On Jan 20, 2011, at 17:32 , Rob Crittenden wrote:
Yes, that was going to be my next question. While throwing any old
self-signed cert in there might get the server up other things won't
work, notably replication.
Ok, here are some steps I worked out that I think will get you back
in business. I'm going to try to renew your 389-ds certificate using
First we need to get 389-ds back up and running.
I'm going to use REALM in place of the instance name for your 389-ds
1. Make a backup of /etc/dirsrv/slapd-REALM/dse.ldif
2. Make a backup of your dirsrv NSS database (so /etc/dirsrv/slapd-
2. Edit dse.ldif and set nsslapd-security to off
3. Try starting dirsrv: service dirsrv start REALM
4. Get a kerberos ticket for admin: kinit admin
5. Generate a new CSR for your directory server:
certutil -R -k 'NSS Certificate DB:Server-Cert' -s 'cn=nebio-
directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f /etc/dirsrv/
slapd-REALM/pwdfile.txt -a > renew.csr
6. Get a new certificate:
ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab >
7. Paste the value in the output for Certificate into a file. This
is a base64-encoded blob of text probably starting with MII and
ending with ==.
8. Add this new cert to your 389-ds database
certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a <
9. service dirsrv stop REALM
10. edit dse.ldif and set nsslapd-security to on
11. service dirsrv start REALM
I ran the majority of these steps against my own IPA installation
and nothing caught on fire. I hope you have equal success.
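A small helper for the fiddly parts of the procedure above. This is an added example, not from the thread or from FreeIPA itself; it assumes the instance is named REALM, the NSS database lives in /etc/dirsrv/slapd-REALM with a pwdfile.txt beside it, and that `ipa cert-request` prints the certificate on a line starting with "Certificate:".

```shell
#!/bin/sh
# Added helper for the renewal steps above (not from the thread or FreeIPA).
# Assumptions: instance REALM, NSS DB in /etc/dirsrv/slapd-REALM, pwdfile.txt
# there, and `ipa cert-request` output containing a "  Certificate: MII..." line.
set -eu

# Steps 1/2 and 10: back up dse.ldif, then set nsslapd-security to on|off.
# Prints the resulting value so the caller can check it took effect.
set_security() {
    dse="$1"; state="$2"
    case "$state" in on|off) ;; *) echo "state must be on|off" >&2; return 1 ;; esac
    cp -p "$dse" "$dse.bak.$(date +%Y%m%d%H%M%S)"
    sed "s/^nsslapd-security: .*/nsslapd-security: $state/" "$dse" > "$dse.tmp"
    mv "$dse.tmp" "$dse"
    sed -n 's/^nsslapd-security: //p' "$dse"
}

# Step 7: pull the base64 blob out of saved `ipa cert-request` output and
# wrap it as PEM, which is the form `certutil -A -a` reads from stdin.
cert_to_pem() {
    out="$1"; pem="$2"
    b64=$(sed -n 's/^[[:space:]]*Certificate:[[:space:]]*//p' "$out" | head -n 1)
    [ -n "$b64" ] || { echo "no Certificate: line in $out" >&2; return 1; }
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$b64" | fold -w 64
        printf '%s\n' '-----END CERTIFICATE-----'
    } > "$pem"
}

# Steps 3 to 11 end to end, exactly as laid out above; run only on the IPA
# server itself after `kinit admin`. Arguments: instance name, server FQDN.
renew_dirsrv_cert() {
    realm="$1"; fqdn="$2"
    db="/etc/dirsrv/slapd-$realm"
    set_security "$db/dse.ldif" off
    service dirsrv start "$realm"
    certutil -R -k 'NSS Certificate DB:Server-Cert' -s "cn=$fqdn,O=IPA" \
        -d "$db" -f "$db/pwdfile.txt" -a > renew.csr
    ipa cert-request renew.csr --principal="ldap/$fqdn" > renew.out
    cert_to_pem renew.out renew.pem
    certutil -A -d "$db" -n Server-Cert -t u,u,u -a < renew.pem
    service dirsrv stop "$realm"
    set_security "$db/dse.ldif" on
    service dirsrv start "$realm"
}
```

The first two functions can be exercised on a copy of dse.ldif and a saved cert-request output before touching the live instance.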
Rob, any more advice on this?
Step 5 fails, but it works if I remove the "NSS Cert...." part or if I
use "IPA..." something or other that I figured out.
But then step 6 fails, I get a "No Modification Required" result when
I run the command, and nothing I did could get past that.
If I want to start from scratch with the new Beta release, how would I
dump the entire LDAP/KRB database so that I could import it into a new
The Docs mention doing regular backups, but they don't even tell how
to back up the data, whether to back up files (which ones?!) or to dump
the data into a file, and backup that.
Can I convert from the 1.9 alpha to a 2.0beta freeipa instance?
Freeipa-users mailing list