Hi,

On Tue, Oct 10, 2023 at 9:26 AM Frederic Ayrault via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello Florence,
>
> On 10/10/2023 at 09:01, Florence Blanc-Renaud wrote:
>
> The error is an LDAP error when adding an entry/attribute for the CA. Can
> you check in /var/log/dirsrv/slapd-<YOURDOMAIN>/errors if there were any
> errors reported at the same date (~2023-10-09T14:55:53Z)? The error would
> happen either on a ADD or on a MOD operation.
>
>
> here are the errors
>
> [09/Oct/2023:16:53:29.778822109 +0200] - ERR - attrcrypt_cipher_init - No
> symmetric key found for cipher AES in backend ipaca, attempting to create
> one...
> [09/Oct/2023:16:53:29.792922239 +0200] - ERR - attrcrypt_cipher_init - No
> symmetric key found for cipher 3DES in backend ipaca, attempting to create
> one...
> [09/Oct/2023:16:53:29.830898826 +0200] - ERR - ipa-topology-plugin -
> ipa_topo_be_state_change - backend ipaca is coming online; checking domain
> level and init shared topology
> [09/Oct/2023:16:53:29.852943744 +0200] - ERR - cos-plugin - cos_dn_defs_cb
> - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=lix,dc=polytechnique,dc=fr--no CoS Templates found,
> which should be added before the CoS Definition.
> [09/Oct/2023:16:54:39.861546593 +0200] - ERR - ldbm_back_ldbm2index -
> ldbm: 'ipaca' is already in the middle of another task and cannot be
> disturbed.
> [09/Oct/2023:16:54:39.867443983 +0200] - ERR - task_index_thread - Index
> failed (error -1)
>
>
> It would also help if you can provide a description of your current
> certificate chain (the subject of the Root CA, if relevant the intermediate
> ones) or share your /etc/ipa/ca.crt file.
>
>
> Please find enclosed the ca.crt file. If you need more information, like
> the subject of the Root CA, I will need the commands :-(
>
The provided ca.crt file contains 3 certificates:
- a new one that is self-signed, recently created:
        Issuer: O=LIX.POLYTECHNIQUE.FR, CN=New Certificate Authority
        Validity
            Not Before: Oct  9 14:54:41 2023 GMT
            Not After : Oct  9 14:54:41 2043 GMT
        Subject: O=LIX.POLYTECHNIQUE.FR, CN=New Certificate Authority

- an external root CA:
        Issuer: C=FR, O=CNRS, CN=CNRS2
        Validity
            Not Before: Jan 21 08:51:13 2009 GMT
            Not After : Jan 21 08:51:13 2029 GMT
        Subject: C=FR, O=CNRS, CN=CNRS2

- an external intermediate CA, signed by the previous one:
        Issuer: C=FR, O=CNRS, CN=CNRS2
        Validity
            Not Before: Jan 21 09:03:52 2009 GMT
            Not After : Jan 20 09:03:52 2029 GMT
        Subject: C=FR, O=CNRS, CN=CNRS2-Standard

So far it doesn't look like there was an IPA embedded CA signed by the
external intermediate CA. Can you check the HTTP and LDAP server
certificates with certutil? I would like to check who issued them.

Since it's IPA 4.6.8, the HTTP cert is stored in /etc/httpd/alias. Find its
nickname with
# certutil -L -d /etc/httpd/alias/ | grep "u,u,u"
Server-Cert                                                  u,u,u

Then get the subject and issuer from the certificate:
# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Issuer:|Subject:"

For the LDAP server, same steps but at a different location:
# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ | grep "u,u,u"
Server-Cert                                                  u,u,u

# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -n Server-Cert | egrep "Subject:|Issuer:"

If the issuer is an external CA, it's likely that your IPA deployment was
installed CA-less.

The output of ipa config-show would also show if there was a server
installed with a CA.

flo

> You didn't clarify so far whether IPA was installed CA-less or with an
> embedded CA that was externally-signed. If you still have access to the
> first server that was installed, you can have a look at
> /var/log/ipaserver-install.log and check the options that were provided.
>
>
> I think I was using an embedded CA that was externally-signed.
>
> I get pem and key files, and with them I create a pk12 file used with
> ipa-replica-prepare on another replica to generate the
> replica-info-ipa3.lix.polytechnique.fr.gpg file used for the
> ipa-replica-install.
>
>
> flo
>
>>
> Thank you for your help
>
> Regards,
>
> Frederic
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
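The check Florence describes (pick the u,u,u nickname from the NSS database listing, read the server cert's Issuer/Subject, and compare the issuer against the certificates in /etc/ipa/ca.crt) as an added Python example; this is not code from the thread or from FreeIPA. The certutil output, the server certificate subject and the "IPA CA subject carries O=<REALM>" rule are constructed assumptions for illustration.

```python
import re
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")   # DN strings as the tools print them

def dn_key(dn):
    """Order/whitespace-insensitive DN key: certutil prints 'CN=x,O=y', openssl 'O=y, CN=x'."""
    return frozenset((a.strip().upper(), v.strip())
                     for a, _, v in (rdn.partition("=") for rdn in dn.split(",")))

def server_nicknames(listing):
    """Nicknames from `certutil -L -d <dbdir>` with trust flags u,u,u (entries with a key)."""
    return [m.group(1).strip() for m in
            (re.match(r"^(.*?)\s+u,u,u\s*$", ln) for ln in listing.splitlines()) if m]

def parse_cert(text):
    """Parse the Issuer:/Subject: lines printed by `certutil -L -d <dbdir> -n <nick>`."""
    found = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(Issuer|Subject):\s*"?(.*?)"?\s*$', line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return Cert(found["subject"], found["issuer"])

def classify(server_cert, ca_bundle, realm):
    """Heuristic (an assumption here, not an IPA rule): the IPA CA's subject carries
    O=<REALM>; any other issuer of a server cert is an external CA (CA-less install)."""
    issuer = next((c for c in ca_bundle
                   if dn_key(c.subject) == dn_key(server_cert.issuer)), None)
    if issuer is None:
        return "issuer-not-in-ca.crt"
    if ("O", realm) not in dn_key(issuer.subject):
        return "ca-less"                      # external CA signed the server cert directly
    if dn_key(issuer.issuer) == dn_key(issuer.subject):
        return "embedded-ca"                  # self-signed IPA CA
    return "embedded-ca-externally-signed"    # IPA CA whose own issuer is external

# Constructed sample data modelled on the thread (not captured output).
CA_BUNDLE = [   # subject/issuer of each cert in /etc/ipa/ca.crt, openssl style
    Cert("O=LIX.POLYTECHNIQUE.FR, CN=New Certificate Authority",
         "O=LIX.POLYTECHNIQUE.FR, CN=New Certificate Authority"),
    Cert("C=FR, O=CNRS, CN=CNRS2", "C=FR, O=CNRS, CN=CNRS2"),
    Cert("C=FR, O=CNRS, CN=CNRS2-Standard", "C=FR, O=CNRS, CN=CNRS2"),
]
HTTPD_LISTING = "Certificate Nickname           Trust Attributes\n\nServer-Cert           u,u,u\n"
HTTPD_CERT = parse_cert('        Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"\n'
                        '        Subject: "CN=ipa3.lix.polytechnique.fr,O=LIX.POLYTECHNIQUE.FR"')
```

With the constructed HTTPD_CERT, `classify(HTTPD_CERT, CA_BUNDLE, "LIX.POLYTECHNIQUE.FR")` returns "ca-less", which is the situation Florence says the external issuer would point to.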