On 08/01/2017 03:50 PM, Jason B. Nance via FreeIPA-users wrote:
Hello everyone,

I'm running FreeIPA 4.4 (as shipped with current CentOS 7).  I had a series of 
unfortunate events which resulted in the entire cluster being offline for a 
matter of a couple weeks during which the certificate in /etc/httpd/alias 
expired.  I rolled back the clocks on all of the servers in the cluster and 
started them successfully, however, the certificates in /etc/httpd/alias did 
not get renewed.  Is there a process that automatically handles this or was I 
supposed to be maintaining that?

Additionally, based on:

https://www.freeipa.org/page/Howto/CA_Certificate_Renewal

...I ran "ipa-cacert-manage renew" on my CA in a hope that that would trigger renewals 
across the board, but now it appears that only the CA was updated as none of the server 
certificates were re-issued and are now all untrusted (I can't do "kinit admin" any 
longer as my realm is now down).  Is there any chance of rolling that back or issuing new certs to 
get things going again?

Hi,

ipa-cacert-manage will only renew IPA CA certificate, not the LDAP or HTTP server certificates. When IPA is using an embedded CA, the LDAP and HTTP server certificates should be automatically renewed thanks to certmonger. If the automatic renewal did not happen, you can check:
- if the certificates are indeed tracked by certmonger:
  sudo getcert list -n Server-Cert
  The tool should output one cert for HTTP (in /etc/httpd/alias) and one for LDAP (in /etc/dirsrv/slapd-DOM...). If the certs are not tracked, you need to use getcert start-tracking to track them.
- if they are tracked but not renewed, check the journal for certmonger messages. Certmonger should log a message when a certificate is nearing its expiration, and another message when the renewal succeeded.

When the certificates are expired, the method is to stop ntpd, go back in time to a date where the certs were still valid, then manually trigger the renewal using getcert resubmit -i <ID>. In case of errors, examine the journal logs and try to fix the issue, then relaunch getcert resubmit. Once the renewal succeeds, getcert list shows the cert status as MONITORING and you can restart ntpd.

This blog [1] provides a few examples of issues and their resolution

HTH,
Flo

[1] https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
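Added example (shell), not from this thread or the FreeIPA project: a small script that applies the checklist above to the output of `getcert list -n Server-Cert`. It looks up the certmonger tracking request for each NSS database location, and classifies it as healthy (status MONITORING), tracked but in need of `getcert resubmit -i <ID>`, or not tracked at all (so getcert start-tracking is needed). The getcert output embedded in the block is constructed for the example, with made-up request IDs and the placeholder directory /etc/dirsrv/slapd-EXAMPLE-COM standing in for the real slapd-DOM... instance directory.

```shell
#!/bin/sh
# Constructed sample of `getcert list -n Server-Cert` output (two tracked
# requests: the LDAP cert is healthy, the HTTP cert is stuck and expired).
# Request IDs, dates and the slapd-EXAMPLE-COM directory are made up.
SAMPLE_GETCERT_OUTPUT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170801120000':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2019-08-01 12:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20170801120001':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2017-07-20 12:00:00 UTC
    track: yes
    auto-renew: yes
EOF
)

# tracking_state OUTPUT LOCATION
# Prints "<request id> <status>" for the tracking request whose certificate
# lives in the given NSS database directory, or nothing if it is not tracked.
tracking_state() {
    printf '%s\n' "$1" | awk -v loc="$2" -v q="'" '
        /^Request ID/          { id = $3; gsub(q, "", id); gsub(":", "", id) }
        /^[[:space:]]*status:/ { status = $2 }
        /^[[:space:]]*certificate:/ && index($0, "location=" q loc q) > 0 {
            print id, status
            exit
        }'
}

# renewal_action OUTPUT LOCATION
# Maps the tracking state onto the three outcomes in the reply above:
#   "ok"              -> tracked and MONITORING, nothing to do
#   "resubmit <ID>"   -> tracked but not renewed: getcert resubmit -i <ID>
#   "untracked"       -> no request for this location: use getcert start-tracking
renewal_action() {
    state=$(tracking_state "$1" "$2")
    if [ -z "$state" ]; then
        echo "untracked"
        return 0
    fi
    id=${state%% *}
    status=${state#* }
    if [ "$status" = "MONITORING" ]; then
        echo "ok"
    else
        echo "resubmit $id"
    fi
}

# Demo over the constructed sample. Against a live server you would feed the
# real output instead, e.g.:
#   renewal_action "$(sudo getcert list -n Server-Cert)" /etc/httpd/alias
for db in /etc/httpd/alias /etc/dirsrv/slapd-EXAMPLE-COM; do
    printf '%-35s %s\n' "$db" "$(renewal_action "$SAMPLE_GETCERT_OUTPUT" "$db")"
done
```

Note that "resubmit" here only says a renewal must be pushed through; per the reply above, if the certificate has already expired, ntpd must be stopped and the clock rolled back to a date when it was still valid before running getcert resubmit, and the request should return to MONITORING in `getcert list` before ntpd is started again.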

If I have to start over, that is certainly an option.  I'm just trying to get a 
better understanding of what I should have been doing to avoid this situation 
in the first place.

Thanks,

j
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
