I’ve installed ipa. Originally I did the default install, without DNS. I then updated to a commercial cert. Notes at the end.
I just did a yum update. ipa-server-upgrade failed with the following error:

    017-07-12T19:23:39Z DEBUG stderr=
    2017-07-12T19:23:44Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
    2017-07-12T19:23:45Z DEBUG Starting external process
    2017-07-12T19:23:45Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU -L -n Server-Cert -a
    2017-07-12T19:23:45Z DEBUG Process finished, return code=255
    2017-07-12T19:23:45Z DEBUG stdout=
    2017-07-12T19:23:45Z DEBUG stderr=certutil: Could not find cert: Server-Cert
    : PR_FILE_NOT_FOUND_ERROR: File not found

When I do

    /usr/bin/certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU -L

I find that there is no Server-Cert alias. Instead:

    Certificate Nickname                                                                       Trust Attributes
                                                                                               SSL,S/MIME,JAR/XPI
    CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE             C,,
    CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US   C,,
    CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US                    C,,
    ipaCert                                                                                    u,u,u
    CS.RUTGERS.EDU IPA CA                                                                      CT,C,C
    CN=krb2.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US   u,u,u

Any idea how to fix this? Can I safely rename the last entry to be Server-Cert? Can I safely run ipa-server-upgrade again to make sure it works?

I have a replica. Upgrade for it worked fine, but CA services aren’t installed on it.

——————

Upgrading to a commercial cert:

When you set up IPA it will generate its own certificate. It will be used for both LDAP and HTTP. A CA cert goes into /etc/ipa/ca.cert. In the long run you want to use a commercial certificate. I got back from the certificate people a key, a cert, and a CA chain. Installing them was a hair-raising experience.

Note that on the backup, the intermediates are already there, because they're copied from the primary. Hence you can go directly to ipa-server-certinstall.
This is probably true for renewal as well.

• Before you can install the actual cert, you need to install all the CA certificates for the chain.
• Take apart the intermediate certificates. If you look at the file you'll see it has 3 obvious sections.
• Use openssl x509 --in FILE --text to look at them.
• Starting at the top level, install each one using

      ipa-cacert-manage -p PASSWORD -n NICKNAME -t C,, install FILE

  ; PASSWORD is the admin password for the system.
  ; NICKNAME is a word you pick to identify the CA.
  ; FILE is the file with the data.
• ipa-certupdate
  ; this actually updates the CA database with the new certs.
• ipa-server-certinstall -w -d mysite.key mysite.crt, i.e. the files with the key and the actual cert for this system.
• systemctl restart httpd.service

This will probably fail. In /etc/httpd/conf.d/nss.conf, it adds a line like

    NSSNickname "CN=krb1.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US"

Unfortunately this is a syntax error. To fix it, add \ before the "'s inside the string. Make sure you can restart httpd.service cleanly. I do *not* recommend rebooting the system until that's fixed.

Now

    systemctl restart dirsrv@CS-RUTGERS-EDU.service

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
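The two fiddly parts of the commercial-cert notes above, taking the chain file apart and producing a correctly quoted NSSNickname line, as an added POSIX shell example. This is not code from the original post or from FreeIPA. The ipa-cacert-manage and ipa-certupdate invocations follow the post; the per-certificate file layout (cert-N.pem under an output directory), the nickname prefix, and the DRY_RUN variable are assumptions of this example, and the sample chain it writes is constructed placeholder text, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the fiddly parts of
# the commercial-cert procedure above. Output layout, DRY_RUN and the
# nickname prefix are assumptions; ipa-cacert-manage/ipa-certupdate usage is
# as the post gives it.

# Split a PEM chain file into OUTDIR/cert-1.pem, cert-2.pem, ... in file
# order, ignoring anything outside BEGIN/END markers (openssl-style
# "subject=" comments, blank lines). Prints the number of certificates found.
split_chain() {
    chain="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$chain"
}

# Show subject and issuer of each split certificate so you can see which is
# the top-level CA (subject equals issuer) and install from there downward.
# Needs openssl and real certificates; the constructed sample chain below is
# not a real cert, so run this on your actual chain file.
describe_certs() {
    for f in "$1"/cert-*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer
    done
}

# Install each split certificate as a trusted CA with the post's
# ipa-cacert-manage invocation, then refresh the CA databases with
# ipa-certupdate. Files must already be in root-first order. With DRY_RUN=1
# the commands are printed instead of run (password masked).
install_chain() {
    outdir="$1"; password="$2"; prefix="$3"
    i=1
    while [ -f "$outdir/cert-$i.pem" ]; do
        nick="$prefix-$i"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "ipa-cacert-manage -p '***' -n $nick -t C,, install $outdir/cert-$i.pem"
        else
            ipa-cacert-manage -p "$password" -n "$nick" -t C,, install "$outdir/cert-$i.pem" || return 1
        fi
        i=$((i + 1))
    done
    [ "${DRY_RUN:-0}" = 1 ] || ipa-certupdate
}

# Build the NSSNickname line for nss.conf with every embedded double quote
# backslash-escaped, which is what the hand fix in the post does.
nss_nickname_line() {
    escaped=$(printf '%s' "$1" | sed 's/"/\\"/g')
    printf 'NSSNickname "%s"\n' "$escaped"
}

# Constructed two-certificate chain file (placeholder bodies, not real DER).
write_sample_chain() {
    cat > "$1" <<'EOF'
subject=CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBconstructedRootPlaceholder
-----END CERTIFICATE-----

subject=CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediatePlaceholder
-----END CERTIFICATE-----
EOF
}

# Run with --demo to exercise the helpers on the constructed chain.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample_chain "$d/chain.pem"
    echo "certificates in chain: $(split_chain "$d/chain.pem" "$d/parts")"
    DRY_RUN=1 install_chain "$d/parts" secret InCommon
    nss_nickname_line 'CN=krb1.example.test,O="Rutgers, The State University of New Jersey",C=US'
fi
```

On a real system, run split_chain on the chain file from the CA, use describe_certs to confirm which file is the root and rename so that the root is cert-1.pem, then run install_chain without DRY_RUN before continuing with ipa-server-certinstall as in the notes. Feed the exact nickname that ipa-server-certinstall wrote into nss.conf to nss_nickname_line to get the escaped replacement line.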