on this system
The ipa-cacert-manage command failed.
"replace our external CA to an Internal one", do you mean that IPA was installed CA-less (with HTTP and LDAP certificates provided by an external CA), or with an embedded CA signed by an external CA?
In the first case, you need to install a CA on any of the IPA servers, using ipa-ca-install. This will create an IPA CA, then you need to download this new IPA CA certificate on all your IPA machines (server/replicas/clients) with ipa-certupdate. Please note that this does not replace the HTTP and LDAP server certificates. Also note that it is recommended to install the CA services on at least 2 servers (using ipa-ca-install on the other server). Full doc is available at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
When I run the command ipa-ca-install, I get:
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
Certificate with subject CN=Certificate Authority,O=LIX.POLYTECHNIQUE.FR is present in /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/, cannot continue.
Is this your external CA? I assume that its subject conflicts with the default subject name that IPA installer would pick. If that's the case, you can force ipa-ca-install to use a different subject name with the --ca-subject option.
flo
In the second case, you need to identify where the CA role is already installed (ipa config-show displays the list of servers with the CA role), and run the command provided by Rizwan on this node. Full doc is available at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
ipa config-show does not display any CA server
HTH, flo
Thank you
Regards,
Frederic
Frédéric AYRAULT, Systems and Network Administrator, Laboratoire d'Informatique de l'Ecole polytechnique, http://www.lix.polytechnique.fr, fred@lix.polytechnique.fr
On 09/10/2023 at 16:47, Florence Blanc-Renaud wrote:
Is this your external CA? I assume that its subject conflicts with the default subject name that IPA installer would pick. If that's the case, you can force ipa-ca-install to use a different subject name with the --ca-subject option.
flo
I run ipa-ca-install --ca-subject="CN=New Certificate Authority,O=LIX.POLYTECHNIQUE.FR" but after the last step (30/30) I get:
Done configuring certificate server (pki-tomcatd).
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
Unexpected error - see /var/log/ipareplica-ca-install.log for details: DuplicateEntry: This entry already exists
The ipareplica-ca-install.log ends with:
2023-10-09T14:55:53Z DEBUG stderr=
2023-10-09T14:55:53Z DEBUG Starting external process
2023-10-09T14:55:53Z DEBUG args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -A -n LIX.POLYTECHNIQUE.FR IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/pwdfile.txt
2023-10-09T14:55:53Z DEBUG Process finished, return code=0
2023-10-09T14:55:53Z DEBUG stdout=
2023-10-09T14:55:53Z DEBUG stderr=
2023-10-09T14:55:53Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1015, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 343, in main
    install(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 279, in install
    install_master(safe_options, options)
  File "/usr/sbin/ipa-ca-install", line 266, in install_master
    ca.install(True, None, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 255, in install
    install_step_1(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 379, in install_step_1
    config_ipa=True, config_compat=True)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 372, in put_ca_cert_nss
    config_ipa, config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 239, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 152, in add_ca_cert
    ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1580, in add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1029, in error_handler
    raise errors.DuplicateEntry()
2023-10-09T14:55:53Z DEBUG The ipa-ca-install command failed, exception: DuplicateEntry: This entry already exists
If I look at the database with /usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -L, I get:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CNRS2-Standard - CNRS                                        C,,
CA 3                                                         CT,C,C
LIX.POLYTECHNIQUE.FR IPA CA                                  CT,C,C
IPA3                                                         u,u,u
CNRS2 - CNRS                                                 ,,
CA 3                                                         CT,C,C
CA 3                                                         CT,C,C
It looks like the problem is "CA 3" but I do not know what to do.
Hi,
On Mon, Oct 9, 2023 at 5:30 PM Frederic Ayrault <fred@lix.polytechnique.fr> wrote:
On 09/10/2023 at 16:47, Florence Blanc-Renaud wrote:
Is this your external CA? I assume that its subject conflicts with the default subject name that IPA installer would pick. If that's the case, you can force ipa-ca-install to use a different subject name with the --ca-subject option.
flo
I run ipa-ca-install --ca-subject="CN=New Certificate Authority,O=LIX.POLYTECHNIQUE.FR" but after the last step (30/30) I get:
Done configuring certificate server (pki-tomcatd).
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
Unexpected error - see /var/log/ipareplica-ca-install.log for details: DuplicateEntry: This entry already exists
The ipareplica-ca-install.log ends with:
2023-10-09T14:55:53Z DEBUG stderr=
2023-10-09T14:55:53Z DEBUG Starting external process
2023-10-09T14:55:53Z DEBUG args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -A -n LIX.POLYTECHNIQUE.FR IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/pwdfile.txt
2023-10-09T14:55:53Z DEBUG Process finished, return code=0
2023-10-09T14:55:53Z DEBUG stdout=
2023-10-09T14:55:53Z DEBUG stderr=
2023-10-09T14:55:53Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1015, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 343, in main
    install(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 279, in install
    install_master(safe_options, options)
  File "/usr/sbin/ipa-ca-install", line 266, in install_master
    ca.install(True, None, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 255, in install
    install_step_1(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 379, in install_step_1
    config_ipa=True, config_compat=True)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 372, in put_ca_cert_nss
    config_ipa, config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 239, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 152, in add_ca_cert
    ldap.add_entry(entry)
The error is an LDAP error when adding an entry/attribute for the CA. Can you check in /var/log/dirsrv/slapd-<YOURDOMAIN>/errors if there were any errors reported at the same date (~2023-10-09T14:55:53Z)? The error would happen either on an ADD or on a MOD operation. It would also help if you can provide a description of your current certificate chain (the subject of the Root CA, if relevant the intermediate ones) or share your /etc/ipa/ca.crt file. You didn't clarify so far whether IPA was installed CA-less or with an embedded CA that was externally-signed. If you still have access to the first server that was installed, you can have a look at /var/log/ipaserver-install.log and check the options that were provided.
flo
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1580, in add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1029, in error_handler
    raise errors.DuplicateEntry()
2023-10-09T14:55:53Z DEBUG The ipa-ca-install command failed, exception: DuplicateEntry: This entry already exists
If I look at the database with /usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -L, I get:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CNRS2-Standard - CNRS                                        C,,
CA 3                                                         CT,C,C
LIX.POLYTECHNIQUE.FR IPA CA                                  CT,C,C
IPA3                                                         u,u,u
CNRS2 - CNRS                                                 ,,
CA 3                                                         CT,C,C
CA 3                                                         CT,C,C
It looks like the problem is "CA 3" but I do not know what to do.
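As an added example (not code from the FreeIPA project or from anyone in this thread), here is a small Python script that does the check Florence asks for above: it reads lines in the 389-ds errors-log format ("[DD/Mon/YYYY:HH:MM:SS.nnnnnnnnn +ZZZZ] - LEVEL - component - text"), converts their local timestamps to UTC, and keeps only the ERR-or-worse entries that fall within a few minutes of the UTC failure stamp written by ipareplica-ca-install.log. The log lines embedded in it are constructed for the example (two of them, one INFO line and one ERR line from the previous day, exist only to show the filter leaving them out); the five-minute window and the severity list are this script's own assumptions.

```python
"""Pull the 389-ds (dirsrv) error entries logged around an install failure.

Added example for this thread; it is not code from the FreeIPA project or
from any list participant. It assumes the 389-ds errors-log line shape
("[DD/Mon/YYYY:HH:MM:SS.nnnnnnnnn +ZZZZ] - LEVEL - text") and the
"YYYY-MM-DDTHH:MM:SSZ" stamps that ipareplica-ca-install.log writes.
"""
import re
from datetime import datetime, timedelta, timezone

# Header of one 389-ds errors-log entry; the message keeps its component prefix.
_ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d+))?\s+(?P<tz>[+-]\d{4})\]\s+-\s+"
    r"(?P<level>[A-Z]+)\s+-\s+(?P<msg>.*)$"
)

# Severities at or above ERR in the 389-ds scheme (assumption: these are the
# levels worth correlating with an installer failure).
SEVERE = ("EMERG", "ALERT", "CRIT", "ERR")


def parse_dirsrv_entry(line):
    """Return (utc_datetime, level, message) for one log line, or None if the
    line does not start with a 389-ds timestamp header."""
    m = _ENTRY_RE.match(line.strip())
    if m is None:
        return None
    local = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
    # 389-ds prints nanoseconds; datetime stores microseconds, so truncate.
    frac = (m.group("frac") or "")[:6].ljust(6, "0")
    tz = m.group("tz")
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    if tz[0] == "-":
        offset = -offset
    local = local.replace(microsecond=int(frac), tzinfo=timezone(offset))
    return local.astimezone(timezone.utc), m.group("level"), m.group("msg")


def parse_ipa_stamp(stamp):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' stamp used by the ipa install logs."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def severe_entries_near(lines, failure_stamp, window_minutes=5):
    """Return [(utc_stamp, message)] for ERR-or-worse entries whose time lies
    within +/- window_minutes of the failure stamp, in log order."""
    centre = parse_ipa_stamp(failure_stamp)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        parsed = parse_dirsrv_entry(line)
        if parsed is None:
            continue
        when, level, msg = parsed
        if level in SEVERE and abs(when - centre) <= window:
            hits.append((when.strftime("%Y-%m-%dT%H:%M:%SZ"), msg))
    return hits


# Constructed sample: six ERR lines in +0200 local time, plus one INFO line in
# the window and one ERR line from the day before, which the filter must skip.
SAMPLE_ERRORS_LOG = [
    "[08/Oct/2023:10:00:00.000000000 +0200] - ERR - example - unrelated earlier failure (constructed)",
    "[09/Oct/2023:16:53:29.778822109 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend ipaca, attempting to create one...",
    "[09/Oct/2023:16:53:29.792922239 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher 3DES in backend ipaca, attempting to create one...",
    "[09/Oct/2023:16:53:29.800000000 +0200] - INFO - example - backend ipaca online (constructed)",
    "[09/Oct/2023:16:53:29.830898826 +0200] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend ipaca is coming online; checking domain level and init shared topology",
    "[09/Oct/2023:16:53:29.852943744 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=lix,dc=polytechnique,dc=fr--no CoS Templates found, which should be added before the CoS Definition.",
    "[09/Oct/2023:16:54:39.861546593 +0200] - ERR - ldbm_back_ldbm2index - ldbm: 'ipaca' is already in the middle of another task and cannot be disturbed.",
    "[09/Oct/2023:16:54:39.867443983 +0200] - ERR - task_index_thread - Index failed (error -1)",
]

# The failure stamp from ipareplica-ca-install.log quoted in the thread.
FAILURE_STAMP = "2023-10-09T14:55:53Z"

if __name__ == "__main__":
    for stamp, msg in severe_entries_near(SAMPLE_ERRORS_LOG, FAILURE_STAMP):
        print(stamp, msg)
```

To use it on a real server, read /var/log/dirsrv/slapd-<YOURDOMAIN>/errors into a list of lines and pass the failure stamp copied from the installer log; the local-to-UTC conversion is the step people usually get wrong when comparing the two logs by eye, since the installer log is in UTC and the dirsrv log is in the server's local offset.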
Hello Florence,
On 10/10/2023 at 09:01, Florence Blanc-Renaud wrote:
The error is an LDAP error when adding an entry/attribute for the CA. Can you check in /var/log/dirsrv/slapd-<YOURDOMAIN>/errors if there were any errors reported at the same date (~2023-10-09T14:55:53Z)? The error would happen either on an ADD or on a MOD operation.
Here are the errors:
[09/Oct/2023:16:53:29.778822109 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend ipaca, attempting to create one...
[09/Oct/2023:16:53:29.792922239 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher 3DES in backend ipaca, attempting to create one...
[09/Oct/2023:16:53:29.830898826 +0200] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend ipaca is coming online; checking domain level and init shared topology
[09/Oct/2023:16:53:29.852943744 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=lix,dc=polytechnique,dc=fr--no CoS Templates found, which should be added before the CoS Definition.
[09/Oct/2023:16:54:39.861546593 +0200] - ERR - ldbm_back_ldbm2index - ldbm: 'ipaca' is already in the middle of another task and cannot be disturbed.
[09/Oct/2023:16:54:39.867443983 +0200] - ERR - task_index_thread - Index failed (error -1)
It would also help if you can provide a description of your current certificate chain (the subject of the Root CA, if relevant the intermediate ones) or share your /etc/ipa/ca.crt file.
Please find enclosed the ca.crt file. If you need more information like the subject of the Root CA, I will need the commands :-(
You didn't clarify so far whether IPA was installed CA-less or with an embedded CA that was externally-signed. If you still have access to the first server that was installed, you can have a look at /var/log/ipaserver-install.log and check the options that were provided.
I think I was using an embedded CA that was externally-signed.
I get pem and key files; with them I create a pk12 file used with ipa-replica-prepare on another replica to generate the replica-info-ipa3.lix.polytechnique.fr.gpg file used for the ipa-replica-install.
flo
Thank you for your help
Regards,
Frederic
Hi,
On Tue, Oct 10, 2023 at 9:26 AM Frederic Ayrault via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello Florence,
On 10/10/2023 at 09:01, Florence Blanc-Renaud wrote:
The error is an LDAP error when adding an entry/attribute for the CA. Can you check in /var/log/dirsrv/slapd-<YOURDOMAIN>/errors if there were any errors reported at the same date (~2023-10-09T14:55:53Z)? The error would happen either on an ADD or on a MOD operation.
Here are the errors:
[09/Oct/2023:16:53:29.778822109 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend ipaca, attempting to create one...
[09/Oct/2023:16:53:29.792922239 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher 3DES in backend ipaca, attempting to create one...
[09/Oct/2023:16:53:29.830898826 +0200] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend ipaca is coming online; checking domain level and init shared topology
[09/Oct/2023:16:53:29.852943744 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=lix,dc=polytechnique,dc=fr--no CoS Templates found, which should be added before the CoS Definition.
[09/Oct/2023:16:54:39.861546593 +0200] - ERR - ldbm_back_ldbm2index - ldbm: 'ipaca' is already in the middle of another task and cannot be disturbed.
[09/Oct/2023:16:54:39.867443983 +0200] - ERR - task_index_thread - Index failed (error -1)
It would also help if you can provide a description of your current certificate chain (the subject of the Root CA, if relevant the intermediate ones) or share your /etc/ipa/ca.crt file.
Please find enclosed the ca.crt file. If you need more information like the subject of the Root CA, I will need the commands :-(
The provided ca.crt file contains 3 certificates:
- a new one that is self-signed, recently created:
    Issuer: O=LIX.POLYTECHNIQUE.FR, CN=New Certificate Authority
    Validity
        Not Before: Oct 9 14:54:41 2023 GMT
        Not After : Oct 9 14:54:41 2043 GMT
    Subject: O=LIX.POLYTECHNIQUE.FR, CN=New Certificate Authority
- an external root CA:
    Issuer: C=FR, O=CNRS, CN=CNRS2
    Validity
        Not Before: Jan 21 08:51:13 2009 GMT
        Not After : Jan 21 08:51:13 2029 GMT
    Subject: C=FR, O=CNRS, CN=CNRS2
- an external intermediate CA, signed by the previous one:
    Issuer: C=FR, O=CNRS, CN=CNRS2
    Validity
        Not Before: Jan 21 09:03:52 2009 GMT
        Not After : Jan 20 09:03:52 2029 GMT
    Subject: C=FR, O=CNRS, CN=CNRS2-Standard
So far it doesn't look like there was an IPA embedded CA signed by the external intermediate CA. Can you check the HTTP and LDAP server certificates with certutil? I would like to check who issued them.
Since it's IPA 4.6.8, the HTTP cert is stored in /etc/httpd/alias. Find its nickname with
# certutil -L -d /etc/httpd/alias/ | grep "u,u,u"
*Server-Cert* u,u,u
Then get the subject and issuer from the certificate:
# certutil -L -d /etc/httpd/alias/ -n *Server-Cert* | egrep "Issuer:|Subject:"
For the LDAP server, same steps but at a different location:
# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ | grep "u,u,u"
*Server-Cert* u,u,u
# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -n *Server-Cert* | egrep "Subject:|Issuer:"
If the issuer is an external CA, it's likely that your IPA deployment was installed CA-less.
The output of ipa config-show would also show if there was a server installed with a CA.
flo
You didn't clarify so far whether IPA was installed CA-less or with an embedded CA that was externally-signed. If you still have access to the first server that was installed, you can have a look at /var/log/ipaserver-install.log and check the options that were provided.
I think I was using an embedded CA that was externally-signed.
I get pem and key files; with them I create a pk12 file used with ipa-replica-prepare on another replica to generate the replica-info-ipa3.lix.polytechnique.fr.gpg file used for the ipa-replica-install.
flo
Thank you for your help
Regards,
Frederic
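Added example, not code from the FreeIPA project or from any participant in this thread: a Python helper that automates the checks Florence describes in the message above. It parses a "certutil -L" listing to find the "u,u,u" server certificate and any repeated nicknames, pulls the Issuer DN from "certutil -L -n" output, and compares that issuer with the CA subject IPA builds from the "Certificate Subject base" shown by ipa config-show. It assumes the IPA CA carries its default subject "CN=Certificate Authority,<subject base>" unless a custom subject is passed in; the listing and certificate text embedded below are constructed from the output quoted in this thread (including the truncated Subject line, to show how a cut-off paste is handled), and the function names and the "embedded-ca"/"ca-less" labels are this example's own.

```python
"""Read certutil output from a FreeIPA server and tell a CA-less deployment
from one with an embedded (IPA) CA.

Added example for this thread; it is not code from the FreeIPA project or
from any list participant. It assumes the two-column 'certutil -L' listing
(nickname, then 'SSL,S/MIME,JAR/XPI' trust flags) and the 'Issuer: "..."' /
'Subject: "..."' lines of 'certutil -L -n <nick>', and that the IPA CA uses
its default subject "CN=Certificate Authority,<subject base>".
"""
import re
from collections import Counter

# One listing row: a nickname (may contain spaces) followed by three
# comma-separated groups of NSS trust letters, any of which may be empty.
_ROW_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")
# A quoted DN on a single 'Issuer:' or 'Subject:' line.
_DN_RE_TEMPLATE = r'{field}:\s*"([^"\n]*)"'


def parse_certutil_listing(text):
    """Return [(nickname, trust)] from 'certutil -L -d <db>' output; the two
    header lines and blank lines are skipped."""
    rows = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("Certificate Nickname") or line.strip().startswith("SSL,"):
            continue
        m = _ROW_RE.match(line)
        if m:
            rows.append((m.group("nick").strip(), m.group("trust")))
    return rows


def server_cert_nicknames(rows):
    """Nicknames whose trust is 'u,u,u': entries that have a private key,
    i.e. the HTTP/LDAP server certificates the thread is asking about."""
    return [nick for nick, trust in rows if trust == "u,u,u"]


def duplicate_nicknames(rows):
    """Nicknames that appear more than once, with their counts. Repeated
    nicknames make 'certutil -n <nick>' lookups ambiguous, so they are worth
    reporting before running any installer that adds to the database."""
    counts = Counter(nick for nick, _ in rows)
    return {nick: n for nick, n in counts.items() if n > 1}


def extract_dn(cert_text, field):
    """Pull the quoted DN after 'Issuer:' or 'Subject:' out of 'certutil -L -n'
    output. Returns None when the value is missing or truncated (no closing
    quote on the line), so a cut-off paste is reported rather than half-read."""
    m = re.search(_DN_RE_TEMPLATE.format(field=field), cert_text)
    return m.group(1) if m else None


def _norm_dn(dn):
    """Normalise spacing and case so 'CN=X, O=Y' and 'cn=x,o=y' compare equal."""
    return ",".join(p.strip() for p in dn.strip().strip('"').split(",")).lower()


def classify_deployment(server_cert_issuer, subject_base, ipa_ca_subject=None):
    """'embedded-ca' when the server certificate was issued by the IPA CA,
    otherwise 'ca-less'. subject_base is the 'Certificate Subject base' from
    'ipa config-show'; pass ipa_ca_subject when the CA was installed with a
    custom --ca-subject (assumption: otherwise the IPA default applies)."""
    expected = ipa_ca_subject or "CN=Certificate Authority," + subject_base
    return "embedded-ca" if _norm_dn(server_cert_issuer) == _norm_dn(expected) else "ca-less"


def summarize(listing_text, server_cert_text, subject_base):
    """Combine the checks into one report dictionary."""
    rows = parse_certutil_listing(listing_text)
    issuer = extract_dn(server_cert_text, "Issuer")
    return {
        "server_certs": server_cert_nicknames(rows),
        "duplicates": duplicate_nicknames(rows),
        "server_cert_issuer": issuer,
        "deployment": classify_deployment(issuer, subject_base) if issuer else "unknown",
    }


# Constructed sample, reproducing the listing and certificate lines quoted in the thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CNRS2-Standard - CNRS                                        C,,
CA 3                                                         CT,C,C
LIX.POLYTECHNIQUE.FR IPA CA                                  CT,C,C
IPA3                                                         u,u,u
CNRS2 - CNRS                                                 ,,
CA 3                                                         CT,C,C
CA 3                                                         CT,C,C
"""
SAMPLE_HTTP_CERT = """\
        Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
        Subject: "E=sysres@lix.polytechnique.fr,CN=ipa3.lix.polytechnique.fr, Issuer:
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LISTING, SAMPLE_HTTP_CERT, "O=LIX.POLYTECHNIQUE.FR"))
```

On a live server the two text inputs are simply the captured stdout of the certutil commands from the message above, and subject_base is the "Certificate Subject base" value from ipa config-show; the "unknown" result for a truncated Issuer line is deliberate, so that an incomplete paste is never classified either way.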
Hello,
On 12/10/2023 at 09:42, Florence Blanc-Renaud wrote:
Hi,
So far it doesn't look like there was an IPA embedded CA signed by the external intermediate CA. Can you check the HTTP and LDAP server certificates with certutil? I would like to check who issued them.
Since it's IPA 4.6.8, the HTTP cert is stored in /etc/httpd/alias. Find its nickname with
# certutil -L -d /etc/httpd/alias/ | grep "u,u,u"
*Server-Cert* u,u,u
IPA3 u,u,u
Then get the subject and issuer from the certificate:
# certutil -L -d /etc/httpd/alias/ -n *Server-Cert* | egrep "Issuer:|Subject:"
Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
Subject: "E=sysres@lix.polytechnique.fr,CN=ipa3.lix.polytechnique.fr, Issuer:
For the LDAP server, same steps but at a different location:
# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ | grep "u,u,u"
*Server-Cert* u,u,u
# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -n *Server-Cert* | egrep "Subject:|Issuer:"
Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
Subject: "E=sysres@lix.polytechnique.fr,CN=ipa3.lix.polytechnique.fr, Issuer:
If the issuer is an external CA, it's likely that your IPA deployment was installed CA-less.
Sorry, I misunderstood "external CA". Now, if I am right, I am using an external CA to get certs but this CA is not installed on the server.
How can I install an internal CA on a CA-less server?
The output of ipa config-show would also show if there was a server installed with a CA.
Sorry, it is in French:
Longueur maximale du nom d'utilisateur: 32
Base du répertoire utilisateur: /users
Interpréteur de commande par défaut: /bin/bash
Groupe utilisateur par défaut: ipausers
Domaine par défaut pour les courriels: lix.polytechnique.fr
Limite de temps d'une recherche: 2
Limite de taille d'une recherche: 1000
Champs de recherche utilisateur: uid,givenname,sn,telephonenumber,ou,title
Champs de recherche de groupe: cn,description
Activer le mode migration: TRUE
Base de sujet de certificat: O=LIX.POLYTECHNIQUE.FR
Notification d'expiration de mot de passe (jours): 4
Fonctionnalités du greffon mots de passe: AllowNThash
Ordre de la mappe des utilisateurs SELinux: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
Types de PAC par défaut: MS-PAC, nfs:NONE
Maîtres IPA: ipa3.lix.polytechnique.fr
Serveurs NTP IPA: ipa3.lix.polytechnique.fr
Maître de renouvellement d'AC IPA: ipa3.lix.polytechnique.fr
flo
Thank you
Regards,
Frederic
Hi,
On Thu, Oct 12, 2023 at 9:58 AM Frederic Ayrault via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hello,
On 12/10/2023 at 09:42, Florence Blanc-Renaud wrote:
Hi,
So far it doesn't look like there was an IPA embedded CA signed by the external intermediate CA. Can you check the HTTP and LDAP server certificates with certutil? I would like to check who issued them. Since it's IPA 4.6.8, the HTTP cert is stored in /etc/httpd/alias. Find its nickname with
# certutil -L -d /etc/httpd/alias/ | grep "u,u,u"
*Server-Cert* u,u,u
IPA3 u,u,u
Then get the subject and issuer from the certificate:
# certutil -L -d /etc/httpd/alias/ -n *Server-Cert* | egrep "Issuer:|Subject:"
Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
Subject: "E=sysres@lix.polytechnique.fr,CN=ipa3.lix.polytechnique.fr, Issuer:
For the LDAP server, same steps but at a different location:
# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ | grep "u,u,u"
*Server-Cert* u,u,u
# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -n *Server-Cert* | egrep "Subject:|Issuer:"
Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
Subject: "E=sysres@lix.polytechnique.fr,CN=ipa3.lix.polytechnique.fr, Issuer:
If the issuer is an external CA, it's likely that your IPA deployment was installed CA-less.
Sorry, I misunderstood "external CA". Now, if I am right, I am using an external CA to get certs, but this CA is not installed on the server.
How can I install an internal CA on a CA-less server?
The output of ipa config-show would also show if there was a server installed with a CA.
Sorry, it is in French.
No problem :)
Longueur maximale du nom d'utilisateur: 32
Base du répertoire utilisateur: /users
Interpréteur de commande par défaut: /bin/bash
Groupe utilisateur par défaut: ipausers
Domaine par défaut pour les courriels: lix.polytechnique.fr
Limite de temps d'une recherche: 2
Limite de taille d'une recherche: 1000
Champs de recherche utilisateur: uid,givenname,sn,telephonenumber,ou,title
Champs de recherche de groupe: cn,description
Activer le mode migration: TRUE
Base de sujet de certificat: O=LIX.POLYTECHNIQUE.FR
Notification d'expiration de mot de passe (jours): 4
Fonctionnalités du greffon mots de passe: AllowNThash
Ordre de la mappe des utilisateurs SELinux: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
Types de PAC par défaut: MS-PAC, nfs:NONE
Maîtres IPA: ipa3.lix.polytechnique.fr
Serveurs NTP IPA: ipa3.lix.polytechnique.fr
Maître de renouvellement d'AC IPA: ipa3.lix.polytechnique.fr
If I recap everything so far:
- there is a single server, ipa3.lix.polytechnique.fr
- it was installed CA-less, with http and ldap certificates issued by an external CA (C=FR, O=CNRS, CN=CNRS2-Standard), which is an intermediate CA, signed by the root CA (C=FR, O=CNRS, CN=CNRS2)
Your goal is to "replace our external CA to an Internal one"; do you mean that you want IPA to act as a certificate authority, or use a different CA authority instead of C=FR, O=CNRS, CN=CNRS2-Standard?
flo
flo
Thank you
Regards,
Frederic
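As an added example (not code from the thread or from the FreeIPA project), the script below wraps the certutil check Florence describes and classifies each server certificate's issuer as the embedded IPA CA or an external CA. It assumes the default IPA CA subject "CN=Certificate Authority,<subject base>", with the subject base taken from the "Certificate Subject base" line of ipa config-show, and uses constructed certutil output for the offline run.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether an NSS-stored server
# certificate was issued by the embedded IPA CA or by an external CA.
# Assumes the default IPA CA subject "CN=Certificate Authority,<subject base>",
# where the subject base is the "Certificate Subject base" value shown by
# `ipa config-show` (O=LIX.POLYTECHNIQUE.FR in this thread).

# classify_issuer SUBJECT_BASE  (reads `certutil -L -d DB -n NICK` output on stdin)
# Prints "ipa" or "external"; prints "unknown" and fails if no Issuer line is found.
classify_issuer() {
    base="$1"
    issuer=$(sed -n 's/^[[:space:]]*Issuer: "\(.*\)"[[:space:]]*$/\1/p' | head -n 1)
    if [ -z "$issuer" ]; then
        echo "unknown"
        return 1
    elif [ "$issuer" = "CN=Certificate Authority,$base" ]; then
        echo "ipa"
    else
        echo "external"
    fi
}

# check_nssdb DBDIR SUBJECT_BASE: find the nickname that carries a private key
# (trust flags "u,u,u"), then classify its issuer. This one runs certutil for real.
check_nssdb() {
    db="$1"
    base="$2"
    nick=$(certutil -L -d "$db" | sed -n 's/[[:space:]]*u,u,u.*$//p' | head -n 1)
    [ -n "$nick" ] || { echo "no server cert with a private key in $db" >&2; return 1; }
    printf '%s: ' "$nick"
    certutil -L -d "$db" -n "$nick" | classify_issuer "$base"
}

# Constructed samples shaped like `certutil -L -n` output; the first mirrors
# the external issuer seen in the thread, the second an IPA-issued cert.
SAMPLE_EXTERNAL='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
        Subject: "CN=ipa3.lix.polytechnique.fr,O=CNRS,C=FR"'
SAMPLE_IPA='Certificate:
    Data:
        Issuer: "CN=Certificate Authority,O=LIX.POLYTECHNIQUE.FR"
        Subject: "CN=ipa3.lix.polytechnique.fr,O=LIX.POLYTECHNIQUE.FR"'

if [ "$1" = "--live" ]; then
    check_nssdb "$2" "$3"    # e.g. --live /etc/httpd/alias O=LIX.POLYTECHNIQUE.FR
else
    printf '%s\n' "$SAMPLE_EXTERNAL" | classify_issuer O=LIX.POLYTECHNIQUE.FR   # external
    printf '%s\n' "$SAMPLE_IPA" | classify_issuer O=LIX.POLYTECHNIQUE.FR        # ipa
fi
```

On a live server, run it once per NSS database (/etc/httpd/alias and /etc/dirsrv/slapd-<INSTANCE>); "external" for both, as in this thread, is the CA-less signature.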
On 12/10/2023 at 10:59, Florence Blanc-Renaud wrote:
Hi,
If I recap everything so far:
- there is a single server, ipa3.lix.polytechnique.fr
It was part of a cluster, but it has been removed for the tests.
- it was installed CA-less, with http and ldap certificates issued by an external CA (C=FR, O=CNRS, CN=CNRS2-Standard), which is an intermediate CA, signed by the root CA (C=FR, O=CNRS, CN=CNRS2)
Exactly.
Your goal is to "replace our external CA to an Internal one"; do you mean that you want IPA to act as a certificate authority, or use a different CA authority instead of C=FR, O=CNRS, CN=CNRS2-Standard?
As I am not able to use CNRS2-Standard, I need to use a different CA authority.
I thought using IPA as a certificate authority was logical (and should also be easier), but I may be wrong :-(
flo
Frederic
Hi,
On Thu, Oct 12, 2023 at 11:41 AM Frederic Ayrault fred@lix.polytechnique.fr wrote:
On 12/10/2023 at 10:59, Florence Blanc-Renaud wrote:
Hi,
If I recap everything so far:
- there is a single server, ipa3.lix.polytechnique.fr
It was part of a cluster, but it has been removed for the tests.
- it was installed CA-less, with http and ldap certificates issued by an external CA (C=FR, O=CNRS, CN=CNRS2-Standard), which is an intermediate CA, signed by the root CA (C=FR, O=CNRS, CN=CNRS2)
Exactly.
Your goal is to "replace our external CA to an Internal one"; do you mean that you want IPA to act as a certificate authority, or use a different CA authority instead of C=FR, O=CNRS, CN=CNRS2-Standard?
As I am not able to use CNRS2-Standard, I need to use a different CA authority.
OK, so you went through the right path by using ipa-ca-install. Now we need to understand why the command failed. Can you share /var/log/ipareplica-ca-install.log? We may also need /var/log/pki/pki-ca-spawn.$date and /var/log/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/errors and access.
flo
I thought using IPA as a certificate authority was logical (and should also be easier), but I may be wrong :-(
flo
Frederic