On a RHEL 7 box, I installed the ipa-server package and set up a server without a CA successfully. Then I tried to manually add the CA functionality afterwards and, while the install appeared to work, the server can't properly access the dogtag instance through the proxy, which breaks a lot of functionality.
Logs here: https://gist.github.com/johnseekins/d1a117c568f7895ec0e7fa588aba745d
What am I doing wrong here?
Manually installing the cert at /etc/ipa/ca.cert and restarting Apache fixes the error, but it seems like whenever a cert renewal happens I'll have to manually update it again, which seems brittle.
On Mon, Mar 05, 2018 at 04:57:52PM -0000, John Seekins via FreeIPA-users wrote:
Manually installing the cert at /etc/ipa/ca.cert and restarting Apache fixes the error, but it seems like whenever a cert renewal happens I'll have to manually update it again, which seems brittle.
The ipa-certupdate(1) command will update all relevant certificate trust databases including /etc/ipa/ca.crt.
That said, it should have happened automatically on the master where the CA was installed. I'll confirm; maybe there is a ticket to file here.
Thanks for the query/feedback.
Cheers, Fraser
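A check for the situation Fraser describes, added here as an example (it is not code from the thread or from the FreeIPA project): it compares the certificate fingerprints in the local /etc/ipa/ca.crt copy with those in an authoritative copy of the CA chain and reports whether ipa-certupdate needs to run. It assumes the authoritative chain has already been exported to a PEM file by some means the thread does not cover; the file paths, function names and the base64 payloads used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Detect a stale /etc/ipa/ca.crt by comparing certificate fingerprints against
# an authoritative CA chain file, the condition under which ipa-certupdate(1)
# must be run. Only POSIX sh, awk, base64 and sha256sum are needed.

# Print the SHA-256 fingerprint of every certificate in a PEM file, one per
# line, sorted. A certificate fingerprint is the hash of its DER encoding,
# which is exactly the decoded base64 body of the PEM block, so no X.509
# parsing is required.
pem_fingerprints() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
        /^-----END CERTIFICATE-----/   { inblk = 0; print body; next }
        inblk                          { body = body $0 }
    ' "$1" | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done | sort
}

# Exit 0 when every certificate in the authoritative chain ($2) is present in
# the local trust file ($1); exit 1 when at least one is missing, meaning the
# local copy is stale and ipa-certupdate should be run.
ca_crt_is_current() {
    local_fps=$(pem_fingerprints "$1")
    missing=$(pem_fingerprints "$2" | while IFS= read -r fp; do
        printf '%s\n' "$local_fps" | grep -qx "$fp" || printf '%s\n' "$fp"
    done)
    [ -z "$missing" ]
}

# Demo on constructed input. The payloads are placeholders rather than real
# certificates, which is enough here because only the DER bytes are hashed.
write_pem_cert() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        "$(printf '%s' "$1" | base64)" '-----END CERTIFICATE-----'
}
demo_dir=$(mktemp -d)
write_pem_cert 'constructed CA cert, before renewal' > "$demo_dir/ca.crt"
{
    write_pem_cert 'constructed CA cert, before renewal'
    write_pem_cert 'constructed CA cert, after renewal'
} > "$demo_dir/chain.pem"

if ca_crt_is_current "$demo_dir/ca.crt" "$demo_dir/chain.pem"; then
    echo "local CA trust file is current"
else
    echo "local CA trust file is stale: run 'ipa-certupdate' as root"
fi
rm -rf "$demo_dir"
```

On a real master you would point the check at /etc/ipa/ca.crt and at a chain exported from the CA; when it reports a stale copy, ipa-certupdate refreshes that file along with the other trust databases, after which Apache is restarted as John did by hand.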
On Tue, Mar 06, 2018 at 10:57:16AM +1000, Fraser Tweedale via FreeIPA-users wrote:
On Mon, Mar 05, 2018 at 04:57:52PM -0000, John Seekins via FreeIPA-users wrote:
Manually installing the cert at /etc/ipa/ca.cert and restarting Apache fixes the error, but it seems like whenever a cert renewal happens I'll have to manually update it again, which seems brittle.
The ipa-certupdate(1) command will update all relevant certificate trust databases including /etc/ipa/ca.crt.
That said, it should have happened automatically on the master where the CA was installed. I'll confirm; maybe there is a ticket to file here.
Aha, this was fixed in v4.6.2.
Ticket: https://pagure.io/freeipa/issue/6577 Commit: cd4d9cc46d7d4b3bb9ed7a69976b0986b083abfa
Cheers, Fraser
Thanks for the query/feedback.
Cheers, Fraser

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Alright. Thanks for looking in to it.
John Seekins via FreeIPA-users wrote:
On a RHEL 7 box, I installed the ipa-server package and set up a server without a CA successfully. Then I tried to manually add the CA functionality afterwards and, while the install appeared to work, the server can't properly access the dogtag instance through the proxy, which breaks a lot of functionality.
Logs here: https://gist.github.com/johnseekins/d1a117c568f7895ec0e7fa588aba745d
What am I doing wrong here?
What version of IPA is this? Are you trying to do a CA-less install and converting it to a CA-ful install?
rob
Rob, Fraser did answer my question, but... As the initial email topic notes, this is FreeIPA 4.5.0. And yes, I was trying to convert from CA-less to CA-full install. And Fraser found the exact problem I was running into.
On Tue, Mar 6, 2018 at 11:58 AM Rob Crittenden rcritten@redhat.com wrote:
John Seekins via FreeIPA-users wrote:
On a RHEL 7 box, I installed the ipa-server package and set up a server without a CA successfully. Then I tried to manually add the CA functionality afterwards and, while the install appeared to work, the server can't properly access the dogtag instance through the proxy, which breaks a lot of functionality.
Logs here: https://gist.github.com/johnseekins/d1a117c568f7895ec0e7fa588aba745d
What am I doing wrong here?
What version of IPA is this? Are you trying to do a CA-less install and converting it to a CA-ful install?
rob
John Seekins wrote:
Rob, Fraser did answer my question, but... As the initial email topic notes, this is FreeIPA 4.5.0. And yes, I was trying to convert from CA-less to CA-full install. And Fraser found the exact problem I was running into.
Right, Fraser fixed this upstream in master to happen automatically.
I asked so I could check whether this had been backported so I was looking for the exact release you were using (e.g. [free]ipa-server-4.5-0.x.y.z).
Either way glad it's working now.
rob
On Tue, Mar 6, 2018 at 11:58 AM Rob Crittenden <rcritten@redhat.com> wrote:
John Seekins via FreeIPA-users wrote:
> On a RHEL 7 box, I installed the ipa-server package and set up a server without a CA successfully. Then I tried to manually add the CA functionality afterwards and, while the install appeared to work, the server can't properly access the dogtag instance through the proxy, which breaks a lot of functionality.
>
> Logs here:
> https://gist.github.com/johnseekins/d1a117c568f7895ec0e7fa588aba745d
>
> What am I doing wrong here?
What version of IPA is this? Are you trying to do a CA-less install and converting it to a CA-ful install?
rob
Oh. I'm sorry I misunderstood.

[jseekins@ops-freeipa-ops-1 ~]$ sudo yum list ipa-server
[sudo] password for jseekins:
Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
Installed Packages
ipa-server.x86_64    4.5.0-22.el7_4    @rhui-REGION-rhel-server-releases
On Tue, Mar 6, 2018 at 12:25 PM Rob Crittenden rcritten@redhat.com wrote:
John Seekins wrote:
Rob, Fraser did answer my question, but... As the initial email topic notes, this is FreeIPA 4.5.0. And yes, I was trying to convert from CA-less to CA-full install. And Fraser found the exact problem I was running into.
Right, Fraser fixed this upstream in master to happen automatically.
I asked so I could check whether this had been backported so I was looking for the exact release you were using (e.g. [free]ipa-server-4.5-0.x.y.z).
Either way glad it's working now.
rob
On Tue, Mar 6, 2018 at 11:58 AM Rob Crittenden <rcritten@redhat.com> wrote:
John Seekins via FreeIPA-users wrote:
> On a RHEL 7 box, I installed the ipa-server package and set up a server without a CA successfully. Then I tried to manually add the CA functionality afterwards and, while the install appeared to work, the server can't properly access the dogtag instance through the proxy, which breaks a lot of functionality.
>
> Logs here:
> https://gist.github.com/johnseekins/d1a117c568f7895ec0e7fa588aba745d
>
> What am I doing wrong here?
What version of IPA is this? Are you trying to do a CA-less install and converting it to a CA-ful install?
rob