Bret Wortman
2017-04-25 18:52:17 UTC
I recently had to upgrade all my Fedora IPA servers to C7. It went well,
and we've been up and running nicely on 4.4.0 on C7 for the past month
or so.
Today, someone came and asked me to generate a new certificate for their
web server. All was good until I went to the IPA UI and tried to perform
Actions->New Certificate, which did nothing. I tried each of our 3
servers in turn. All came back with no popup window and no error, either.
I suspect the problem might be that we no longer have a CA server due to
the method I used to upgrade the servers. I likely missed a "--setup-ca"
in there somewhere, so my rolling update rolled over the CA.
What's my best hope of recovery? I never ran this before, so I'm not
sure if this shows that I'm missing a CA or not:
# ipa ca-find
------------
1 CA matched
------------
Name: ipa
Description IPA CA
Authority ID: 3ce3346[...]
Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
----------------------------
Number of entries returned 1
----------------------------
# ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA, O=DAMASCUSGRP.COM"
ipa: ERROR: Failed to authenticate to CA REST API
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ***@DAMASCUSGRP.COM
Valid starting       Expires              Service principal
04/25/2017 18:48:26  04/26/2017 18:48:21  krbtgt/***@DAMASCUSGRP.COM
#
What's my best path of recovery?
--
*Bret Wortman*
The Damascus Group