On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote:
> Mark Haney via FreeIPA-users wrote:
> > On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote:
> >>
> >> you can connect to IPA web UI on the server to revoke the cert:
> >> https://server.ipadomain.com/ipa/ui, then navigate to Authentication >
> >> Certificates, click on the certificate corresponding to the replica
> >> which failed installation (CN=<replica>,o=DOM...) and then Actions >
> >> Revoke Certificate (superseded).
> >>
> >> Flo
> > 
> > Okay, this is just bloody stupid. It should NOT be that hard to build a
> > bloody replica of an existing LDAP server.  It's beyond insane.  I
> > revoked the certs of ipa1 off ipa0, built a new ipa-replica file on
> > ipa0, copied to ipa1 and ran ipa-replica-install
> > replica-info-ipa1.neonova.net.gpg --setup-ca and it FAILED AGAIN.
> 
> The cert revocation is not necessary but is a nice cleanup (you don't
> want copies of the cert floating around). Every time ipa-replica-prepare
> is run a new set of certs is issued.
> 
> > It seems the issue is that ipa1 can't find the GoDaddy supplied certs we
> > are using for the web UI /only/.  I expected that ALL certs would be
> > replicated over, but apparently that would be FAR too convenient.  It's
> > silly crap like this that keeps LDAP from being anything more than a
> > giant PITA and pushes people to not-centralize linux accounts outside of
> > maybe AD (which in itself is sad).
> 
> 1. IPA proxies the CA behind its web server so the server cert and CA
> chain are VERY important.
> 2. Blame freeIPA if anything, not LDAP.
> 3. This isn't a replication issue. From what I can tell from the replica
> log the CA chain is shipped over but for some reason the dogtag (CA)
> installer can't find them after a certain point.
> 
> > The failure is exactly that as the previous 4 times I've tried this.
> > Why aren't the GoDaddy signed certs 1) not being found despite being on
> > the server and 2) not carried over in the ipa-replica-prepare package?
> > 
> > This really should be a straightforward process.  The fact it isn't, and
> > the documentation being called sparse would be an insult to that word,
> > I'm at my wits end.
> > 
> > Does anyone have ANY ideas on why the GoDaddy signed certs aren't behaving?
> > 
> 
> Providing the dogtag debug log might be helpful. The replica install log
> shows that the GoDaddy CA chain was imported and trusted reasonably
> (C,,) but the installer later claims it can't find them by nickname. I
> think we need Fraser to take a closer look as he's a dogtag developer.
> 
> rob
>
Hi Mark,

Thank you for reporting your issue, for the information you have
provided and for bearing with us as we investigate it.  The CA is a
complex part of the FreeIPA system with many moving parts so it can
take a while to get to the bottom of things.

I am travelling this week though I hope to find some time to start
looking into this tomorrow.  Realistically I will not have a lot of
time to focus on this issue until next week.

Thanks,
Fraser
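As an added example, not code from this thread or from FreeIPA: a small check that parses `certutil -L` output from the NSS database the CA installer reads and reports whether each CA nickname the chain needs is present by exact name and whether the chain has a trust anchor (C or T in the SSL field, which is what "C,," means). The listing and nicknames below are constructed sample data.

```python
import re

# Trust-attributes column of `certutil -L`: three comma-separated fields
# (SSL, S/MIME, JAR/XPI), e.g. "C,," for a trusted CA, "u,u,u" for a user cert.
TRUST_RE = re.compile(r"^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$")

# Constructed sample output of `certutil -L -d <nssdb>`; not from a real server.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Go Daddy Root Certificate Authority - G2                     C,,
Go Daddy Secure Certificate Authority - G2                   ,,
Server-Cert                                                  u,u,u
"""

def parse_certutil_listing(text):
    """Return {nickname: (ssl, smime, jar)} parsed from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        # Nicknames may contain spaces, trust flags never do: split once from the right.
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # blank line or one of the two header lines
        ssl, smime, jar = parts[1].split(",")
        certs[parts[0].strip()] = (ssl, smime, jar)
    return certs

def check_ca_chain(certs, required):
    """List reasons a by-nickname lookup of the CA chain would fail."""
    problems, present = [], []
    for nick in required:
        if nick in certs:
            present.append(nick)
            continue
        # Lookups are exact-match; point out near misses that differ only in case.
        near = [n for n in certs if n.lower() == nick.lower()]
        hint = f" (case differs: {near[0]!r})" if near else ""
        problems.append(f"{nick}: not found{hint}")
    # NSS validates up to a trusted root; intermediates may carry ",," but
    # at least one cert in the chain must be flagged C or T for SSL.
    if not any(set(certs[n][0]) & {"C", "T"} for n in present):
        problems.append("no trust anchor: none of the chain certs has C or T in the SSL trust field")
    return problems

if __name__ == "__main__":
    chain = ["Go Daddy Root Certificate Authority - G2", "Go Daddy Secure Certificate Authority - G2"]
    print(check_ca_chain(parse_certutil_listing(SAMPLE_LISTING), chain) or "chain OK")
```

Run it against the real listing by replacing SAMPLE_LISTING with the output of `certutil -L -d <nssdb>` and the chain list with the nicknames the installer log says it cannot find.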
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org