> Just so I have the full context, where did the original self-signed
> cert come from? The initial cert should have been good for 12 months
> so I'm a little confused. Do you know where the initial certificate
> came from?
I have to plead ignorance, since it was our regular sysadmin (away on vacation for 2 weeks) who installed this in the summer of 2010. I'm a "user" stuck with managing the system while he's away. I assume this cert came from the default installation process. He chimed in with a quick comment on our internal ticket, and said he doesn't know any details about the cert infrastructure of FreeIPA.

> You're running a pretty old build so maybe we didn't have this quite
> working but we use a tool named certmonger to keep the SSL
> certificates valid. It could be that we weren't using certmonger then,
> or not enabling it correctly, I'm not sure. If you want to see them as
> root run: ipa-getcert list. This will show you the certificates that
> certmonger is monitoring (and I suppose it could be none or you could
> get a DBus error.

Probably not running it:

# ipa-getcert list
Error org.freedesktop.DBus.Error.ServiceUnknown: The name org.fedorahosted.certmonger was not provided by any .service files

> Since your infrastructure is probably down because of this here are
> the instructions you need to get going again. I hesitate because I
> don't want to make things worse for you by not understanding the history.
>
> The Directory Manager is essentially the super-user of 389-ds. It gets
> a separate password when IPA is installed. See these instructions for
> resetting it:
> http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

Seemed straightforward, but it hasn't worked. After changing the password in the dse.ldif file I can't restart "dirsrv" successfully: our instance won't restart, but the PKI-IPA one will restart just fine.
In either case, I can't execute ipa-server-certinstall, as I get an error:

# ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 --dirsrv_pin=ldap
Directory Manager password:
an unexpected error occurred: Can't contact LDAP server:
[stacktrace]
DatabaseError: Can't contact LDAP server:

Also, I should reiterate that the PKCS#12 file is *self-signed*, but I notice in /etc/ipa/ca.crt there is a cert (just public) for the IPA CA -- perhaps my cert needs to be signed by this CA?

> I'm also curious why only the 389-ds cert has expired and not the
> Apache cert (or maybe you haven't noticed it yet). 'certutil -L -d
> /etc/httpd/alias -n Server-Cert' will show you.

Here you can see the expired cert and the 6-month lifespan:

# certutil -L -d /etc/httpd/alias -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA"
        Validity:
            Not Before: Wed Jul 21 18:13:52 2010
            Not After : Mon Jan 17 18:13:52 2011
        Subject: "CN=nebio-directory.in.hwlab,O=IPA"

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
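As an added illustration (not code from this thread or from FreeIPA), a small Python check that parses the Validity block of `certutil -L` output like the listing above and reports whether the certificate is expired or close to expiry, which is the kind of check certmonger would otherwise do for you. The sample text is constructed to mirror that listing, and the 30-day warning threshold is an assumed value.

```python
import re
from datetime import datetime

# Constructed sample: output in the shape 'certutil -L -d <nssdb> -n Server-Cert'
# prints, with the values of the expired cert shown in the thread.
SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA"
        Validity:
            Not Before: Wed Jul 21 18:13:52 2010
            Not After : Mon Jan 17 18:13:52 2011
        Subject: "CN=nebio-directory.in.hwlab,O=IPA"
"""

# Date layout as printed in the listing above (no timezone suffix).
_DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_validity(text):
    """Return (not_before, not_after) datetimes from certutil -L output."""
    nb = re.search(r"Not Before:\s*(.+)", text)
    na = re.search(r"Not After\s*:\s*(.+)", text)
    if not nb or not na:
        raise ValueError("no Validity block found in certutil output")
    return (datetime.strptime(nb.group(1).strip(), _DATE_FMT),
            datetime.strptime(na.group(1).strip(), _DATE_FMT))


def check_cert(text, now, warn_days=30):
    """Classify the cert as 'expired', 'expiring' or 'ok' relative to `now`.

    `now` may be a datetime or an ISO date string such as '2012-01-20'.
    warn_days is an assumed threshold; tune it to your renewal lead time.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    not_before, not_after = parse_validity(text)
    remaining = (not_after - now).days
    if now >= not_after:
        status = "expired"
    elif remaining <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {"status": status,
            "lifespan_days": (not_after - not_before).days,
            "days_remaining": remaining,
            "not_after": not_after.isoformat(sep=" ")}


if __name__ == "__main__":
    # Against the sample, a check run on 2012-01-20 reports the cert expired.
    print(check_cert(SAMPLE, "2012-01-20"))
```

In practice you would feed it the real output (`certutil -L -d /etc/httpd/alias -n Server-Cert`) for each NSS database FreeIPA uses and alert on anything not reported as "ok".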