Sinh Lam via FreeIPA-users wrote:
> Hi Rob - 
> 
> The chain should be the same.  I’m using a LetsEncrypt certificate and
> have previously had it added but I lapsed in renewing it and now when I
> attempt to update the cert for LDAP it just complains about the peer
> certificate expired.  Instead of renewing - I end up regenerating a new
> certificate so hopefully I won’t make a bigger mess of things.  

So you're good then with the new cert?

Note that LE *did* recently change their chaining, so be aware of that.

rob

> 
> Thanks again.
> 
> Sinh
> 
> 
> 
> On January 26, 2021 at 12:02:26 PM, Rob Crittenden ([email protected]) wrote:
> 
>> Sinh Lam via FreeIPA-users wrote:
>> > Hi Rob - 
>> >  
>> > Do you have any instructions on manually doing this?  I asked a similar
>> > question a while ago but (excuses aside) I haven't responded back with
>> > the requested info.  The http cert was updated but I can't seem to get
>> > the 389-ds certificate to update as well.
>>
>> Assuming the new certificate is from the existing private key and the CA
>> chaining hasn't changed then all that needs to happen is to install the
>> updated certificate. To do so:
>>
>> # systemctl stop dirsrv.target
>> # grep nsSSLPersonalitySSL /etc/dirsrv/slapd-REALM/dse.ldif
>> nsSSLPersonalitySSL: SOMETHING
>> <make a backup/copy of /etc/dirsrv/slapd-REALM/*.db>
>> # certutil -A -d /etc/dirsrv/slapd-REALM -n SOMETHING -t u,u,u -a -i /path/to/certificate.pem
>> # systemctl start dirsrv.target
>>
>> Similarly for the Apache cert stop Apache, backup the cert, copy the new
>> one, restart. The cert is stored as a PEM in /var/lib/ipa/certs/httpd.crt
>>
>> Let me stress again that doing this without ensuring that the private
>> key and the chaining hasn't changed will only make things worse.
>>
>> rob
>>
>> >  
>> >  
>> >  
>> > On January 26, 2021 at 10:17:08 AM, Rob Crittenden via FreeIPA-users
>> > ([email protected]) wrote:
>> >  
>> >> Ahmed ElShafaie via FreeIPA-users wrote:
>> >> > Florence
>> >> > Thank you so much I really appreciated your help.
>> >> > I already did that, creating a new ticket using "kinit admin", and it
>> >> > accepts the password. But when I apply ipa-certupdate it returns
>> >> > "ipa: ERROR: Insufficient access:  Invalid credentials"
>> >> >
>> >> > Even the DM password is correct.
>> >> >
>> >> > Second, the certificate was created almost a month after. Is there a
>> >> > solution for that?
>> >>
>> >> Are these renewed certificates from the same issuer using the same
>> >> private key? Is the CA chain the same? Is this both the Apache and the
>> >> 389-ds certificate?
>> >>
>> >> If so then it should be fairly straightforward to manually replace the
>> >> certificates.
>> >>
>> >> rob
>> >> _______________________________________________
>> >> FreeIPA-users mailing list -- [email protected]
>> >> To unsubscribe send an email to [email protected]
>> >> Fedora Code of Conduct:
>> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> >> List Archives:
>> >> https://lists.fedorahosted.org/archives/list/[email protected]
>>
>> >  
>>
>> >  
>>
> 
> 
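Rob's caveat (the renewed cert must use the existing private key and the same CA chain, or the certutil step makes things worse) can be checked before touching the NSS database. This is an added example, not code from the thread or from FreeIPA; it assumes openssl and certutil are installed, and that the db directory and nickname are the ones read from dse.ldif.

```shell
#!/bin/bash
# Pre-flight check before manually importing a renewed certificate into the
# 389-ds NSS database. Paths and nicknames below are assumptions, not real values.
set -u

# Export the certificate currently installed under NICK in NSS db DIR as PEM.
# e.g. nss_export_current /etc/dirsrv/slapd-REALM SOMETHING > current.pem
nss_export_current() {
    certutil -L -d "$1" -n "$2" -a
}

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM cert: same value means
# the cert was issued for the same private key that sits in the NSS db.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Issuer DN of a PEM cert; a changed issuer means the chain in the db is stale.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# renewal_precheck CURRENT.pem NEW.pem
# Returns 0 only if NEW matches CURRENT's key and issuer and is not expired.
renewal_precheck() {
    local cur=$1 new=$2
    if [ "$(cert_pubkey_fp "$cur")" != "$(cert_pubkey_fp "$new")" ]; then
        echo "FAIL: public key differs; new cert does not match the key in the NSS db" >&2
        return 1
    fi
    if [ "$(cert_issuer "$cur")" != "$(cert_issuer "$new")" ]; then
        echo "FAIL: issuer differs; import the new CA chain before the server cert" >&2
        return 2
    fi
    if ! openssl x509 -in "$new" -noout -checkend 0 >/dev/null; then
        echo "FAIL: new certificate is already expired" >&2
        return 3
    fi
    echo "OK: same key, same issuer, not expired; safe to certutil -A"
}
```

Run it as `renewal_precheck current.pem /path/to/certificate.pem` after exporting the installed cert with nss_export_current; a non-zero exit means stop and fix the key or chain first.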