[Freeipa-users] ipa-healthcheck errors

2022-11-18 Thread Rob Verduijn via FreeIPA-users
Hello,

After today's update I noticed I am now running Rocky 8.7.

FreeIPA was updated just fine and is working nicely.

However, after running ipa-healthcheck I was treated to a HUGE number of
errors.

After some digging I found that certmonger had stopped tracking all my certs.

Figuring out how to get all the certs tracked again took quite some time;
examples or hints on how to do this are sadly missing from ipa-healthcheck,
and they would have been very useful.

So now all untracked certs are tracked and no longer appear in the
ipa-healthcheck output.
But there are still quite a few errors left about which I have no clue.

Does anybody know how to fix the errors from ipa-healthcheck? (see text
below)

Any help would be appreciated
Rob

ipa-healthcheck
args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},)
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "CRITICAL",
    "uuid": "711d096f-c1a8-4528-873d-522498811fbf",
    "when": "20221118235210Z",
    "duration": "2.149582",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "CRITICAL",
    "uuid": "06997e50-52cd-4240-9b90-41cd7bf9e9f6",
    "when": "20221118235212Z",
    "duration": "2.599630",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "CRITICAL",
    "uuid": "5fe7388f-6ec6-433f-87df-4596eabee060",
    "when": "20221118235224Z",
    "duration": "2.801779",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertmongerCA",
    "result": "ERROR",
    "uuid": "7a588ee8-f3f0-4db4-91d0-b236a9dcbb81",
    "when": "20221118235224Z",
    "duration": "0.009275",
    "kw": {
      "key": "dogtag-ipa-ca-renew-agent-reuse",
      "msg": "Certmonger CA '{key}' missing"
    }
  },
  {
    "source": "ipahealthcheck.ipa.files",
    "check": "IPAFileCheck",
    "result": "CRITICAL",
    "uuid": "2e82818e-7210-4cf2-bd99-7490841348c6",
    "when": "20221118235226Z",
    "duration": "0.199291",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  }
]
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
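A small triage helper for JSON output like the above, added here as an example (my own code, not part of the post or of ipa-healthcheck). It renders each entry's msg template with its kw values the way the tool's human-readable output does, sorts failures worst first, and flags when several checks crashed with one identical exception, which points at a single broken dependency (here the exception text names D-Bus, the channel the checks use to talk to certmonger) rather than separate problems. SAMPLE is a constructed subset of the entries shown in the message.

```python
import json
from collections import Counter

# Constructed sample: a subset of the entries pasted in the message above.
SAMPLE = r'''[
 {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
  "result": "CRITICAL", "uuid": "711d096f-c1a8-4528-873d-522498811fbf",
  "when": "20221118235210Z", "duration": "2.149582",
  "kw": {"exception": "bus, object_path and dbus_interface must not be None."}},
 {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerCA",
  "result": "ERROR", "uuid": "7a588ee8-f3f0-4db4-91d0-b236a9dcbb81",
  "when": "20221118235224Z", "duration": "0.009275",
  "kw": {"key": "dogtag-ipa-ca-renew-agent-reuse",
         "msg": "Certmonger CA '{key}' missing"}},
 {"source": "ipahealthcheck.ipa.files", "check": "IPAFileCheck",
  "result": "CRITICAL", "uuid": "2e82818e-7210-4cf2-bd99-7490841348c6",
  "when": "20221118235226Z", "duration": "0.199291",
  "kw": {"exception": "bus, object_path and dbus_interface must not be None."}}
]'''

# ipa-healthcheck result levels, worst last.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}


def render(entry):
    """One human-readable line for a result entry.

    A check that completed stores a 'msg' template plus the values it
    formats in 'kw'; a check that crashed stores the error text in
    kw['exception'] instead.
    """
    kw = entry.get("kw", {})
    if "exception" in kw:
        text = "check raised: " + kw["exception"]
    elif "msg" in kw:
        try:
            text = kw["msg"].format(**kw)
        except (KeyError, IndexError):  # template refers to a value not in kw
            text = kw["msg"]
    else:
        text = json.dumps(kw, sort_keys=True)
    return "%-8s %s.%s: %s" % (entry["result"], entry["source"], entry["check"], text)


def triage(raw, min_result="WARNING"):
    """Parse ipa-healthcheck JSON output.

    Returns (failing, counts, shared_exception): the entries at or above
    min_result, worst first; a per-level count over all entries; and, when
    two or more failing checks crashed with the same exception text, that
    text (one broken dependency is then the likely root cause).
    """
    entries = json.loads(raw)
    threshold = SEVERITY[min_result]
    failing = [e for e in entries if SEVERITY.get(e["result"], 0) >= threshold]
    failing.sort(key=lambda e: (-SEVERITY[e["result"]], e["source"], e["check"]))
    counts = Counter(e["result"] for e in entries)
    exceptions = Counter(e["kw"]["exception"] for e in failing
                         if "exception" in e.get("kw", {}))
    shared = exceptions.most_common(1)
    shared_exception = shared[0][0] if shared and shared[0][1] >= 2 else None
    return failing, dict(counts), shared_exception


if __name__ == "__main__":
    failing, counts, shared = triage(SAMPLE)
    for entry in failing:
        print(render(entry))
    print("levels:", counts)
    if shared:
        print("same exception in several checks, fix that first:", shared)
```

On a real system feed it `ipa-healthcheck --output-type json` output (or the JSON the tool writes) instead of SAMPLE.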


[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-18 Thread Sean McLennan via FreeIPA-users
> I'm asking you to compare because it's unexpected to see a subject
> CN=localhost for the IPA CA. Someone has probably messed up with some
> commands and replaced the original IPA CA with a wrong one in the
> /etc/pki/pki-tomcat/alias database. If that's the case, we can put the
> right CA back with certutil commands but we need to be sure what to put
> there.

Good call—they are completely different:

/etc/ipa/ca.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = SIMPLYWS.COM, CN = Certificate Authority
        Validity
            Not Before: Nov 14 21:09:26 2020 GMT
            Not After : Nov 14 21:09:26 2040 GMT
        Subject: O = , CN = Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)

and the one in the pki-tomcat/alias db is:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = SIMPLYWS.COM, CN = Certificate Authority
        Validity
            Not Before: Nov 21 21:11:50 2020 GMT
            Not After : Nov 11 21:11:50 2022 GMT
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)

How do we replace that one?


[Freeipa-users] Re: ghost replica for radius server

2022-11-18 Thread Rob Crittenden via FreeIPA-users

[Freeipa-users] Re: ghost replica for radius server

2022-11-18 Thread Grant Janssen via FreeIPA-users
that was easy - THANX Florence.

My ghost replica still doesn’t show in ipa_check_consistency.
Any ideas on that?

grant@radius01:~[20221118-3:56][#97]$ ipa server-state $HOSTNAME --state=enabled
ipa: WARNING: Automatic update of DNS system records failed. Please re-run 
update of system records manually to get list of missing records.

Changed server state of "radius01.production.efilm.com".

grant@radius01:~[20221118-3:57][#98]$ sudo ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
grant@radius01:~[20221118-3:58][#99]$ sudo ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
grant@radius01:~[20221118-3:58][#100]$ ipa server-state $HOSTNAME --state=hidden
ipa: WARNING: Automatic update of DNS system records failed. Please re-run 
update of system records manually to get list of missing records.

Changed server state of "radius01.production.efilm.com".
----
grant@radius01:~[20221118-3:59][#101]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W **
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
====================================================================
Active Users        349         349         349         349         OK
Stage Users         7           7           7           7           OK
Preserved Users     5           5           5           5           OK
User Groups         42          42          42          42          OK
Hosts               423         423         423         423         OK
Host Groups         23          23          23          23          OK
HBAC Rules          9           9           9           9           OK
SUDO Rules          35          35          35          35          OK
DNS Zones           ERROR       ERROR       ERROR       ERROR       OK
LDAP Conflicts      NO          NO          NO          NO          OK
Ghost Replicas      NO          NO          NO          NO          OK
Anonymous BIND      YES         YES         YES         YES         OK
Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
                    ef-idm03 0  ef-idm01 0  ef-idm01 0
                    ef-idm04 0
                    radius01 0
====================================================================
grant@radius01:~[20221118-4:05][#102]$ sudo ipa-pkinit-manage status
[sudo] password for grant:
PKINIT is enabled
The ipa-pkinit-manage command was successful
grant@radius01:~[20221118-4:06][#103]$

When I add the _ldap._tcp and _ldaps._tcp SRV records for the radius server, 
ipa_check_consistency shows the replication is good, but it still doesn’t 
appear as a Ghost.

grant@radius01:~[20221118-4:47][#106]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W **
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    radius01    STATE
================================================================================
Active Users        349         349         349         349         349         OK
Stage Users         7           7           7           7           7           OK
Preserved Users     5           5           5           5           5           OK
User Groups         42          42          42          42          42          OK
Hosts               423         423         423         423         423         OK
Host Groups         23          23          23          23          23          OK
HBAC Rules          9           9           9           9           9           OK
SUDO Rules          35          35          35          35          35          OK
DNS Zones           ERROR       ERROR       ERROR       ERROR       ERROR       OK
LDAP Conflicts      NO          NO          NO          NO          NO          OK
Ghost Replicas      NO          NO          NO          NO          NO          OK
Anonymous BIND      YES         YES         YES         YES         YES         OK
Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0  ef-idm01 0
                    ef-idm03 0  ef-idm01 0  ef-idm01 0
                    ef-idm04 0
                    radius01 0
================================================================================
grant@radius01:~[20221118-4:52][#107]$

thanx

- grant



[Freeipa-users] Re: Microsoft November 2022 updates breaks Active Directory integration

2022-11-18 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 18 Nov 2022, Sam Morris via FreeIPA-users wrote:
> On 17/11/2022 15:09, Rob Crittenden via FreeIPA-users wrote:
>> Rob Crittenden wrote:
>>> Microsoft addressed a number of CVEs last week which introduced some
>>> authentication issues. After installation of these patches, user
>>> authentication on Linux systems integrated in Active Directory no longer
>>> works and new systems are unable to join an AD domain that is managed by
>>> domain controllers where these patches have been applied.
>>>
>>> For more details see https://access.redhat.com/solutions/6985061 (open
>>> to the public).
>>>
>>> rob
>>
>> More detailed information on the issue from Alexander,
>> https://www.redhat.com/en/blog/red-hat-enterprise-linux-and-microsoft-security-update-november-2022
>
> Thanks team. A comment about the RHEL 9 encryption policies:
>
>> Kerberos encryption types using SHA-1 algorithm to calculate a
>> checksum were also disabled by default [in RHEL 9].
>
>> This change also means there are no common encryption types for
>> Active Directory interoperability [...]
>
> Maybe I'm missing something, but I think this is only true when
> talking about the FUTURE policy? The DEFAULT policy still has
> aes*-cts-hmac-sha1-96 enabled:
>
> # cat /usr/share/crypto-policies/DEFAULT/krb5.txt
> [libdefaults]
> permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96

Sorry, it should have said FIPS. The default allows those two enctypes,
FIPS does not allow them. FIPS:AD-SUPPORT would have allowed them.

> (I too have wondered why it's taken so long for MS to implement
> stronger HMAC algorithms... and kill off RC4 once and for all...)

I hope for an improvement too. ;)

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Microsoft November 2022 updates breaks Active Directory integration

2022-11-18 Thread Sam Morris via FreeIPA-users

On 17/11/2022 15:09, Rob Crittenden via FreeIPA-users wrote:
> Rob Crittenden wrote:
>> Microsoft addressed a number of CVEs last week which introduced some
>> authentication issues. After installation of these patches, user
>> authentication on Linux systems integrated in Active Directory no longer
>> works and new systems are unable to join an AD domain that is managed by
>> domain controllers where these patches have been applied.
>>
>> For more details see https://access.redhat.com/solutions/6985061 (open
>> to the public).
>>
>> rob
>
> More detailed information on the issue from Alexander,
> https://www.redhat.com/en/blog/red-hat-enterprise-linux-and-microsoft-security-update-november-2022

Thanks team. A comment about the RHEL 9 encryption policies:

> Kerberos encryption types using SHA-1 algorithm to calculate a
> checksum were also disabled by default [in RHEL 9].

> This change also means there are no common encryption types for
> Active Directory interoperability [...]

Maybe I'm missing something, but I think this is only true when talking
about the FUTURE policy? The DEFAULT policy still has
aes*-cts-hmac-sha1-96 enabled:

# cat /usr/share/crypto-policies/DEFAULT/krb5.txt
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96

(I too have wondered why it's taken so long for MS to implement stronger
HMAC algorithms... and kill off RC4 once and for all...)


Regards,

--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
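To make the DEFAULT versus FIPS distinction in this exchange concrete, here is an added example (my own code, not from the thread or from crypto-policies) that reads a crypto-policies krb5 back-end file and reports which permitted enctypes AD domain controllers also support, and whether any legacy enctype (RC4, 3DES) is still allowed. DEFAULT_KRB5_TXT is the file content quoted above; FIPS_KRB5_TXT is a constructed sample following the thread's description of FIPS (the SHA-1 based AES enctypes removed), not the literal shipped file.

```python
import re

# AES enctypes both RHEL 9 and AD domain controllers support. The thread's
# point: AD has no SHA-2 based aes*-cts-hmac-sha384/sha256 enctypes, so
# interoperability needs at least one of these to remain permitted.
AD_COMMON_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
# Legacy enctypes that should no longer be permitted (RC4 aliases, 3DES).
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des3-cbc-sha1"}

# As quoted in the message: /usr/share/crypto-policies/DEFAULT/krb5.txt
DEFAULT_KRB5_TXT = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96
"""

# Constructed sample matching the thread's description of FIPS (no SHA-1
# enctypes); not the literal shipped file.
FIPS_KRB5_TXT = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
"""


def permitted_enctypes(krb5_txt):
    """Return the permitted_enctypes list from the [libdefaults] section.

    Only that section is read; a permitted_enctypes key elsewhere is
    ignored. Values may be separated by spaces or commas. Returns [] when
    the key is absent.
    """
    section = None
    for line in krb5_txt.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "permitted_enctypes":
            return [v for v in re.split(r"[\s,]+", value.strip()) if v]
    return []


def assess_policy(krb5_txt):
    """Summarise a policy: the AD-compatible enctypes it keeps and any weak ones."""
    permitted = permitted_enctypes(krb5_txt)
    return {
        "permitted": permitted,
        "ad_interop": sorted(AD_COMMON_ENCTYPES & set(permitted)),
        "weak": sorted(WEAK_ENCTYPES & set(permitted)),
    }


if __name__ == "__main__":
    for name, text in (("DEFAULT", DEFAULT_KRB5_TXT), ("FIPS (sample)", FIPS_KRB5_TXT)):
        report = assess_policy(text)
        verdict = "AD interop possible" if report["ad_interop"] else "NO common enctype with AD"
        print("%-14s %s; AD-compatible: %s; weak: %s"
              % (name, verdict, report["ad_interop"] or "-", report["weak"] or "-"))
```

On a host, point it at the active back-end file (for example /etc/crypto-policies/back-ends/krb5.config) rather than the embedded samples.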


[Freeipa-users] Re: ghost replica for radius server

2022-11-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

I believe you are hitting a known issue:
2132047 - Check hidden status for PKINIT certificate creation

The workaround is to set the replica as not hidden (ipa server-state
$HOSTNAME --state=enabled), re-run ipa-pkinit-manage enable on the replica,
then re-hide the replica with ipa server-state $HOSTNAME --state=hidden.
HTH,
flo

On Fri, Nov 18, 2022 at 4:34 AM Grant Janssen via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Building a radius server, and decided this was an ideal application for a
> hidden replica.
> I got some errors in the replica install, and the consistency check does
> not show a ghost replica (but does show my radius host in Replication
> Status.)
> I run external DNS; this radius host only has A and PTR records.
>
> grant@radius01:~[20221117-13:45][#89]$ sudo ipa-replica-install
> --setup-ca --hidden-replica
> Password for ad...@production.efilm.com: *
>
> WARNING: 376 existing users or groups do not have a SID identifier
> assigned.
> Installer can run a task to have ipa-sidgen Directory Server plugin
> generate
> the SID identifier for all these users. Please note, in case of a high
> number of users and groups, the operation might lead to high replication
> traffic and performance degradation. Refer to ipa-adtrust-install(1) man
> page
> for details.
>
> Do you want to run the ipa-sidgen task? [no]: no
> Run connection check to master
> Connection check OK
> -snip-
>   [28/30]: importing IPA certificate profiles
> Lookup failed: Preferred host radius01.production.efilm.com does not
> provide CA.
> Lookup failed: Preferred host radius01.production.efilm.com does not
> provide CA.
> Failed to import profile 'acmeIPAServerCert': Request failed with status
> 500: Non-2xx response from CA REST API: 500. . Running ipa-server-upgrade
> when installation is completed may resolve this issue.
>   [29/30]: configuring certmonger renewal for lightweight CAs
>   [30/30]: deploying ACME service
> Done configuring certificate server (pki-tomcatd).
> Configuring Kerberos KDC (krb5kdc)
>   [1/1]: installing X509 Certificate for PKINIT
> PKINIT certificate request failed: Certificate issuance failed
> (CA_REJECTED: Server at https://ef-idm01.production.efilm.com/ipa/json
> failed request, will retry: 903 (an internal error has occurred).)
> Failed to configure PKINIT
> Full PKINIT configuration did not succeed
> The setup will only install bits essential to the server functionality
> You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
> Done configuring Kerberos KDC (krb5kdc).
> Applying LDAP updates
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
> -snip-
>   [7/7]: adding fallback group
> Fallback group already set, nothing to do
> Done.
> The ipa-replica-install command was successful
> grant@radius01:~[20221117-13:51][#90]$
>
>
> check consistency
>
> grant@radius01:~[20221117-13:53][#92]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W *
> FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
> ====================================================================
> Active Users        349         349         349         349         OK
> Stage Users         7           7           7           7           OK
> Preserved Users     5           5           5           5           OK
> User Groups         42          42          42          42          OK
> Hosts               423         423         423         423         OK
> Host Groups         23          23          23          23          OK
> HBAC Rules          9           9           9           9           OK
> SUDO Rules          35          35          35          35          OK
> DNS Zones           ERROR       ERROR       ERROR       ERROR       OK
> LDAP Conflicts      NO          NO          NO          NO          OK
> Ghost Replicas      NO          NO          NO          NO          OK
> Anonymous BIND      YES         YES         YES         YES         OK
> Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
>                     ef-idm03 0  ef-idm01 0  ef-idm01 0
>                     ef-idm04 0
>                     radius01 0
> ====================================================================
> grant@radius01:~[20221117-13:53][#93]$
>
>
> I executed ipa-server-upgrade as suggested
>
> grant@radius01:~[20221117-16:09][#88]$ sudo ipa-server-upgrade
> [sudo] password for grant:
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/11]: stopping directory server
>   [2/11]: saving configuration
>   [3/11]: disabling listeners
>   [4/11]: enabling DS global lock
>   [5/11]: disabling Schema Compat
>   [6/11]: starting directory server
>   [7/11]: updating schema
>   [8/11]: upgrading server
> Add failure attribute "cn" not allowed
>   [9/11]: 

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Thu, Nov 17, 2022 at 7:59 PM Sean McLennan via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> > ^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11 but
> > it definitely looks wrong, unless IPA was installed with custom (and
> > puzzling) options: subject CN=localhost.
> >
> > How was IPA installed? The default settings would install a self-signed CA
> > with subject CN=Certificate Authority,O=IPA.TEST for instance.
> > What is the content of /etc/ipa/ca.crt? You should see the original IPA CA
> > in this file.
>
> Yeah, I just used 'ipa-server-install' and as much default as possible.
> Definitely wasn't trying anything fancy.  I do still have the original
> install log (and my entire command history) if there's something worth
> looking for in there.
>
> /etc/ipa/ca.crt is just "-----BEGIN CERTIFICATE-----[text]-----END
> CERTIFICATE-----"; should there be something more informative in there?
>

You can compare the CA cert that is stored in this file and the one that is
stored in the /etc/pki/pki-tomcat/alias database.
To compare the PEM content:
# cat /etc/ipa/ca.crt
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' -a
You should see the same content.

Or if you want to see the certificate details:
# openssl x509 -noout -text -in /etc/ipa/ca.crt
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
You should see the same values (subject, issuer, validity, serial
number...)

I'm asking you to compare because it's unexpected to see a subject
CN=localhost for the IPA CA. Someone has probably messed up with some
commands and replaced the original IPA CA with a wrong one in the
/etc/pki/pki-tomcat/alias database. If that's the case, we can put the
right CA back with certutil commands but we need to be sure what to put
there.

flo

>
> Any thoughts on what I can try to renew these?
>
> As an aside: Honestly, I would love nothing more than to get IPA off of
> this damn server and onto one that is actually supported and can, you know,
> be updated. :[  My impression is that the only way I can do that though is
> through replicating it to another instance and promoting the new
> one/retiring the old one... but like I said, I have tried many times to add
> another and have been unsuccessful. Is there a way to restore the data from
> a backup into a new install?
>
> PS. Thank you for replying; I appreciate the help.
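The comparison Florence asks for, written out as an added example (my own code, not from the thread or from FreeIPA): it pulls serial, issuer, subject and validity out of `openssl x509 -noout -text` output for /etc/ipa/ca.crt and for the NSS entry, lists the fields that differ, and flags an entry that is not self-signed or has already expired. It assumes the NSS entry's text is obtained with `certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -a | openssl x509 -noout -text`; the two embedded texts are constructed from the values Sean pasted in this thread, with the blank O in the first Subject filled in as SIMPLYWS.COM on the assumption that, like any default IPA CA, it is self-signed.

```python
import re
from datetime import datetime, timezone

# Constructed from the values pasted in the thread (openssl x509 -text form).
# The message shows an empty O in the Subject; a default IPA CA is
# self-signed, so the issuer's O is assumed here.
IPA_CA_CRT_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = SIMPLYWS.COM, CN = Certificate Authority
        Validity
            Not Before: Nov 14 21:09:26 2020 GMT
            Not After : Nov 14 21:09:26 2040 GMT
        Subject: O = SIMPLYWS.COM, CN = Certificate Authority
"""

# What the thread shows for 'caSigningCert cert-pki-ca' in pki-tomcat/alias.
NSS_CA_ENTRY_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = SIMPLYWS.COM, CN = Certificate Authority
        Validity
            Not Before: Nov 21 21:11:50 2020 GMT
            Not After : Nov 11 21:11:50 2022 GMT
        Subject: CN = localhost
"""

# Fields to extract. The serial pattern assumes the small decimal serials
# Dogtag issues (openssl prints large serials as hex on the following line).
FIELDS = {
    "serial": r"Serial Number:\s*(\d+)",
    "issuer": r"^\s*Issuer:\s*(.+)$",
    "subject": r"^\s*Subject:\s*(.+)$",
    "not_before": r"Not Before\s*:\s*(.+)$",
    "not_after": r"Not After\s*:\s*(.+)$",
}


def parse_x509_text(text):
    """Extract the identifying fields from `openssl x509 -noout -text` output."""
    info = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError("field %r not found in certificate text" % name)
        info[name] = " ".join(m.group(1).split())  # collapse whitespace
    for key in ("not_before", "not_after"):
        info[key] = datetime.strptime(info[key], "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return info


def compare_ca(file_text, nss_text, as_of=None):
    """Compare the CA from /etc/ipa/ca.crt with the NSS database entry.

    as_of: 'YYYY-MM-DD' reference date for the expiry check (default: now).
    A default IPA CA is self-signed, so subject != issuer on the NSS entry
    means something other than the CA was stored under the CA nickname.
    """
    a, b = parse_x509_text(file_text), parse_x509_text(nss_text)
    if as_of is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return {
        "mismatched": sorted(k for k in FIELDS if a[k] != b[k]),
        "file_self_signed": a["subject"] == a["issuer"],
        "nss_self_signed": b["subject"] == b["issuer"],
        "file_expired": a["not_after"] < now,
        "nss_expired": b["not_after"] < now,
    }


if __name__ == "__main__":
    for key, value in compare_ca(IPA_CA_CRT_TEXT, NSS_CA_ENTRY_TEXT, as_of="2022-11-18").items():
        print("%-16s %s" % (key, value))
```

An empty "mismatched" list with both entries self-signed is the healthy case; the thread's NSS entry instead comes back as a different, non-self-signed, expired certificate.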