On Mon, 20 Jan 2020, Rob Crittenden wrote:
> Florence Blanc-Renaud via FreeIPA-users wrote:
> > Sure, you can follow a manual process to remove the self-signed cert:
> > 1- use ldapmodify in order to remove the cert from the LDAP database.
> > You need first to find the exact dn, and then the exact
> > cACertificate;binary attribute to delete. It will be stored below
> > cn=certificates,cn=ipa,cn=etc,$BASEDN.
> > 2- on all the IPA servers, use "certutil -D -d </path/to/db> -n <nickname>"
> > to remove the cert from the following databases:
> > /etc/dirsrv/slapd-DOMAIN-COM
> > /etc/httpd/alias
> > /etc/pki/pki-tomcat/alias/
> > /etc/ipa/nssdb
> > 3- on all IPA servers and clients, run ipa-certupdate; this command will
> > remove the cert from
> > /usr/share/ipa/html/ca.crt
> > /var/kerberos/krb5kdc/cacert.pem
> > /etc/ipa/ca.crt
> > /var/lib/ipa-client/pki/kdc-ca-bundle.pem
> > /var/lib/ipa-client/pki/ca-bundle.pem
> Thanks for this.
> But as Fraser pointed out, there is no need to re-issue the other certs.
> He wants to re-issue them because while they are validly signed by the
> right key they aren't bound by the dates of the CA apparently.
Correct -- the lifetimes are all hosed, and the installed/served
certificate chains are wrong in numerous places. If nothing else, the
reissued certs at least make it clear which is which. Ongoing issues:
- All of the certificates with the excessive lifetimes should probably
also be removed or revoked after reissue, and I'd prefer to lose the
pile of expired certs as well
- ipa-certupdate won't work on any client which still only knows about the
now-expired IPA CA, which is more than half -- and the rest have all
three chains. There are a few CentOS 6 boxes in the mix, so I guess I
have to figure this out manually either way.
- ipa-certupdate only works at all when run as root with a valid Kerberos
ticket for an admin user, which is difficult when the root account isn't
allowed to login and/or spawn interactive shells
- All now-destroyed replicas need to be rebuilt/replaced, using that to
move up to a current 4.8.x release, and then deal with all the ID /
serial / etc. skew even though replicas are replaced with themselves
I'm still not convinced I wouldn't be better off just trashing what's left
of it and starting over, especially considering that there's only a
handful of users and that I'm going to need to break in to or replace
nearly every host anyway...
-Rob
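Step 1 of the manual process Florence describes is the fiddly one: the old and re-issued CA certs can sit in the same entry under cn=certificates,cn=ipa,cn=etc,$BASEDN as separate cACertificate;binary values, so the ldapmodify must delete the exact value, not the attribute. The following is an added example, not code from the thread or from FreeIPA: it parses an ldapsearch LDIF dump, locates the value matching the DER bytes of the cert to remove, and emits the delete LDIF. The LDIF text, DNs and DER bytes are constructed sample data.

```python
import base64
# Constructed sample (not real certificates): an ldapsearch LDIF dump of cn=certificates
# where the old and re-issued IPA CA certs are two cACertificate;binary values of
# one entry, the first one folded over two lines as ldapsearch does.
OLD_DER = b"\x30\x03\x02\x01\x01"   # stand-in for the self-signed cert's DER bytes
SAMPLE_LDIF = """dn: cn=EXAMPLE.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
cn: EXAMPLE.TEST IPA CA
cACertificate;binary:: MAMC
 AQE=
cACertificate;binary:: MAMCAQI=

dn: cn=Other CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
cn: Other CA
cACertificate;binary:: MAMCAQI=
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [bytes, ...]})], unfolding folded lines, decoding '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation line: append to previous
        else:
            lines.append(raw)
    entries, attrs, dn = [], {}, None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        else:
            attr, _, val = line.partition(":")
            value = base64.b64decode(val[1:].strip()) if val.startswith(":") else val.strip().encode()
            attrs.setdefault(attr, []).append(value)
    return entries

def find_cert_value(entries, der, base_dn):
    """(dn, attribute) pairs under cn=certificates,cn=ipa,cn=etc,$BASEDN holding exactly this DER."""
    suffix = f"cn=certificates,cn=ipa,cn=etc,{base_dn}".lower()
    return [(dn, attr) for dn, attrs in entries if dn.lower().endswith(suffix)
            for attr, values in attrs.items()
            if attr.lower() == "cacertificate;binary" and der in values]

def delete_ldif(dn, attr, der):
    """ldapmodify input that deletes only this one value, leaving the other certs in place."""
    b64 = base64.b64encode(der).decode()
    return f"dn: {dn}\nchangetype: modify\ndelete: {attr}\n{attr}:: {b64}\n-\n"
```

Pipe the returned LDIF into ldapmodify; steps 2 and 3 (certutil -D on each NSS database, then ipa-certupdate) are unchanged.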
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]