Hi,
On Thu, Sep 21, 2023 at 5:04 PM Cristian Le via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
I have tried my luck around with all the helpers: `pki-server
cert-fix`,
`ipa-cacert-manage`, `ipa-certupdate`, etc. but each one is failing on me
for multiple reasons.
- `ipa-cacert-manage` Cannot update the CA with `--external-cert-file`
because the root ca is not detected to be in the trust list
This command is useful if you need to trust a new external CA or renew IPA
CA. Is your IPA CA expired?
- `ipa-cert-fix` Was run without overlapping validity time, and the
certificate were re-created, so now it is not recoverable, neither
back in
time, nor in current time
It is recommended to do a backup before running ipa-cert-fix. If you
didn't, and want to try the back-in-time method, you can still find the
original certificates in the LDAP database (below
ou=certificateRepository,ou=ca,o=ipaca) but it requires a bit of searching.
You would need to restore the expired certificates, go back in time and
force the renewal.
- `pki-tomcat` is failing
What is the current situation? Which certs are expired (getcert list)? If
you start
the services with "ipactl start --ignore-service-failures", is
pki-tomcat the only service failing?
flo
It is quite a mess and I would like to ask for some guidance on how one
could recover manually from such dependency issues:
- Is it possible to do a `ipa-server-install` and keep the user data?
- If I sign all of the service's certificates manually, what are all of the
manual steps needed to get the services back up so that the helpers
can be
run.
- I've tried to install the CA certificate in the nssdb database, ldap,
and /etc/ipa/ca.crt. Are there other locations?
- I've recreated an httpd certificate signed by the root, but I can't
figure how to do the same with the ones located in the nssdb database, i.e.
to recreate a csr with the same data as one of the certificates there
- What is the order of services that should be updated. My understanding
is CA -> `certutil`'s CA -> httpd + slapd + pki-tomcat (not sure where the
last one is or how to edit it) -> `ipa-certupdate`
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue