Hello all, I am hoping to get some help on my ssl certificate replacement issues that I am having on my IPA server. The SSL certificate that the web interface uses (third party signed) expired, and I am having a hell of a time getting it replaced properly. To add to the problems, my root and issuer expired a few months ago and have been replaced. This means that the new certificate has been signed by a different issuer.
The stage: Server: Oracle Linux 7.9 IPA Version: 4.6.8 Certificate Info: Signed by my issuer (ICA) which is signed by the root, so server > issuer > root is the entire chain. Here is what I have done, in order, so far: # Create a pfx that includes the server name as SAN DNS name, and CN name. Standard process.. # Delete the old chain files that are expired certutil -D -d /etc/httpd/alias -n “MY OLD ROOT” certutil -D -d /etc/httpd/alias -n “MY OLD ISSUER” certutil -D -d /etc/pki/pki-tomcat/alias -n “MY OLD ROOT” certutil -D -d /etc/pki/pki-tomcat/alias -n “MY OLD ISSUER” certutil -D -d /etc/dirsrv/slapd-IDM-DOMAIN-COM -n “MY OLD ROOT” certutil -D -d /etc/dirsrv/slapd-IDM-DOMAIN-COM “MY OLD ISSUER” # Import the new chain files certutil -A -d /etc/httpd/alias -n “root” -t CT,C,C -a -I root.pem certutil -A -d /etc/httpd/alias -n “issuer” -t CT,C,C -a -I issuer.pem certutil -A -d /etc/pki/pki-tomcat/alias -n “root” -t CT,C,C -a -I root.pem certutil -A -d /etc/pki/pki-tomcat/alias -n “issuer” -t CT,C,C -a -I issuer.pem certutil -A -d /etc/dirsrv/slapd-IDM-DOMAIN-COM -n “root” -t CT,C,C -a -I root.pem certutil -A -d /etc/dirsrv/slapd-IDM-DOMAIN-COM “issuer” -t CT,C,C -a -I issuer.pem # Verified certutil -L -d /etc/httpd/alias certutil -L -d /etc/pki/pki-tomcat/alias certutil -L -d /etc/dirsrv/slapd-IDM-DOMAIN-COM # Start ipa as much as it can ipactl restart --ignore-service-failure # Install new cert ipa-server-certinstall -w ipa-srv-01.pfx ipa-server-certinstall -d ipa-srv-01.pfx # Restart things systemctl restart httpd dirsrv@* ipactl restart At this point, things look good. The ipactl status shows “running” on all services and the GUI comes up in my browser with a valid, https certificate. I am unable to log in and any type of “ipa” command ran from command line throws this error: ipa: ERROR: cannot connect to https://ipa-srv-01.domain.com/ipa/json: [SSL: CERTIFICATE_VERIFY_FAILED] The only error I can find is under /var/log/httpd/error_log: SSL Library Error: the server has rejected your certificate as expired INFO: 401 unauthorized: [SSL: CERTIFICATE_VERIFY FAILED] Oddly, I can run openssl s_client -showcerts -connect ipa….:443 and the certificate returned to me is the valid, new certificate and chain. Is there another location that I possibly missed? I have no idea what httpd is trying to use. I am really confused as to why openssl returns the proper cert but the commands are saying its expired? Thanks all! -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue