Azim Siddiqui via FreeIPA-users wrote: > Hello All, > > I have created my certificates with the steps provided and still getting > the certificate error. And laos i have restart my ipa server, but still > it is not resolving the issue.
We need details. rob > > On Sun, Mar 24, 2019 at 12:02 PM Rob Crittenden <[email protected] > <mailto:[email protected]>> wrote: > > You've been asked multiple times to keep the list on all replies. This > is so others can benefit or perhaps chime in with additional > suggestions. > > Azim Siddiqui wrote: > > Hi Rob, > > > > I tried running getcert command, but it's not listing anything. ( Do I > > need to run this command on IPA server or other Jenkins, Git > server ? ) > > I'd try on all of them. Who knows what the previous admin did. It is no > big loss if you can't find one. > > > And also I couldn't able to find the private key. > > You need to look in the configuration for those individual services. > They have to refer to some key and cert in order for TLS to work at all. > > > Can I generate a new private key ? If yes then, can you please tell me > > the commands to run? > > You don't need to maintain the current private key even if you find it. > > If you don't find certmonger tracking then assuming the machine(s) are > IPA clients you can use ipa-getcert to request and track the > certificate. This should do renewal as well. > > I wrote up a generic how to get a cert for a web server a few months > ago, > > https://rcritten.wordpress.com/2018/11/26/how-do-i-get-a-certificate-for-my-web-site-with-ipa/ > > rob > > > > > Thanks & Regards, > > Azeem > > > > > > > > > > > > On Fri, 22 Mar 2019 at 16:02, Rob Crittenden <[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>> wrote: > > > > Azim Siddiqui via FreeIPA-users wrote: > > > Hi Rob, > > > > > > Thank you for your email. > > > > > > So here's the thing, We have a total of five servers in our > > environment. > > > FreeIPA is installed on one of the servers. And the other > servers have > > > Tomcat, Jenkins, Git and Haprxy running on the servers. So > when i am > > > trying to access URL's for this application, for example- Git or > > > Jenkins, It is showing Site is not secured. So basically the > > certificate > > > has been expired. And also I can see the certificates are > from IPA. > > > > > > So now I am looking for a way to renew or create new certs > for my > > > current expired certs, which are from IPA. So that my URLs > will be > > secured. > > > It's been more than a month, But I am not finding a correct > process > > > for this. > > > > > > P.s :- The currently expired certs were created by a System > admin, who > > > is not working for us now. > > > > Ok so /etc/pki/nssdb is not what you want. > > > > Look to see how those services are configured to find where their > > certificate(s) are on the filesystem. > > > > Run getcert list as root to see if the certs were originally > requested > > using certmonger (I'm guessing not since you say they are > expired). > > > > Once you find the cert files you might also find the original > CSR. If > > not you can pretty easily generate a new one using the private > key you > > find. Submit that to IPA using ipa cert_request and that > should resolve > > things for you. > > > > rob > > > > > > > > Thanks & Regards, > > > Azeem > > > > > > On Fri, 22 Mar 2019 at 08:50, Rob Crittenden > <[email protected] <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> wrote: > > > > > > Azim Siddiqui via FreeIPA-users wrote: > > > > Hi Florence, > > > > > > > > I want to extract the private key and certificate to a PEM > > file. > > > > I am talking about the nssdb which is located > in /etc/pki path. > > > > > > > > Content of nssdb :- > > > > certutil -L -d /etc/pki/nssdb/ > > > > > > > > Certificate Nickname > > > Trust > > > > Attributes > > > > > > > > > SSL,S/MIME,JAR/XPI > > > > > > > > IPA.CLEAR-MARKETS.COM <http://IPA.CLEAR-MARKETS.COM> > <http://IPA.CLEAR-MARKETS.COM> > > <http://IPA.CLEAR-MARKETS.COM> > > > <http://IPA.CLEAR-MARKETS.COM> IPA CA > > > > CT,C,C > > > > > > > > > > > > Is this the correct directory to extract the private > key and > > > > certificate? Will it work if I extract the private key > from > > nssdb and > > > > renew the certificate? > > > > > > The threading for this is a bit off so I can't follow the > > reasoning for > > > this. > > > > > > There is no private key in that directory, only the CA > public > > > certificate. If you need that in PEM it is likely already on > > the machine > > > in /etc/ipa/ca.crt. > > > > > > What is your ultimate goal here? > > > > > > rob > > > > > > > > > > > Thanks & Regards, > > > > Azeem > > > > > > > > > > > > On Thu, 21 Mar 2019 at 05:00, Florence Blanc-Renaud > > > <[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > <mailto:[email protected] <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>> wrote: > > > > > > > > On 3/19/19 7:07 PM, Azim Siddiqui wrote: > > > > > Hi, > > > > > > > > > > I was wondering is there any way, I can extract the > > private > > > key and > > > > > certificate from nssdb directory? Bcoz the one key i > > have is not > > > > > matching to the certifficate. > > > > > > > > > Hi > > > > I am insisting, but please keep freeipa-users in copy. > > > > > > > > What do you mean by "extract"? Do you want to > remove the key > > > from the > > > > nssdb? or transform it into another format? > > > > To remove a private key from a nssdb, use the certutil > > command > > > with -F > > > > option. You can find the full format in the man page > > certutil(1). > > > > > > > > If you want to create a PKCS12 file containing the > > private key and > > > > certificate: > > > > pk12util -o keys.p12 -n $alias -d $NSSDB > > > > > > > > If you want a PEM file containing the private key: > > > > pk12util -o keys.p12 -n $alias -d $NSSDB > > > > openssl pkcs12 -in keys.p12 -out cert.key -nodes > > > > > > > > If you want a PEM file containing the cert: > > > > certutil -L -d $NSSDB -n $alias -a -o cert.pem > > > > > > > > But first of all, which NSSDB directory are you > working > > with? > > > A NSSDB > > > > can contain multiple keys and certificates, and also > > certificates > > > > without matching private keys. Can you show the > content of > > > your NSSDB? > > > > certutil -L -d $NSSDB > > > > certutil -K -d $NSSDB > > > > > > > > flo > > > > > Thanks, > > > > > Azeem > > > > > > > > > > On Tue, 19 Mar 2019 at 13:01, Florence Blanc-Renaud > > > > <[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>>> wrote: > > > > > > > > > > On 3/19/19 4:18 PM, Azim Siddiqui wrote: > > > > > > Hi Florence, > > > > > > > > > > > > Thanks for the info. I will check for the > > > ipa cert-find command > > > > > and will > > > > > > send you the output. Actually, when I am > trying to > > > do $ kinit > > > > > admin it > > > > > > is asking for a password. And I am not sure > > about the > > > > password, as I > > > > > > said it was set by the previous system admin. > > > > > > > > > > > Hi > > > > > (re-adding freeipa-users in cc) > > > > > > > > > > if you do kinit -kt /etc/krb5.keytab you > should also > > > have enough > > > > > permissions to perform ipa cert-find. > > > > > > > > > > > And also I can see there is > nssdb directory on the > > > server. > > > > Do you > > > > > by any > > > > > > chance know, what is that for? > > > > > There are many nssdb directories on a > FreeIPA system. > > > For instance > > > > > /etc/ipa/nssdb is the NSS database used by > the ipa * > > > commands. It > > > > > contains the certificates of the trusted > certificate > > > > authorities. You > > > > > can find more information re. NSS databases > in the man > > > page for > > > > > certutil(1). > > > > > > > > > > > > > > > > > If I have the private key on the server, > how can I > > > renew the > > > > > certificate > > > > > > signed by IPA. can you please provide me > the steps. > > > > > If you have the private key in $NSSDB > database you > > just need > > > > to follow > > > > > the steps provided in my first email > > > > > > > > > > > > > > > > (https://lists.fedorahosted.org/archives/list/[email protected]/message/RHHOGPIOFGKFXDZM5OE3DY3RCC7TVCSM/). > > > > > > > > > > flo > > > > > > > > > > > > thanks & Regards, > > > > > > Azeem > > > > > > > > > > > > On Tue, 19 Mar 2019 at 04:57, Florence > Blanc-Renaud > > > > > <[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>> > > > > > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>>>> wrote: > > > > > > > > > > > > On 3/18/19 7:50 PM, Azim Siddiqui wrote: > > > > > > > Hi Florence, > > > > > > > > > > > > > > Thanks for your reply. > > > > > > > I am referring to the > applications. For > > > example, we have > > > > > > > Apache,haproxy,jenkins,git which uses > > certs signed > > > > by IPA. And > > > > > > now when > > > > > > > I am browsing these applications > urls. It is > > > > showing, this > > > > > site > > > > > > is not > > > > > > > secured. > > > > > > > And originally, This cert were created > > by a system > > > > admin, > > > > > who is not > > > > > > > working with us now. So its > getting hard > > for me to > > > > figure out, > > > > > > how can I > > > > > > > create or renew the certs. > > > > > > > > > > > > > > And I don't see any files ssl.conf or > > nss.conf in > > > > the server. > > > > > > > The output for getcert list command > > shows this :- > > > > > > > getcert list > > > > > > > Number of certificates and > requests being > > > tracked: 0. > > > > > > > > > > > > > > > > > > > > > I just want to create a crt and > key file > > signed by > > > > IPA. So > > > > > that I > > > > > > can > > > > > > > use it for the browsers. > > > > > > Hi, > > > > > > > > > > > > please keep the users mailing list in cc, > > so that > > > everyone > > > > > can get > > > > > > involved/see the resolution. > > > > > > > > > > > > It is difficult to provide advice > with so few > > > information. > > > > > Can you > > > > > > start > > > > > > by checking which certificates were > already > > issued by > > > > > FreeIPA, and > > > > > > we'll > > > > > > see if they are expired? > > > > > > > > > > > > $ kinit admin > > > > > > $ ipa cert-find > > > > > > > > > > > > With the full output and based on the > subject > > > you'll be > > > > able to > > > > > > identify > > > > > > the host or service certs that you are > > using for your > > > > > applications. For > > > > > > each of these certs, run > > > > > > $ kinit admin > > > > > > $ ipa cert-show <serial number> > > > > > > and the output will show if the cert > is expired > > > (check the > > > > > Not After > > > > > > field). > > > > > > > > > > > > For an expired cert, you will be able > to renew > > > the cert if > > > > > you still > > > > > > have the private key. The private key > location > > > can be found > > > > > by checking > > > > > > the configuration of your applications. > > > > > > For instance apache on rhel or fedora > > stores its > > > config in > > > > > > /etc/httpd/conf/httpd.conf, which by > default > > > loads the > > > > modules in > > > > > > conf.modules.d/*.conf and the config > files in > > > > conf.d/*.conf. > > > > > > > > > > > > flo > > > > > > > > > > > > > > Thanks, > > > > > > > Azeem > > > > > > > > > > > > > > > > > > > > > On Mon, 18 Mar 2019 at 05:30, Florence > > > Blanc-Renaud > > > > > > <[email protected] > <mailto:[email protected]> <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>> > > > > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>>> > > > > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>> > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>> > > > > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>>>>> wrote: > > > > > > > > > > > > > > On 3/15/19 8:16 PM, Azim > Siddiqui wrote: > > > > > > > > Hi Florence, > > > > > > > > > > > > > > > > Hope you are doing good. I > tried the > > > way you > > > > said. But > > > > > > still, it is > > > > > > > > showing certificate is expired. > > > > > > > > > > > > > > > > Let me be more clear about it. > > > > > > > > > > > > > > > > We have apache running with an > > expired > > > > certificate > > > > > which is > > > > > > > signed by > > > > > > > > FreeIPA. Now I want to renew or > > create > > > a new > > > > > certificate. > > > > > > So can you > > > > > > > > please tell me how can I > renew or > > > create a new > > > > > certificate > > > > > > signed by > > > > > > > > Freeipa. > > > > > > > > As whenever I am going to > the Apache > > > URL from the > > > > > browser, > > > > > > it is > > > > > > > showing > > > > > > > > site is not secured. > > > > > > > > > > > > > > > > Thanks & Regards, > > > > > > > > Azeem > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > (re-adding freeipa-users in CC). > > > > > > > Can you first confirm that you are > > > referring to > > > > a cert for > > > > > > the apache > > > > > > > server *not running on one of the > > FreeIPA > > > masters*? > > > > > > > > > > > > > > Then please explain how you > originally > > > obtained the > > > > > > certificate. Also > > > > > > > include the following information: > > > > > > > - relevant apache > configuration (if > > using > > > > mod_ssl, then > > > > > > > /etc/httpd/conf.d/ssl.conf or > if using > > > mod_nss, > > > > > > > /etc/httpd/conf.d/nss.conf). > > > > > > > - output of getcert list on > the host > > > running apache > > > > > > > > > > > > > > flo > > > > > > > > > > > > > > > On Wed, 19 Dec 2018 at 14:04, > > Florence > > > > Blanc-Renaud > > > > > > > <[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>> > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>> > > > > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>>> > > > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>> > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>> > > > > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>>>> > > > > > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>> > > > > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>>> > > > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>> > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>> > > > > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>>>>>> wrote: > > > > > > > > > > > > > > > > On 12/13/18 4:04 PM, Azim > > Siddiqui via > > > > > FreeIPA-users > > > > > > wrote: > > > > > > > > > Hello, > > > > > > > > > > > > > > > > > > Hope you are doing > good. I > > have > > > a question > > > > > regarding > > > > > > > freeIPA host > > > > > > > > > certificates. > > > > > > > > > We are using FreeIPA as > > our LDAP. We > > > > have some > > > > > > > certificates for > > > > > > > > hosts ex > > > > > > > > > :- http/uat.com > <http://uat.com> > > <http://uat.com> <http://uat.com> > > > <http://uat.com> > > > > <http://uat.com> > > > > > <http://uat.com> <http://uat.com> > > > > > > <http://uat.com> > > > > > > > <http://uat.com>. > > > > > > > > > And we deploying the > certs in > > > Haproxy > > > > in PEM > > > > > format. > > > > > > > > > But the certificates > for this > > > host has > > > > been > > > > > expired. > > > > > > > > > Can you please let > me know > > in detail > > > > how to > > > > > renew > > > > > > my expired > > > > > > > > > certificates for the > hosts. > > > Please provide > > > > > me the > > > > > > commands > > > > > > > and steps. > > > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > from your description I > > understand that > > > > you are > > > > > > referring to > > > > > > > > certificates delivered > by IPA CA > > > for one > > > > of the > > > > > > IPA-enrolled > > > > > > > hosts, but > > > > > > > > not the master's > Server-Cert used > > > for IPA > > > > Web GUI. > > > > > > > > > > > > > > > > In this case, how did you > > obtain the > > > > > certificate? If > > > > > > you used > > > > > > > a method > > > > > > > > similar to what is > described in > > > this wiki > > > > [1], the > > > > > > certificate > > > > > > > > should be > > > > > > > > monitored by certmonger and > > > automatically > > > > renewed. > > > > > > > > > > > > > > > > If you followed instead > this wiki > > > [2], the > > > > > certificate > > > > > > is not > > > > > > > > tracked by > > > > > > > > certmonger and needs to be > > manually > > > renewed. > > > > > You need > > > > > > to do the > > > > > > > > following, assuming > that the cert > > > is in a NSS > > > > > database > > > > > > $NSSDB > > > > > > > on the > > > > > > > > IPA > > > > > > > > client: > > > > > > > > - find the key nickname > > > > > > > > # certutil -K -d $NSSDB > > > > > > > > certutil: Checking > token "NSS > > > Certificate DB" > > > > > in slot "NSS > > > > > > > User Private > > > > > > > > Key and Certificate > Services" > > > > > > > > Enter Password or Pin > for "NSS > > > > Certificate DB": > > > > > > > > < 0> rsa > > > > > > > 7c0646606b33ab683ee4d1790719ebc4154db0f6 NSS > > > > > > > > Certificate > > > > > > > > DB:Server-Cert > > > > > > > > (note the key nickname for > > the next > > > command) > > > > > > > > > > > > > > > > - create a new certificate > > request > > > that will > > > > > re-use the > > > > > > > existing key > > > > > > > > (replace DOMAIN.COM > <http://DOMAIN.COM> > > <http://DOMAIN.COM> > > > <http://DOMAIN.COM> <http://DOMAIN.COM> > > > > <http://DOMAIN.COM> > > > > > <http://DOMAIN.COM> > > > > > > <http://DOMAIN.COM> <http://DOMAIN.COM> > > > > > > > with your IPA domain, in > > > > > > > > uppercase): > > > > > > > > # certutil -R -d $NSSDB > -k "NSS > > > Certificate > > > > > > DB:Server-Cert" -s > > > > > > > > > cn=`hostname,O=DOMAIN.COM <http://DOMAIN.COM> > > <http://DOMAIN.COM> > > > <http://DOMAIN.COM> > > > > <http://DOMAIN.COM> <http://DOMAIN.COM> > > > > > <http://DOMAIN.COM> > > > > > > <http://DOMAIN.COM> > > > > > > > <http://DOMAIN.COM>" -a -o > /tmp/cert.csr > > > > > > > > Enter Password or Pin > for "NSS > > > > Certificate DB": > > > > > > > > > > > > > > > > - request a certificate > using > > the new > > > > > certificate request > > > > > > > > # kinit admin > > > > > > > > # ipa cert-request > > > > --principal=HTTP/`hostname` > > > > > > /tmp/web.csr > > > > > > > > (the output will > display a Serial > > > Number that > > > > > needs to be > > > > > > > noted for the > > > > > > > > next command) > > > > > > > > > > > > > > > > - remove the previous cert > > from the NSS > > > > database: > > > > > > > > # certutil -D -d $NSSDB -n > > Server-Cert > > > > > > > > > > > > > > > > - export the > certificate to a > > file, > > > then > > > > import the > > > > > > > certificate in the > > > > > > > > NSS database: > > > > > > > > # ipa cert-show > $SERIAL_NUMBER > > > > > --out=/tmp/server.crt > > > > > > > > # certutil -A -d $NSSDB -n > > > Server-Cert -t > > > > u,u,u -i > > > > > > > /tmp/server.crt > > > > > > > > > > > > > > > > HTH, > > > > > > > > flo > > > > > > > > > > > > > > > > [1] > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger > > > > > > > > [2] > > > > > > > > > https://www.freeipa.org/page/PKI#Manual_certificate_requests > > > > > > > > > > > > > > > > > FreeIPA, version: 4.2.0 > > > > > > > > > > > > > > > > > > Thanks & Regards, > > > > > > > > > Azeem > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > FreeIPA-users > mailing list -- > > > > > > > > > > [email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>>> > > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>>>> > > > > > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>>> > > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>>>>> > > > > > > > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>>> > > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>>>> > > > > > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]> > > > > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
