On Thu, Jul 13, 2017 at 03:02:02PM +0000, Charles Hedrick via FreeIPA-users
> I’ve installed ipa. Originally I did the default install, without DNS.
> I then updated to a commercial cert. Notes at the end.
> I just did a yum update. isa-upgrade failed with the following error:
> 017-07-12T19:23:39Z DEBUG stderr=
> 2017-07-12T19:23:44Z DEBUG Loading Index file from
> 2017-07-12T19:23:45Z DEBUG Starting external process
> 2017-07-12T19:23:45Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-CS-RUTGERS-EDU -L -n Server-Cert -a
> 2017-07-12T19:23:45Z DEBUG Process finished, return code=255
> 2017-07-12T19:23:45Z DEBUG stdout=
> 2017-07-12T19:23:45Z DEBUG stderr=certutil: Could not find cert: Server-Cert
> : PR_FILE_NOT_FOUND_ERROR: File not found
> When I do /usr/bin/certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU -L I find
> that there is no Server-Cert alias. Instead
> Certificate Nickname Trust Attributes
> CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust
> AB,C=SE C,,
> CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey
> City,ST=New Jersey,C=US C,,
> CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US C,,
> ipaCert u,u,u
> CS.RUTGERS.EDU IPA CA CT,C,C
> CN=krb2.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New
> Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New
> Brunswick,ST=NJ,postalCode=08901,C=US u,u,u
> Any idea how to fix this? Can I safely rename the last entry to be
> Server-Cert? Can I safely run isa-server-upgrade again to make
> sure it works?
It does look like something in ipa-server-upgrade is looking for
cert with nickname 'Server-Cert' and not finding it, causing the
I don't think certutil offers a way to "rename" a certificate+key
but you can certainly export it, delete it, then re-import it with
the desired nickname. Then you will need to update 389DS to use the
new nickname, and you should be good to go.
Meanwhile, would you raise a ticket about ipa-server-upgrade looking
for 'Server-Cert' while the actual server cert nickname may be
> I have a replicate. Upgrade for it worked fine, but CA services aren’t
> installed on it.
> upgrading to commercial cert:
> When you set up IPA it will generate its own certificate. It will be used for
> both ldap and http. A CA cert goes into /etc/ipa/ca.cert.
> In the long run you want to use a commercial certificate. I got back from the
> certificate people a key, a cert, and a CA chain. Installing them was a
> hair-raising experience.
> Note that on the backup, the intermediates are already there, because they're
> copied from the primary. Hence you can go directly to ipa-server-certinstall.
> This is probably true for renewal as well.
> • Before you can install the actual cert, you need to install all the
> CA certificates for the chain.
> • Take apart the intermediate certificates. If you look at the file
> you'll see it has 3 obvious sections.
> • Use openssl x509 --in FILE --text to look at them
> • Starting at the top level, install each one using
> ipa-cacert-manage -p PASSWORD -n NICKNAME -t C,, install FILE
> ; PASSWORD is the admin password for the system.
> ; NICKNAME is a word you pick to identify the CA.
> ; FILE is the file with the data
> • ipa-certupdate ; this actually updates the CA database with the new
> • ipa-server-certinstall -w -d mysite.key mysite.crt, i.e. the files
> with the key and the actual cert for this system
> • systemctl restart httpd.service
> This will probably fail. In /etc/httpd/conf.d/nss.conf, it adds a line like
> NSSNickname "CN=krb1.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University
> of New Jersey",STREET=43 College Avenue,STREET=\
> Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US"
> Unfortunately this is a syntax error. To fix it, add \ before the "'s inside
> the string.
> Make sure you can restart httpd.service cleanly. I do *not* recommend
> rebooting the system until that's fixed.
> systemctl restart dirsrv@CS-RUTGERS-EDU.service
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org