On 10/10/2017 04:31 PM, Rob Crittenden wrote:
Josh wrote:
Greetings to all,

A follow up on
https://www.redhat.com/archives/freeipa-users/2017-January/msg00051.html

I missed expiration date and now ipa-certupdate command fails with SSL:
CERTIFICATE_VERIFY_FAILED.

Should I update the httpd certificate manually, or is there a workaround to
allow ipa-certupdate to proceed?

You could try going back in time to when the certs are still valid to try the certupdate.
I really don't like doing that...
Or manually updating the certs could work too.
Let me describe all the steps I did, because I could not find any good description in chapter 26 here
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/config-certificates


1. generate CSR
$ NICK=$(sudo certutil -d /etc/httpd/alias -L | grep u,u,u | cut -f 1 -d' ')
$ sudo certutil -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt -R -s "$NICK" -k "$NICK" -a -o my.csr

2. submit my.csr to the external certificate authority and acquire the server certificate and certificate chain (bundle).

3. break the bundle into individual certificates and install them one by one, starting from the last one in the bundle and moving to the first:
$ ipa-cacert-manage install last.pem
$ ipa-cacert-manage install last-1.pem
$ ipa-cacert-manage install last-3.pem
At this point the ipa-certupdate command is needed, but it can't run because the existing server certificate has expired. Skip #4 if the existing one is still valid.

4. install intermediate certificates manually
$ sudo certutil -d /etc/httpd/alias -A -i last.pem -n "$(openssl x509 -in last.pem -text -noout | grep Subject: | sed -e 's/.*Subject: \(.*\)/\1/')" -t C,,
$ sudo certutil -d /etc/httpd/alias -A -i last-1.pem -n "$(openssl x509 -in last-1.pem -text -noout | grep Subject: | sed -e 's/.*Subject: \(.*\)/\1/')" -t C,,
$ sudo certutil -d /etc/httpd/alias -A -i last-2.pem -n "$(openssl x509 -in last-2.pem -text -noout | grep Subject: | sed -e 's/.*Subject: \(.*\)/\1/')" -t C,,

4.1 take a note of the server certificate nickname (NICK), the output of
$ NICK=$(sudo certutil -d /etc/httpd/alias -L | grep u,u,u | cut -f 1 -d' ')

4.2 delete old server certificate
$ sudo certutil -d /etc/httpd/alias -D -n $NICK

4.3 install new
$ sudo certutil -d /etc/httpd/alias -A -i servercert.pem -n $NICK -t u,u,u

4.4 Restart httpd to pick up new certificate
$ sudo systemctl restart httpd

5. Run ipa-certupdate (on all the servers and clients) to propagate all CA bundle certificates.

*Question*:
How am I supposed to use
$ sudo ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
as described in
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/third-party-certs-http-ldap
since ssl.key has never been extracted out of the credential store and technically is not needed at all, as shown in #4 above?

Regards,
Josh.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
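As an added example that is not part of the thread (neither Josh's commands nor a FreeIPA tool), the manual procedure from steps 3 and 4 above as one POSIX shell script: it splits the CA bundle into one PEM file per certificate, installs the chain last-first (ipa-cacert-manage, then certutil with C,, trust), and swaps the server certificate under its existing nickname with u,u,u trust. The NSS database path, the nickname lookup, the openssl subject line format and the sample bundle are assumptions; the sample bundle is constructed placeholder text, not real certificates, and the script only touches the NSS database when invoked with a real bundle and server certificate.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: NSS DB at /etc/httpd/alias,
# server cert is the one with u,u,u trust, CA bundle lists the root last.

NSSDB=${NSSDB:-/etc/httpd/alias}   # assumed NSS database, as in the steps above

# split_bundle BUNDLE OUTDIR: write OUTDIR/cert-01.pem, cert-02.pem, ... in
# bundle order (text outside the PEM markers is dropped) and print the count.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$bundle"
    count=0
    for f in "$outdir"/cert-*.pem; do
        [ -e "$f" ] && count=$((count + 1))
    done
    echo "$count"
}

# chain_last_first OUTDIR: the split files last-first, the order the steps
# above install them (root end of the bundle first). Zero-padded names sort.
chain_last_first() {
    ls "$1"/cert-*.pem | sort -r
}

# cert_subject FILE: subject DN used as the NSS nickname (as in step 4).
# Assumes openssl prints "subject=..." or "subject= ..." for this cert.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed -e 's/^subject= *//'
}

# server_nick: nickname of the certificate with u,u,u trust (step 4.1).
server_nick() {
    certutil -d "$NSSDB" -L | grep u,u,u | cut -f 1 -d' '
}

# install_chain OUTDIR: steps 3 and 4, CA store first, then the NSS DB.
install_chain() {
    for f in $(chain_last_first "$1"); do
        ipa-cacert-manage install "$f"
    done
    for f in $(chain_last_first "$1"); do
        certutil -d "$NSSDB" -A -i "$f" -n "$(cert_subject "$f")" -t C,,
    done
}

# replace_server_cert SERVERCERT: steps 4.1 to 4.4 under the old nickname.
replace_server_cert() {
    nick=$(server_nick)
    certutil -d "$NSSDB" -D -n "$nick"
    certutil -d "$NSSDB" -A -i "$1" -n "$nick" -t u,u,u
    systemctl restart httpd
}

# sample_bundle OUTFILE: constructed three-certificate bundle with placeholder
# bodies (not valid DER) and an annotation line between certs, for dry runs.
sample_bundle() {
    cat > "$1" <<'EOF'
subject=CN=intermediate-2 (constructed annotation, must be dropped)
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediate2
-----END CERTIFICATE-----
subject=CN=intermediate-1
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediate1
-----END CERTIFICATE-----
subject=CN=root
-----BEGIN CERTIFICATE-----
MIIBplaceholderRoot
-----END CERTIFICATE-----
EOF
}

# Usage: sh install-chain.sh BUNDLE SERVERCERT  (then ipa-certupdate everywhere, step 5)
if [ $# -eq 2 ]; then
    workdir=$(mktemp -d)
    n=$(split_bundle "$1" "$workdir")
    echo "bundle contains $n certificate(s)"
    install_chain "$workdir"
    replace_server_cert "$2"
fi
```

The split keeps only what sits between the PEM markers, so a bundle the CA annotates with subject lines does not end up as a broken cert file; the last-first order matches the steps above only if the bundle really lists the root at the end, which is worth checking with openssl before installing anything.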
