On 12/18/20 3:38 PM, Evg Hertz via FreeIPA-users wrote:
Hello, I need to fix the CA.
Failed to authenticate to CA REST API
How can I reinstall/reconfigure only the CA,
or export users (with hashed passwords)/groups and import them on a new installation?
Help me please.
Hi,
this error usually happens when the RA certificate is expired or
inconsistent with the entry stored in LDAP.
Can you provide more information regarding your deployment? How many
servers are installed, do they all provide the CA service? Which version
of IPA is installed?
Depending on the version, the RA cert can either be stored in
/var/lib/ipa/ra-agent.pem (ipa 4.5.0+) or in the NSS database
/etc/httpd/alias under the nickname ipaCert (older versions). You can
check if the certificate is expired with:
# getcert list -f /var/lib/ipa/ra-agent.pem | grep expires
or
# getcert list -d /etc/httpd/alias -n ipaCert | grep expires
If the certificate is not expired, you also need to check that the LDAP
entry is consistent:
# ldapsearch -D "cn=directory manager" -W -b o=ipaca "(uid=ipara)" dn usercertificate description
The usercertificate must contain in a single line the same value as
stored in the RA cert, without the header and footer (that can be seen with
# cat /var/lib/ipa/ra-agent.pem
or
# certutil -L -d /etc/httpd/alias -n ipaCert -a
)
and the description must have the format:
description: 2;<cert serial>;<issuer>;<subject>
HTH,
flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
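
The consistency check described in the reply above, as an added example that is not part of the original message: shell functions that compare the PEM body of the RA cert with the usercertificate value in saved ldapsearch output and check the shape of the description. The function names, file names and sample data are assumptions constructed for illustration, as is accepting an entry that carries more than one usercertificate value.

```shell
#!/bin/sh
# Added example. Sample data is constructed (fake base64, not a real cert).

# Base64 body of the certificate in PEM file $1, joined onto a single line.
pem_body() {
    sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$1" |
        grep -v '^-----' | tr -d ' \r\n'
}

# Every value of attribute $2 in LDIF file $1, one per line. LDIF folds long
# values onto continuation lines that begin with one space; unfold them.
ldif_attr() {
    awk -v want="$2" '
        /^ / { if (hit) val = val substr($0, 2); next }
        hit  { print val; hit = 0 }
        tolower($0) ~ ("^" tolower(want) "::? ") {
            hit = 1; val = $0; sub(/^[^:]*::? /, "", val)
        }
        END  { if (hit) print val }' "$1"
}

# Succeeds if $1 looks like 2;<cert serial>;<issuer>;<subject>.
description_ok() {
    printf '%s\n' "$1" | awk -F';' '
        NF == 4 && $1 == "2" && $2 != "" && $3 != "" && $4 != "" { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Succeeds if one usercertificate value in LDIF $2 equals the PEM body of $1
# (assumption: the entry may hold several values) and the description is well formed.
ra_entry_consistent() {
    ldif_attr "$2" usercertificate | grep -Fxq -e "$(pem_body "$1")" &&
        description_ok "$(ldif_attr "$2" description)"
}

# Write constructed sample files into directory $1.
make_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQx' \
        'U0FNUExFMg==' '-----END CERTIFICATE-----' > "$1/ra-agent.pem"
    printf '%s\n' 'dn: uid=ipara,ou=people,o=ipaca' \
        'usercertificate:: Q09OU1RSVU' ' NURUQxU0FNUExFMg==' \
        'description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST' \
        > "$1/ipara.ldif"
}
```

On a server, redirect the ldapsearch output to a file such as ipara.ldif and run `ra_entry_consistent /var/lib/ipa/ra-agent.pem ipara.ldif`; a non-zero exit status means the LDAP entry and the RA cert disagree or the description is malformed.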