Red Hat Bugzilla – Bug 1256037
[Documentation bug]: Possible missing step in CA cert renewal instructions
Last modified: 2016-05-11 03:08:26 EDT
Following the instructions in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html to renew an external CA certificate, the old cert was left in /etc/httpd/alias/cacert.asc. This subsequently led to issues because ipa-replica-prepare uses that file.
Step 6 in the above guide should add the following command:
ln -sf /usr/share/ipa/html/ca.crt /etc/httpd/alias/cacert.asc
This is indeed a bug in the guide. The "Update the CA certificate in the file system" step in the "Install the new CA certificate on your first-installed IdM server", "Install the new CA certificate on other IdM servers with a CA" and "Install the new CA certificate on other IdM masters without a CA" chapters in the guide should be changed to:
Update the CA certificate in the file system:
# cp /root/ipa.crt /etc/ipa/ca.crt
# cat /root/ipa.crt /root/external-ca.pem >/etc/httpd/alias/cacert.asc
# cp /etc/httpd/alias/cacert.asc /usr/share/ipa/html/ca.crt
Changing the component to doc-Identity_Management_Guide.
I updated the commands in all three steps.
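A consistency check for the corrected step above, as an added example that is not part of the bug report or the guide: it fingerprints every certificate in the three files and reports a stale /etc/httpd/alias/cacert.asc before ipa-replica-prepare reads it. The function names are hypothetical, and constructed_pem builds placeholder blocks for testing, not real certificates.

```python
import base64
import hashlib
import re
import sys

# File paths as named in the bug report.
IPA_CA = "/etc/ipa/ca.crt"
ALIAS_BUNDLE = "/etc/httpd/alias/cacert.asc"
HTML_CA = "/usr/share/ipa/html/ca.crt"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """SHA-256 of the DER bytes of each certificate in a PEM bundle, in order.
    Hashing the decoded bytes ignores differences in line wrapping."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]

def check_ca_files(ipa_ca, alias_bundle, html_ca):
    """Compare file contents against the layout the corrected step produces:
    cacert.asc holds the IdM CA cert (plus the external CA), and the
    html/ca.crt file is a copy of cacert.asc."""
    problems = []
    wanted = cert_fingerprints(ipa_ca)
    bundle = cert_fingerprints(alias_bundle)
    if not wanted:
        problems.append(f"{IPA_CA} contains no certificate")
    for fp in wanted:
        if fp not in bundle:
            problems.append(f"{ALIAS_BUNDLE} is missing IdM CA cert {fp[:16]}")
    if cert_fingerprints(html_ca) != bundle:
        problems.append(f"{HTML_CA} differs from {ALIAS_BUNDLE}")
    return problems

def constructed_pem(der):
    """Wrap arbitrary bytes as a PEM block (constructed sample data only)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    texts = [open(p).read() for p in (IPA_CA, ALIAS_BUNDLE, HTML_CA)]
    found = check_ca_files(*texts)
    print("\n".join(found) or "CA certificate files are consistent")
    sys.exit(1 if found else 0)
```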