Bumping this for help. I need to renew my replica's SSL certificate which
will expire in a month, but I can't find any instructions. It looks like
the replica's web-ui cert isn't tracked by the master or the replica. I'm
using a pretty stock installation with no external CAs or certs. So
ideally, all of this should have been handled automatically by ipa, but it
isn't. There have also been quite a few cert related posts of late which
makes me think if there are (were) some other issues with replica setup a
couple of years ago, which is when the certs were originally generated.

On Mon, May 1, 2017 at 5:39 AM, Prasun Gera <prasun.g...@gmail.com> wrote:

> Any ideas why the replica's certs are not being tracked ? That looks like
> an issue in itself. If they are not being tracked, the replica will fail
> once they expire. Is there any way to fix the replica ?
>
> On Sun, Apr 23, 2017 at 10:08 PM, Prasun Gera <prasun.g...@gmail.com>
> wrote:
>
>> I tried that, but the replica's "getcert list" doesn't seem to show any
>> results. "Number of certificates and requests being tracked: 0." Is that
>> expected ?
>>
>> On Sun, Apr 23, 2017 at 8:50 PM, Fraser Tweedale <ftwee...@redhat.com>
>> wrote:
>>
>>> On Sun, Apr 23, 2017 at 03:32:19AM -0400, Prasun Gera wrote:
>>> > Thank you. That worked for the master. How do I fix the replica's cert
>>> ?
>>> > This is on ipa-server-4.4.0-14.el7_3.7.x86_64 on RHEL7. I am not using
>>> > ipa's DNS at all. Did this happen because of that ?
>>> >
>>> This is not related to DNS.
>>>
>>> To fix the replica, log onto the host and perform the same steps
>>> with Certmonger there.  The tracking Request ID will be different
>>> but otherwise the process is the same.
>>>
>>> Cheers,
>>> Fraser
>>>
>>> > On Thu, Apr 20, 2017 at 9:06 PM, Fraser Tweedale <ftwee...@redhat.com>
>>> > wrote:
>>> >
>>> > > On Thu, Apr 20, 2017 at 07:31:16PM -0400, Prasun Gera wrote:
>>> > > > I can confirm that I see this behaviour too. My ipa server install
>>> is a
>>> > > > pretty stock install with no 3rd party certificates.
>>> > > >
>>> > > > On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams <
>>> > > > simon.willi...@thehelpfulcat.com> wrote:
>>> > > >
>>> > > > > Yesterday, Chrome on both my Ubuntu and Windows machines updated
>>> to
>>> > > > > version 58.0.3029.81.  It appears that this version of Chrome
>>> will not
>>> > > > > trust certificates based on Common Name.  Looking at the Chrome
>>> > > > > documentation and borne out by one of the messages, from Chrome
>>> 58,
>>> > > > > the subjectAltName is required to identify the DNS name of the
>>> host
>>> > > that
>>> > > > > the certificate is issued for.  I would be grateful if someone
>>> could
>>> > > point
>>> > > > > me in the direction of how to recreate my SSL certificates so
>>> that
>>> > > > > the subjectAltName is populated.
>>> > > > >
>>> > > > > Thanks in advance
>>> > > > >
>>> > > > > --
>>> > > > > Manage your subscription for the Freeipa-users mailing list:
>>> > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>> > > > > Go to http://freeipa.org for more info on the project
>>> > > > >
>>> > > Which version of IPA are you using?
>>> > >
>>> > > The first thing you should do, which I think should be sufficient in
>>> > > most cases, is to tell certmonger to submit a new cert request for
>>> > > each affected certificate, instructing to include the relevant
>>> > > DNSName in the subjectAltName extension in the CSR.
>>> > >
>>> > > To list certmonger tracking requests and look for the HTTPS
>>> > > certificate.  For example:
>>> > >
>>> > >     $ getcert list
>>> > >     Number of certificate and requests being tracked: 11
>>> > >     ...
>>> > >     Request ID '20170418012901':
>>> > >             status: MONITORING
>>> > >             stuck: no
>>> > >             key pair storage: type=NSSDB,location='/etc/
>>> > > httpd/alias',nickname='Server-Cert',token='NSS Certificate
>>> > > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > >             certificate: type=NSSDB,location='/etc/
>>> > > httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> > >             CA: IPA
>>> > >             issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317
>>> > >             subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
>>> > >             expires: 2019-03-22 03:20:19 UTC
>>> > >             dns: f25-2.ipa.local
>>> > >             key usage: digitalSignature,nonRepudiatio
>>> n,keyEncipherment,
>>> > > dataEncipherment
>>> > >             eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >             pre-save command:
>>> > >             post-save command: /usr/libexec/ipa/certmonger/re
>>> start_httpd
>>> > >             track: yes
>>> > >             auto-renew: yes
>>> > >     ...
>>> > >
>>> > > Using the Request ID of the HTTPS certificate, resubmit the request
>>> > > but use the ``-D <hostname>`` option to specify a DNSName to include
>>> > > in the SAN extension:
>>> > >
>>> > >   $ getcert resubmit -i <Request ID> -D <hostname>
>>> > >
>>> > > ``-D <hostname>`` can be specified multiple times, if necessary.
>>> > >
>>> > > This should request a new certificate that will have the server DNS
>>> > > name in the SAN extension.
>>> > >
>>> > > HTH,
>>> > > Fraser
>>> > >
>>>
>>
>>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to