On Thu, Jul 13, 2017 at 03:02:02PM +0000, Charles Hedrick via FreeIPA-users 
wrote:
> I’ve installed ipa. Originally I did the default install, without DNS.
> 
> I then updated to a commercial cert. Notes at the end.
> 
> I just did a yum update. isa-upgrade failed with the following error:
> 
> 017-07-12T19:23:39Z DEBUG stderr=
> 2017-07-12T19:23:44Z DEBUG Loading Index file from 
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2017-07-12T19:23:45Z DEBUG Starting external process
> 2017-07-12T19:23:45Z DEBUG args=/usr/bin/certutil -d 
> /etc/dirsrv/slapd-CS-RUTGERS-EDU -L -n Server-Cert -a
> 2017-07-12T19:23:45Z DEBUG Process finished, return code=255
> 2017-07-12T19:23:45Z DEBUG stdout=
> 2017-07-12T19:23:45Z DEBUG stderr=certutil: Could not find cert: Server-Cert
> : PR_FILE_NOT_FOUND_ERROR: File not found
> 
> When I do /usr/bin/certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU -L I find 
> that there is no Server-Cert alias. Instead
> 
> Certificate Nickname                                         Trust Attributes
>                                                              
> SSL,S/MIME,JAR/XPI
> 
> CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust 
> AB,C=SE C,,  
> CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey 
> City,ST=New Jersey,C=US C,,  
> CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US C,,  
> ipaCert                                                      u,u,u
> CS.RUTGERS.EDU IPA CA                                        CT,C,C
> CN=krb2.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New 
> Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New 
> Brunswick,ST=NJ,postalCode=08901,C=US u,u,u
> 
> Any idea how to fix this? Can I safely rename the last entry to be
> Server-Cert? Can I safely run ipa-server-upgrade again to make
> sure it works?
>
It does look like something in ipa-server-upgrade is looking for
cert with nickname 'Server-Cert' and not finding it, causing the
failure.

I don't think certutil offers a way to "rename" a certificate+key
but you can certainly export it, delete it, then re-import it with
the desired nickname.  Then you will need to update 389DS to use the
new nickname, and you should be good to go.

Meanwhile, would you raise a ticket about ipa-server-upgrade looking
for 'Server-Cert' while the actual server cert nickname may be
different?

Thanks,
Fraser

> I have a replicate. Upgrade for it worked fine, but CA services aren’t 
> installed on it.
> 
> ——————
> upgrading to commercial cert:
> 
> When you set up IPA it will generate its own certificate. It will be used for 
> both ldap and http. A CA cert goes into /etc/ipa/ca.cert.
> In the long run you want to use a commercial certificate. I got back from the 
> certificate people a key, a cert, and a CA chain. Installing them was a 
> hair-raising experience.
> Note that on the backup, the intermediates are already there, because they're 
> copied from the primary. Hence you can go directly to ipa-server-certinstall. 
> This is probably true for renewal as well.
>       • Before you can install the actual cert, you need to install all the 
> CA certificates for the chain.
>       • Take apart the intermediate certificates. If you look at the file 
> you'll see it has 3 obvious sections.
>       • Use openssl x509 --in FILE --text to look at them
>       • Starting at the top level, install each one using
> ipa-cacert-manage -p PASSWORD -n NICKNAME -t C,, install FILE
> ; PASSWORD is the admin password for the system. 
> ; NICKNAME is a word you pick to identify the CA. 
> ; FILE is the file with the data
> 
>       • ipa-certupdate  ; this actually updates the CA database with the new 
> certs
>       • ipa-server-certinstall -w -d mysite.key mysite.crt, i.e. the files 
> with the key and the actual cert for this system
>       • systemctl restart httpd.service
> This will probably fail. In /etc/httpd/conf.d/nss.conf, it adds a line like
> NSSNickname "CN=krb1.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University 
> of New Jersey",STREET=43 College Avenue,STREET=\
> Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US"    
> 
> Unfortunately this is a syntax error. To fix it, add \ before the "'s inside 
> the string.
> Make sure you can restart httpd.service cleanly. I do *not* recommend 
> rebooting the system until that's fixed.
> Now
> systemctl restart dirsrv@CS-RUTGERS-EDU.service
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
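The export, delete and re-import that Fraser describes, together with a check of the certutil listing for the nickname ipa-server-upgrade expects and the nss.conf quoting fix from the quoted notes, as an added shell example that is not part of the thread. It assumes certutil, pk12util and openssl are installed; the database directory, password files and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes NSS tools and openssl are installed;
# paths, password files and the listing below are placeholders/constructed.

# Constructed sample of "certutil -d DBDIR -L" output, modelled on the listing above.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US C,,
ipaCert                                                      u,u,u
CS.RUTGERS.EDU IPA CA                                        CT,C,C
CN=krb2.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New Jersey",L=New Brunswick,ST=NJ,C=US u,u,u'

# Print the nickname column of a certutil listing read on stdin: skip the
# two header lines and the blank, then drop the trailing trust-attribute field.
list_nicknames() {
    awk 'NR > 3 && NF > 0 { sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print }'
}

# Exit 0 if the exact nickname $1 is present in the listing on stdin.
has_nickname() { list_nicknames | grep -qxF -- "$1"; }

# Print the nickname of the entry whose subject contains $1 (e.g. CN=host).
nickname_for() { list_nicknames | grep -F -- "$1" | head -n 1; }

# Build an nss.conf NSSNickname line; embedded double quotes must be escaped.
nss_conf_nickname() {
    printf 'NSSNickname "%s"\n' "$(printf '%s' "$1" | sed 's/"/\\"/g')"
}

# NSS cannot rename a cert+key in place: export as PKCS#12, rewrite the
# friendly name, delete the old entry (certutil -F removes key and cert),
# re-import. $1 db dir, $2 old nick, $3 new nick, $4 db pw file, $5 p12 pw file.
# Afterwards point 389DS (nsSSLPersonalitySSL) and nss.conf at the new name.
rename_nickname() {
    db=$1; old=$2; new=$3; dbpw=$4; p12pw=$5
    tmp=$(mktemp -d) || return 1
    (   # subshell: umask 077 keeps the briefly unencrypted key private
        umask 077 &&
        pk12util -d "$db" -o "$tmp/old.p12" -n "$old" -k "$dbpw" -w "$p12pw" &&
        openssl pkcs12 -in "$tmp/old.p12" -passin "file:$p12pw" -nodes -out "$tmp/pair.pem" &&
        openssl pkcs12 -export -in "$tmp/pair.pem" -name "$new" -passout "file:$p12pw" -out "$tmp/new.p12" &&
        certutil -d "$db" -F -n "$old" -f "$dbpw" &&
        pk12util -d "$db" -i "$tmp/new.p12" -k "$dbpw" -w "$p12pw"
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `certutil -d /etc/dirsrv/slapd-INSTANCE -L | has_nickname Server-Cert` before and after the re-import to confirm the nickname the upgrade looks for is present.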