On 6/10/20 4:13 PM, Ricardo Mendes via FreeIPA-users wrote:
# certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
DSTRootCAX3                                                  C,,
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
letsencryptx3                                                C,,
letsencryptx3                                                C,,
ISRGRootCAX1                                                 C,,
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]


Hi,

ipa-cert-fix man page explicitly states that it cannot renew certificates signed by external CAs:

----- 8< -----
This tool cannot renew certificates signed by external CAs.  To install
new, externally-signed HTTP, LDAP or KDC certificates, use  ipa-server-
certinstall(1).
----- >8 -----

In your case, you need to use the ipa-server-certinstall command to replace the expired letsencrypt certs:
- change the date on the server to a date when the certificate was still valid
- start IPA services (except ntpd/chronyd, otherwise the date will be reset)
- use ipa-server-certinstall as described in "Installing Third-Party Certificates for HTTP or LDAP" [1] with the new certificates
- set the date back to the real current date

A few additional tips:
- when some services fail to start and trigger the shutdown of the whole IPA stack, you can use the --ignore-service-failures option of ipactl:
# ipactl start --ignore-service-failures

- ipaCert is not stored any more in the NSS database /etc/httpd/alias, it is now in /var/lib/ipa/ra-agent.{key|pem}

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#third-party-certs-http-ldap
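The four steps in the reply above, put together as one script. This is an added example, not code from the thread or from the FreeIPA project: the certificate and key paths, the choice of rollback date (the day before the old certificate's notAfter), and the chronyd/ntpd handling are assumptions; the ipa-server-certinstall, ipactl, ipa-cacert-manage and ipa-certupdate invocations are the documented ones for replacing HTTP (-w) and LDAP (-d) certificates.

```bash
#!/bin/bash
# Added example, not from the thread or the FreeIPA project: roll the clock
# back to a date on which the expired certs were still valid, bring IPA up,
# install the new externally-signed HTTP/LDAP certs, then restore real time.
# Run as root on the IPA server. Paths, dates and the time-sync handling
# (chronyd/ntpd) are assumptions; adjust them to the host.
set -euo pipefail

# notAfter of a PEM certificate, normalised to YYYY-MM-DD (needs openssl).
cert_not_after() {
  local raw
  raw=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  date -u -d "$raw" +%Y-%m-%d
}

# The day before a YYYY-MM-DD notAfter: a safe date to roll the clock back to.
# Requires GNU date.
rollback_date() {
  date -u -d "$1 -1 day" +%Y-%m-%d
}

# Succeeds only if $3 lies inside [notBefore=$1, notAfter=$2). The chosen
# rollback date must satisfy this for every expired cert IPA will load.
within_validity() {
  local nb na t
  nb=$(date -u -d "$1" +%s)
  na=$(date -u -d "$2" +%s)
  t=$(date -u -d "$3" +%s)
  if [ "$t" -ge "$nb" ] && [ "$t" -lt "$na" ]; then
    return 0
  fi
  return 1
}

# The procedure from the reply. $1 = new cert (PEM), $2 = its key (PEM),
# $3 = the old, expired cert the rollback date is derived from.
replace_external_certs() {
  local new_cert=$1 new_key=$2 old_cert=$3 back_to
  back_to=$(rollback_date "$(cert_not_after "$old_cert")")

  # 1. Stop time synchronisation first, or the rolled-back date is undone.
  systemctl stop chronyd 2>/dev/null || systemctl stop ntpd 2>/dev/null || true
  date -u -s "$back_to 12:00:00"

  # 2. Start IPA; a service that still fails must not take the stack down.
  ipactl start --ignore-service-failures

  # 3. Install the new certs for HTTP (-w) and LDAP (-d). If they chain to a
  #    CA that IPA does not trust yet, run  ipa-cacert-manage install <ca.pem>
  #    followed by  ipa-certupdate  before this step. Prompts for the
  #    Directory Manager password unless -p is given.
  ipa-server-certinstall -w -d "$new_cert" "$new_key"
  ipactl restart

  # 4. Back to real time: restart the NTP client and step the clock.
  #    Verify with  date -u  afterwards; set it by hand with date -u -s if
  #    the client has not stepped yet.
  systemctl start chronyd 2>/dev/null || systemctl start ntpd
  chronyc makestep 2>/dev/null || true
}

# usage: ./replace-ipa-certs.sh --run new.pem new.key old-expired.pem
if [ "${1:-}" = "--run" ]; then
  replace_external_certs "$2" "$3" "$4"
fi
```

The date helpers are separated from the procedure so the rollback date can be checked against every affected certificate (notBefore as well as notAfter) before anything on the server is touched; with several externally-signed certs that expired at different times, pick the earliest notAfter.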