It is now time for me to try to follow the suggested pki commands.
However, I don't have a /root/ca-agent.p12.

There is quite a bit of documentation on the Internet, but it might not all be
up-to-date.

Here [1] the file /root/ca-agent.p12 is mentioned under "PKI Admin Certificate".

"PKI admin certificate is stored in several locations:

    /root/ca-agent.p12 with nickname ipa-ca-agent (misleading nickname).
    /root/.dogtag/pki-tomcat/ca_admin.cert
    /root/.dogtag/pki-tomcat/ca_admin.cert.der
    /root/.dogtag/pki-tomcat/ca_admin_cert.p12 (moved to /root/ca-agent.p12)
"

I don't have any of them. Then [1] continues with

"PKI Agent Certificate

PKI agent certificate is stored in /etc/httpd/alias and tracked by IPA:

    ipaCert (CN=IPA RA)

For IPA Password Vault the certificate is exported and cached into 
/etc/httpd/alias/kra-agent.pem since python-requests does not support NSS. The 
cache is invalidated if the KRA authentication fails.
IPA Certificates

IPA certificates are stored in /etc/httpd/alias:

    <REALM> IPA CA (CN=Certificate Authority)
    <External CA DN>
    ipa-ca-agent (CN=ipa-ca-agent)
    ipaCert (CN=IPA RA)
    Signing-Cert (CN=Object Signing Cert)
"

But all I have in /etc/httpd/alias is a file ipasession.key

I'm confused.

[1] https://www.dogtagpki.org/wiki/IPA_Certificates
-- Kees

On 14-06-2021 16:39, github--- via FreeIPA-users wrote:
On 29-05-2021 10:21, Alexander Bokovoy wrote:
But I did use "ipa-csreplica-manage del" as well. However, I remember that it
complained it couldn't remove that host. I was assuming it was already gone.
When I list with ipa-csreplica-manage then I don't see the old hosts anymore.
It's worth noting that on my install (4.9.3) on Fedora, `ipa-csreplica-manage del` just
prints a deprecation message and doesn't seem to do anything.

So, two things
1) "ipa-csreplica-manage del" somehow failed (it's probably too late to look
at logs)
2) how can I still remove the old hosts?
I have/had the same problem.  I used 
https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup to help me auth into the CA 
to remove the dead host.

     pki client-cert-import --pkcs12 /root/ca-agent.p12 --pkcs12-password [redact]
     pki -n ipa-ca-agent  securitydomain-host-find
     # you need the full Host ID section to remove
     pki -n ipa-ca-agent  securitydomain-host-del "CA freeipa2[redact].net 443"

Keep in mind I'm fairly new to IPA, so maybe you don't want to do this on a 
production system without someone else more experienced chiming in.  But, so 
far, the health check stopped complaining, replication is fine, and all my 
users can still log in.
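As an added example (not code from the thread or from Dogtag/FreeIPA), here is a small guarded wrapper around the three pki steps quoted above; it assumes the p12 path and nickname named in the thread, that `pki securitydomain-host-find` prints one "Host ID:" line per entry, and a PKCS12_PASSWORD environment variable, and it refuses to delete anything unless exactly one Host ID matches the given hostname.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: a guarded wrapper around the
# three pki steps quoted above (import agent cert, find hosts, delete host).
# Assumptions: the p12 path and nickname are the ones named in the thread,
# and `pki securitydomain-host-find` prints one "Host ID: ..." line per entry.
set -eu
PKCS12="${PKCS12:-/root/ca-agent.p12}"
NICK="${NICK:-ipa-ca-agent}"

# Print the Host ID values from securitydomain-host-find output read on stdin.
# Assumed line shape: "  Host ID: CA freeipa2.example.net 443" (type host port).
extract_host_ids() {
    sed -n 's/^[[:space:]]*Host ID:[[:space:]]*//p'
}

# Print the single Host ID whose hostname field equals "$1"; fail if the
# match is missing or ambiguous so no guessed or partial ID reaches host-del.
select_host_id() {
    host="$1"
    matches=$(extract_host_ids | awk -v h="$host" '$2 == h')
    n=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one Host ID for $host, found $n" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# Step 1 from the thread: only attempt the import if the PKCS#12 file exists.
import_agent_cert() {
    if [ ! -r "$PKCS12" ]; then
        echo "$PKCS12 not found; cannot authenticate to the CA" >&2
        return 1
    fi
    pki client-cert-import --pkcs12 "$PKCS12" --pkcs12-password "${PKCS12_PASSWORD:?set PKCS12_PASSWORD}"
}

# Steps 2 and 3: look the host up by exact hostname, then delete that entry.
remove_stale_host() {
    host_id=$(pki -n "$NICK" securitydomain-host-find | select_host_id "$1")
    echo "removing security domain entry: $host_id"
    pki -n "$NICK" securitydomain-host-del "$host_id"
}

# Usage: PKCS12_PASSWORD=... ./remove_stale_host.sh dead-replica.example.net
if [ -n "${1:-}" ]; then
    import_agent_cert
    remove_stale_host "$1"
fi
```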
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure