Hi,

On Mon, Apr 15, 2024 at 6:22 PM Basile Pinsard via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hello Florence,
> Thanks for your help.
>
> I am using the docker image `freeipa/freeipa-server:fedora-34-4.9.6`, I guess the dependencies are correct as this is all bundled in the container (though there might exist config mismatches if ipa upgrades failed containers updates).
> SELinux is disabled on host and in the container.
>
> I made progress by fixing the missing instanceRoot parameter in the config file.
>
> Now I think I am stuck in a deadlock, because of letsencrypt certificates used for httpd/ldap (installed with ipa-cacert-manage).
>
> The certificate managed by freeipa is expired, but the letsencrypt one has renewed and there is no overlap of their periods of validity.
>
> - If I set back the date to when the freeipa certs are valid, pki connection to the ldap fails, as the letsencrypt one is not yet valid. Error is `SEVERE: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) Peer's Certificate has expired.` I think the message says expired for not-yet-valid certs too.
>
> - If I use the current time, it is not possible to start the pki-server as the certs are expired (at least that's my guess, error is: `netscape.ldap.LDAPException: Authentication failed (48)`, not much more details).
>
> I was thinking about trying to:
> - set the date to when the freeipa managed certs were still valid.
> - manually generate a certificate/key from the CA (not sure how exactly, though)
> - copy these certificate and key in the httpd and ldap config folder at the right place.

If you have a backup of the previous http/ldap certs you can put them back in place.

> - try to spin-up the pki-tomcat, hoping that it works.
> - then hope that it auto-renews certs or manually trigger the renewal.
> - move the date back to today, maybe by increments that cover the certs validity, and trigger certs renewal at each increment.
>
> Would that make sense?
> Do you see any more sensible/simpler way?

You mentioned that you already tried ipa-cert-fix, what was the output?

flo

> Many thanks!
>
> Basile
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
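A way to confirm the validity gap Basile describes before touching the system clock, as an added example that is not part of the thread or of FreeIPA: it parses the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints for each certificate and intersects the windows; the certificate names and dates below are constructed.

```python
"""Check whether a set of certificates shares any common validity window.

Added example (not from the thread or from FreeIPA). Feed it the output of
`openssl x509 -noout -dates -in CERT` for every cert involved (IPA-managed
subsystem certs, the Let's Encrypt cert on httpd/ldap). An empty
intersection is the deadlock described above: no clock setting satisfies
all of them, so one cert has to be replaced or renewed first.
"""
from datetime import datetime, timezone

# openssl prints dates like "Mar  1 00:00:00 2022 GMT" (day may be space-padded)
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_dates(openssl_output):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def common_validity_window(certs):
    """Intersect all validity windows.

    Returns (start, end, start_cert, end_cert): the latest notBefore, the
    earliest notAfter and the names of the certs that set each bound, or
    None when the windows are disjoint."""
    bounds = {name: parse_dates(out) for name, out in certs.items()}
    start_cert = max(bounds, key=lambda n: bounds[n][0])
    end_cert = min(bounds, key=lambda n: bounds[n][1])
    start, end = bounds[start_cert][0], bounds[end_cert][1]
    if start > end:
        return None
    return start, end, start_cert, end_cert


# Constructed sample mirroring the thread: the IPA-managed cert expired
# before the renewed Let's Encrypt cert on ldap became valid (no overlap).
SAMPLE_CERTS = {
    "ipa-managed (CA subsystem)": "notBefore=Mar  1 00:00:00 2022 GMT\n"
                                  "notAfter=Mar  1 00:00:00 2024 GMT\n",
    "letsencrypt (ldap server)": "notBefore=Mar 15 00:00:00 2024 GMT\n"
                                 "notAfter=Jun 13 00:00:00 2024 GMT\n",
}

if __name__ == "__main__":
    window = common_validity_window(SAMPLE_CERTS)
    if window is None:
        print("no date satisfies all certs: replace or renew one first")
    else:
        print("set the clock between", window[0], "and", window[1])
```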