Ian Stokes-Rees wrote:
Hello,

We have a deployment of IPA that we have been using successfully for 185
days. We are 3 days past the "half year" mark, and the self-signed cert
that was created with the original IPA install (FreeIPA v2 alpha) has
expired. I have created a new self-signed cert, PKCS#12 format, but I
cannot load it using the command:

ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 --dirsrv_pin=ldap


When I try this, I am asked for:

Directory Manager password:


And I have no idea what this would be. I've tried the Kerberos "admin"
password (used with "kinit admin"), and the root password. I don't know
what other passwords would work.

Is there some way to force this, or reset it, without starting from
scratch? The added challenge is that the person who set up this version
of FreeIPA went on vacation for 2 weeks, so I have minimal background
with FreeIPA from an admin/install perspective.

Just so I have the full context, where did the original self-signed cert come from? The initial cert should have been good for 12 months so I'm a little confused. Do you know where the initial certificate came from?

You're running a pretty old build so maybe we didn't have this quite working, but we use a tool named certmonger to keep the SSL certificates valid. It could be that we weren't using certmonger then, or not enabling it correctly, I'm not sure. If you want to see, then as root run: ipa-getcert list. This will show you the certificates that certmonger is monitoring (and I suppose it could be none, or you could get a DBus error).

Since your infrastructure is probably down because of this here are the instructions you need to get going again. I hesitate because I don't want to make things worse for you by not understanding the history.

The Directory Manager is essentially the super-user of 389-ds. It gets a separate password when IPA is installed. See these instructions for resetting it: http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

I'm also curious why only the 389-ds cert has expired and not the Apache cert (or maybe you haven't noticed it yet). 'certutil -L -d /etc/httpd/alias -n Server-Cert' will show you.

rob
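The two checks in the reply above (ipa-getcert list to see what certmonger tracks, and certutil -L -d /etc/httpd/alias -n Server-Cert to read the Apache cert) are the manual form of what an operator really wants: notice an expiring certificate before it takes the directory and web server down. The script below is an added example, not code from this thread or from FreeIPA, that parses the Validity block of certutil's single-certificate output and reports days remaining. The sample certutil text, the hostname and the dates in it are constructed; read_nss_cert is a hypothetical wrapper around the certutil command Rob cites, and is only called when you point it at a real NSS database.

```python
"""Report days to expiry for an NSS certificate from certutil -L output.

Added example (not from the mailing-list thread or the FreeIPA project).
The constructed sample below mimics the `Not Before:` / `Not After :` lines
that NSS certutil prints when you pretty-print one certificate with -n.
"""
import re
import subprocess
from datetime import datetime

# certutil prints e.g. "            Not After : Fri Jan 20 10:00:00 2012"
NOT_BEFORE_RE = re.compile(r"^\s*Not Before\s*:\s*(.+?)\s*$", re.MULTILINE)
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.MULTILINE)
CERTUTIL_DATE_FMT = "%a %b %d %H:%M:%S %Y"


def _as_datetime(now):
    """Accept a datetime or an ISO 8601 string such as '2012-01-01 10:00:00'."""
    return now if isinstance(now, datetime) else datetime.fromisoformat(now)


def parse_validity(certutil_output):
    """Return (not_before, not_after) datetimes parsed from certutil text."""
    before = NOT_BEFORE_RE.search(certutil_output)
    after = NOT_AFTER_RE.search(certutil_output)
    if not before or not after:
        raise ValueError("no Validity block found in certutil output")
    return (datetime.strptime(before.group(1), CERTUTIL_DATE_FMT),
            datetime.strptime(after.group(1), CERTUTIL_DATE_FMT))


def days_remaining(certutil_output, now):
    """Whole days until 'Not After'; negative once the certificate has expired."""
    _, not_after = parse_validity(certutil_output)
    return (not_after - _as_datetime(now)).days


def classify(certutil_output, now, warn_days=30):
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    days = days_remaining(certutil_output, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def read_nss_cert(db_dir, nickname):
    """Hypothetical wrapper: run the certutil command from the thread for one nickname.

    Example: read_nss_cert("/etc/httpd/alias", "Server-Cert")
    """
    return subprocess.check_output(
        ["certutil", "-L", "-d", db_dir, "-n", nickname], text=True)


# Constructed sample of certutil pretty-print output; not a real certificate.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ipa.example.test"
        Validity:
            Not Before: Wed Jul 20 10:00:00 2011
            Not After : Fri Jan 20 10:00:00 2012
        Subject: "CN=ipa.example.test"
"""

if __name__ == "__main__":
    # Offline demo on the constructed sample; on a real IPA host replace
    # SAMPLE_CERT_TEXT with read_nss_cert("/etc/httpd/alias", "Server-Cert").
    for label, now in (("before expiry", "2012-01-01 10:00:00"),
                       ("after expiry", "2012-01-23 10:00:00")):
        print(label, days_remaining(SAMPLE_CERT_TEXT, now),
              classify(SAMPLE_CERT_TEXT, now))
```

Running the demo against the constructed sample reports 19 days / "expiring" for the first date and -3 days / "expired" for the second. On a host, the same classify call, fed the output of certutil for each NSS database IPA uses, is enough to drive a cron job or monitoring alert; it is the check certmonger is meant to make unnecessary, and a cheap safety net when, as in this thread, certmonger was not tracking the certificate.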

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users