Hi,

On Wed, Mar 16, 2022 at 3:14 PM Eric Boisvert via FreeIPA-users <
[email protected]> wrote:

> Sorry for the third reply in a row,
>
> A coworker was able to fix the
>
> GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide
> more information, Minor (2529639122): Generic preauthentication failure
>
> by doing
>
> # kinit admin
> # mv /etc/krb5.keytab /etc/krb5.keytab-BACKUP
> # ipa-getkeytab -s freeipa.qc.lrtech.ca -p host/
> [email protected] -k /etc/krb5.keytab
>
> and I was able to fix
>
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
> not trusted
> by the user.)
>
> by manually adding my root CA to /etc/ipa/nssdb with the command
>
> # certutil -A -i  -t CT,C,C -d /etc/ipa/nssdb -n "[email protected],CN=LR
> Tech inc. ROOT CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA"
>
> After that the ipa-certupdate command was successful, but those old
> certificates that I talked about earlier came back and I had to manually
> delete them. Again I had to modify my root CA in the /etc/ipa/nssdb
> because it lost its trusted attributes CT,C,C
>

If you run "ipa-cacert-manage install -t CT,C,C /path/to/newrootca.pem",
the new root CA will be loaded in the LDAP server with the right trust
flags. Then "ipa-certupdate" will download it from the LDAP server and put
it into all the relevant NSS databases / files with the right trust flags.

There is no real need to remove the old CA certs, even if they expired. But
if you really want to clean up things, you need to remove them from the
LDAP server. They are located in cn=certificates,cn=ipa,cn=etc,$BASEDN and
you will need to find the right LDAP entry/entries and delete them with
ldapdelete.


> Then I was able to resubmit my client certificate to FreeIPA. Hooray!!!
>
>
> Am I supposed to do all that manual work?
> Is there an IPA command to remove those annoying certificates and
> save my root CA trusted state?
>
> My client can now communicate with my FreeIPA, but it's still giving me my
> old certificate when I access its URL in Firefox or Chrome.
> Should I manually add my root CA to another database?
>
Which "old certificate" are you referring to? Are you accessing IPA at
https://<hostname>/ipa/ui or accessing a service deployed on your client
and protected by the client certificate?

flo

>
> /etc/ipa/nssdb - root CA is present
> /etc/httpd/alias - Not here
> /etc/httpd/nssdb - Not here
>
> Eric
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
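Added example (not code from the thread or from FreeIPA): a small shell check for the trust-flag problem discussed above. It parses a constructed "certutil -L -d /etc/ipa/nssdb" listing and reports whether the root CA still carries CT,C,C, so the same check can be run against each NSS database after "ipa-cacert-manage install" and "ipa-certupdate". The nickname, the "Server-Cert" entry and the listing contents are assumed sample data.

```shell
#!/bin/sh
# Added example: verify that a root CA carries the CT,C,C trust flags in an
# NSS database. The certutil -L listing below is a constructed sample.

# Print the trust attributes of NICKNAME from a certutil -L listing stored
# in file LISTING (e.g. "CT,C,C"); prints nothing if the nickname is absent.
trust_flags() {
    listing="$1"; nickname="$2"
    awk -v nick="$nickname" '
        # Nicknames may contain spaces, so the flags are the last field
        # and the nickname is everything before it.
        NF >= 2 {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
            if (name == nick) { print flags; exit }
        }' "$listing"
}

# Return 0 when NICKNAME in LISTING is trusted as a CA (CT,C,C), else 1.
has_ca_trust() {
    [ "$(trust_flags "$1" "$2")" = "CT,C,C" ]
}

# Constructed sample of what "certutil -L -d /etc/ipa/nssdb" prints after
# the root CA was re-added by hand and lost its trust attributes.
SAMPLE_LISTING=$(mktemp)
cat >"$SAMPLE_LISTING" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LR Tech inc. ROOT CA 2022                                    ,,
Server-Cert                                                  u,u,u
EOF

# On a real host, replace the sample with live output, for example:
#   certutil -L -d /etc/ipa/nssdb > listing.txt
if has_ca_trust "$SAMPLE_LISTING" "LR Tech inc. ROOT CA 2022"; then
    echo "root CA is trusted as CT,C,C"
else
    echo "root CA is missing CT,C,C: run 'ipa-cacert-manage install -t CT,C,C <ca.pem>' then 'ipa-certupdate'"
fi
```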