On 11/17/2017 06:41 PM, Matt . via FreeIPA-users wrote:
Hi Guys,
Is there a proven way to set the WebGui cert back to a self-signed one?
I have installed an expired 3rd party certificate and want to move
back to a self-signed cert and later on to a Let's Encrypt one.
Setting back the time before the expiration of the certificate on the
server would be a start and also disable all nameservers in
/etc/resolv.conf so the time is not updated on an ipa start/restart.
But what then? Is there no "reset command/way available"?
Thanks!
Matt
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Hi,
you can stop ntpd (or chronyd) to avoid automatic time update.
If you are able to go back in time when your 3rd-party cert is still
valid (and all IPA services are working), then you can switch to using
another cert with ipa-server-certinstall tool as described in [1].
Caution, if the new cert is signed by a different CA, you need first to
use "ipa-cacert-manage install" in order to put the CA in the relevant
NSS databases, then ipa-certupdate on *all* machines
(server/replicas/clients).
One clarification, though: when you mention "self-signed cert", do you
really mean self-signed certificate or "a HTTP certificate signed by IPA
CA"? In the latter case, if you want IPA CA to generate a new cert for
the HTTP service, you can use the GUI (Identity > Services, then select
HTTP/$hostname and Actions > New certificate). The GUI will provide you
with the commands to generate a new certificate suitable for the HTTP
service, and you will be able to use this new cert with
ipa-server-certinstall.
HTH,
Flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/third-party-certs-http-ldap
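
An added example, not part of the original thread: a pre-flight check that prints the order of the steps described in the reply above without running any of them. The function names are hypothetical; it assumes `openssl` is installed and that `/etc/ipa/ca.crt` is the CA bundle the IPA host already trusts.

```shell
#!/bin/sh
# Added example: plans the certificate swap, executes no ipa-* command itself.

# Exit 0 if the certificate has not passed its notAfter date.
cert_is_current() {
    openssl x509 -checkend 0 -noout -in "$1" >/dev/null 2>&1
}

# Exit 0 if the certificate ($1) chains to a CA in the bundle ($2).
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the ordered steps. Arguments:
#   $1 installed HTTP cert (PEM)   $2 new cert (PEM)   $3 new private key
#   $4 PEM of the CA that signed the new cert
#   $5 CA bundle already trusted (assumed default: /etc/ipa/ca.crt)
plan_cert_swap() {
    cur=$1 new=$2 key=$3 newca=$4 bundle=${5:-/etc/ipa/ca.crt}
    if ! cert_is_current "$new"; then
        echo "ABORT: new certificate is expired or unreadable"
        return 1
    fi
    if ! cert_is_current "$cur"; then
        # Installed cert has expired: services only start with the clock set back.
        end=$(openssl x509 -noout -enddate -in "$cur" 2>/dev/null | cut -d= -f2)
        echo "systemctl stop chronyd   # or ntpd, so the clock is not corrected"
        echo "# set the clock to a date before: $end"
    fi
    if ! cert_chains_to "$new" "$bundle"; then
        # New cert comes from a CA that IPA does not know yet.
        echo "ipa-cacert-manage install $newca"
        echo "ipa-certupdate   # repeat on every server, replica and client"
    fi
    echo "ipa-server-certinstall -w $key $new"
}

# Usage: plan_cert_swap current.pem new.pem new.key new-ca.pem
```

For a self-signed certificate, pass the certificate itself as the fourth argument, since it is its own issuer.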