Hey all, I am troubleshooting an authentication issue with my clients that happened after a mass PKI cert expiration on my third party CA (root, issuer, and a ton of others). When I authenticate on a client to IPA, it sends my request to the RADIUS server (RSA Auth Mgr) and prompts for first token and second token. Once I enter those, it lets me in (SSH). But for xRDP, it keeps failing and the only log I have on RSA is "bad tokencode but good PIN". I do see an error code 7 in one of the logs (was it secure log?).
So that is how I got to where I am. I looked at /etc/krb5.conf and it points to two files:

/var/lib/ipa-client/pki/ca-bundle
/var/lib/ipa-client/pki/kdc-ca-bundle

When I look at the certs in these files, I do see the expired root and issuer (and a valid IPA certificate authority cert). What is the proper way to update these two third party certs in these files on the ipa clients? Should I use keytool/openssl to rip the old ones out and import the new PEM files? I believe I already dropped these two certs under /etc/pki/ca-trust/source/anchors/ and ran "update-ca-trust" but these files seem to remain invalid.

Just looking for the proper way, so appreciate the help!
