I’ve installed ipa. Originally I did the default install, without DNS.

I then updated to a commercial cert. Notes at the end.

I just did a yum update. isa-upgrade failed with the following error:

017-07-12T19:23:39Z DEBUG stderr=
2017-07-12T19:23:44Z DEBUG Loading Index file from 
2017-07-12T19:23:45Z DEBUG Starting external process
2017-07-12T19:23:45Z DEBUG args=/usr/bin/certutil -d 
/etc/dirsrv/slapd-CS-RUTGERS-EDU -L -n Server-Cert -a
2017-07-12T19:23:45Z DEBUG Process finished, return code=255
2017-07-12T19:23:45Z DEBUG stdout=
2017-07-12T19:23:45Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

When I do /usr/bin/certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU -L I find that 
there is no Server-Cert alias. Instead

Certificate Nickname                                         Trust Attributes

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust 
AB,C=SE C,,  
CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey 
City,ST=New Jersey,C=US C,,  
CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US C,,  
ipaCert                                                      u,u,u
CS.RUTGERS.EDU IPA CA                                        CT,C,C
CN=krb2.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New 
Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New 
Brunswick,ST=NJ,postalCode=08901,C=US u,u,u

Any idea how to fix this? Can I safely rename the last entry to be Server-Cert? 
Can I safely run isa-server-upgrade again to make sure it works?

I have a replicate. Upgrade for it worked fine, but CA services aren’t 
installed on it.

upgrading to commercial cert:

When you set up IPA it will generate its own certificate. It will be used for 
both ldap and http. A CA cert goes into /etc/ipa/ca.cert.
In the long run you want to use a commercial certificate. I got back from the 
certificate people a key, a cert, and a CA chain. Installing them was a 
hair-raising experience.
Note that on the backup, the intermediates are already there, because they're 
copied from the primary. Hence you can go directly to ipa-server-certinstall. 
This is probably true for renewal as well.
        • Before you can install the actual cert, you need to install all the 
CA certificates for the chain.
        • Take apart the intermediate certificates. If you look at the file 
you'll see it has 3 obvious sections.
        • Use openssl x509 --in FILE --text to look at them
        • Starting at the top level, install each one using
ipa-cacert-manage -p PASSWORD -n NICKNAME -t C,, install FILE
; PASSWORD is the admin password for the system. 
; NICKNAME is a word you pick to identify the CA. 
; FILE is the file with the data

        • ipa-certupdate  ; this actually updates the CA database with the new 
        • ipa-server-certinstall -w -d mysite.key mysite.crt, i.e. the files 
with the key and the actual cert for this system
        • systemctl restart httpd.service
This will probably fail. In /etc/httpd/conf.d/nss.conf, it adds a line like
NSSNickname "CN=krb1.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of 
New Jersey",STREET=43 College Avenue,STREET=\
Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US"    

Unfortunately this is a syntax error. To fix it, add \ before the "'s inside 
the string.
Make sure you can restart httpd.service cleanly. I do *not* recommend rebooting 
the system until that's fixed.
systemctl restart dirsrv@CS-RUTGERS-EDU.service

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to