Hello,
On 16/10/2023 at 21:13, Frederic Ayrault wrote:
Good evening,
On 13/10/2023 at 22:20, Rob Crittenden via FreeIPA-users wrote:
Frederic Ayrault via FreeIPA-users wrote:
Done configuring certificate server (pki-tomcatd).
ipaclient.install.ipa_certupdate: ERROR failed to update
LIX.POLYTECHNIQUE.FR IPA CA in /etc/httpd/alias: Command
'/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n LIX.POLYTECHNIQUE.FR
IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero
exit status 255
I'd recommend you try this command manually to see what the whole error
is. You'll need to quote the nickname 'LIX....'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Resubmitting certmonger request '20231013171553' timed out, please
check the request manually
ipa-certupdate gives a similar error
Running it manually should give more details why it failed.
rob
I got a lot of errors
Oct 16 14:14:46 ipa3.lix.polytechnique.fr krb5kdc[1932](info):
TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 193.55.176.91:
LOOKING_UP_SERVER: authtime 0,
ldap/[email protected] for
ldap/[email protected], Server not found
in Kerberos database
ipa2 was the server used for ipa-replica-prepare, there is now only ipa3
in the ipa-replica-manage list and ipa3 is not in
any other ipa-replica-manage list
I have deleted
cn=sig/ipa2.lix.polytechnique.fr,cn=custodia,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr
and
cn=enc/ipa2.lix.polytechnique.fr,cn=custodia,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr
from the ldap base
(I can not find any ipa2)
Regards,
Frederic
I created replication between 2 servers ipa3 and ipa4, ipa-ca-install
works, I can now see pki-tomcatd Service
when I run ipactl status but it is STOPPED
And when I try to start it manually ( systemctl start
[email protected] ), I get errors
SEVERE: Servlet.service() for servlet [caGetStatus] in context with
path [/ca] threw exception
java.io.IOException: CS server is not ready to serve.
certutil -d /etc/pki/pki-tomcat/alias/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
auditSigningCert cert-pki-ca u,u,Pu
Server-Cert cert-pki-ca u,u,u
CNRS2-Standard - CNRS C,,
LIX.POLYTECHNIQUE.FR IPA CA CT,C,C
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
CNRS2 - CNRS ,,
I tried to remove CNRS certs but then ipa-ca-install fails ( IndexError:
list index out of range )
Thank you
Regards,
Frederic
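
The `certutil -L` listing in the message above is easier to audit with its trust flags decoded. The following is an added example, not part of the original thread or of FreeIPA's code: it parses that listing, splitting each row from the right because nicknames such as `LIX.POLYTECHNIQUE.FR IPA CA` contain spaces (the same reason the nickname has to be quoted on the command line). The function names are hypothetical; the listing is copied from the message.

```python
# Added example: decode NSS trust flags from `certutil -L` output.
# LISTING is copied from the message above (columns flattened to single spaces).
LISTING = """\
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
auditSigningCert cert-pki-ca u,u,Pu
Server-Cert cert-pki-ca u,u,u
CNRS2-Standard - CNRS C,,
LIX.POLYTECHNIQUE.FR IPA CA CT,C,C
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
CNRS2 - CNRS ,,
"""

# Flag letters as documented in the certutil man page (wording abbreviated).
FLAGS = {
    "p": "valid peer", "P": "trusted peer",
    "c": "valid CA", "C": "trusted CA",
    "T": "trusted CA for client authentication",
    "u": "user cert (private key in this database)", "w": "send warning",
}
USAGES = ("ssl", "email", "object_signing")  # order of the three flag fields


def parse_listing(text):
    """Return {nickname: {usage: flag string}} for each certificate row."""
    certs = {}
    for line in text.splitlines():
        # Nicknames may contain spaces, so take the flags from the right.
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or parts[1].count(",") != 2:
            continue  # header or blank line
        fields = parts[1].split(",")
        if any(ch not in FLAGS for f in fields for ch in f):
            continue  # e.g. the "SSL,S/MIME,JAR/XPI" column header
        certs[parts[0]] = dict(zip(USAGES, fields))
    return certs


def describe(flags):
    """Expand a flag string such as 'CT' into readable meanings."""
    return [FLAGS[ch] for ch in flags]


def ssl_trust_anchors(certs):
    """Nicknames trusted as CAs for TLS in this database."""
    return sorted(n for n, t in certs.items() if "C" in t["ssl"])
```

Run against this listing, `ssl_trust_anchors` shows that `CNRS2-Standard - CNRS` is trusted as a CA for TLS alongside the IPA CA, while `CNRS2 - CNRS` carries no trust flags at all.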