There was a previous email about this.

I suspect what failed was near the end when it was upgrading the CA. As part of 
that process it looks at the certificates for LDAP and HTTP. It expects the 
nicknames in the certificate database to be Server-Cert. However the process of 
installing a 3rd party cert changes the nickname. The fix is to rename them to
Server-Cert, and update the config files that refer to them.

Unfortunately certutil’s rename command doesn’t work for the format of 
certificate database used by ipa, so you have to remove the cert and put it 
back with the new nickname. Here’s what the process looked like for me:

# HTTP cert (mod_nss database): export, delete, re-import under the new nickname
certutil -L -d /etc/httpd/alias -n 'krb1-cert' -a -o ~/krb1.cert
certutil -D -d /etc/httpd/alias -n 'krb1-cert'
certutil -A -d /etc/httpd/alias -n "Server-Cert" -t u,u,u -i ~/krb1.cert
emacs /etc/httpd/conf.d/nss.conf   # change NSSNickname to Server-Cert

# LDAP cert (389-ds database): same steps, the nickname here is the subject DN
certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU/ -L -a \
  -n 'CN=krb1.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US' \
  -o ~/krb1.cert2
certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU/ -D \
  -n 'CN=krb1.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US'
certutil -A -d /etc/dirsrv/slapd-CS-RUTGERS-EDU/ -n "Server-Cert" -t u,u,u -i ~/krb1.cert2

emacs /etc/dirsrv/slapd-CS-RUTGERS-EDU/dse.ldif   # change nsSSLPersonalitySSL to Server-Cert

Also, if you're not using the originally generated certs, remove the process
that would update them:

getcert list -d /etc/dirsrv/slapd-CS-RUTGERS-EDU -n Server-Cert
# find the Request ID (20171002175930 here) in the output
getcert stop-tracking -i 20171002175930

getcert list -d /etc/httpd/alias/ -n Server-Cert
# Request ID 20171002175931 in my case
getcert stop-tracking -i 20171002175931

A couple of unexpected things happened during this process, but they are
probably specific to my system. I had to fix up permissions in /etc/httpd/alias
for some reason.

> On Oct 11, 2017, at 12:50 PM, Mark Haney via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> I just tried to upgrade one of our IPA servers to 4.5.0 (from 4.4.0) on C7 
> (along with updating C7 to 7.4) and it bombed spectacularly.  It seems the 
> upgrade process doesn't like the GoDaddy SSL cert we supplied for HTTPS only. 
>  Is there documentation explaining the process with an HTTPS only SSL cert 
> for IPA?  The last time we tried to set this up it was two weeks worth of 
> headaches before we managed to get it working (and I didn't do it, so it 
> wasn't documented), I mention that because I got a concussion from slamming 
> my head against my desk trying to get it working.
> 
> I don't want to replace the CA cert in IPA, just use the GD cert for HTTPS so 
> Chrome, et al, won't bark about it.
> 
> I've googled this, but there's so much conflicting info, I'm not sure what's 
> really good or bad. Seems there are fifteen ways to setup SSL certs, but none 
> are clear (to me) on what's the correct method for just HTTPS.
> 
> -- 
> Mark Haney
> Network Engineer at NeoNova
> 919-460-3330 option 1
> mark.ha...@neonova.net
> www.neonova.net
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

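The procedure in the reply above (export / delete / re-import to change the NSS nickname, edit nss.conf and dse.ldif, stop certmonger tracking), as an added example that is not part of the original post or of FreeIPA's own tooling. It wraps each step in a function that checks its own result, so a failed export cannot be followed by a delete and a mistyped directive name cannot be silently ignored. The database paths and nicknames are the ones the post uses; the optional certutil password file, the config-file names, the systemd unit names and the RUN_IPA_RENAME guard are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not code from the original post or from FreeIPA): the
# export / delete / re-import "rename" from the post, wrapped in checked
# shell functions, plus the two config edits and the certmonger untracking.
# Database paths and nicknames follow the post; pin-file handling, config
# file names and service names are assumptions for illustration.
set -e

# certutil -L -a writes the certificate only (PEM, no private key). The key
# stays in the NSS key database and is re-associated with the certificate by
# -A, which is what makes delete-and-reimport a usable substitute for rename.
# Pass a certutil password file as the 4th argument, or "" to be prompted.
rename_nss_nickname() {
  local db="$1" old="$2" new="$3" pinfile="$4" tmp
  tmp=$(mktemp)
  certutil -L -d "$db" -n "$old" -a -o "$tmp" ${pinfile:+-f "$pinfile"}
  # Refuse to delete anything unless the export really produced a certificate.
  if ! grep -q 'BEGIN CERTIFICATE' "$tmp"; then
    echo "export of '$old' from $db failed; nothing deleted" >&2
    rm -f "$tmp"
    return 1
  fi
  certutil -D -d "$db" -n "$old" ${pinfile:+-f "$pinfile"}
  certutil -A -d "$db" -n "$new" -t u,u,u -i "$tmp" ${pinfile:+-f "$pinfile"}
  rm -f "$tmp"
  # -K lists private keys with the nickname of their certificate; if the new
  # nickname is missing, the key was not re-attached and TLS will not start.
  certutil -K -d "$db" ${pinfile:+-f "$pinfile"} | grep -q -- "$new"
}

# Read the value of one "key<sep>value" line; sep_re is a sed BRE.
get_config_value() {
  local file="$1" key="$2" sep_re="$3"
  sed -n "s|^${key}${sep_re}\(.*\)\$|\1|p" "$file" | head -n 1
}

# Rewrite one "key<sep>value" line in place, keeping a .bak copy, then verify
# the new value reads back. Fails without touching the file if the key is
# absent, so a typo in the directive name cannot silently change nothing.
set_config_value() {
  local file="$1" key="$2" sep_re="$3" sep_out="$4" value="$5"
  if ! grep -q "^${key}${sep_re}" "$file"; then
    echo "no ${key} line in ${file}" >&2
    return 1
  fi
  cp -p "$file" "${file}.bak"
  # sed reads the backup and overwrites the original, so owner/mode survive.
  sed "s|^${key}${sep_re}.*|${key}${sep_out}${value}|" "${file}.bak" > "$file"
  [ "$(get_config_value "$file" "$key" "$sep_re")" = "$value" ]
}

# Apache mod_nss directive: "NSSNickname Server-Cert"
set_apache_nickname() {
  set_config_value "$1" NSSNickname '[[:space:]][[:space:]]*' ' ' "$2"
}

# 389-ds attribute: "nsSSLPersonalitySSL: Server-Cert". Stop the dirsrv
# instance before editing dse.ldif; a running server rewrites the file on
# shutdown and would discard the edit.
set_dirsrv_nickname() {
  set_config_value "$1" nsSSLPersonalitySSL ':[[:space:]]*' ': ' "$2"
}

# Extract the request IDs from "getcert list" output read on stdin, so
# stop-tracking does not depend on reading the ID off the screen.
parse_request_ids() {
  sed -n "s/^Request ID '\([^']*\)':.*/\1/p"
}

stop_tracking_nickname() {
  local db="$1" nick="$2" id
  for id in $(getcert list -d "$db" -n "$nick" | parse_request_ids); do
    getcert stop-tracking -i "$id"
  done
}

# The full procedure from the post. Only runs when explicitly requested, as
# root on the IPA server; DS_OLD_NICK is the DN-style nickname certutil -L shows.
if [ "${RUN_IPA_RENAME:-0}" = 1 ]; then
  HTTPD_DB=/etc/httpd/alias
  DS_DB=/etc/dirsrv/slapd-CS-RUTGERS-EDU
  : "${DS_OLD_NICK:?set to the DN-style nickname certutil -L shows}"
  systemctl stop httpd dirsrv@CS-RUTGERS-EDU.service
  rename_nss_nickname "$HTTPD_DB" krb1-cert Server-Cert ""
  set_apache_nickname /etc/httpd/conf.d/nss.conf Server-Cert
  rename_nss_nickname "$DS_DB" "$DS_OLD_NICK" Server-Cert ""
  set_dirsrv_nickname "$DS_DB/dse.ldif" Server-Cert
  stop_tracking_nickname "$HTTPD_DB" Server-Cert
  stop_tracking_nickname "$DS_DB" Server-Cert
  systemctl start dirsrv@CS-RUTGERS-EDU.service httpd
fi
```

Run it with RUN_IPA_RENAME=1 and DS_OLD_NICK set to the subject-DN nickname; without the variable the functions are only defined, which is convenient for sourcing the file and running one step at a time. The stop-tracking step matters with a third-party cert: once the GoDaddy cert carries the Server-Cert nickname, a still-tracked certmonger request would renew "Server-Cert" from the IPA CA and overwrite it.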