> roy liang via FreeIPA-users wrote:
> >
> Take below with a grain of salt. There be dragons. I did not try this
> myself.
>
> What I'd suggest is you pick a different IPA server to start with. I
> think this Ubuntu host is a lost cause. IIRC you have several
> Fedora/CentOS/RHEL replicas as well. You want one without the CA on it.
>
At present, FreeIPA is deployed entirely on Ubuntu 16.04 by Zheng; this was left behind at the company and cannot be changed. Now I cannot add new replicas or upgrade because the certificate has expired. I have given up repairing the expired certificate, because I have tried too many times and failed. Now I have found a quick switching scheme. I don't know whether it is feasible; I hope you can guide me, thank you.

1: I currently generate my self-signed certificate from this document:
https://mariadb.com/docs/security/data-in-transit-encryption/create-self-signed-certificates-keys-openssl/

2: Switch the CA certificate installed by default:

# ipa-cacert-manage renew --external-ca --external-cert-file /root/new_ca/ca-cert.pem
Importing the renewed CA certificate, please wait
IPA CA certificate not found in /root/new_ca/ca-cert.pem
The ipa-cacert-manage command failed.

# ipa-cacert-manage renew --external-ca --external-cert-file /root/new_ca/ca-cert.pem --external-cert-file /root/new_ca/ca-key.pem
Importing the renewed CA certificate, please wait
Failed to load /root/new_ca/ca-key.pem
The ipa-cacert-manage command failed.

How do I do this? I am blind now; can you guide me to the normal command to switch the CA? Thank you very much. Because according to the documentation here, it should be possible to switch:
https://floblanc.wordpress.com/2017/12/05/demystifying-the-certificate-authority-component-in-freeipa/

"I installed FreeIPA without any embedded CA but I changed my mind?
FreeIPA allows installing an embedded CA at a later time, using ipa-ca-install. The tool provides the same options as ipa-server-install: you can either install a self-signed CA or an externally signed CA.
Important: installing an embedded CA with ipa-ca-install does not replace the HTTP and LDAP server certificates. If they were initially delivered by an external CA, they will not be automatically renewed."
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
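Added example (not from the thread, and not FreeIPA project code): the external renewal that `ipa-cacert-manage renew --external-ca` expects is a two-step exchange. The first run keeps the IPA CA's existing key and writes a CSR to /var/lib/ipa/ca.csr; the operator gets that CSR signed by the external CA as a CA certificate; the second run, `ipa-cacert-manage renew --external-cert-file=<signed IPA CA cert> --external-cert-file=<external CA cert>`, imports the result. The external CA's private key is never given to ipa-cacert-manage, and a file that contains only the external root (and not a certificate for the IPA CA itself) is what produces "IPA CA certificate not found". The script below uses openssl to stand in for both the external CA and for the CSR FreeIPA would write; the scratch directory, the O=EXAMPLE.TEST subjects and the file names are assumptions, and the ipa-cacert-manage / ipa-certupdate commands are only printed, not run.

```shell
#!/bin/sh
# Added example: the two-step external renewal of the IPA CA, with openssl
# standing in for the external CA and for FreeIPA's /var/lib/ipa/ca.csr.
# All paths, subjects and file names below are constructed assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the operator's self-signed external root CA (ca-cert.pem /
# ca-key.pem, as produced by the MariaDB how-to in the thread). Its private
# key stays with the operator; ipa-cacert-manage only needs the certificate.
make_external_ca() {
    printf '%s\n' "[ext]" "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign" \
        "subjectKeyIdentifier=hash" > "$WORK/ca-ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca-key.pem" \
        -subj "/O=EXAMPLE.TEST/CN=External Root CA" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca-key.pem" -days 3650 \
        -extfile "$WORK/ca-ext.cnf" -extensions ext -out "$WORK/ca-cert.pem" 2>/dev/null
}

# Stand-in for step 1, "ipa-cacert-manage renew --external-ca", which keeps the
# IPA CA's key and writes a CSR for it. FreeIPA's default CA subject is
# "CN=Certificate Authority,O=<REALM>"; the realm here is constructed.
make_ipa_ca_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ipa-ca-key.pem" \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" -out "$WORK/ipa.csr" 2>/dev/null
}

# Step 2: the external CA signs FreeIPA's CSR. The result must itself be a
# CA certificate (CA:TRUE, keyCertSign), or the IPA CA cannot issue anything.
sign_ipa_csr() {
    openssl x509 -req -in "$WORK/ipa.csr" -CA "$WORK/ca-cert.pem" \
        -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 3650 \
        -extfile "$WORK/ca-ext.cnf" -extensions ext \
        -out "$WORK/ipa-ca-signed.pem" 2>/dev/null
}

# Simplified stand-in for the check behind "IPA CA certificate not found":
# the file given to --external-cert-file must carry a certificate whose
# subject is the IPA CA's, not only the external root. Returns 0 if it does.
contains_ipa_ca_cert() {
    openssl x509 -noout -subject -in "$1" | grep -q "CN *= *Certificate Authority"
}

# Does the signed certificate carry the CA basic constraint? Returns 0 if so.
is_ca_cert() {
    openssl x509 -noout -text -in "$1" | grep -q "CA:TRUE"
}

# Step 3: verify the chain as FreeIPA will see it, then show the import step.
run_demo() {
    make_external_ca
    make_ipa_ca_csr
    sign_ipa_csr
    openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/ipa-ca-signed.pem" >/dev/null
    echo "Chain verifies. On the CA renewal master you would now run:"
    echo "  ipa-cacert-manage renew --external-cert-file=$WORK/ipa-ca-signed.pem \\"
    echo "      --external-cert-file=$WORK/ca-cert.pem"
    echo "  ipa-certupdate   # then on every IPA server and client"
}

run_demo
```

The point the script makes visible: ca-cert.pem (the external root) fails the `contains_ipa_ca_cert` check, while ipa-ca-signed.pem (the IPA CA's own key, certified by the external root) passes it and also verifies against the root, which is the shape of input the second ipa-cacert-manage run is looking for.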
