On 12-07-2021 21:51, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Hi Flo,

Do you have a hint how I can get to the point where I can execute
the pki securitydomain-host-del command? All examples [2] on the Internet
are from the time when there was a /root/ca-agent.p12 and ipaCert.
I think that has been migrated to /var/lib/ipa/ra-agent.{key,pem} [1].

Maybe you are going to say that I shouldn't need that pki command. But I
have two deleted masters in the pki database. Using
pki securitydomain-host-del seems the only way to get rid of them. If you
have a better suggestion then please let me know.

[1] https://www.freeipa.org/page/Releases/4.8.1
[2] https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup
The CA agent is something different and not used by IPA at all. If your
installation is > 2 years old it is expired anyway.

The dogtag documentation is woefully out-of-date in this regard
unfortunately (and yes, I realize I also live in a glass house regarding
wikis).

You don't need to import anything, the entries you need are already
there. Try:

# pki -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' -C
/etc/pki/pki-tomcat/alias/pwdfile.txt securitydomain-host-del 'CA
ipa.example.test 443'

Thanks Rob,

That did it.

I'm now almost there to get a clean outcome of ipa-healthcheck.
It reports no errors anymore, but ... there is one healthcheck that
wants a password. I have no idea what or why.

[root@linge ~]# /usr/bin/ipa-healthcheck --source 
pki.server.healthcheck.clones.connectivity_and_data
keyctl_search: Required key not available
Enter password for Internal Key Storage Token:
[]

-- Kees

rob

-- Kees

On 12-07-2021 15:01, Kees Bakker via FreeIPA-users wrote:
It is now time for me to try and follow the suggested pki commands.
However, I don't have a /root/ca-agent.p12

There is quite a bit of documentation on the Internet, but it might
not all be
up-to-date.

Here [1] the file /root/ca-agent.p12 is mentioned under "PKI Admin
Certificate".

"PKI admin certificate is stored in several locations:

     /root/ca-agent.p12 with nickname ipa-ca-agent (misleading nickname).
     /root/.dogtag/pki-tomcat/ca_admin.cert
     /root/.dogtag/pki-tomcat/ca_admin.cert.der
     /root/.dogtag/pki-tomcat/ca_admin_cert.p12 (moved to
/root/ca-agent.p12)
"

I don't have any of them. Then [1] continues with

"PKI Agent Certificate

PKI agent certificate is stored in /etc/httpd/alias and tracked by IPA:

     ipaCert (CN=IPA RA)

For IPA Password Vault the certificate is exported and cached into
/etc/httpd/alias/kra-agent.pem since python-requests does not support
NSS. The cache is invalidated if the KRA authentication fails.
IPA Certificates

IPA certificates are stored in /etc/httpd/alias:

     <REALM> IPA CA (CN=Certificate Authority)
     <External CA DN>
     ipa-ca-agent (CN=ipa-ca-agent)
     ipaCert (CN=IPA RA)
     Signing-Cert (CN=Object Signing Cert)
"

But all I have in /etc/httpd/alias is a file ipasession.key

I'm confused.

[1] https://www.dogtagpki.org/wiki/IPA_Certificates
-- Kees

On 14-06-2021 16:39, github--- via FreeIPA-users wrote:
On 29-05-2021 10:21, Alexander Bokovoy wrote:
But I did use "ipa-csreplica-manage del" as well. However, I
remember that it
complained it couldn't remove that host. I was assuming it was
already gone.
When I list with ipa-csreplica-manage then I don't see the old hosts
anymore.
Its worth noting my install (4.9.3) on Fedora `ipa-csreplica-manage
del` just prints a deprecated message and doesn't seem to do anything.

So, two things
1) "ipa-csreplica-manage del" somehow failed (it's probably too late
to look
at logs)
2) how can I still remove the old hosts?
I have/had the same problem.  I used
https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup to help me auth
into the CA to remove the dead host.

      pki client-cert-import --pkcs12  /root/ca-agent.p12
--pkcs12-password [redact]
      pki -n ipa-ca-agent  securitydomain-host-find
      # you need the full Host ID section to remove
      pki -n ipa-ca-agent  securitydomain-host-del "CA
freeipa2[redact].net 443"

Keep in mind I'm fairly new to IPA, so maybe you don't want to do
this on a production system without someone else more experienced
chiming in.  But, so far, the health check stopped complaining,
replication is fine, and all my users can still log in.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to