I’ve installed ipa. Originally I did the default install, without DNS.
I then updated to a commercial cert. Notes at the end.
I just did a yum update. isa-upgrade failed with the following error:
017-07-12T19:23:39Z DEBUG stderr=
2017-07-12T19:23:44Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-07-12T19:23:45Z DEBUG Starting external process
2017-07-12T19:23:45Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-CS-RUTGERS-EDU -L -n Server-Cert -a
2017-07-12T19:23:45Z DEBUG Process finished, return code=255
2017-07-12T19:23:45Z DEBUG stdout=
2017-07-12T19:23:45Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
When I do /usr/bin/certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU -L I find that
there is no Server-Cert alias. Instead
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust
AB,C=SE C,,
CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey
City,ST=New Jersey,C=US C,,
CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US C,,
ipaCert u,u,u
CS.RUTGERS.EDU IPA CA CT,C,C
CN=krb2.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New
Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New
Brunswick,ST=NJ,postalCode=08901,C=US u,u,u
Any idea how to fix this? Can I safely rename the last entry to be Server-Cert?
Can I safely run isa-server-upgrade again to make sure it works?
I have a replicate. Upgrade for it worked fine, but CA services aren’t
installed on it.
——————
upgrading to commercial cert:
When you set up IPA it will generate its own certificate. It will be used for
both ldap and http. A CA cert goes into /etc/ipa/ca.cert.
In the long run you want to use a commercial certificate. I got back from the
certificate people a key, a cert, and a CA chain. Installing them was a
hair-raising experience.
Note that on the backup, the intermediates are already there, because they're
copied from the primary. Hence you can go directly to ipa-server-certinstall.
This is probably true for renewal as well.
• Before you can install the actual cert, you need to install all the
CA certificates for the chain.
• Take apart the intermediate certificates. If you look at the file
you'll see it has 3 obvious sections.
• Use openssl x509 --in FILE --text to look at them
• Starting at the top level, install each one using
ipa-cacert-manage -p PASSWORD -n NICKNAME -t C,, install FILE
; PASSWORD is the admin password for the system.
; NICKNAME is a word you pick to identify the CA.
; FILE is the file with the data
• ipa-certupdate ; this actually updates the CA database with the new
certs
• ipa-server-certinstall -w -d mysite.key mysite.crt, i.e. the files
with the key and the actual cert for this system
• systemctl restart httpd.service
This will probably fail. In /etc/httpd/conf.d/nss.conf, it adds a line like
NSSNickname "CN=krb1.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of
New Jersey",STREET=43 College Avenue,STREET=\
Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US"
Unfortunately this is a syntax error. To fix it, add \ before the "'s inside
the string.
Make sure you can restart httpd.service cleanly. I do *not* recommend rebooting
the system until that's fixed.
Now
systemctl restart dirsrv@CS-RUTGERS-EDU.service
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
