Hi,

On Fri, Jun 13, 2025 at 8:07 PM Ty zang via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello all,
> I am hoping to get some help on my ssl certificate replacement issues that
> I am having on my IPA server. The SSL certificate that the web interface
> uses (third party signed) expired, and I am having a hell of a time getting
> it replaced properly. To add to the problems, my root and issuer expired a
> few months ago and have been replaced. This means that the new certificate
> has been signed by a different issuer.
>
> The stage:
> Server: Oracle Linux 7.9
> IPA Version: 4.6.8
> Certificate Info: Signed by my issuer (ICA) which is signed by the root,
> so server > issuer > root is the entire chain.
>
> Here is what I have done, in order, so far:
> # Create a pfx that includes the server name as SAN DNS name, and CN name.
> Standard process.
>
> # Delete the old chain files that are expired
> certutil -D -d /etc/httpd/alias -n "MY OLD ROOT"
> certutil -D -d /etc/httpd/alias -n "MY OLD ISSUER"
> certutil -D -d /etc/pki/pki-tomcat/alias -n "MY OLD ROOT"
> certutil -D -d /etc/pki/pki-tomcat/alias -n "MY OLD ISSUER"
> certutil -D -d /etc/dirsrv/slapd-IDM-DOMAIN-COM -n "MY OLD ROOT"
> certutil -D -d /etc/dirsrv/slapd-IDM-DOMAIN-COM -n "MY OLD ISSUER"
>
> # Import the new chain files
> certutil -A -d /etc/httpd/alias -n "root" -t CT,C,C -a -i root.pem
> certutil -A -d /etc/httpd/alias -n "issuer" -t CT,C,C -a -i issuer.pem
> certutil -A -d /etc/pki/pki-tomcat/alias -n "root" -t CT,C,C -a -i root.pem
> certutil -A -d /etc/pki/pki-tomcat/alias -n "issuer" -t CT,C,C -a -i issuer.pem
> certutil -A -d /etc/dirsrv/slapd-IDM-DOMAIN-COM -n "root" -t CT,C,C -a -i root.pem
> certutil -A -d /etc/dirsrv/slapd-IDM-DOMAIN-COM -n "issuer" -t CT,C,C -a -i issuer.pem
>
> # Verified
> certutil -L -d /etc/httpd/alias
> certutil -L -d /etc/pki/pki-tomcat/alias
> certutil -L -d /etc/dirsrv/slapd-IDM-DOMAIN-COM
>
> # Start ipa as much as it can
> ipactl restart --ignore-service-failure
>
> # Install new cert
> ipa-server-certinstall -w ipa-srv-01.pfx
> ipa-server-certinstall -d ipa-srv-01.pfx
>
> # Restart things
> systemctl restart httpd dirsrv@*
> ipactl restart
>
> At this point, things look good. The ipactl status shows "running" on all
> services and the GUI comes up in my browser with a valid, https
> certificate. I am unable to log in and any type of "ipa" command run from
> the command line throws this error:
>
> ipa: ERROR: cannot connect to https://ipa-srv-01.domain.com/ipa/json:
> [SSL: CERTIFICATE_VERIFY_FAILED]
>
> The only error I can find is under /var/log/httpd/error_log:
>
> SSL Library Error: the server has rejected your certificate as expired
> INFO: 401 unauthorized: [SSL: CERTIFICATE_VERIFY FAILED]
>

There are other places where the CA certificate is stored. In your case, I think the CA cert is missing from the file /etc/ipa/ca.crt.

Under normal circumstances (when everything is still valid), one needs to run the command (on one of the servers)

ipa-cacert-manage install -t CT,C,C /path/to/new/ca.crt

and then (on all the servers/replicas/clients)

ipa-certupdate

as the first command puts the new CA cert in the LDAP database and the second one downloads the CA certs from LDAP and populates all the files where the cert is needed.

If they fail, you can manually edit /etc/ipa/ca.crt and add the new CA cert there.

HTH,
flo

> Oddly, I can run openssl s_client -showcerts -connect ipa….:443 and the
> certificate returned to me is the valid, new certificate and chain. Is
> there another location that I possibly missed? I have no idea what httpd is
> trying to use.
>
> I am really confused as to why openssl returns the proper cert but the
> commands are saying it's expired?
>
> Thanks all!
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue