Hi,

On Tue, Oct 17, 2023 at 5:47 PM Frederic Ayrault <[email protected]> wrote:
>
> On 17/10/2023 at 17:23, Rob Crittenden wrote:
> > So if I've followed this thread correctly, what you're doing is:
> > - Taking replica ipa3? and forcibly disconnecting it from an existing
> > IPA installation
>
> This is just because my IPA is in production, so I removed ipa3 for the
> tests.
>
> > - Trying to install a CA on it
>
> That's right.
>
> > Where does ipa4 come in? It's a replica of ipa3?
>
> Yes, ipa4 is a replica of ipa3 and I used it for the ipa-replica-install
> to reinstall ipa3.
>
> I was not able to remove ipa3 from ipa2 (a production replica).
>
> This is another "creative" procedure.
>
> >> And when I try to start it manually ( systemctl start
> >> [email protected] ), I get errors
> >>> SEVERE: Servlet.service() for servlet [caGetStatus] in context with
> >>> path [/ca] threw exception
> >>> java.io.IOException: CS server is not ready to serve.
> >
> > You need to look in /var/log/pki/pki-tomcat/ca/debug<perhaps-date>
>
> I will check that.
>
> > You need to find in that log the last time the CA started and work down
> > from there to find an error, or errors. The usual bottom-up approach
> > won't work because the CA is persistent in trying to start and will
> > often move past errors that may be transient.
> >
> >> certutil -d /etc/pki/pki-tomcat/alias/ -L
> >>
> >> Certificate Nickname                               Trust Attributes
> >>                                                    SSL,S/MIME,JAR/XPI
> >>
> >> auditSigningCert cert-pki-ca                       u,u,Pu
> >> Server-Cert cert-pki-ca                            u,u,u
> >> CNRS2-Standard - CNRS                              C,,
> >> LIX.POLYTECHNIQUE.FR IPA CA                        CT,C,C
> >> ocspSigningCert cert-pki-ca                        u,u,u
> >> subsystemCert cert-pki-ca                          u,u,u
> >> CNRS2 - CNRS                                       ,,
> >>
> >> I tried to remove the CNRS certs, but then ipa-ca-install fails ( IndexError:
> >> list index out of range )
> >
> > I presume they are necessary because your existing HTTP and LDAP
> > certificates are essentially externally signed. So this is expected.
> > Well, maybe not a traceback.
>
> I would like to delete the CNRS2 certs, but then ipa-ca-install does not
> work; if I remove them after ipa-ca-install, ipactl restart does work.

CNRS2 and CNRS2-Standard are part of the CA chain that issued your HTTP
and LDAP server certificates; they should not be removed. When you
install a new embedded IPA CA, it doesn't replace the existing HTTP and
LDAP server certificates with new ones issued by the IPA CA. You will be
able to remove CNRS2 and CNRS2-Standard (IF you don't use any other cert
issued by them) only when the HTTP and LDAP server certs are replaced
with new ones issued by the IPA CA (which is a manual operation).

flo

> > rob
> >
> > Thank you
> > Frederic
>
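The log-reading procedure Rob describes above (locate the last time the CA started, then read forward from there rather than from the bottom of the file), as an added example that is not part of the original messages or of the FreeIPA/Dogtag code. The log line format, the `CMSEngine: Starting` start marker and the SEVERE/ERROR level names are assumptions to adjust against a real `/var/log/pki/pki-tomcat/ca/debug.<date>`; `SAMPLE_LOG` is constructed, not captured from any server.

```python
"""Read a Dogtag CA debug log from the last start-up attempt forward.

Added example for the FreeIPA-users thread; not FreeIPA or Dogtag code.
Assumptions: one log line per record, a recognisable start marker, and
error records tagged SEVERE or ERROR.
"""
import re
from typing import List, Optional

# Assumption: Dogtag writes a line containing this text each time the CA
# begins a start-up attempt. Change it to whatever your debug log shows.
START_RE = re.compile(r"CMSEngine: Starting")
# Records at these levels are the candidates for "the error".
ERROR_RE = re.compile(r"\b(SEVERE|ERROR)\b")


def find_last_start(lines: List[str], start_re: re.Pattern = START_RE) -> int:
    """Index of the most recent start marker, or -1 if the log has none."""
    for i in range(len(lines) - 1, -1, -1):
        if start_re.search(lines[i]):
            return i
    return -1


def errors_after_last_start(lines: List[str]) -> List[str]:
    """Error lines from the most recent start attempt onward, oldest first."""
    start = find_last_start(lines)
    window = lines[start + 1:] if start >= 0 else lines
    return [line.rstrip() for line in window if ERROR_RE.search(line)]


def first_root_cause(lines: List[str]) -> Optional[str]:
    """First error of the current boot: the line to read first, per Rob's advice.
    None when the current start attempt logged no error at all."""
    errors = errors_after_last_start(lines)
    return errors[0] if errors else None


def tail_errors(lines: List[str], n: int = 2) -> List[str]:
    """What a bottom-up read shows: only the last n error lines of the file,
    which for a CA that keeps retrying are usually the symptom, not the cause."""
    return [line.rstrip() for line in lines if ERROR_RE.search(line)][-n:]


def scan_debug_log(path: str) -> List[str]:
    """Run the scan on a real file, e.g. /var/log/pki/pki-tomcat/ca/debug.2023-10-17."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return errors_after_last_start(fh.readlines())


# Constructed sample log (not captured from any real server). Messages marked
# "constructed" are invented; the two "not ready to serve" lines echo the
# servlet error quoted in the thread.
SAMPLE_LOG = """\
2023-10-17 16:02:11 [main] INFO: CMSEngine: Starting server
2023-10-17 16:02:12 [main] SEVERE: constructed: earlier boot attempt failed
2023-10-17 16:02:13 [main] INFO: CMSEngine: shutting down
2023-10-17 17:47:01 [main] INFO: CMSEngine: Starting server
2023-10-17 17:47:02 [main] INFO: CMSEngine: initializing subsystem ca
2023-10-17 17:47:03 [main] SEVERE: constructed: subsystem ca failed to initialize (root cause)
2023-10-17 17:47:04 [main] INFO: CMSEngine: will retry subsystem initialization
2023-10-17 17:47:09 [http-nio-8443-exec-3] SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception
2023-10-17 17:47:09 [http-nio-8443-exec-3] SEVERE: java.io.IOException: CS server is not ready to serve.
2023-10-17 17:47:19 [http-nio-8443-exec-5] SEVERE: java.io.IOException: CS server is not ready to serve.
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("bottom-up view (misleading):")
    for line in tail_errors(lines):
        print("  ", line)
    print("first error after the last start (read this one first):")
    print("  ", first_root_cause(lines))
```

On the constructed log, reading from the bottom shows only the repeated "CS server is not ready to serve" lines, which is the same symptom Frederic saw from systemctl; the first error after the last start marker is the initialization failure that explains them. Errors from the earlier start attempt are ignored, since they belong to a boot that already ended.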
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
