Ian Stokes-Rees wrote:
We have a deployment of IPA that we have been using successfully for 185
days. We are 3 days past the "half year" mark, and the self-signed cert
that was created with the original IPA install (FreeIPA v2 alpha) has
expired. I have created a new self-signed cert, PKCS#12 format, but I
cannot load it using the command:
ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 --dirsrv_pin=ldap
When I try this, I am asked for:
Directory Manager password:
And I have no idea what this would be. I've tried the Kerberos "admin"
password (used with "kinit admin"), and the root password. I don't know
what other passwords would work.
Is there some way to force this, or reset it, without starting from
scratch? The added challenge is that the person who set up this version
of FreeIPA went on vacation for 2 weeks, so I have minimal background
with FreeIPA from an admin/install perspective.
Just so I have the full context, where did the original self-signed cert
come from? The initial cert should have been good for 12 months so I'm a
little confused. Do you know where the initial certificate came from?
You're running a pretty old build so maybe we didn't have this quite
working but we use a tool named certmonger to keep the SSL certificates
valid. It could be that we weren't using certmonger then, or not
enabling it correctly, I'm not sure. If you want to see, then as root
run: ipa-getcert list. This will show you the certificates that
certmonger is monitoring (and I suppose it could be none or you could
get a DBus error).
Since your infrastructure is probably down because of this here are the
instructions you need to get going again. I hesitate because I don't
want to make things worse for you by not understanding the history.
The Directory Manager is essentially the super-user of 389-ds. It gets a
separate password when IPA is installed. See these instructions for
I'm also curious why only the 389-ds cert has expired and not the Apache
cert (or maybe you haven't noticed it yet). 'certutil -L -d
/etc/httpd/alias -n Server-Cert' will show you.
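The reply suggests checking the Apache server certificate with `certutil -L`. The following added example (not from this thread or from the FreeIPA project) turns that one-off check into a small script that reads `certutil -L` output, pulls out the "Not After" timestamp and reports how many days remain before expiry, so the 389-ds and Apache certificates can be checked the same way before they run out. It assumes GNU `date` (Linux); the `certutil` output embedded below is constructed for illustration, and the directory/nickname arguments are placeholders.

```shell
#!/bin/bash
# Added example: report days until an NSS-database certificate expires.
# Assumes GNU date (Linux). SAMPLE_CERTUTIL_OUTPUT below is constructed
# to mirror the layout certutil -L prints; it is not real certificate data.

# Read `certutil -L -d <dir> -n <nick>` output on stdin and print the
# "Not After" timestamp (certutil prints it as "Not After : <date>").
not_after_from_certutil() {
    sed -n 's/^ *Not After *: *//p' | head -n 1
}

# Print whole days between a reference time (epoch seconds, default: now)
# and the given "Not After" string. Negative means already expired.
days_until() {
    not_after="$1"
    now="${2:-$(date +%s)}"
    exp=$(date -d "$not_after" +%s) || return 1
    echo $(( (exp - now) / 86400 ))
}

# Query a live NSS database; placeholders for the IPA directories, e.g.
# /etc/httpd/alias (Apache) or /etc/dirsrv/slapd-<INSTANCE> (389-ds).
check_nss_cert() {
    dir="$1"
    nick="$2"
    na=$(certutil -L -d "$dir" -n "$nick" | not_after_from_certutil)
    [ -n "$na" ] || { echo "no Not After line for $nick in $dir" >&2; return 1; }
    printf '%s in %s expires %s (%s days)\n' \
        "$nick" "$dir" "$na" "$(days_until "$na")"
}

# Constructed sample of certutil -L output (layout only, not real data).
SAMPLE_CERTUTIL_OUTPUT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Validity:
            Not Before: Wed Jul 20 14:00:00 2011
            Not After : Fri Jan 20 14:00:00 2012
'

# Stand-alone run: evaluate the constructed sample against today's date.
if [ "${1:-}" = "--demo" ]; then
    na=$(printf '%s' "$SAMPLE_CERTUTIL_OUTPUT" | not_after_from_certutil)
    echo "sample cert Not After: $na ($(days_until "$na") days from now)"
fi
```

Run it with `--demo` to see the sample evaluated, or call `check_nss_cert /etc/httpd/alias Server-Cert` as root on an IPA server to check the live Apache certificate; a negative day count is the condition this thread ran into, and a small positive one is the cue to check whether certmonger (`ipa-getcert list`) is actually tracking the certificate.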
Freeipa-users mailing list