Hi,

On Tue, Oct 10, 2023 at 9:26 AM Frederic Ayrault via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hello Florence,
>
> On 10/10/2023 at 09:01, Florence Blanc-Renaud wrote:
> > The error is an LDAP error when adding an entry/attribute for the CA. Can
> > you check in /var/log/dirsrv/slapd-<YOURDOMAIN>/errors if there were any
> > errors reported at the same date (~2023-10-09T14:55:53Z)? The error would
> > happen either on an ADD or on a MOD operation.
>
> here are the errors
>
> [09/Oct/2023:16:53:29.778822109 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend ipaca, attempting to create one...
> [09/Oct/2023:16:53:29.792922239 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher 3DES in backend ipaca, attempting to create one...
> [09/Oct/2023:16:53:29.830898826 +0200] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend ipaca is coming online; checking domain level and init shared topology
> [09/Oct/2023:16:53:29.852943744 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=lix,dc=polytechnique,dc=fr--no CoS Templates found, which should be added before the CoS Definition.
> [09/Oct/2023:16:54:39.861546593 +0200] - ERR - ldbm_back_ldbm2index - ldbm: 'ipaca' is already in the middle of another task and cannot be disturbed.
> [09/Oct/2023:16:54:39.867443983 +0200] - ERR - task_index_thread - Index failed (error -1)
>
> > It would also help if you can provide a description of your current
> > certificate chain (the subject of the Root CA, if relevant the intermediate
> > ones) or share your /etc/ipa/ca.crt file.
>
> please find enclosed the ca.crt file. If you need more information like
> the subject of the Root CA, I will need the commands :-(

The provided ca.crt file contains 3 certificates:

- a new one that is self-signed, recently created:
    Issuer: O=LIX.POLYTECHNIQUE.FR, CN=New Certificate Authority
    Validity
        Not Before: Oct  9 14:54:41 2023 GMT
        Not After : Oct  9 14:54:41 2043 GMT
    Subject: O=LIX.POLYTECHNIQUE.FR, CN=New Certificate Authority

- an external root CA:
    Issuer: C=FR, O=CNRS, CN=CNRS2
    Validity
        Not Before: Jan 21 08:51:13 2009 GMT
        Not After : Jan 21 08:51:13 2029 GMT
    Subject: C=FR, O=CNRS, CN=CNRS2

- an external intermediate CA, signed by the previous one:
    Issuer: C=FR, O=CNRS, CN=CNRS2
    Validity
        Not Before: Jan 21 09:03:52 2009 GMT
        Not After : Jan 20 09:03:52 2029 GMT
    Subject: C=FR, O=CNRS, CN=CNRS2-Standard

So far it doesn't look like there was an IPA embedded CA signed by the external intermediate CA. Can you check the HTTP and LDAP server certificates with certutil? I would like to check who issued them.

Since it's IPA 4.6.8, the HTTP cert is stored in /etc/httpd/alias. Find its nickname with

# certutil -L -d /etc/httpd/alias/ | grep "u,u,u"
Server-Cert                                                  u,u,u

Then get the subject and issuer from the certificate:

# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Issuer:|Subject:"

For the LDAP server, same steps but at a different location:

# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ | grep "u,u,u"
Server-Cert                                                  u,u,u
# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -n Server-Cert | egrep "Subject:|Issuer:"

If the issuer is an external CA, it's likely that your IPA deployment was installed CA-less. The output of ipa config-show would also show if there was a server installed with a CA.

flo

> > You didn't clarify so far whether IPA was installed CA-less or with an
> > embedded CA that was externally-signed. If you still have access to the
> > first server that was installed, you can have a look at
> > /var/log/ipaserver-install.log and check the options that were provided.
>
> I think I was using an embedded CA that was externally-signed.
>
> I get pem and key files, with them I create a pk12 file used with
> ipa-replica-prepare on another replica
> to generate the replica-info-ipa3.lix.polytechnique.fr.gpg file used for
> the ipa-replica-install
>
> > flo
>
> Thank you for your help
>
> Regards,
>
> Frederic
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
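As an added example (not part of the thread), a small Python helper for the triage step discussed above: it parses 389-ds errors-log lines in the format Frederic posted, normalises the local "+0200" timestamps to UTC, and keeps only the ERR entries that fall within a few minutes of the failing ADD/MOD operation at 2023-10-09T14:55:53Z. The sample lines are copied from the thread (re-joined after mail wrapping) plus one constructed INFO line outside the window; the five-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# 389-ds errors log line format, as seen in the thread:
# [09/Oct/2023:16:53:29.778822109 +0200] - ERR - <component> - <message>
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) (?P<tz>[+-]\d{4})\]"
    r" - (?P<level>\w+) - (?P<component>.+?) - (?P<msg>.*)$"
)

# Time of the failed LDAP operation from the thread (given in UTC, hence the Z).
FAILURE_UTC = datetime(2023, 10, 9, 14, 55, 53, tzinfo=timezone.utc)

# Lines copied from the thread plus one constructed INFO line far outside
# the window, to show that both the level and the time filter apply.
SAMPLE_LINES = [
    "[09/Oct/2023:16:53:29.778822109 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend ipaca, attempting to create one...",
    "[09/Oct/2023:16:53:29.830898826 +0200] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend ipaca is coming online; checking domain level and init shared topology",
    "[09/Oct/2023:16:54:39.861546593 +0200] - ERR - ldbm_back_ldbm2index - ldbm: 'ipaca' is already in the middle of another task and cannot be disturbed.",
    "[09/Oct/2023:16:54:39.867443983 +0200] - ERR - task_index_thread - Index failed (error -1)",
    "[09/Oct/2023:20:00:00.000000000 +0200] - INFO - slapd - constructed line, outside the window",
]

def parse_line(line):
    """Return a dict with UTC timestamp, level, component and message, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # %z consumes the "+0200" offset; the nanosecond fraction is truncated to
    # microseconds because datetime cannot represent more.
    ts = datetime.strptime(f"{m['ts']} {m['tz']}", "%d/%b/%Y:%H:%M:%S %z")
    ts = ts.replace(microsecond=int(m["frac"][:6].ljust(6, "0")))
    return {"ts": ts.astimezone(timezone.utc), "level": m["level"],
            "component": m["component"], "msg": m["msg"]}

def errors_near(lines, when_utc, window=timedelta(minutes=5)):
    """ERR entries whose UTC timestamp lies within +/- window of when_utc."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] == "ERR" and abs(rec["ts"] - when_utc) <= window:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in errors_near(SAMPLE_LINES, FAILURE_UTC):
        print(rec["ts"].isoformat(), rec["component"], rec["msg"], sep=" | ")
```

Pointing it at the real /var/log/dirsrv/slapd-<YOURDOMAIN>/errors file is a matter of reading the file into `lines`; entries such as the "already in the middle of another task" one at 14:54:39Z are then easy to correlate with the 14:55:53Z failure.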