Hello Florence, Thanks for your help. I am using the docker image `freeipa/freeipa-server:fedora-34-4.9.6`, I guess the dependencies are correct as this is all bundled in the container (though there might exist config mismatches if IPA upgrades failed on container updates). SELinux is disabled on the host and in the container.
I made progress by fixing the missing instanceRoot parameter in the config file. Now I think I am stuck in a deadlock, because of Let's Encrypt certificates used for httpd/ldap (installed with ipa-cacert-manage). The certificate managed by FreeIPA is expired, but the Let's Encrypt one has been renewed and there is no overlap in their validity periods.

- If I set the date back to when the FreeIPA certs are valid, the pki connection to the ldap fails, as the Let's Encrypt one is not yet valid. The error is `SEVERE: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) Peer's Certificate has expired.` I think the message says expired for not-yet-valid certs too.
- If I use the current time, it is not possible to start the pki-server as the certs are expired (at least that's my guess; the error is `netscape.ldap.LDAPException: Authentication failed (48)`, not much more detail).

I was thinking about trying to:

- set the date to when the FreeIPA managed certs were still valid;
- manually generate a certificate/key from the CA (not sure how exactly, though);
- copy these certificate and key into the httpd and ldap config folders at the right place;
- try to spin up the pki-tomcat, hoping that it works;
- then hope that it auto-renews certs, or manually trigger the renewal;
- move the date back to today, maybe by increments that cover the certs' validity, and trigger certs renewal at each increment.

Would that make sense? Do you see any more sensible/simpler way? Many thanks!
Basile

--
FreeIPA-users mailing list -- [email protected]
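The deadlock described in the message, two certificates that must both be valid at the same instant but whose validity windows never overlap, together with the stepped clock-advance recovery the poster proposes, modelled as an added example. This is not code from the thread or from FreeIPA; the certificate names, all dates, the 180-day lifetime and the 30-day margin are constructed sample values chosen to reproduce the situation described, not taken from the poster's installation.

```python
"""Validity-window arithmetic for a certificate deadlock.

Added example, not code from the thread or from FreeIPA. All dates,
names and lifetimes below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CertWindow:
    """A certificate reduced to what matters for the deadlock: a label and
    its notBefore/notAfter validity bounds."""
    name: str
    not_before: datetime
    not_after: datetime


def common_window(certs: List[CertWindow]) -> Optional[Tuple[datetime, datetime]]:
    """Intersection of all validity periods: the only clock times at which a
    handshake that needs every listed certificate can succeed. None if empty."""
    start = max(c.not_before for c in certs)
    end = min(c.not_after for c in certs)
    return (start, end) if start <= end else None


def blockers(certs: List[CertWindow], when: datetime) -> List[str]:
    """Which certificates stop a handshake at clock time `when`, and why.
    The poster suspects the 'expired' error also covers not-yet-valid
    certificates, so the distinction is made here from the validity bounds
    rather than from the log message."""
    out = []
    for c in certs:
        if when < c.not_before:
            out.append(f"{c.name}: not yet valid until {c.not_before:%Y-%m-%d}")
        elif when > c.not_after:
            out.append(f"{c.name}: expired on {c.not_after:%Y-%m-%d}")
    return out


def renewal_schedule(start: datetime, today: datetime,
                     lifetime: timedelta, margin: timedelta) -> List[datetime]:
    """Clock positions for walking the clock forward to real time.

    Renewal is triggered at each position; a certificate renewed at position
    i is valid until position i + lifetime, and the next position is chosen
    `margin` before that, so the freshly renewed set is still valid there."""
    if margin >= lifetime:
        raise ValueError("margin must be shorter than the certificate lifetime")
    if start > today:
        raise ValueError("start must not be later than today")
    step = lifetime - margin
    positions = [start]
    while positions[-1] + step < today:
        positions.append(positions[-1] + step)
    if positions[-1] != today:
        positions.append(today)
    return positions


# Constructed sample: the CA-issued subsystem certificate expired before
# the externally issued LDAP server certificate became valid.
SAMPLE_CERTS = [
    CertWindow("pki-subsystem (IPA CA)", datetime(2019, 1, 1), datetime(2021, 1, 1)),
    CertWindow("ldap-server (external)", datetime(2021, 6, 1), datetime(2021, 8, 30)),
]
TODAY = datetime(2021, 7, 15)          # constructed "current" date
IPA_VALID_DATE = datetime(2020, 6, 1)  # constructed date inside the IPA cert's window


def report() -> dict:
    """The checks to run before touching the clock, gathered in one place."""
    return {
        "common_window": common_window(SAMPLE_CERTS),
        "blockers_backdated": blockers(SAMPLE_CERTS, IPA_VALID_DATE),
        "blockers_today": blockers(SAMPLE_CERTS, TODAY),
        "schedule": renewal_schedule(IPA_VALID_DATE, TODAY,
                                     lifetime=timedelta(days=180),
                                     margin=timedelta(days=30)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the sample data `common_window` returns None, which is the deadlock: at the backdated clock the external LDAP certificate is not yet valid, at today's clock the CA-issued certificate has expired. Replacing the LDAP server certificate with one freshly issued by the IPA CA at the backdated time makes the window non-empty, after which `renewal_schedule` gives the clock positions at which to trigger renewal on the way back to the present, each one inside the lifetime of the certificates renewed at the previous position.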
