A couple of days ago my (Apache) certificates expired. Users are able to kinit, but tools such as sudo fail because of the expired certificates. After a lot of reading/Googling I found this script (steps) to renew these certs:

I'd rather run the commands one at a time, but my question is: am I on the right track? Will this work? Any other suggestions?


I know I'll probably have to set the server's date back a couple of days and get a new ticket to make this work.


--- From: http://adam.younglogic.com/2011/08/httpd-cert/ ----

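#!/usr/bin/env bash
# Re-issue the Apache (mod_nss) server certificate from the IPA CA.
# Steps: generate a CSR against the existing httpd NSS database, submit it
# to IPA for the HTTP/<fqdn> service principal, fetch the issued certificate
# from the service entry and import it under the "Server-Cert" nickname.
# Requires: root, a valid Kerberos ticket (kinit), certutil and ipa on PATH.
set -euo pipefail

# One hostname value feeds both the CSR subject and the service principal so
# the two cannot drift apart (the original mixed $HOSTNAME and `hostname`).
HOST=$(hostname)
readonly HOST
readonly PRINCIPAL="HTTP/${HOST}"
readonly NSSDB=/etc/httpd/alias
readonly PWDFILE="${NSSDB}/pwdfile.txt"
readonly NICK="Server-Cert"
# RSA key size; 1024 preserves the original. NOTE(review): 1024-bit RSA is
# below current minimum recommendations -- run with KEY_BITS=2048 (or larger).
readonly KEY_BITS="${KEY_BITS:-1024}"

CSR=$(mktemp)
CERT=$(mktemp)
# The CSR and the fetched certificate are public material, but the scratch
# files should still not be left behind on any exit path.
cleanup() { rm -f -- "$CSR" "$CERT"; }
trap cleanup EXIT

# -R: generate a key pair + CSR inside the NSS db; -a: PEM output on stdout.
certutil -R -s "CN=${HOST}" -d "$NSSDB" -f "$PWDFILE" -g "$KEY_BITS" -a > "$CSR"
# Do not submit an empty request if certutil wrote nothing.
[[ -s "$CSR" ]] || { printf 'CSR generation produced no output\n' >&2; exit 1; }

ipa cert-request "$CSR" --principal="$PRINCIPAL"

# The issued certificate is stored on the service entry; --out writes it out.
ipa service-show "$PRINCIPAL" --out "$CERT"
[[ -s "$CERT" ]] || { printf 'no certificate retrieved for %s\n' "$PRINCIPAL" >&2; exit 1; }

# -A: add the cert to the db under the nickname mod_nss is configured to use;
# -t "u,u,u": trust flags as in the original.
certutil -A -d "$NSSDB" -n "$NICK" -t "u,u,u" -a -f "$PWDFILE" -i "$CERT"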
---


$ sudo -l
sudo: ldap_start_tls_s(): Connect error
sudo: no valid sudoers sources found, quitting

---

[root@srv01 ~]# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
        status: SUBMITTING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYREALM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MYREALM//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-REALM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYREALM
        subject: CN=srv01.company.net,O=MYREALM.NET
        expires: 2012-06-03 20:19:49 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
Request ID '20110706215129':
        status: SUBMITTING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYREALM.NET
        subject: CN=srv01.company.net,O=MYREALM.NET
        expires: 2012-06-03 20:19:49 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
Request ID '20110706215145':
        status: SUBMITTING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYREALM.NET
        subject: CN=srv01.company.net,O=MYREALM.NET
        expires: 2012-06-03 20:19:49 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes

---

[root@srv01 ~]# tail -1 /var/log/httpd/error_log
[Tue Jun 05 13:11:06 2012] [error] SSL Library Error: -12269 The server has rejected your certificate as expired

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
