Kees Bakker wrote:
> On 12-07-2021 21:51, Rob Crittenden wrote:
>> Kees Bakker via FreeIPA-users wrote:
>>> Hi Flo,
>>>
>>> Do you have a hint how I can get to the point where I can execute
>>> the pki securitydomain-host-del command? All examples [2] on the
>>> Internet are from the time when there was a /root/ca-agent.p12 and ipaCert.
>>> I think that has been migrated to /var/lib/ipa/ra-agent.{key,pem} [1].
>>>
>>> Maybe you are going to say that I shouldn't need that pki command. But I
>>> have two deleted masters in the pki database. Using
>>> pki securitydomain-host-del seems the only way to get rid of them. If
>>> you
>>> have a better suggestion then please let me know.
>>>
>>> [1] https://www.freeipa.org/page/Releases/4.8.1
>>> [2] https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup
>> The CA agent is something different and not used by IPA at all. If your
>> installation is > 2 years old it is expired anyway.
>>
>> The dogtag documentation is woefully out-of-date in this regard
>> unfortunately (and yes, I realize I also live in a glass house regarding
>> wikis).
>>
>> You don't need to import anything, the entries you need are already
>> there. Try:
>>
>> # pki -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' -C
>> /etc/pki/pki-tomcat/alias/pwdfile.txt securitydomain-host-del 'CA
>> ipa.example.test 443'
> 
> Thanks Rob,
> 
> That did it.
> 
> I'm now almost there to get a clean outcome of ipa-healthcheck.
> It reports no errors anymore, but ... there is one healthcheck that
> wants a password. I have no idea what or why.
> 
> [root@linge ~]# /usr/bin/ipa-healthcheck --source
> pki.server.healthcheck.clones.connectivity_and_data
> keyctl_search: Required key not available
> Enter password for Internal Key Storage Token:
> []

This comes out of the pki healthcheck plugins.

The check does some client cert connections, so I assume it needs the
NSS database password. I'm guessing it looks in the kernel keyring
(keyctl_search) and then prompts the user.

You can open an issue against them at
https://github.com/dogtagpki/pki/issues

rob

> 
> -- Kees
>>
>> rob
>>
>>> -- Kees
>>>
>>> On 12-07-2021 15:01, Kees Bakker via FreeIPA-users wrote:
>>>> It is now time for me to try and follow the suggested pki commands.
>>>> However, I don't have a /root/ca-agent.p12
>>>>
>>>> There is quite a bit of documentation on the Internet, but it might
>>>> not all be
>>>> up-to-date.
>>>>
>>>> Here [1] the file /root/ca-agent.p12 is mentioned under "PKI Admin
>>>> Certificate".
>>>>
>>>> "PKI admin certificate is stored in several locations:
>>>>
>>>>      /root/ca-agent.p12 with nickname ipa-ca-agent (misleading
>>>> nickname).
>>>>      /root/.dogtag/pki-tomcat/ca_admin.cert
>>>>      /root/.dogtag/pki-tomcat/ca_admin.cert.der
>>>>      /root/.dogtag/pki-tomcat/ca_admin_cert.p12 (moved to
>>>> /root/ca-agent.p12)
>>>> "
>>>>
>>>> I don't have any of them. Then [1] continues with
>>>>
>>>> "PKI Agent Certificate
>>>>
>>>> PKI agent certificate is stored in /etc/httpd/alias and tracked by IPA:
>>>>
>>>>      ipaCert (CN=IPA RA)
>>>>
>>>> For IPA Password Vault the certificate is exported and cached into
>>>> /etc/httpd/alias/kra-agent.pem since python-requests does not support
>>>> NSS. The cache is invalidated if the KRA authentication fails.
>>>> IPA Certificates
>>>>
>>>> IPA certificates are stored in /etc/httpd/alias:
>>>>
>>>>      <REALM> IPA CA (CN=Certificate Authority)
>>>>      <External CA DN>
>>>>      ipa-ca-agent (CN=ipa-ca-agent)
>>>>      ipaCert (CN=IPA RA)
>>>>      Signing-Cert (CN=Object Signing Cert)
>>>> "
>>>>
>>>> But all I have in /etc/httpd/alias is a file ipasession.key
>>>>
>>>> I'm confused.
>>>>
>>>> [1] https://www.dogtagpki.org/wiki/IPA_Certificates
>>>> -- Kees
>>>>
>>>> On 14-06-2021 16:39, github--- via FreeIPA-users wrote:
>>>>> On 29-05-2021 10:21, Alexander Bokovoy wrote:
>>>>>> But I did use "ipa-csreplica-manage del" as well. However, I
>>>>>> remember that it
>>>>>> complained it couldn't remove that host. I was assuming it was
>>>>>> already gone.
>>>>>> When I list with ipa-csreplica-manage then I don't see the old hosts
>>>>>> anymore.
>>>>> It's worth noting that on my install (4.9.3) on Fedora, `ipa-csreplica-manage
>>>>> del` just prints a deprecation message and doesn't seem to do anything.
>>>>>
>>>>>> So, two things
>>>>>> 1) "ipa-csreplica-manage del" somehow failed (it's probably too late
>>>>>> to look
>>>>>> at logs)
>>>>>> 2) how can I still remove the old hosts?
>>>>> I have/had the same problem.  I used
>>>>> https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup to help me auth
>>>>> into the CA to remove the dead host.
>>>>>
>>>>>       pki client-cert-import --pkcs12  /root/ca-agent.p12
>>>>> --pkcs12-password [redact]
>>>>>       pki -n ipa-ca-agent  securitydomain-host-find
>>>>>       # you need the full Host ID section to remove
>>>>>       pki -n ipa-ca-agent  securitydomain-host-del "CA
>>>>> freeipa2[redact].net 443"
>>>>>
>>>>> Keep in mind I'm fairly new to IPA, so maybe you don't want to do
>>>>> this on a production system without someone else more experienced
>>>>> chiming in.  But, so far, the health check stopped complaining,
>>>>> replication is fine, and all my users can still log in.
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>> To unsubscribe send an email to
>>>>> freeipa-users-le...@lists.fedorahosted.org
>>>>> Fedora Code of Conduct:
>>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines:
>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives:
>>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>>>
>>>>>
>>>>> Do not reply to spam on the list, report it:
>>>>> https://pagure.io/fedora-infrastructure
> 
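The thread's fix (deleting stale entries with `pki securitydomain-host-del`) needs the exact "Host ID" string of each dead replica, and nothing in the CLI tells you which entries are stale. The script below is an added example, not something posted to the list or shipped by Dogtag or FreeIPA: it parses the output of `pki ... securitydomain-host-find`, compares each entry's hostname against the list of current masters, and prints only the Host IDs that no longer correspond to a live server, so they can be reviewed before anything is deleted. The sample `securitydomain-host-find` output and the list of masters are constructed, and the `Host ID:` / `Hostname:` line layout is an assumption about the pki CLI's key/value output rather than something shown in the thread.

```shell
#!/usr/bin/env bash
# Added example: list security-domain entries whose hostname is not a
# current IPA master. Read-only; it prints candidates for review and
# never calls securitydomain-host-del itself.
set -u

# Constructed sample of 'pki ... securitydomain-host-find' output.
# The field layout is an assumption about the pki CLI's output format.
SAMPLE_FIND_OUTPUT='-----------------
3 entries matched
-----------------
  Host ID: CA ipa.example.test 443
  Hostname: ipa.example.test
  Port: 80
  Secure Port: 443
  Domain Manager: TRUE

  Host ID: CA replica1.example.test 443
  Hostname: replica1.example.test
  Port: 80
  Secure Port: 443
  Domain Manager: TRUE

  Host ID: CA oldreplica.example.test 443
  Hostname: oldreplica.example.test
  Port: 80
  Secure Port: 443
  Domain Manager: TRUE
----------------------------
Number of entries returned 3
----------------------------'

# Constructed list of the masters that still exist, one FQDN per line
# (what you would collect from 'ipa server-find' on a live system).
LIVE_MASTERS='ipa.example.test
replica1.example.test'

# stale_host_ids FIND_OUTPUT LIVE_MASTERS
# Prints the full "Host ID" value (e.g. "CA oldreplica.example.test 443")
# of every entry whose Hostname is absent from LIVE_MASTERS. The whole
# Host ID is kept because that exact string is what
# securitydomain-host-del expects as its argument.
stale_host_ids() {
    local find_output="$1" live="$2"
    printf '%s\n' "$find_output" | awk -v live="$live" '
        BEGIN {
            n = split(live, arr, "\n")
            for (i = 1; i <= n; i++) if (arr[i] != "") alive[arr[i]] = 1
        }
        # Remember the Host ID that precedes each Hostname line.
        /^[ \t]*Host ID:/ {
            sub(/^[ \t]*Host ID:[ \t]*/, ""); id = $0
        }
        # Emit the remembered Host ID if this hostname is not a live master.
        /^[ \t]*Hostname:/ {
            sub(/^[ \t]*Hostname:[ \t]*/, ""); if (!($0 in alive)) print id
        }
    '
}

# On the CA host itself the real input would come from the same pki
# invocation Rob gave, with the subcommand swapped for the read-only
# securitydomain-host-find (left commented out: it needs a live pki-tomcat):
#   pki -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' \
#       -C /etc/pki/pki-tomcat/alias/pwdfile.txt securitydomain-host-find

stale_host_ids "$SAMPLE_FIND_OUTPUT" "$LIVE_MASTERS"
```

Run against the constructed sample it prints `CA oldreplica.example.test 443`, the one entry whose host is no longer a master; each printed line is then the argument you would hand to `securitydomain-host-del` after confirming the host really is gone.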
