Hi, On Thu, Oct 12, 2023 at 6:24 PM Frederic Ayrault <f...@lix.polytechnique.fr> wrote:
> > Le 12/10/2023 à 17:42, Florence Blanc-Renaud a écrit : > > Hi, > > The CA installation fails because it finds an existing entry in "cn= > LIX.POLYTECHNIQUE.FR IPA > CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr". It > really looks like your topology used to have a self-signed CA at one point. > > If you look at this entry, does it correspond to a CA known to you? > You can extract the certificate using > ldapsearch -D "cn=directory\ manager" -W -b "cn=LIX.POLYTECHNIQUE.FR IPA > CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr" -LLL -o > ldif-wrap=no > which should show a value for cacertificate;binary:: <content> > > Then create a pem file with the format > -----BEGIN CERTIFICATE----- > <here paste the content> > -----END CERTIFICATE----- > and execute: openssl x509 -noout -text -in <pemfile> > > > I can see in Authority Information Access: > > OCSP - URI:http://ipa2.lix.polytechnique.fr:80/ca/ocsp > > > this is the server used to generate the > replica-info-ipa3.lix.polytechnique.fr.gpg file used to install the server > > openssl pkcs12 -export -chain -CAfile /root/CNRS2-All.crt -in > ipa3.lix.polytechnique.fr.pem -inkey ipa3.lix.polytechnique.fr.key -name > IPA3 -out ipa3.lix.polytechnique.fr.pk12 -passout pass:??? > ipa-replica-prepare --dirsrv_pkcs12=/root/ipa3.lix.polytechnique.fr.pk12 > --dirsrv_pin=??? --http_pkcs12=/root/ipa3.lix.polytechnique.fr.pk12 > --http_pin=??? ipa3.lix.polytechnique.fr > > > the CNRS2-All.crt is the same for all the servers and I get a pair of pem > and key files for each servers > > In CNRS2-All.crt, there are 3 certs from Issuer: C=FR, O=CNRS, CN=CNRS2 > > You mentioned in a previous email that the server was originally part of a > cluster but got "extracted" out of it to run the tests. Did this set of > servers have a self-signed IPA CA? In the logs we can see reference to 3 > different CA certificates for "CN=Certificate Authority, O= > LIX.POLYTECHNIQUE.FR" (self signed, issued in june, june and july 2016). > It's really a confusing situation, as it's the subject that IPA CA would > use by default but it could also be a completely different origin. > > > I do not know how was installed the first server, but everytime I add to > renew the cert, I removed the server, generate the gpg file > and did a replica-install > This procedure is very creative :) When the HTTP and LDAP server certificates are about to expire, there is a tool that can help you install new ones: ipa-server-certinstall. It is documented in Installing Third-Party Certificates for HTTP or LDAP <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/third-party-certs-http-ldap>. No need to scratch the machine and reinstall as a replica, simply replace the certificates. > I thougt using --ca-subject for the ipa-ca-install should solve the > confusing situation. Can I delete or rename those 3 CA ? > Your current situation: there was a self-signed IPA CA in one of the servers, the replica was created without the CA role then extracted from the original topology. This means there are traces of the CA installation in the new replica but nothing to actually provide the service. So my answer really depends on what you want to achieve. If the new replica will never be connected any more to the previous topology, you could follow Fraser's blog about Removing the CA from a FreeIPA deployment <https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-ca.html> on the replica after it has been removed from the original topology, ensure that everything is cleanup and call ipa-ca-install on the new replica. This would ensure there is a new CA private key completely different from the original one. Please note that this blog provides instructions but 1. this is not an officially supported procedure and 2. the instructions intend to remove the CA, not reinstall a new one later on. flo > > > flo > > > Frédéric > >
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
