As a system administrator, I would like a command to retrieve CA certificates from a working IPA server, so I don't need to manually install CA certificates.
So far, ipa-certupdate queries the CA using https like:
~~~
# ipa-certupdate -v
...
ipalib.rpc: DEBUG: trying https://server0.example.com/ipa/json
ipalib.rpc: DEBUG: New HTTP connection (server0.example.com)
...
ipalib.rpc: DEBUG: [try 1]: Forwarding 'ca_find/1' to json server 'https://server0.example.com/ipa/session/json'
~~~
However, when the local CA certificates expired, the validation failed:
~~~
Connection to https://server0.example.com/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
Connection to https://server1.example.com/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
~~~
Thus we need a command or an ipa-certupdate option that retrieves the CA certificates, similar to:
~~~
# obtain a ticket from the host keytab; the LDAP bind is authenticated with Kerberos,
# so it does not depend on the (expired) TLS chain
kinit -k
# the RDN "cn=caSigningCert cert-pki-ca" contains a space, so the base DN must be quoted
ldapsearch -Y GSSAPI -H ldap://server0.example.com \
    -b 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com'
~~~
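As an added example (not FreeIPA's own code), the script below reads the LDIF that the ldapsearch command above prints on stdin and writes the certificate(s) as PEM, so they can be dropped into the local CA store by hand. It assumes the entry carries the certificate in a `userCertificate;binary` attribute; the embedded sample LDIF is constructed, and its payload is a few placeholder bytes rather than a real certificate.

```python
import base64
import sys

# Constructed sample of ldapsearch output (not a real certificate: the value is
# a five-byte placeholder, folded across two lines the way LDIF folds long values).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com> with scope subtree
#

# caSigningCert cert-pki-ca, ca_renewal, ipa, etc, example.com
dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
cn: caSigningCert cert-pki-ca
userCertificate;binary:: MAMC
 AQE=

# search result
search: 2
result: 0 Success
"""


def unfold_ldif(text):
    """Split LDIF into records, joining continuation lines (leading space) and dropping comments."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:      # folded continuation of the previous attribute
            current[-1] += raw[1:]
        elif raw == "":                           # blank line terminates a record
            if current:
                records.append(current)
            current = []
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def extract_ca_certs(ldif_text):
    """Map each entry DN to the DER bytes of its userCertificate;binary attribute.

    Records without a 'dn:' line (the 'search:'/'result:' trailer) are skipped.
    Base64-encoded DNs ('dn:: ...') are not expected here and are not handled.
    """
    certs = {}
    for record in unfold_ldif(ldif_text):
        dn = next((line[4:] for line in record if line.startswith("dn: ")), None)
        if dn is None:
            continue
        for line in record:
            if line.startswith("userCertificate;binary:: "):   # '::' marks a base64 value
                certs[dn] = base64.b64decode(line.split(":: ", 1)[1])
    return certs


def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # usage: ldapsearch -Y GSSAPI -H ldap://server0.example.com -b '...' | python3 ldif2pem.py > ca.crt
    for dn, der in extract_ca_certs(sys.stdin.read()).items():
        sys.stderr.write(f"extracted certificate from {dn}\n")
        sys.stdout.write(to_pem(der))
```

Inspect the resulting PEM (for example its fingerprint) against a copy obtained out of band before installing it as a trust anchor; fetching over LDAP only solves the "cannot connect because the old CA expired" problem, it does not by itself prove which CA you received.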