Hi Rob,
I managed to install new certs on the IPA server by setting the date back in time;
now on the other two servers I still get the error "Insufficient access:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credential cache is empty)"
(ntpd daemon stopped)
Getting it where? I assume you did a kinit after resetting time?
Yes, I did it; I've tried it many times. With klist I saw there was a
ticket for admin with a lease longer than the expiry date of the https
certificate, but I got the same error;
Could it be useful to remove the other two nodes from the topology
(e.g. with ipa-replica-manage re-initialize --from good-ipa-server)?
This only affects the IPA data, not the certificates used by those servers,
so it wouldn't help.
Yes, I've tried it and realized this; in the end I did:
- ipa server-del (node1, node2)
- ipa-server-install --uninstall (node1, node2)
- ipa-replica-install --principal admin --admin-password *** --server node0
  --domain domain --http-cert-file chain_cert_CA_privatekey.p12
  --dirsrv-cert-file chain_cert_CA_privatekey.p12 --no-pkinit
(at the moment only on one node, and it works with an A <-> B topology;
later I'll do the other node)
There is something which is still unclear to me (e.g. the ipa-certupdate
on node0, which didn't work with "ERROR: cannot connect to
'https://ipa-servnaz.cnaf.infn.it/ipa/session/json': Exceeded number of
tries to forward a request." and then after some time worked), but I'm
happy because the failover system is going to work again.
Thank you for your quick and useful answers, and also for the
logging/debugging output which helped me in a moment of desperation :-)
thank you
regards
Stefano
On 2022-07-29 15:27 Rob Crittenden wrote:
antonelli@cnaf wrote:
Hi Rob, Freeipas
Is there a way to bypass this?
Go back in time as you tried.
I've tried to set a date on the server earlier than the expiry date of
the cert, but I get an SASL/GSSAPI error (even if I renew the admin ticket).
I guess make sure that your time daemon, if any, is stopped.
I managed to install new certs on the IPA server by setting the date back in time;
now on the other two servers I still get the error "Insufficient access:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credential cache is empty)"
(ntpd daemon stopped)
Getting it where? I assume you did a kinit after resetting time?
Could it be useful to remove the other two nodes from the topology
(e.g. with ipa-replica-manage re-initialize --from good-ipa-server)?
This only affects the IPA data, not the certificates used by those servers,
so it wouldn't help.
rob
thank you
regards
Stefano
On 7/28/22 22:21, stefano.antonelli@cnaf via FreeIPA-users wrote:
Hi Rob
Thank you for your answer.
Why are you running this command? Did you change the CA at the same
time? If not then ipa-server-certinstall is what you want.
Yes, now it's Comodo.
I've tried ipa-server-certinstall too, but I get "The full certificate
chain is not present in ../path/my.key, ../path/my.cer The
ipa-server-certinstall command failed."
Should I try to create a chain certificate/root_ca? Is there a particular
order, e.g. root/other_ca/cert or cert/root/other_ca?
Is there a way to bypass this?
Go back in time as you tried.
I've tried to set a date on the server earlier than the expiry date of
the cert, but I get an SASL/GSSAPI error (even if I renew the admin ticket).
I guess make sure that your time daemon, if any, is stopped.
Perhaps I'll try again after stopping ntpd.
thank you
regards
Stefano
On 2022-07-28 21:28 Rob Crittenden wrote:
stefano.antonelli@cnaf via FreeIPA-users wrote:
Dear All,
we have a three-node FreeIPA 4.6.8 installation with a third-party
certificate (https / dirsrv). This certificate has expired, and when I
try to follow the
ipa-cacert-manage install ...
ipa-certupdate
I get the error: "cannot connect to https://ipaserver/ipa/json : [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)"
Why are you running this command? Did you change the CA at the same
time? If not then ipa-server-certinstall is what you want.
I suppose that this is due to the fact that the https connection is
blocked because of the expired certificate, which I can't renew.
Yep.
Is there a way to bypass this?
Go back in time as you tried.
I've tried to set a date on the server earlier than the expiry date of
the cert, but I get an SASL/GSSAPI error (even if I renew the admin ticket).
I guess make sure that your time daemon, if any, is stopped.
I was thinking of regenerating /etc/httpd/alias/cert8.db,key3.db with the
new cert/key, but I don't know how.
Theoretically possible, but ipa-server-certinstall should handle it for
you. Manual is prone to error.
rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to
[email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure