Hello Florence,

On 10/10/2023 at 09:01, Florence Blanc-Renaud wrote:
The error is an LDAP error when adding an entry/attribute for the CA. Can you check in /var/log/dirsrv/slapd-<YOURDOMAIN>/errors if there were any errors reported at the same date (~2023-10-09T14:55:53Z)? The error would happen either on an ADD or on a MOD operation.
Here are the errors:

[09/Oct/2023:16:53:29.778822109 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend ipaca, attempting to create one...
[09/Oct/2023:16:53:29.792922239 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher 3DES in backend ipaca, attempting to create one...
[09/Oct/2023:16:53:29.830898826 +0200] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend ipaca is coming online; checking domain level and init shared topology
[09/Oct/2023:16:53:29.852943744 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=lix,dc=polytechnique,dc=fr--no CoS Templates found, which should be added before the CoS Definition.
[09/Oct/2023:16:54:39.861546593 +0200] - ERR - ldbm_back_ldbm2index - ldbm: 'ipaca' is already in the middle of another task and cannot be disturbed.
[09/Oct/2023:16:54:39.867443983 +0200] - ERR - task_index_thread - Index failed (error -1)
It would also help if you can provide a description of your current certificate chain (the subject of the Root CA, if relevant the intermediate ones) or share your /etc/ipa/ca.crt file.
Please find enclosed the ca.crt file. If you need more information like the subject of the Root CA, I will need the commands :-(
You didn't clarify so far whether IPA was installed CA-less or with an embedded CA that was externally-signed. If you still have access to the first server that was installed, you can have a look at /var/log/ipaserver-install.log and check the options that were provided.
I think I was using an embedded CA that was externally-signed. I get pem and key files, with them I create a pk12 file used with ipa-replica-prepare on another replica to generate the replica-info-ipa3.lix.polytechnique.fr.gpg file used for the ipa-replica-install.
flo
Thank you for your help

Regards,
Frederic
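
Added example, not part of the original messages and not FreeIPA or 389-ds code: the requested timestamp is in UTC while the errors log records local time with an offset (+0200 here), so this sketch normalises each entry to UTC before selecting the ones near it. The function names, the 5-minute window and the last sample line are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# 389-ds errors-log prefix: [09/Oct/2023:16:53:29.778822109 +0200] - ERR - ...
LINE_RE = re.compile(
    r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(\d+) ([+-]\d{4})\] - (\w+) - (.*)$")

def parse_line(line):
    """Return (utc_time, severity, message), or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, frac, offset, severity, message = m.groups()
    # strptime stops at microseconds, so truncate the nanosecond fraction.
    local = datetime.strptime(f"{stamp}.{frac[:6]} {offset}",
                              "%d/%b/%Y:%H:%M:%S.%f %z")
    return local.astimezone(timezone.utc), severity, message

def errors_near(lines, when_utc, window_minutes=5, severity="ERR"):
    """Entries of the given severity within +/- window_minutes of when_utc."""
    delta = timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == severity and abs(parsed[0] - when_utc) <= delta:
            hits.append(parsed)
    return sorted(hits)

# The six entries quoted in the message, plus one constructed entry (last line)
# that falls outside the window.
SAMPLE = """\
[09/Oct/2023:16:53:29.778822109 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend ipaca, attempting to create one...
[09/Oct/2023:16:53:29.792922239 +0200] - ERR - attrcrypt_cipher_init - No symmetric key found for cipher 3DES in backend ipaca, attempting to create one...
[09/Oct/2023:16:53:29.830898826 +0200] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend ipaca is coming online; checking domain level and init shared topology
[09/Oct/2023:16:53:29.852943744 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=lix,dc=polytechnique,dc=fr--no CoS Templates found, which should be added before the CoS Definition.
[09/Oct/2023:16:54:39.861546593 +0200] - ERR - ldbm_back_ldbm2index - ldbm: 'ipaca' is already in the middle of another task and cannot be disturbed.
[09/Oct/2023:16:54:39.867443983 +0200] - ERR - task_index_thread - Index failed (error -1)
[09/Oct/2023:18:10:00.000000000 +0200] - ERR - example-plugin - constructed entry outside the window
""".splitlines()

if __name__ == "__main__":
    target = datetime(2023, 10, 9, 14, 55, 53, tzinfo=timezone.utc)
    for when, sev, msg in errors_near(SAMPLE, target):
        print(when.isoformat(), sev, msg)
```

To run it against the real log, pass the open file /var/log/dirsrv/slapd-<YOURDOMAIN>/errors as `lines` in place of SAMPLE.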
