Hello,
On 09/10/2023 at 09:42, Florence Blanc-Renaud wrote:
Hi,
On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello, when I run the command, I get this message
CA is not configured on this system The ipa-cacert-manage command failed.
"replace our external CA to an Internal one", do you mean that IPA was installed CA-less (with HTTP and LDAP certificates provided by an external CA), or with an embedded CA signed by an external CA?
In the first case, you need to install a CA on any of the IPA servers, using ipa-ca-install. This will create an IPA CA, then you need to download this new IPA CA certificate on all your IPA machines (server/replicas/clients) with ipa-certupdate. Please note that this does not replace the HTTP and LDAP server certificates. Also note that it is recommended to install the CA services on at least 2 servers (using ipa-ca-install on the other server). Full doc is available at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
When I run the command ipa-ca-install, I get
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
Certificate with subject CN=Certificate Authority,O=LIX.POLYTECHNIQUE.FR is present in /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/, cannot continue.
In the second case, you need to identify where the CA role is already installed (ipa config-show displays the list of servers with the CA role), and run the command provided by Rizwan on this node. Full doc is available at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
ipa config-show does not display any CA server
HTH, flo
Thank you
Regards,
Frederic

Frédéric AYRAULT
Systems and Network Administrator
Laboratoire d'Informatique de l'Ecole polytechnique <http://www.lix.polytechnique.fr>
fred@lix.polytechnique.fr

On 09/10/2023 at 09:11, Mohammad Rizwan Yusuf wrote:
Hello,

What procedure did you follow to renew your CA from external to self-signed? Please look at this doc: https://www.freeipa.org/page/V4/CA_certificate_renewal#ca-certificate-management-utility

    $ ipa-cacert-manage renew --self-signed

The above command should renew the CA to self-signed.

On Sun, Oct 8, 2023 at 5:40 PM Frederic Ayrault via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hello,

I need to replace our external CA to an Internal one. We tried several ways without success. One of them was to do a backup with ipa-backup or db2bak, reinstall the server with an internal CA and restore the data. But this also restores the external CA. Is there a way to backup or restore only the users, groups, roles, ...?

I am still running ipa 4.6.8 from Centos7

Thank you
Regards,
Frederic

Frédéric AYRAULT
Systems and Network Administrator
Laboratoire d'Informatique de l'Ecole polytechnique <http://www.lix.polytechnique.fr>
fred@lix.polytechnique.fr

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
Regards
Mohammad Rizwan
He/Him/His
IM: rizwan