Hi,

On Mon, Oct 9, 2023 at 10:22 AM Frederic Ayrault <f...@lix.polytechnique.fr> wrote:

> Hello,
>
> On 09/10/2023 at 09:42, Florence Blanc-Renaud wrote:
>
> Hi,
>
> On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hello,
>>
>> When I run the command, I get this message
>>
>> CA is not configured on this system
>> The ipa-cacert-manage command failed.
>>
>>
>> "replace our external CA to an Internal one", do you mean that IPA was
> installed CA-less (with HTTP and LDAP certificates provided by an external
> CA), or with an embedded CA signed by an external CA?
>
> In the first case, you need to install a CA on any of the IPA servers,
> using ipa-ca-install. This will create an IPA CA, then you need to download
> this new IPA CA certificate on all your IPA machines
> (server/replicas/clients) with ipa-certupdate. Please note that this does
> not replace the HTTP and LDAP server certificates. Also note that it is
> recommended to install the CA services on at least 2 servers (using
> ipa-ca-install on the other server). Full doc is available at
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#CA-less-to-CA
>
>
> when I run the command ipa-ca-install, I get
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Certificate with subject CN=Certificate Authority,O=LIX.POLYTECHNIQUE.FR
> is present in /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/, cannot continue.
>

Is this your external CA? I assume that its subject conflicts with the default subject name that IPA installer would pick.
If that's the case, you can force ipa-ca-install to use a different subject name with the --ca-subject option.

flo

>
> In the second case, you need to identify where the CA role is already
> installed (ipa config-show displays the list of servers with the CA role),
> and run the command provided by Rizwan on this node. Full doc is available
> at
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#change-cert-chaining
>
>
> ipa config-show does not display any CA server
>
>
> HTH,
> flo
>
>
> Thank you
>
> Regards,
>
>
> Thank you
>>
>> Regards,
>>
>> Frederic
>>
>> Frédéric AYRAULT
>> Systems and Network Administrator
>> Laboratoire d'Informatique de l'Ecole polytechnique
>> <http://www.lix.polytechnique.fr>
>> f...@lix.polytechnique.fr
>>
>> On 09/10/2023 at 09:11, Mohammad Rizwan Yusuf wrote:
>>
>> Hello,
>>
>> What procedure did you follow to renew your CA from external to
>> self-signed?
>>
>> Please look at this doc
>> https://www.freeipa.org/page/V4/CA_certificate_renewal#ca-certificate-management-utility
>>
>>
>> $ ipa-cacert-manage renew --self-signed
>> Above command should renew CA to self-signed
>>
>>
>> On Sun, Oct 8, 2023 at 5:40 PM Frederic Ayrault via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>>> Hello,
>>>
>>> I need to replace our external CA to an Internal one.
>>>
>>> We tried several ways without success. One of them was to do a backup
>>> with ipa-backup or db2bak
>>> reinstall the server with an internal CA and restore the data. But
>>> this also restores the external CA.
>>>
>>> Is there a way to backup or restore only the users, groups, roles, ... ?
>>>
>>> I am still running ipa 4.6.8 from CentOS 7
>>>
>>> Thank you
>>>
>>> Regards,
>>>
>>> Frederic
>>>
>>> Frédéric AYRAULT
>>> Systems and Network Administrator
>>> Laboratoire d'Informatique de l'Ecole polytechnique
>>> <http://www.lix.polytechnique.fr>
>>> f...@lix.polytechnique.fr
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-le...@lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>> Do not reply to spam, report it:
>>> https://pagure.io/fedora-infrastructure/new_issue
>>>
>>
>> --
>>
>> Regards
>>
>> Mohammad Rizwan
>>
>> He/Him/His
>> IM: rizwan
>>
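A pre-check for the subject conflict discussed in this thread, as an added example that is not part of the original messages or of FreeIPA itself. It assumes `Subject:` lines in the form `certutil -L -d <nssdb> -n <nickname>` prints them; the realm `EXAMPLE.TEST`, the sample listing and the replacement name in `ALT_CN` are constructed or hypothetical.

```sh
#!/bin/sh
# Added example: decide whether ipa-ca-install needs --ca-subject.

# Normalise a DN for comparison: drop quotes, lower-case,
# trim, and remove spaces around ',' and '='.
normalize_dn() {
    printf '%s' "$1" | tr -d '"' | tr '[:upper:]' '[:lower:]' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; s/[[:space:]]*([,=])[[:space:]]*/\1/g'
}

# Default CA subject for realm $1, in the form shown in the thread's error.
default_ca_subject() { printf 'CN=Certificate Authority,O=%s' "$1"; }

# Reads certificate text on stdin; succeeds if a 'Subject:' line equals DN $1.
subject_conflicts() {
    _wanted=$(normalize_dn "$1")
    while IFS= read -r _line; do
        case "$_line" in *Subject:*) ;; *) continue ;; esac
        if [ "$(normalize_dn "${_line#*Subject:}")" = "$_wanted" ]; then
            return 0
        fi
    done
    return 1
}

# Prints the ipa-ca-install invocation for realm $1, given the listing on
# stdin. ALT_CN is a hypothetical replacement CN chosen by the administrator.
suggest_install_cmd() {
    _realm=$1
    _alt_cn="${ALT_CN:-IPA Internal CA}"
    if subject_conflicts "$(default_ca_subject "$_realm")"; then
        printf 'ipa-ca-install --ca-subject "CN=%s,O=%s"\n' "$_alt_cn" "$_realm"
    else
        printf 'ipa-ca-install\n'
    fi
}

# Constructed sample listing (not taken from a real server).
SAMPLE_NSSDB_LISTING='        Issuer: "CN=Example Root,O=Example Corp"
        Subject: "cn=Certificate Authority, o=EXAMPLE.TEST"
        Subject: "CN=ipa1.example.test,O=Example Corp"'

printf '%s\n' "$SAMPLE_NSSDB_LISTING" | suggest_install_cmd EXAMPLE.TEST
```

On a real server the listing would come from the NSS database under `/etc/dirsrv/slapd-<REALM>/`, and `ipa-certupdate` still has to be run on every server, replica and client after the CA is installed.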