Hello all,
I am hoping to get some help on my ssl certificate replacement issues that I am 
having on my IPA server. The SSL certificate that the web interface uses (third 
party signed) expired, and I am having a hell of a time getting it replaced 
properly. To add to the problems, my root and issuer expired a few months ago 
and have been replaced. This means that the new certificate has been signed by 
a different issuer.

The stage:
Server:     Oracle Linux 7.9
IPA Version:      4.6.8
Certificate Info:     Signed by my issuer (ICA) which is signed by the root, so 
server > issuer > root is the entire chain.

Here is what I have done, in order, so far:
# Create a pfx that includes the server name as SAN DNS name, and CN name. 
Standard process..

# Delete the old chain files that are expired
certutil -D -d /etc/httpd/alias -n “MY OLD ROOT”
certutil -D -d /etc/httpd/alias -n “MY OLD ISSUER”
certutil -D -d /etc/pki/pki-tomcat/alias -n “MY OLD ROOT”
certutil -D -d /etc/pki/pki-tomcat/alias -n “MY OLD ISSUER”
certutil -D -d /etc/dirsrv/slapd-IDM-DOMAIN-COM -n “MY OLD ROOT”
certutil -D -d /etc/dirsrv/slapd-IDM-DOMAIN-COM “MY OLD ISSUER”

# Import the new chain files
certutil -A -d /etc/httpd/alias -n “root” -t CT,C,C -a -I root.pem
certutil -A -d /etc/httpd/alias -n “issuer” -t CT,C,C -a -I issuer.pem
certutil -A -d /etc/pki/pki-tomcat/alias -n “root” -t CT,C,C -a -I root.pem
certutil -A -d /etc/pki/pki-tomcat/alias -n “issuer” -t CT,C,C -a -I issuer.pem
certutil -A -d /etc/dirsrv/slapd-IDM-DOMAIN-COM -n “root” -t CT,C,C -a -I 
root.pem
certutil -A -d /etc/dirsrv/slapd-IDM-DOMAIN-COM “issuer” -t CT,C,C -a -I 
issuer.pem

# Verified 
certutil -L -d /etc/httpd/alias
certutil -L -d /etc/pki/pki-tomcat/alias
certutil -L -d /etc/dirsrv/slapd-IDM-DOMAIN-COM

# Start ipa as much as it can
ipactl restart --ignore-service-failure

# Install new cert 
ipa-server-certinstall -w ipa-srv-01.pfx
ipa-server-certinstall -d ipa-srv-01.pfx

# Restart things
systemctl restart httpd dirsrv@*
ipactl restart

At this point, things look good. The ipactl status shows “running” on all 
services and the GUI comes up in my browser with a valid, https certificate. I 
am unable to log in and any type of “ipa” command ran from command line throws 
this error:

ipa: ERROR: cannot connect to https://ipa-srv-01.domain.com/ipa/json: [SSL: 
CERTIFICATE_VERIFY_FAILED]

The only error I can find is under /var/log/httpd/error_log:

SSL Library Error: the server has rejected your certificate as expired
INFO: 401 unauthorized: [SSL: CERTIFICATE_VERIFY FAILED]

Oddly, I can run openssl s_client -showcerts -connect ipa….:443 and the 
certificate returned to me is the valid, new certificate and chain. Is there 
another location that I possibly missed? I have no idea what httpd is trying to 
use. 

I am really confused as to why openssl returns the proper cert but the commands 
are saying its expired?

Thanks all!
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to