roy liang via FreeIPA-users wrote:
>> roy liang via FreeIPA-users wrote:
>>
>> Take below with a grain of salt. There be dragons. I did not try this
>> myself.
>>
>> What I'd suggest is you pick a different IPA server to start with. I
>> think this Ubuntu host is a lost cause. IIRC you have several
>> Fedora/CentOS/RHEL replicas as well. You want one without the CA on it.
>>
>
> At present, FreeIPA is all deployed on Ubuntu 16.04 by Zheng, which was left
> over by the company and cannot be changed. Now I cannot copy new nodes or
> upgrade because the certificate has expired. I have given up repairing the
> expired certificate, because I have tried too many times but failed. Now I
> have found a quick switching scheme, I don't know whether it is feasible, I
> hope you can guide it, thank you.
>
> 1:
> I currently generate my self-signed certificate from this document
> https://mariadb.com/docs/security/data-in-transit-encryption/create-self-signed-certificates-keys-openssl/
>
> 2:
> Switch the CA certificate installed by default
>
> # ipa-cacert-manage renew --external-ca --external-cert-file /root/new_ca/ca-cert.pem
> Importing the renewed CA certificate, please wait
> IPA CA certificate not found in /root/new_ca/ca-cert.pem
> The ipa-cacert-manage command failed.
>
> # ipa-cacert-manage renew --external-ca --external-cert-file /root/new_ca/ca-cert.pem --external-cert-file /root/new_ca/ca-key.pem
> Importing the renewed CA certificate, please wait
> Failed to load /root/new_ca/ca-key.pem
> The ipa-cacert-manage command failed.
>
> How to do this? I am blind now, can you guide me to the normal command to switch
> the CA? Thank you very much.
>
> Because according to the documentation here, it should be possible to switch:
> https://floblanc.wordpress.com/2017/12/05/demystifying-the-certificate-authority-component-in-freeipa/
>
> "I installed FreeIPA without any embedded CA but I changed my mind?
> FreeIPA allows you to install an embedded CA at a later time, using
> ipa-ca-install. The tool provides the same options as ipa-server-install: you
> can either install a self-signed CA or an externally signed CA.
> Important: installing an embedded CA with ipa-ca-install does not replace the
> HTTP and LDAP server certificates. If they were initially delivered by an
> external CA, they will not be automatically renewed."
This would replace the CA certificate chain, which is not the problem. The
problem is that all the other certificates have expired. ipa-cacert-manage is
a dead end while the current CA is non-functional.

I'd also urge you to give up on the mariadb page. It generates a non-compliant
CA, which is probably why IPA is rejecting it. If you insist on a manual CA
then there are better ways to do it. Even if you had one you'd still be stuck
because your current CA is dead.

Without fixing your current CA the options forward are full of manual steps
that are not well, or at all, tested.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
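Two things in the thread are worth making concrete. Rob calls the CA produced by the mariadb recipe non-compliant; whatever its specific defect, a certificate that any PKI will treat as a CA has to carry basicConstraints CA:TRUE and, if keyUsage is present, keyCertSign (RFC 5280 4.2.1.9 and 4.2.1.3). And the second ipa-cacert-manage invocation handed the tool a private key file where it expected a certificate, which is what "Failed to load /root/new_ca/ca-key.pem" reports. The script below is an added example, not from the thread and not FreeIPA code: it builds a root CA from an explicit openssl config so the extensions do not depend on the distribution's default openssl.cnf, builds a plain self-signed end-entity certificate for contrast, and offers three checks that can be run on any PEM file before feeding it to a tool: is it a certificate at all, does it carry the CA extensions, and does it belong to a given private key. The directory layout, the WORK variable and the subject names are hypothetical, and the `-ext` option needs OpenSSL 1.1.1 or newer. None of this repairs an expired IPA CA, which is Rob's actual point; note also that `ipa-cacert-manage renew --external-cert-file` expects the IPA CA's own renewed certificate plus the external chain, so an unrelated self-signed CA certificate produces "IPA CA certificate not found" regardless of how well formed it is.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA code): build a root CA with
# the X.509 extensions a CA needs, and check any PEM file for them.
# Paths, WORK and subject names are hypothetical.
set -eu

# Scratch directory: set WORK=/some/dir to keep the output, otherwise a temp
# dir is used and removed on exit.
if [ -z "${WORK:-}" ]; then
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
fi

# Extension sets made explicit, instead of inheriting whatever [v3_ca] the
# local openssl.cnf happens to define.
CA_EXTS='basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash'

LEAF_EXTS='basicConstraints     = critical, CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash'

# write_req_config FILE CN EXTENSIONS: minimal openssl req config for a
# self-signed certificate with a fixed subject and the given v3 extensions.
write_req_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3
prompt             = no

[ dn ]
CN = $2

[ v3 ]
$3
EOF
}

# make_ca DIR: writes DIR/ca-key.pem and DIR/ca-cert.pem (self-signed root CA).
make_ca() {
    mkdir -p "$1"
    write_req_config "$1/ca.cnf" "Example Root CA" "$CA_EXTS"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
}

# make_plain_selfsigned DIR: a self-signed end-entity certificate, the kind a
# generic "create a self-signed cert" recipe yields. It has a key and a cert,
# but it is not a CA and nothing should accept it as one.
make_plain_selfsigned() {
    mkdir -p "$1"
    write_req_config "$1/leaf.cnf" "notaca.example.test" "$LEAF_EXTS"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/leaf.cnf" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# is_certificate FILE: succeed if FILE parses as a PEM certificate at all.
# This is the pre-check that catches a private key passed in place of a cert.
is_certificate() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# is_ca_cert FILE: succeed only if FILE carries basicConstraints CA:TRUE and a
# keyUsage including keyCertSign. Requiring keyUsage is stricter than the RFC
# 5280 minimum, but it is what real CA certificates carry.
is_ca_cert() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE' || return 1
    openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | grep -q 'Certificate Sign' || return 1
}

# cert_matches_key CERT KEY: succeed if CERT's public key is the one in KEY,
# compared as a SHA-256 digest of the DER-encoded SubjectPublicKeyInfo.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Demo: build both kinds of certificate and report what the checks say about
# each file, including the key file that the thread's second command passed.
demo() {
    make_ca "$WORK/ca"
    make_plain_selfsigned "$WORK/leaf"
    for f in "$WORK/ca/ca-cert.pem" "$WORK/leaf/cert.pem" "$WORK/ca/ca-key.pem"; do
        if ! is_certificate "$f"; then
            echo "not a certificate: $f"
        elif is_ca_cert "$f"; then
            echo "CA certificate:    $f"
        else
            echo "end-entity cert:   $f"
        fi
    done
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; nothing to do" >&2
fi
```

Run it as `WORK=/root/new_ca sh ca-check.sh` to keep the generated files; without WORK it works in a temporary directory that is deleted on exit. The three check functions are the useful part: run `is_certificate` and `is_ca_cert` on any file before passing it to a tool that expects a CA certificate, and `cert_matches_key` when a certificate and key came from different places and you are not sure they belong together.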
