Sam Morris via FreeIPA-users wrote:
> On 16/07/2025 23:36, Ty zang via FreeIPA-users wrote:
>> Hey all,
>>
>> I am troubleshooting an authentication issue with my clients that
>> happened after a mass PKI cert expiration on my third party CA (root,
>> issuer, and a ton of others). When I authenticate on a client to IPA, it
>> sends my request to the RADIUS server (RSA Auth Mgr) and prompts for
>> first token and second token. Once I enter those, it lets me in (SSH).
>> But for xRDP, it keeps failing and the only log I have on RSA is "bad
>> tokencode but good PIN". I do see an error code 7 in one of the logs
>> (was it secure log?).
>>
>> So that is how I got to where I am. I looked at /etc/krb5.conf and it
>> points to two files:
>> /var/lib/ipa-client/pki/ca-bundle
>> /var/lib/ipa-client/pki/kdc-ca-bundle
>>
>> When I look at the certs in these files, I do see the expired root and
>> issuer (and a valid IPA certificate authority cert). What is the proper
>> way to update these two third party certs in these files on the IPA
>> clients? Should I use keytool/openssl to rip the old ones out and import
>> the new PEM files? I believe I already dropped these two certs under
>> /etc/pki/ca-trust/source/anchors/ and ran "update-ca-trust" but these
>> files seem to remain invalid.
>>
>> Just looking for the proper way, so appreciate the help!
>
> Have you tried ipa-certupdate?
>
Yes, Sam is correct. What you need to do is load the updated chain into IPA using ipa-cacert-manage install and then run ipa-certupdate on all machines to pull down the updated chain. Note that there could be a chicken-and-egg issue if the chain necessary to trust the IPA server certificate to retrieve the new chain is not already present on the client.

rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
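Before and after running ipa-certupdate, the check a practitioner wants is a quick audit of which certificates in the client's two bundle files have actually expired. The script below is an added example, not code from the thread or from the FreeIPA project: it splits a PEM bundle into individual certificates and, for each one, prints whether it is expired, its notAfter date and its subject, using only openssl x509 (-checkend 0 fails for a cert that has already expired). The bundle paths are the two from the original question; the function names (split_bundle, audit_bundle, count_expired, cert_count) are my own.

```sh
#!/bin/sh
# Added example (not from the thread): audit the CA bundles an IPA client
# trusts. Requires an `openssl` binary; bundle paths are assumptions taken
# from the question above.
set -eu

# Split a PEM bundle into one cert per file in a temp dir; print the dir.
# Text between certificates (e.g. "Bag Attributes") is skipped.
split_bundle() {
    bundle="$1"
    dir="$(mktemp -d)"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$bundle"
    printf '%s\n' "$dir"
}

# Print one line per certificate: "EXPIRED|valid  <notAfter>  <subject>".
audit_bundle() {
    bundle="$1"
    dir="$(split_bundle "$bundle")"
    for cert in "$dir"/cert*.pem; do
        [ -e "$cert" ] || continue
        subject="$(openssl x509 -in "$cert" -noout -subject)"
        enddate="$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
        # -checkend 0 exits non-zero if the cert expires within 0 seconds,
        # i.e. it is already expired now.
        if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
            state=valid
        else
            state=EXPIRED
        fi
        printf '%-7s %s  %s\n' "$state" "$enddate" "$subject"
    done
    rm -rf "$dir"
}

# Number of certificates in the bundle (by BEGIN markers).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Number of expired certificates in the bundle.
count_expired() {
    audit_bundle "$1" | grep -c '^EXPIRED' || true
}

# When run on an IPA client, audit both bundles referenced from krb5.conf.
# The loop is skipped where the client directory does not exist.
if [ -d /var/lib/ipa-client/pki ]; then
    for b in /var/lib/ipa-client/pki/ca-bundle /var/lib/ipa-client/pki/kdc-ca-bundle; do
        [ -r "$b" ] || continue
        echo "== $b: $(cert_count "$b") certs, $(count_expired "$b") expired"
        audit_bundle "$b"
    done
fi
```

Run it once before the fix to confirm the stale root and issuer are the EXPIRED entries, then, as Rob describes, load each new CA certificate on a server with ipa-cacert-manage install, run ipa-certupdate on every server and client, and run the audit again: the expected end state is zero EXPIRED lines in both bundles. If ipa-certupdate itself fails on a client because the client cannot validate the IPA server's certificate with its stale bundle, that is the chicken-and-egg case the reply warns about, and the audit output will show which chain the client is missing.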
