Hi Rob, Freeipas

>>> Is there a way to bypass this?
>>
>> Go back in time as you tried.
>>
>>> I've tried to set a date on the server earlier than the expiry date of
>>> the cert, but I get an SASL/GSSAPI error (even if I renew the admin ticket).
>>
>> I guess make sure that your time daemon, if any, is stopped.

I managed to install the new certs on the IPA server by setting the date back in time; now on the other two servers I still get the error "Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)" (ntpd daemon stopped).

Could it be useful to remove the other two nodes from the topology (e.g. with ipa-replica-manage re-initialize --from good-ipa-server)?

thank you
regards
Stefano
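The thread below quotes ipa-server-certinstall failing with "The full certificate chain is not present", but nobody spells out how to check a bundle before retrying. The following Python is an added example, not code from this thread or from FreeIPA: it walks each certificate's DER just far enough to pull out issuer and subject, reports whether every non-self-signed certificate's issuer is in the bundle, and whether the bundle is in the conventional leaf-first order. The sample certificates, `ipa.example.test` and the CA names are constructed placeholders with dummy keys and signatures; run it on your real PEM bundle instead.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length, used by real certs
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def names(der):
    """Return (issuer, subject) as raw DER Name bodies from one certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)              # version [0] EXPLICIT, absent in v1 certs
    pos = pos if tag == 0xA0 else 0
    _, _, pos = _tlv(tbs, pos)              # serialNumber
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)         # issuer Name
    _, _, pos = _tlv(tbs, pos)              # validity
    _, subject, _ = _tlv(tbs, pos)          # subject Name
    return issuer, subject

def chain_status(pem_bundle):
    """(complete, leaf_first, n_missing): complete = every non-self-signed cert's
    issuer is in the bundle; leaf_first = each cert is followed by its issuer."""
    certs = [names(base64.b64decode(b"".join(m.split()))) for m in PEM_RE.findall(pem_bundle)]
    subjects = {s for _, s in certs}
    missing = [i for i, s in certs if i != s and i not in subjects]
    leaf_first = all(certs[k][0] == certs[k + 1][1] for k in range(len(certs) - 1))
    return not missing, leaf_first, len(missing)

# Constructed sample certificates: real X.509 layout, dummy key and signature.
def _der(tag, body):                        # short-form lengths suffice for the samples
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body
def _name(cn):                              # Name > RDN SET > {OID 2.5.4.3 (CN), UTF8String}
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + _name(issuer) + _der(0x30, _der(0x17, b"220101000000Z") * 2)
           + _name(subject) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"

ROOT = fake_cert("Example Root", "Example Root")      # placeholder self-signed root
INTER = fake_cert("Example CA", "Example Root")       # placeholder issuing CA
LEAF = fake_cert("ipa.example.test", "Example CA")    # placeholder server cert
```

`chain_status(pem(LEAF))` alone yields an incomplete chain (the issuing CA is missing), which is the situation behind the error quoted below; `chain_status(pem(LEAF) + pem(INTER) + pem(ROOT))` is complete and leaf-first.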


On 7/28/22 22:21, stefano.antonelli@cnaf via FreeIPA-users wrote:
Hi Rob

thank you for your answer

Why are you running this command? Did you change the CA at the same
time? If not then ipa-server-certinstall is what you want.

yes, now it's Comodo

I've tried ipa-server-certinstall too, but I get "The full certificate chain is not present in ../path/my.key, ../path/my.cer The ipa-server-certinstall command failed."

Should I try to create a chain (certificate/root_ca)? Is there a particular order, e.g. root/other_ca/cert or cert/root/other_ca?

Is there a way to bypass this?

Go back in time as you tried.

I've tried to set a date on the server earlier than the expiry date of
the cert, but I get an SASL/GSSAPI error (even if I renew the admin ticket).

I guess make sure that your time daemon, if any, is stopped.

Perhaps I'll try again, stopping ntpd.

thank you
regards
Stefano


On 2022-07-28 21:28 Rob Crittenden wrote:
stefano.antonelli@cnaf via FreeIPA-users wrote:
Dear All

we have a three-node FreeIPA 4.6.8 installation with a third-party
certificate (https / dirsrv). This certificate has expired, and when I
try to follow the

ipa-cacert-manage install ...
ipa-certupdate

I get the error: "cannot connect to
https://ipaserver/ipa/json : [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed (_ssl.c:618)"

Why are you running this command? Did you change the CA at the same
time? If not then ipa-server-certinstall is what you want.

I suppose that this is due to the fact that the https connection is blocked
because of the expired certificate, which I can't renew.

Yep.


Is there a way to bypass this?

Go back in time as you tried.

I've tried to set a date on the server earlier than the expiry date of
the cert, but I get an SASL/GSSAPI error (even if I renew the admin ticket).

I guess make sure that your time daemon, if any, is stopped.

I was thinking of regenerating /etc/httpd/alias/cert8.db and key3.db with the new
cert/key but I don't know how.

Theoretically possible but ipa-server-certinstall should handle it for
you. Manual is prone to error.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure