Sinh Lam via FreeIPA-users wrote:
> I haven’t had the chance to try this out. My plan was to spin up a
> backup of the current server and try these settings there and go from
> there. The less chance that I’ll need to re-do everything going that route.

A user made some nice enhancements to
https://github.com/freeipa/freeipa-letsencrypt/ recently which simplifies
obtaining and installing the LE chain. It requires a working IPA server.

rob

>
> On January 28, 2021 at 10:59:15 AM, Rob Crittenden ([email protected]) wrote:
>
>> Sinh Lam via FreeIPA-users wrote:
>> > Hi Rob -
>> >
>> > The chain should be the same. I’m using a LetsEncrypt certificate and
>> > have previously had it added but I lapsed in renewing it and now when I
>> > attempt to update the cert for LDAP it just complains about the peer
>> > certificate expired. Instead of renewing - I end up regenerating a new
>> > certificate so hopefully I won’t make a bigger mess of things.
>>
>> So you're good then with the new cert?
>>
>> Note that LE *did* recently change their chaining, so be aware of that.
>>
>> rob
>>
>> >
>> > Thanks again.
>> >
>> > Sinh
>> >
>> > On January 26, 2021 at 12:02:26 PM, Rob Crittenden ([email protected]) wrote:
>> >
>> >> Sinh Lam via FreeIPA-users wrote:
>> >> > Hi Rob -
>> >> >
>> >> > Do you have any instructions on manually doing this? I asked a similar
>> >> > question a while ago (and excuses aside) but I haven’t responded back
>> >> > with the requested info. The http cert was updated but I can’t seem to
>> >> > get the 389-ds certificate to update as well.
>> >>
>> >> Assuming the new certificate is from the existing private key and the CA
>> >> chaining hasn't changed then all that needs to happen is to install the
>> >> updated certificate. To do so:
>> >>
>> >> # systemctl stop dirsrv.target
>> >> # grep nsSSLPersonalitySSL /etc/dirsrv/slapd-REALM/dse.ldif
>> >> nsSSLPersonalitySSL: SOMETHING
>> >> <make a backup/copy of /etc/dirsrv/slapd-REALM/*.db>
>> >> # certutil -A -d /etc/dirsrv/slapd-REALM -n SOMETHING -t u,u,u -a -i /path/to/certificate.pem
>> >> # systemctl start dirsrv.target
>> >>
>> >> Similarly for the Apache cert stop Apache, backup the cert, copy the new
>> >> one, restart. The cert is stored as a PEM in /var/lib/ipa/certs/httpd.crt
>> >>
>> >> Let me stress again that doing this without ensuring that the private
>> >> key and the chaining hasn't changed will only make things worse.
>> >>
>> >> rob
>> >>
>> >> > On January 26, 2021 at 10:17:08 AM, Rob Crittenden via FreeIPA-users ([email protected]) wrote:
>> >> >
>> >> >> Ahmed ElShafaie via FreeIPA-users wrote:
>> >> >> > Florence
>> >> >> > Thank you so much, I really appreciated your help.
>> >> >> > I already did that creating a new ticket using "kinit admin" and it
>> >> >> > accepts the password, but when I apply ipa-certupdate it returns
>> >> >> > "ipa: ERROR: Insufficient access: Invalid credentials"
>> >> >> >
>> >> >> > Even the DM password is correct.
>> >> >> >
>> >> >> > Second, the certificate created almost a month after. Is there a
>> >> >> > solution for that?
>> >> >>
>> >> >> Are these renewed certificates from the same issuer using the same
>> >> >> private key? Is the CA chain the same? Is this both the Apache and the
>> >> >> 389-ds certificate?
>> >> >>
>> >> >> If so then it should be fairly straightforward to manually replace the
>> >> >> certificates.
>> >> >>
>> >> >> rob
>> >> >> _______________________________________________
>> >> >> FreeIPA-users mailing list -- [email protected]
>> >> >> To unsubscribe send an email to [email protected]
>> >> >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> >> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> >> >> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
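Rob's two preconditions in the quoted procedure (the replacement cert belongs to the existing private key, and the CA chain has not changed) can be checked before anything is stopped, backed up or imported. The script below is an added example, not from the thread or from the FreeIPA project: it uses openssl for the comparisons and certutil only to export the cert currently bound to the 389-ds nickname. The httpd PEM paths, the slapd-REALM directory and the SOMETHING nickname are assumptions/placeholders taken from the thread and must be adjusted to the real server.

```shell
#!/bin/sh
# Added example (not part of the thread): pre-flight checks for a manual
# FreeIPA certificate swap. Confirms with openssl that the replacement cert
#   (1) verifies against the CA bundle you intend to trust (the LE chain),
#   (2) carries the same public key as the Apache private key and as the
#       cert currently installed in the 389-ds NSS database, and
#   (3) names the same issuer DN as the cert it replaces.
# Assumed/placeholder values: IPA's PEM paths for httpd, the slapd-REALM
# directory and the SOMETHING nickname from nsSSLPersonalitySSL.
set -u

# SHA-256 over the PEM SubjectPublicKeyInfo of a certificate; prints nothing
# (and fails) if the file is not a readable certificate.
spki_fp() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# The same digest derived from a PEM private key, so the two are comparable.
key_spki_fp() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Two empty fingerprints would compare equal, so an empty one is a mismatch.
_same_fp() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# 0 if certificate $1 was issued for private key $2.
cert_matches_key() {
    _same_fp "$(spki_fp "$1")" "$(key_spki_fp "$2")"
}

# 0 if certificates $1 and $2 carry the same public key.
same_public_key() {
    _same_fp "$(spki_fp "$1")" "$(spki_fp "$2")"
}

# 0 if certificates $1 and $2 name the same issuer DN.
same_issuer() {
    i1=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null)
    i2=$(openssl x509 -in "$2" -noout -issuer 2>/dev/null)
    [ -n "$i1" ] && [ "$i1" = "$i2" ]
}

# 0 if certificate $1 verifies against CA bundle $2 (e.g. the LE chain.pem).
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Assumed locations (placeholders; adjust REALM and the nickname).
HTTPD_CRT=${HTTPD_CRT:-/var/lib/ipa/certs/httpd.crt}
HTTPD_KEY=${HTTPD_KEY:-/var/lib/ipa/private/httpd.key}
DS_DB=${DS_DB:-/etc/dirsrv/slapd-REALM}
DS_NICK=${DS_NICK:-SOMETHING}

# preflight NEW_CERT CHAIN: run every check, report each, return non-zero
# if any fails. Nothing is stopped, copied or imported here.
preflight() {
    new=$1; chain=$2; rc=0
    chains_to "$new" "$chain" \
        || { echo "FAIL: $new does not verify against $chain (chain changed?)"; rc=1; }
    if [ -r "$HTTPD_KEY" ]; then
        cert_matches_key "$new" "$HTTPD_KEY" \
            || { echo "FAIL: $new was not issued for $HTTPD_KEY"; rc=1; }
    fi
    if [ -r "$HTTPD_CRT" ]; then
        same_issuer "$new" "$HTTPD_CRT" \
            || { echo "FAIL: issuer DN differs from $HTTPD_CRT"; rc=1; }
    fi
    if command -v certutil >/dev/null 2>&1 && [ -d "$DS_DB" ]; then
        cur=$(mktemp)
        # Export the cert currently bound to the nickname as PEM (-a).
        certutil -L -d "$DS_DB" -n "$DS_NICK" -a >"$cur" 2>/dev/null
        same_public_key "$new" "$cur" \
            || { echo "FAIL: public key differs from 389-ds cert '$DS_NICK'"; rc=1; }
        rm -f "$cur"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $new passed every check"
    return "$rc"
}

# Usage: sh preflight.sh /path/to/certificate.pem /path/to/chain.pem
if [ $# -ge 2 ]; then
    preflight "$1" "$2"
fi
```

Run it before the `systemctl stop dirsrv.target` step. A chain that no longer verifies against the bundle you expected is exactly the LE chain change Rob warns about; a key mismatch means the cert was regenerated with a new key, which is the case the quoted procedure explicitly does not cover. Fingerprints are taken over the PEM public key so the log shows a short value, and an unreadable file yields an empty fingerprint that is treated as a mismatch rather than letting two failures compare equal.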
