Hi,

On Thu, Nov 17, 2022 at 7:59 PM Sean McLennan via FreeIPA-users <[email protected]> wrote:

> > > ^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11
> > > but it definitely looks wrong, unless IPA was installed with custom (and
> > > puzzling) options: subject CN=localhost.
> > >
> > > How was IPA installed? The default settings would install a self-signed
> > > CA with subject CN=Certificate Authority,O=IPA.TEST for instance.
> > What is the content of /etc/ipa/ca.crt? You should see the original IPA
> > CA in this file.
>
> Yeah, I just used 'ipa-server-install' and as much default as possible.
> Definitely wasn't trying anything fancy. I do still have the original
> install log (and my entire command history) if there's something worth
> looking for in there.
>
> /etc/ipa/ca.crt is just "-----BEGIN CERTIFICATE-----[text]-----END
> CERTIFICATE-----"; should there be something more informative in there?
>
You can compare the CA cert that is stored in this file and the one that is
stored in the /etc/pki/pki-tomcat/alias database. To compare the PEM content:

# cat /etc/ipa/ca.crt
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' -a

You should see the same content. Or if you want to see the certificate
details:

# openssl x509 -noout -text -in /etc/ipa/ca.crt
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'

You should see the same values (subject, issuer, validity, serial number...)

I'm asking you to compare because it's unexpected to see a subject
CN=localhost for the IPA CA. Someone has probably messed up with some
commands and replaced the original IPA CA with a wrong one in the
/etc/pki/pki-tomcat/alias database. If that's the case, we can put the right
CA back with certutil commands but we need to be sure what to put there.

flo

>
> Any thoughts on what I can try to renew these?
>
> As an aside: Honestly, I would love nothing more than to get IPA off of
> this damn server and onto one that is actually supported and can, you know,
> be updated. :[ My impression is that the only way I can do that though is
> through replicating it to another instance and promoting the new
> one/retiring the old one... but like I said, I have tried many times to add
> another and have been unsuccessful. Is there a way to restore the data from
> a backup into a new install?
>
> PS. Thank you for replying; I appreciate the help.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
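The comparison described in the reply above, scripted as a small POSIX shell check. This is an added example, not code from the thread or from FreeIPA; the file path and the certificate nickname are the ones named in the thread, the function names are assumptions of this example, and the export step needs certutil (nss-tools) and read access to the NSS database.

```shell
#!/bin/sh
# Compare the IPA CA in /etc/ipa/ca.crt with the 'caSigningCert cert-pki-ca'
# entry of the pki-tomcat NSS database. Added example; function names are
# hypothetical, paths and nickname come from the thread.

# Reduce a PEM certificate to its bare base64 body (no header/footer, no
# line wrapping) so two copies compare equal regardless of how they are wrapped.
pem_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
      | grep -v 'CERTIFICATE-----' | tr -d ' \r\n'
}

# Exit status 0 when both PEM files carry the same certificate, 1 otherwise
# (an empty body, e.g. a file without a certificate, never counts as a match).
pem_same_cert() {
    a=$(pem_body "$1"); b=$(pem_body "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Export the CA from the NSS database (certutil -a gives PEM) and compare it
# with /etc/ipa/ca.crt. Returns 0 on match, 1 on mismatch, 2 if export failed.
check_ipa_ca() {
    db=${1:-/etc/pki/pki-tomcat/alias}
    pem=${2:-/etc/ipa/ca.crt}
    tmp=$(mktemp) || return 2
    if ! certutil -L -d "$db" -n 'caSigningCert cert-pki-ca' -a > "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    if pem_same_cert "$pem" "$tmp"; then
        echo "OK: $pem matches 'caSigningCert cert-pki-ca' in $db"; rc=0
    else
        echo "MISMATCH: CA in $db differs from $pem; inspect both with:"
        echo "  openssl x509 -noout -subject -issuer -serial -dates -in $pem"
        echo "  certutil -L -d $db -n 'caSigningCert cert-pki-ca'"; rc=1
    fi
    rm -f "$tmp"; return $rc
}

# Run the live check only when invoked with --run (e.g. sh check_ipa_ca.sh --run).
case "${1:-}" in --run) check_ipa_ca ;; esac
```

On a healthy server the script prints OK; a MISMATCH confirms the situation the reply suspects, and the two printed commands show which certificate (subject, issuer, serial, validity) ended up in the NSS database.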
