Hi all,
Currently I'm setting up a FreeIPA instance on EL8 with the crypto-policy set to FUTURE.
When running the ipa-server-install program, it errors out when setting up the PKI infrastructure.
Below is the command I ran:
```
ipa-server-install --pki-config-override /root/freeipa_pki_override.cfg --setup-adtrust -p Banana123! -a Banana123! -r EXAMPLE.COM -U
```
As this command already shows, I already have some PKI override settings to ensure all created keys are 4096 bits long:
```
[CA]
pki_ca_signing_key_size=4096

[DEFAULT]
pki_admin_key_size=4096
pki_audit_signing_key_size=4096
pki_sslserver_key_size=4096
pki_subsystem_key_size=4096
```
And even despite these settings, the command errors out giving me the message as below:
```
..truncated..
  [22/28]: enabling CA instance
  [23/28]: migrating certificate profiles to LDAP
  [24/28]: importing IPA certificate profiles
  [error] NetworkError: cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
cannot connect to 'https://ipa.lbhr.htm.lan:8443/ca/rest/account/login': [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
So _some_ certificate _somewhere_ is not strong enough, but I can't find which one it is and how to ensure it's strengthened sufficiently.
When I check the log file, it shows basically the same message (except with a lot of Python stack traces with 'NetworkError').
When I revert the crypto-policy back to DEFAULT the command as shown above will succeed.
Anyone have a clue? :)
Cheers!