Hi Florence,
Thank you for your reply.
Rob had pointed me on that direction but now when I try to run the
setup-le script with that version I get the following error:
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140213913461328
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
And the correct setup of certificates fails.
Using the freeipa-letsencrypt commit 601f03b before "Move from mod_nss
to mod_ssl". Not sure what to do next.
On 11/06/2020 08:31, Florence Blanc-Renaud wrote:
On 6/10/20 8:42 PM, Ricardo Mendes via FreeIPA-users wrote:
Hi Rob,
Thanks a lot for your reply.
It's because you are in the middle of an upgrade. You can add
--skip-version-check to not do the upgrade until after the certs are
renewed.
Amazing! So I turned back the clock and:
# ipactl restart --ignore-service-failure --skip-version-check
Skipping version check
Failed to get service list from file: Unknown error when retrieving
list of services from file: [Errno 2] No such file or directory:
'/var/run/ipa/services.list'
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Forced restart, ignoring pki-tomcatd Service, continuing normal
operation
Restarting ipa-otpd Service
Restarting ipa-ods-exporter Service
Restarting ods-enforcerd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
I did as Florence said and set the time back.
Then I imported the github.com/freeipa/freeipa-letsencrypt, edited as
necessary and ran setup-le.sh
It shows some errors like, I am including the full output here:
https://pastebin.com/S07vqXLy
In the end it has this:
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection
context.rpcclient_140667189670224
ipapython.admintool: INFO: The ipa-certupdate command was successful
Error opening Private Key /var/lib/ipa/private/httpd.key
139927634605968:error:02001002:system library:fopen:No such file or
directory:bss_file.c:402:fopen('/var/lib/ipa/private/httpd.key','r')
139927634605968:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:404:
unable to load Private Key
The version of freeipa-letsencrypt that you are using is written for
IPA 4.7+, with httpd's private key stored in
/var/lib/ipa/private/httpd.key.
From your earlier messages it looks like you're using ipa 4.6, meaning
that httpd is configured with mod_nss (ie getting its cert/key from a
NSS database) instead of mod_ssl (ie getting its cert/key from a file).
In this case you should use an earlier version of freeipa-letsencrypt,
before the following commit:
cfaf511 Move from mod_nss to mod_ssl
HTH,
flo
These are just two different wrappers around let's encrypt
certificates. As long as it can find the key(s) then it should work
either way (one uses HTTP and one uses DNS). The real trick is what
version(s) of IPA those support and where it is looking for the
certificates. The cert locations and storage are different depending
on the version of IPA.
I am assuming the script from antevens uses DNS. But how can it not
matter if someone is using an up to date version of freeipa and
Florence mentioned
- ipaCert is not stored any more in the NSS database
/etc/httpd/alias, it is now in /var/lib/ipa/ra-agent.{key|pem}
So if this has changed and the scripts of that letsencrypt repo
haven't been edited in over a year, is it supposed to work? Or is it
not compliant with the latest IPA versions?
Btw, after setup-le.sh finished I set the time back and rebooted the
server. It seems like now it's not coming up at all... I'll have
to VNC to it and see what happened...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
--
Ricardo Mendes
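The thread turns on one check: which httpd TLS backend the IPA server uses, because that decides where the Let's Encrypt wrapper must put the key (a file under /var/lib/ipa/private for mod_ssl on IPA 4.7+, the NSS database under /etc/httpd/alias for mod_nss on IPA 4.6). The script below is an added example written for this page; it is not code from the freeipa-letsencrypt project or from anyone in the thread. It inspects the filesystem layout, optionally confirms the "Server-Cert" nickname is present in the NSS database with certutil (the missing-nickname case is what produces the certutil error quoted above), and reports which revision of the wrapper fits. The optional root-prefix argument, the function names, and the cert8.db/cert9.db check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from freeipa-letsencrypt or the mailing-list thread):
# pick the right freeipa-letsencrypt revision by detecting how httpd on this
# IPA server stores its TLS key.
#
#   IPA >= 4.7, mod_ssl: key in /var/lib/ipa/private/httpd.key
#   IPA <= 4.6, mod_nss: key + cert in the NSS DB /etc/httpd/alias,
#                        nickname "Server-Cert"
#
# ASSUMPTION: an optional first argument is a root prefix so the checks can
# be run against a constructed directory tree instead of the live host.

ipa_httpd_backend() {
    root="${1:-}"
    if [ -r "$root/var/lib/ipa/private/httpd.key" ]; then
        echo mod_ssl
    elif [ -e "$root/etc/httpd/alias/cert8.db" ] \
      || [ -e "$root/etc/httpd/alias/cert9.db" ]; then
        echo mod_nss
    else
        echo unknown
    fi
}

# For the mod_nss layout the nickname the wrapper hands to certutil has to
# exist in the DB; otherwise certutil reports that the name "is neither a
# key-type nor a nickname nor a key-id".  certutil is only invoked when it
# is installed; exit status 2 means "could not check".
nss_has_nickname() {
    db="$1"
    nick="$2"
    if command -v certutil >/dev/null 2>&1; then
        certutil -L -d "$db" -n "$nick" >/dev/null 2>&1
    else
        return 2
    fi
}

# Map the detected backend to the wrapper revision the thread recommends:
# a revision before commit cfaf511 ("Move from mod_nss to mod_ssl") for
# mod_nss, a revision at or after it for mod_ssl.
recommend_le_version() {
    backend="$(ipa_httpd_backend "${1:-}")"
    case "$backend" in
        mod_ssl)
            echo "mod_ssl: use freeipa-letsencrypt at or after cfaf511 (key file /var/lib/ipa/private/httpd.key)"
            ;;
        mod_nss)
            echo "mod_nss: use freeipa-letsencrypt before cfaf511 (NSS DB /etc/httpd/alias, nickname Server-Cert)"
            if nss_has_nickname "${1:-}/etc/httpd/alias" Server-Cert; then
                echo "nickname Server-Cert present in NSS DB"
            elif [ $? -eq 2 ]; then
                echo "certutil not available; nickname not verified"
            else
                echo "WARNING: nickname Server-Cert not found in NSS DB"
            fi
            ;;
        *)
            echo "unknown layout: neither httpd.key nor an NSS DB found; inspect the httpd config"
            ;;
    esac
}
```

Source the file and call recommend_le_version with no argument on the IPA server itself (as root, since /var/lib/ipa/private is not world-readable); pass a directory as the first argument to exercise the detection against a copied or constructed tree.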