[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

[Florence Blanc-Renaud via FreeIPA-users]

On 12/13/2017 04:39 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,
On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote:

My concern is, it looks much more restricted than the old root CA
cerificate:

# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                         Trust 
Attributes
                                                              
SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE 
CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  C,,

Shouldn't it be "CT,C,C" as well?

:
:
Hi,

the flags here will be the same as the ones used with the command 
ipa-cacert-manage install -t <flags>. If I recall correctly, in most 
cases you need only C,, but if your deployment requires more flags (for 
instance the external CA is used to sign Smart Card certificates), you 
can tune this by providing the required flags in ipa-cacert-manage install.


ipa-cert-update said

# ipa-certupdate
trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'schema' to json server 
'https://ipa1.example.de/ipa/json'
trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 
'https://ipa1.example.de/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 
'https://ipa1.example.de/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

dmesg shows that there was a core dump:

[108604.869633] ns-slapd[23051]: segfault at 10 ip 00007fb60841dc30 sp 
00007fb60af56c88 error 4 in libpthread-2.17.so[7fb608414000+17000]

Problem: The certificate in /etc/ipa/ca.crt and /usr/share/ipa/html/\
ca.crt is still old. The files have been touched, but not replaced
by the new certificate.


AFAICT this is not as documented. Would you suggest to file a bug
report?

The files should contain multiple certificates (IPA CA and the external 
CA certificates). If it is not the case, please check first if there 
were AVC issues (if running in SElinux enforcing mode), and feel free to 
file a bug.

Flo

Regards
Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org